Re: [Quickfixj-users] Issue with quickfixj 2.1.0, SSLException, proxy and NTLM

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Andrew,

just curious if you made some progress that you could share?

Thanks,
Chris.

On 14/01/2019 11:12, Christoph John via Quickfixj-users wrote:
> QuickFIX/J Documentation: http://www.quickfixj.org/documentation/
> QuickFIX/J Support: http://www.quickfixj.org/support/
>
>
>
> Hi,
>
> hmm, to be fair: in QFJ-949 there isn't mentioned anything about NTLM or even a proxy?! So what 
> makes you think it is the same issue?
> However, did you try to use ProxyDomain and ProxyWorkstation as suggested here? 
> https://github.com/quickfix-j/quickfixj/pull/92
> Re MINA: QFJ already uses the most recent version 2.0.19.
>
> As you said it might be a bug in MINA. It could of course also be a bug in QFJ (not using MINA's 
> proxy classes correctly) but without a concise, reproducable unit test we cannot do much about it. 
> And even with a reproducer, we still would need somebody who can analyse and fix this issue. 
> Someone who has access to a proxy with NTLM authentication. Hmm, who could that be? ;)
>
> Cheers,
> Chris.
>
> On 13/01/2019 16:17, Andrew Marlow wrote:
>> QuickFIX/J Documentation:http://www.quickfixj.org/documentation/
>> QuickFIX/J Support:http://www.quickfixj.org/support/
>>
>>
>>
>> Hello everyone,
>>
>> I am using quickfixj to talk to a remote service that uses SSL encryption. I can get to the web 
>> landing page using curl but I get an SSLException with quickfixj during the handshake. I think 
>> this must be an issue with the quickfixj code. Let me explain some more:
>>
>> The remote service cannot be accessed directly because of a corporate firewall. The corporation 
>> is a heavy user of Microsoft software/environments so the corporate proxy uses NTLM for 
>> authentication. This works fine for web users from their windows workstations. However, it causes 
>> problems for some other software. An example is the python pip command. That fails with a proxy 
>> authentication error even when the correct credentials are supplied. This was reported as a 
>> problem to the python/pip developers. They refused to fix the issue. They said it was because the 
>> corporate proxy had been misconfigured and they were not going to change their code to cope with 
>> corporate misconfiguration. So the problem remains. To get around this problem I use a windows 
>> service called CNTLM. It is basically a proxy for a proxy. I enter my credentials into that and 
>> it sorts out the traffic forwarding to the pypi website. So when I hit a similar problem with 
>> quickfixj I eventually hit on the idea of using CNTLM. I did and the quickfixj communication now 
>> works. This is how I can get things to work on windows but unfortunately the software has to be 
>> run in a RHEL environment where CNTLM is not available. I do not know what I am going to be able 
>> to do about that.
>>
>> I've heard that other software gets hit by the same issue. There was a problem in chrome some 
>> years ago apparently. There is a recently logged issue with talend, as can be seen at 
>> https://community.talend.com/t5/Design-and-Development/tRest-with-NTLM-Proxy-Authorization/td-p/95066. 
>> There was also (and still might be) a problem with postman, as you can see here: 
>> https://github.com/postmanlabs/postman-app-support/issues/3692. Other examples include ArcEarth, 
>> https://community.esri.com/thread/189903-web-proxy-ntlm-authentication-error, and gradle, see 
>> https://stackoverflow.com/questions/14434101/gradle-not-working-behind-proxy-with-ntlm-on-windows. 
>> But there is one bit of software that I am able to connect with ok and that's curl. I am using a 
>> very recent version, 2.57. I cannot help thinking that curl has put in a workaround of the kind 
>> requested by python pip users. I hope to do some investigation to see if earlier versions of curl 
>> have the issue. That might shed some light on where the fix (if any) was supplied. It might be in 
>> the curl code or it might be in openssl. I am really not sure. But I am fairly convinced that 
>> apps that experience the issue must employ some sort of workaround.
>>
>> I note that a bug report was raised against quickfixj that might be the same issue, see 
>> https://www.quickfixj.org/jira/browse/QFJ-949 . It was closed with the statement ". I doubt that 
>> this is a bug since many people are using SSL with Java 8.". I am using JDK8 and I see the issue 
>> unless I use CNTLM. So perhaps this bug report should be re-opened. I admit it might be a bug in 
>> mina, since that is the component that quickfixj uses for the SSL handling. Could a version be 
>> built with the most recent version of mina please?
>>
>> -- 
>> Regards,
>>
>> Andrew Marlow
>> http://www.andrewpetermarlow.co.uk
>>
>>

-- 
Christoph John
Software Engineering
T +49 241 557080-28
chr...@ma...

MACD GmbH
Oppenhoffallee 103
52066 Aachen, Germany
www.macd.com

Amtsgericht Aachen: HRB 8151
Ust.-Id: DE 813021663
Geschäftsführer: George Macdonald