From: Christoph J. <chr...@ma...> - 2019-11-13 23:17:27
I don't have any experience with custom TrustManagers and basically use the default SSL stuff. But as SSL FIX sessions become used more and more I think it makes sense to make it easier for developers to use a custom TrustManager e.g. for CRL. I dug a little through the QFJ code and found the class X509TrustManagerWrapper. Wouldn't this be the place for such extensions? But yes, it seems you cannot change the default behaviour from user code alone but need to extend QFJ.

Cheers,
Chris.

On 12.11.19 01:00, Aaron Bedra wrote:
> I've been working through the implications of different trust manager implementations and have run
> into an important question. Is there a way to replace the trust manager in any of the packaged
> acceptors? I'm currently using the threaded socket acceptor, but the SSL bits all seem to be
> buried in the abstract socket acceptor. Furthermore, it seems like the initialization of the trust
> manager is buried inside of the ssl context factory, and there's no option to specify different
> behavior.
>
> I'd love to better understand the options before diving into a rabbit hole that may not be
> necessary. If the right answer is submitting a pull request that makes this easier, I am happy to
> explore that as well.
>
> On Mon, Oct 21, 2019 at 7:28 AM Christoph John <chr...@ma...
> <mailto:chr...@ma...>> wrote:
>
> BTW, we are happy about every code contribution that might help other users. :)
>
> Cheers,
> Chris.
>
>
> On 19.10.19 15:50, Aaron Bedra wrote:
>> QuickFIX/J Documentation: http://www.quickfixj.org/documentation/
>> QuickFIX/J Support: http://www.quickfixj.org/support/
>>
>>
>>
>> Ah, got it. I didn't think about just replacing the trust manager. Thank you!
>>
>> On Fri, 2019-10-18 at 14:11 -0400, Philip Whitehouse wrote:
>>> You probably need a custom TrustManager implementation. See
>>> https://stackoverflow.com/a/38523104/1052931 for a potential implementation - not sure how
>>> secure it is.
>>>
>>> Best,
>>>
>>> Philip Whitehouse
>>>
>>>> On 18 Oct 2019, at 13:24, Aaron Bedra <aar...@gm...>
>>>> <mailto:aar...@gm...> wrote:
>>>>
>>>> I'm looking to add a CRL to the client certificate validation on my quickfixj engine. It
>>>> appears that the C++ engine supports this via the CertificateRevocationListFile option and
>>>> uses OpenSSL to verify it. I have been digging through the quickfixj code and have not
>>>> found anything equivalent. Is this feature not available or did I miss it?
>>>> _______________________________________________
>>>> Quickfixj-users mailing list
>>>> Qui...@li... <mailto:Qui...@li...>
>>>> https://lists.sourceforge.net/lists/listinfo/quickfixj-users
>
> --
> Christoph John
> Software Engineering
> T +49 241 557080-28
> chr...@ma... <mailto:chr...@ma...>
>
> MACD GmbH
> Oppenhoffallee 103
> 52066 Aachen, Germany
> www.macd.com <http://www.macd.com>
>
> Amtsgericht Aachen: HRB 8151
> VAT ID: DE 813021663
> Managing Director: George Macdonald
>

--
Christoph John
Software Engineering
T +49 241 557080-28
chr...@ma...

MACD GmbH
Oppenhoffallee 103
52066 Aachen, Germany
www.macd.com

Amtsgericht Aachen: HRB 8151
VAT ID: DE 813021663
Managing Director: George Macdonald