Built in SSL about quickfixn HOT 26 CLOSED

I think it would be a nice feature. QuickFIX/J has this.

from quickfixn.

it is trivial to do, thank heaven, once you are on .NET 4.0 / Visual Studio 2010 ;)

http://msdn.microsoft.com/de-de/library/system.net.security.sslstream.aspx

There is an SslStream class already ready for usage.

from quickfixn.

thanks for the link! Seems to be trivial. I have used ssl in QuickfIx/j. went thro its source code - pretty clean and neat. now in the process of using Quickfix/n to integrate with products based on .Net. Need SSL support as the FIX acceptor on the other side supports only SSL. Any plans when this will be out?

from quickfixn.

There are no plans. Would gladly accept submissions, though.

Contributor FAQ

It's something we certainly should have, just no one's done it yet.

Does anyone know if this would require us to update to 4.0? I'm not opposed to it, but only if there is a good reason.

from quickfixn.

I do not think so. SSLStream class has been there since .NET 2.0

http://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.80).aspx

from quickfixn.

We have added SSL support to quickfix/n and in the process rewritten the sslconnector to use stream instead of socket. I hope to post a patch within the next month(s?).

In the meantime I am open for suggestions about what settings are requried for SSL support, below is a list of the currently implemented settings:

SSLCheckCertificateRevocation=Y
SSLValidateServerCertificate=Y
SSLCertificatePath=mycert.p12 (SSL client certificate file, if not specified SSL will be turned off)
SSLCertificatePassword=CertPassword
SSLProtocols=Default (any value of http://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols.aspx)
SSLHostname=fix.myhost.org (the common-name of the servers certificate, if different from host-name)

from quickfixn.

@Daniel-Svensson - have you looked to see if there are any similar settings in QuickFIX/J or the original QuickFIX? We'd like to keep the config settings similar, when possible.

from quickfixn.

@gbirchmeier

• quickfix does not support SSL and instead recommend that you install a ssl tunnel.
• quickfix/j only a "SocketUseSSL" and very java specific names to configure certificate and password (and it requires specific java certificate-keystore to be used)

in short, there exist no god existing names for the settings so I choose to mimic the naming convention for apache mod_ssl (with SSL prefix) togheter with keeping to standard C# naming conventions, as it makes it very easy to identify and find settings concerning SSL.

I do however wonder if anyone have come in contact with a production FIX SSL environment where client certificate are not used?

from quickfixn.

@Daniel-Svensson - thanks for looking that up. I think your naming convention is appropriate. If there is no obvious commonality with the QF or QF/j, then we'll just make it up as we go.

Sorry, I myself have not needed SSL with QF/n yet, thus I don't have much feedback to give at this time.

from quickfixn.

We use SSL a lot, so I’m quite happy to do testing on this.

Given that many users would be migrating from stunnel, it might be worth keeping close to their configuration too if possible.

E.g. rather than SSLValidateServerCertficate Y/N, stunnel has verify level (0-4)

From: Grant Birchmeier [mailto:[email protected]]
Sent: 03 January 2013 15:45
To: connamara/quickfixn
Subject: Re: [quickfixn] Built in SSL (#18)

@Daniel-Svenssonhttps://github.com/Daniel-Svensson - thanks for looking that up. I think your naming convention is appropriate. If there is no obvious commonality with the QF or QF/j, then we'll just make it up as we go.

Sorry, I myself have not needed SSL with QF/n yet, thus I don't have much feedback to give at this time.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/18#issuecomment-11848057.

from quickfixn.

That'd be great if you guys can work this feature out. I just don't have the bandwidth, nor the knowledge at this time.

from quickfixn.

I've made an initial version with SSL support availible at https://github.com/Daniel-Svensson/quickfixn
Feel free to try it, I don't plan any major changes before I make a pull request except that I will look into making client certificate optional.

I've added a new setting "SSLCACertificatePath=caServerCert.cer" in order to allow validation of client certificates against a single CA certificate (and not all certificates in the certificate store)

@jcwild, i will stick with Y/N as it is easier to implement instead of trying tomimic stunnel's 5 levels

from quickfixn.

