Re: [Quickfixj-users] Issue with quickfixj 2.1.0, SSLException, proxy and NTLM

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,

hmm, to be fair: in QFJ-949 there isn't mentioned anything about NTLM or even a proxy?! So what 
makes you think it is the same issue?
However, did you try to use ProxyDomain and ProxyWorkstation as suggested here? 
https://github.com/quickfix-j/quickfixj/pull/92
Re MINA: QFJ already uses the most recent version 2.0.19.

As you said it might be a bug in MINA. It could of course also be a bug in QFJ (not using MINA's 
proxy classes correctly) but without a concise, reproducable unit test we cannot do much about it. 
And even with a reproducer, we still would need somebody who can analyse and fix this issue. Someone 
who has access to a proxy with NTLM authentication. Hmm, who could that be? ;)

Cheers,
Chris.

On 13/01/2019 16:17, Andrew Marlow wrote:
> QuickFIX/J Documentation: http://www.quickfixj.org/documentation/
> QuickFIX/J Support: http://www.quickfixj.org/support/
>
>
>
> Hello everyone,
>
> I am using quickfixj to talk to a remote service that uses SSL encryption. I can get to the web 
> landing page using curl but I get an SSLException with quickfixj during the handshake. I think 
> this must be an issue with the quickfixj code. Let me explain some more:
>
> The remote service cannot be accessed directly because of a corporate firewall. The corporation is 
> a heavy user of Microsoft software/environments so the corporate proxy uses NTLM for 
> authentication. This works fine for web users from their windows workstations. However, it causes 
> problems for some other software. An example is the python pip command. That fails with a proxy 
> authentication error even when the correct credentials are supplied. This was reported as a 
> problem to the python/pip developers. They refused to fix the issue. They said it was because the 
> corporate proxy had been misconfigured and they were not going to change their code to cope with 
> corporate misconfiguration. So the problem remains. To get around this problem I use a windows 
> service called CNTLM. It is basically a proxy for a proxy. I enter my credentials into that and it 
> sorts out the traffic forwarding to the pypi website. So when I hit a similar problem with 
> quickfixj I eventually hit on the idea of using CNTLM. I did and the quickfixj communication now 
> works. This is how I can get things to work on windows but unfortunately the software has to be 
> run in a RHEL environment where CNTLM is not available. I do not know what I am going to be able 
> to do about that.
>
> I've heard that other software gets hit by the same issue. There was a problem in chrome some 
> years ago apparently. There is a recently logged issue with talend, as can be seen at 
> https://community.talend.com/t5/Design-and-Development/tRest-with-NTLM-Proxy-Authorization/td-p/95066. 
> There was also (and still might be) a problem with postman, as you can see here: 
> https://github.com/postmanlabs/postman-app-support/issues/3692. Other examples include ArcEarth, 
> https://community.esri.com/thread/189903-web-proxy-ntlm-authentication-error, and gradle, see 
> https://stackoverflow.com/questions/14434101/gradle-not-working-behind-proxy-with-ntlm-on-windows. 
> But there is one bit of software that I am able to connect with ok and that's curl. I am using a 
> very recent version, 2.57. I cannot help thinking that curl has put in a workaround of the kind 
> requested by python pip users. I hope to do some investigation to see if earlier versions of curl 
> have the issue. That might shed some light on where the fix (if any) was supplied. It might be in 
> the curl code or it might be in openssl. I am really not sure. But I am fairly convinced that apps 
> that experience the issue must employ some sort of workaround.
>
> I note that a bug report was raised against quickfixj that might be the same issue, see 
> https://www.quickfixj.org/jira/browse/QFJ-949 . It was closed with the statement ". I doubt that 
> this is a bug since many people are using SSL with Java 8.". I am using JDK8 and I see the issue 
> unless I use CNTLM. So perhaps this bug report should be re-opened. I admit it might be a bug in 
> mina, since that is the component that quickfixj uses for the SSL handling. Could a version be 
> built with the most recent version of mina please?
>
> -- 
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk
>
>
>
> _______________________________________________
> Quickfixj-users mailing list
> Qui...@li...
> https://lists.sourceforge.net/lists/listinfo/quickfixj-users

-- 
Christoph John
Software Engineering
T +49 241 557080-28
chr...@ma...

MACD GmbH
Oppenhoffallee 103
52066 Aachen, Germany
www.macd.com

Amtsgericht Aachen: HRB 8151
Ust.-Id: DE 813021663
Geschäftsführer: George Macdonald