From: Aaron B. <aar...@gm...> - 2019-09-03 12:33:02
Thanks Chris! I was able to extract the information a few different ways. The one that made the most sense to my particular use case was to run the check during the onLogon callback. I was able to cleanly get the IoSession and extract the information from the filterChain. This was late enough to ensure the handshake had completed, and early enough that the connection won't be able to make any further actions.

Really appreciate the pointers on this, they were quite helpful.

On Mon, 2019-09-02 at 15:05 +0200, Christoph John wrote:
> Or could maybe this method be extended:
> https://github.com/quickfix-j/quickfixj/blob/bab477e0959b7ab7338b6a37f20749bb0f0478c3/quickfixj-core/src/main/java/quickfix/mina/ssl/X509TrustManagerWrapper.java#L58
>
> Cheers,
> Chris.
>
> On 29.08.19 19:09, Christoph John wrote:
> > Maybe this helps a little:
> > https://stackoverflow.com/questions/6813929/how-to-get-the-principal-after-a-successful-ssl-handshake-using-mina
> >
> > I cannot access the code currently but IIRC you could do something
> > with a custom TrustManager. But do not remember exactly
> >
> > Cheers
> > Chris
> >
> > On 29 August 2019 16:41:59 CEST, Aaron Bedra <aar...@gm...> wrote:
> > > Thanks Chris. Yes, this is for the acceptor. The goal is to obtain
> > > the client certificate subject DN as early as possible and verify
> > > that it is authorized, killing the connection if not. I'll dig
> > > further into the MINA session to see if I can get a handle to the
> > > socket.
> > >
> > > On Tue, Aug 27, 2019 at 3:25 PM Christoph John <chr...@ma...> wrote:
> > > > Hi,
> > > >
> > > > I did not understand if you want to do this from client code or
> > > > do you want to extend the acceptor?
> > > >
> > > > IMHO you can only get access to that low-level information using
> > > > reflection. QFJ uses MINA for SSL communication and does not get
> > > > notified if the handshake is completed.
> > > >
> > > > If I am not mistaken you can get access to the MINA SslSession
> > > > via a session attribute.
> > > >
> > > > For an example see here:
> > > > https://github.com/quickfix-j/quickfixj/blob/bab477e0959b7ab7338b6a37f20749bb0f0478c3/quickfixj-core/src/test/java/quickfix/mina/ssl/SSLCertificateTest.java#L470
> > > >
> > > > I hope I did not misunderstand your question.
> > > >
> > > > Cheers,
> > > > Chris.
> > > >
> > > > On 27.08.19 19:30, Aaron Bedra wrote:
> > > > > Hello,
> > > > >
> > > > > I've been digging through the source code for acceptors to
> > > > > figure out how to get a handle to the underlying socket as
> > > > > connections are established. I have two things I would like to
> > > > > do with that handle. In my case I am using SSL with client
> > > > > certificate authentication. All of that is working properly
> > > > > with the basic configuration options.
> > > > >
> > > > > 1) Add a handshake completed listener. The basic structure
> > > > > looks like
> > > > >
> > > > >     ((SSLSocket) socket).addHandshakeCompletedListener(handshakeCompletedEvent -> {
> > > > >         try {
> > > > >             X509Certificate cert = (X509Certificate) handshakeCompletedEvent.getPeerCertificates()[0];
> > > > >             System.out.println(cert.getSubjectDN().getName());
> > > > >         } catch (SSLPeerUnverifiedException e) {
> > > > >             e.printStackTrace();
> > > > >         }
> > > > >     });
> > > > >
> > > > > Ultimately there are some things I would like to extract from
> > > > > the client certificate in order to authorize a connection and
> > > > > potentially kill it once the certificate is available.
> > > > >
> > > > > 2) Extract a handle to the connection so it can be terminated.
> > > > > There may be a reason to disable connections belonging to a
> > > > > session and I would like to be able to wire up a mechanism to
> > > > > do that through the broader management components of the
> > > > > platform.
> > > >
> > > > --
> > > > Christoph John
> > > > Software Engineering
> > > > T +49 241 557...@ma...
> > > > MACD GmbH
> > > > Oppenhoffallee 103
> > > > 52066 Aachen, Germany
> > > > www.macd.com
> > > > Amtsgericht Aachen: HRB 8151
> > > > Ust.-Id: DE 813021663
> > > > Geschäftsführer: George Macdonald
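
An added example, not code from the thread or from QuickFIX/J: one way to make the subject-DN authorization decision discussed above once a `javax.net.ssl.SSLSession` is in hand, using only JDK classes. The class name, the allow-list and the sample DNs are assumptions; obtaining the `SSLSession` from the MINA `IoSession` and disconnecting the FIX session on a `false` result are left to the caller.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper: decides whether a TLS peer's certificate subject is authorized. */
public final class SubjectDnAuthorizer {
    private final Set<LdapName> allowed = new HashSet<>();

    /** @param allowedDns RFC 2253 subject DNs permitted to log on (deployment-specific). */
    public SubjectDnAuthorizer(String... allowedDns) throws InvalidNameException {
        for (String dn : allowedDns) {
            allowed.add(new LdapName(dn));
        }
    }

    /** Compares parsed DNs: case and spacing differences are ignored, extra or changed RDNs are not. */
    public boolean isAuthorized(X500Principal subject) {
        try {
            return allowed.contains(new LdapName(subject.getName(X500Principal.RFC2253)));
        } catch (InvalidNameException e) {
            return false; // unparseable subject: fail closed
        }
    }

    /** Fails closed when the peer presented no certificate or a non-X.509 one. */
    public boolean isAuthorized(SSLSession tls) {
        try {
            Certificate[] chain = tls.getPeerCertificates(); // index 0 is the peer's own certificate
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            return isAuthorized(((X509Certificate) chain[0]).getSubjectX500Principal());
        } catch (SSLPeerUnverifiedException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs, not taken from the thread.
        SubjectDnAuthorizer auth = new SubjectDnAuthorizer("CN=fix-client-1,O=Example Corp,C=US");
        // Same subject written with different case and spacing.
        System.out.println(auth.isAuthorized(new X500Principal("cn=FIX-CLIENT-1, o=Example Corp, c=US")));
        // Near-miss subject that a string-prefix comparison on the DN would accept.
        System.out.println(auth.isAuthorized(new X500Principal("CN=fix-client-10,O=Example Corp,C=US")));
    }
}
```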