Just added pull request #167 which implements SSL support

Documentation is added to the quickfix configuration documentation section (of the pull request)

from quickfixn.

So is SSL available now? or do I still need to use stunnel?

from quickfixn.

@russgove, if you compile quickfixn yourself you can get ssl support if you either merge my pull request #167 or compile it directly.

If you however decide for the later I must "warn" you that it is based on quickfixn 1.4.0 beta2 and I have not merged in any later changes from quickfixn in order to keep it stable in until @gbirchmeier merges it.

from quickfixn.

Thanls Daniel, I have been trying to manually merge your changes into my local quickfix (1.4.0) but haven't gotten far. I don't know how to do a GIT merge....perhaps now is a good time to learn!
Seeing that your pull request was submitted over 7 months ago and no action has been taken, I guess there's little hope that anything will be done soon. Thats unfortunate. Are you using your SSL Mod in a production environment? I'm trying to figure out if I should 1.)try to take on your mod 2.) go with quickfix/N+stunnel 3.) quickfix/J or 4.) paid product... Any advice would be much appreciated.

from quickfixn.

Sorry for the non-activity. I've been stuck on a project for most of the
summer and I haven't made time for QF/n. I'm hoping to get on some of
these within the month.

from quickfixn.

Thanks Grant! I'm trying to figure out this GIT thing so i can put that
patch on my local instance. I'll be sure to let you guys know how it works
for me.

So I'm doing '$ git pull #167'
and that doesnt work ... how the heck to i merger that code.....

On Wed, Sep 11, 2013 at 9:46 AM, Grant Birchmeier
[email protected]:

Sorry for the non-activity. I've been stuck on a project for most of the
summer and I haven't made time for QF/n. I'm hoping to get on some of
these within the month.

On Wed, Sep 11, 2013 at 7:57 AM, russellgove [email protected]:

Thanls Daniel, I have been trying to manually merge your changes into my
local quickfix (1.4.0) but haven't gotten far. I don't know how to do a
GIT
merge....perhaps now is a good time to learn!
Seeing that your pull request was submitted over 7 months ago and no
action has been taken, I guess there's little hope that anything will be
done soon. Thats unfortunate. Are you using your SSL Mod in a production
environment? I'm trying to figure out if I should 1.)try to take on your
mod 2.) go with quickfix/N+stunnel 3.) quickfix/J or 4.) paid product...
Any advice would be much appreciated.

—
Reply to this email directly or view it on GitHub<
https://github.com/connamara/quickfixn/issues/18#issuecomment-24237415>
.

Grant Birchmeier
Connamara Systems, LLC
Made-To-Measure Trading Solutions.
Exactly what you need. No more. No less.*
*
http://connamara.com

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/18#issuecomment-24240721
.

from quickfixn.

You want this:
git pull git://github.com/Daniel-Svensson/quickfixn.git master
This is the branch that the pull request is using.

from quickfixn.

Does the 1.5 release includes ssl support?

from quickfixn.

I haven't actually tried the official funal 1.5 build, but it should be included.

From: russellgove
Sent: 2014-02-24 16:01
To: connamara/quickfixn
Cc: Daniel-Svensson
Subject: Re: [quickfixn] Built in SSL (#18)

Does the 1.5 releas includes ssl support?

Reply to this email directly or view it on GitHub:
#18 (comment)

from quickfixn.

It does, at least as far as @Daniel-Svensson implemented it.

@russgove, Please let us know what you think of it. We haven't gotten much feedback on it.

from quickfixn.

Hi

Can quckfix/n work with a client certificate file with the .pem extension?
E.g. SSLCertificaste=foo.pem.

Thanks.

from quickfixn.

No, right now it only supports PKCS12.

I think we really should support pem, but no one has written it.

from quickfixn.

HI does QuickFIX/n support SSL with .pem certificates and what are the config parameters, pls point me to the doc if any.
http://quickfixn.org/tutorial/configuration.html#ssl this site does nor provide teh SSL settings

from quickfixn.

@hadagali, look one post above yours.

No, right now it only supports PKCS12.
I think we really should support pem, but no one has written it.

from quickfixn.