|
From: Aaron B. <aar...@gm...> - 2019-08-27 17:31:14
|
Hello,
I've been digging through the source code for acceptors to figure out how
to get a handle to the underlying socket as connections are established. I
have two things I would like to do with that handle. In my case I am using
SSL with client certificate authentication. All of that is working properly
with the basic configuration options.
1) Add a handshake completed listener. The basic structure looks like

    // needs javax.net.ssl.SSLSocket, javax.net.ssl.SSLPeerUnverifiedException
    // and java.security.cert.X509Certificate
    ((SSLSocket) socket).addHandshakeCompletedListener(handshakeCompletedEvent -> {
        try {
            // element 0 of the peer chain is the client's end-entity certificate
            X509Certificate cert =
                (X509Certificate) handshakeCompletedEvent.getPeerCertificates()[0];
            System.out.println(cert.getSubjectDN().getName());
        } catch (SSLPeerUnverifiedException e) {
            e.printStackTrace();
        }
    });
Ultimately there are some things I would like to extract from the client
certificate in order to authorize a connection and potentially kill it once
the certificate is available.
2) Extract a handle to the connection so it can be terminated. There may be
a reason to disable connections belonging to a session and I would like to
be able to wire up a mechanism to do that through the broader management
components of the platform.
|
|
From: Christoph J. <chr...@ma...> - 2019-08-27 20:25:52
|
Hi,

I did not understand if you want to do this from client code or do you want to extend the acceptor?
IMHO you can only get access to that low-level information using reflection. QFJ uses MINA for SSL communication and does not get notified if the handshake is completed.
If I am not mistaken you can get access to the MINA SslSession via a session attribute.
For an example see here:
https://github.com/quickfix-j/quickfixj/blob/bab477e0959b7ab7338b6a37f20749bb0f0478c3/quickfixj-core/src/test/java/quickfix/mina/ssl/SSLCertificateTest.java#L470

I hope I did not misunderstand your question.

Cheers,
Chris.

--
Christoph John
Software Engineering
T +49 241 557080-28
chr...@ma...

MACD GmbH
Oppenhoffallee 103
52066 Aachen, Germany
www.macd.com

Amtsgericht Aachen: HRB 8151
Ust.-Id: DE 813021663
Geschäftsführer: George Macdonald
|
|
From: Aaron B. <aar...@gm...> - 2019-08-29 14:42:18
|
Thanks Chris. Yes, this is for the acceptor. The goal is to obtain the client certificate subject DN as early as possible and verify that it is authorized, killing the connection if not. I'll dig further into the MINA session to see if I can get a handle to the socket.
|
|
From: Christoph J. <chr...@ma...> - 2019-08-29 17:09:37
|
Maybe this helps a little:
https://stackoverflow.com/questions/6813929/how-to-get-the-principal-after-a-successful-ssl-handshake-using-mina

I cannot access the code currently, but IIRC you could do something with a custom TrustManager. I do not remember exactly.

Cheers
Chris
|
|
From: Christoph J. <chr...@ma...> - 2019-09-02 13:05:48
|
Or maybe this method could be extended:
https://github.com/quickfix-j/quickfixj/blob/bab477e0959b7ab7338b6a37f20749bb0f0478c3/quickfixj-core/src/main/java/quickfix/mina/ssl/X509TrustManagerWrapper.java#L58

Cheers,
Chris.
|
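The custom-TrustManager route Chris points at, as an added example that is not code from this thread or from QuickFIX/J: a delegating X509TrustManager that lets the wrapped manager do the normal chain, expiry and CA validation and then compares the client certificate's subject against an allow-list, throwing CertificateException so the TLS handshake fails before any FIX message is received. The class name, the helper names and the sample DNs are assumptions made for the example; how the resulting SSLContext is plugged into the QFJ acceptor (or into X509TrustManagerWrapper) is not shown. The comparison uses X500Principal rather than a string match on the deprecated getSubjectDN().getName(), because the latter's output format is implementation-dependent.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical delegating trust manager (illustration, not part of QuickFIX/J).
 * The wrapped manager performs the cryptographic validation; afterwards the
 * client certificate's subject is compared against an allow-list. Throwing
 * CertificateException from checkClientTrusted aborts the TLS handshake, so a
 * client whose subject is not listed never gets to send a FIX Logon.
 */
public final class SubjectAllowListTrustManager implements X509TrustManager {

    private final X509TrustManager delegate;
    private final Set<X500Principal> allowed;

    public SubjectAllowListTrustManager(X509TrustManager delegate, Set<X500Principal> allowed) {
        this.delegate = delegate;
        this.allowed = Set.copyOf(allowed);
    }

    /**
     * The policy decision on its own, so it can be exercised without a live handshake.
     * X500Principal.equals/hashCode compare the canonical form, so differences in
     * attribute-type case, value case and whitespace do not affect the result.
     */
    public static boolean isAuthorized(Set<X500Principal> allowed, X500Principal subject) {
        return subject != null && allowed.contains(subject);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Chain validation first: a subject only means something once the chain is trusted.
        delegate.checkClientTrusted(chain, authType);
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        X500Principal subject = chain[0].getSubjectX500Principal(); // chain[0] is the end-entity cert
        if (!isAuthorized(allowed, subject)) {
            throw new CertificateException(
                "client certificate subject not authorized: " + subject.getName(X500Principal.RFC2253));
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /**
     * Builds an SSLContext whose client-auth decision goes through the allow-list.
     * keyManagers carries the acceptor's own certificate and key; trustStore holds
     * only the CA(s) permitted to issue client certificates.
     */
    public static SSLContext buildContext(KeyManager[] keyManagers, KeyStore trustStore,
                                          Set<X500Principal> allowed) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                base = (X509TrustManager) tm;
                break;
            }
        }
        if (base == null) {
            throw new IllegalStateException("default TrustManagerFactory produced no X509TrustManager");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, new TrustManager[] { new SubjectAllowListTrustManager(base, allowed) }, null);
        return ctx;
    }

    /** Exercises the policy with constructed sample DNs; no certificate or keystore is needed. */
    public static void main(String[] args) {
        Set<X500Principal> allowed = Set.of(
            new X500Principal("CN=trader01,OU=Desk A,O=Example Broker,C=US"));

        // Same identity written with different case and spacing.
        X500Principal sameIdentity = new X500Principal("cn=trader01, ou=desk a, o=Example Broker, c=US");
        // A different CN issued by the same CA.
        X500Principal otherUser = new X500Principal("CN=trader02,OU=Desk A,O=Example Broker,C=US");

        System.out.println("trader01 (variant spelling) authorized: " + isAuthorized(allowed, sameIdentity));
        System.out.println("trader02 authorized: " + isAuthorized(allowed, otherUser));
    }
}
```

Running main accepts the variant spelling of trader01 and refuses trader02, because X500Principal compares canonical forms rather than raw strings. Two caveats a practitioner would want: the subject check is only as strong as the trust store behind the delegate, since any CA in that store could issue a certificate with a matching subject, so restrict the trust store to the CA that actually issues client certificates (or pin the certificate fingerprint instead of the DN); and the difference between this and a check in the application's logon callback is timing, in that a handshake-time rejection happens before any application bytes are exchanged, whereas a post-handshake check runs after the peer has already sent and the engine has already parsed a message.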
|
From: Aaron B. <aar...@gm...> - 2019-09-03 12:33:02
|
Thanks Chris! I was able to extract the information a few different ways. The one that made the most sense to my particular use case was to run the check during the onLogon callback. I was able to cleanly get the IoSession and extract the information from the filterChain. This was late enough to ensure the handshake had completed, and early enough that the connection won't be able to make any further actions. Really appreciate the pointers on this, they were quite helpful.
|