From cfb9c1c25d9aa4c3b81ec511315a06c2d84a1ca8 Mon Sep 17 00:00:00 2001
From: Grant Birchmeier
Date: Wed, 26 Jun 2024 17:27:27 -0500
Subject: [PATCH] proper path searching for CA certs
---
 Examples/Executor/Program.cs | 3 +-
 Examples/Executor/executor.cfg | 6 +-
 Examples/Executor/executor_ssl.cfg | 96 +++---------------------
 Examples/TradeClient/Program.cs | 1 +
 Examples/TradeClient/tradeclient.cfg | 7 +-
 Examples/TradeClient/tradeclient_ssl.cfg | 16 ++--
 QuickFIXn/Transport/SslCertCache.cs | 3 +-
 QuickFIXn/Transport/SslStreamFactory.cs | 6 +-
 RELEASE_NOTES.md | 1 +
 9 files changed, 37 insertions(+), 102 deletions(-)
diff --git a/Examples/Executor/Program.cs b/Examples/Executor/Program.cs
index a4c74ce31..1811b10d5 100644
--- a/Examples/Executor/Program.cs
+++ b/Examples/Executor/Program.cs
@@ -31,7 +31,8 @@ static void Main(string[] args)
 SessionSettings settings = new SessionSettings(args[0]);
 IApplication executorApp = new Executor();
 IMessageStoreFactory storeFactory = new FileStoreFactory(settings);
- ILogFactory logFactory = new FileLogFactory(settings);
+ ILogFactory logFactory = new ScreenLogFactory(settings);
+ //ILogFactory logFactory = new FileLogFactory(settings);
 ThreadedSocketAcceptor acceptor = new ThreadedSocketAcceptor(executorApp, storeFactory, settings, logFactory);
 HttpServer srv = new HttpServer(HttpServerPrefix, settings);
diff --git a/Examples/Executor/executor.cfg b/Examples/Executor/executor.cfg
index e0cfca983..1da3a28d6 100644
--- a/Examples/Executor/executor.cfg
+++ b/Examples/Executor/executor.cfg
@@ -3,12 +3,16 @@ ConnectionType=acceptor
 SocketAcceptPort=5001
 StartTime=00:00:00
 EndTime=00:00:00
-FileLogPath=log
 UseDataDictionary=Y
 ResetOnLogon=Y
 ResetOnLogout=Y
 ResetOnDisconnect=Y
+FileLogPath=log
+ScreenLogShowIncoming=Y
+ScreenLogShowOutgoing=Y
+ScreenLogShowEvents=Y
+
 [SESSION]
 BeginString=FIX.4.0
 SenderCompID=EXECUTOR
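Review bot: `+ //ILogFactory logFactory = new FileLogFactory(settings);` leaves commented-out code beside the live `ScreenLogFactory` line, and Examples/TradeClient/Program.cs in this same patch adds the identical line. If the purpose is to show the alternative, a comment that says so reads better than dead code, e.g. `// To log to files instead of the console, use new FileLogFactory(settings).`; otherwise drop the line, since the .cfg files now carry FileLogPath next to the ScreenLog settings. Main's body continues outside the hunk.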
diff --git a/Examples/Executor/executor_ssl.cfg b/Examples/Executor/executor_ssl.cfg
index 6d020ac8f..9b49a0506 100644
--- a/Examples/Executor/executor_ssl.cfg
+++ b/Examples/Executor/executor_ssl.cfg
@@ -4,106 +4,28 @@ SocketAcceptPort=5001
 SocketReuseAddress=Y
 StartTime=00:00:00
 EndTime=00:00:00
-FileLogPath=log
 UseDataDictionary=Y
 ResetOnLogon=Y
 ResetOnLogout=Y
 ResetOnDisconnect=Y
+
+FileLogPath=log
+ScreenLogShowIncoming=Y
+ScreenLogShowOutgoing=Y
+ScreenLogShowEvents=Y
+
+
 SSLEnable=Y
 # It is recommended to install the certificate and refer to it by name instead of using filename + password
-SSLCertificate=QuickFixn-TestServer.pfx
+SSLCertificate=../QuickFixn-TestServer.pfx
 SSLCertificatePassword=QuickFixn-TestServer
 # For production refer to certificate by name instead: SSLCertificate=CN=QuickFixn-TestServer
-SSLCACertificate=QuickFixn-TestCA.cer
+SSLCACertificate=../QuickFixn-TestCA.cer
 SSLCheckCertificateRevocation=N
-[SESSION]
-BeginString=FIX.4.0
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT1
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX40.xml
-
-[SESSION]
-BeginString=FIX.4.0
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT2
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX40.xml
-
-[SESSION]
-BeginString=FIX.4.1
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT1
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX41.xml
-
-[SESSION]
-BeginString=FIX.4.1
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT2
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX41.xml
-
-[SESSION]
-BeginString=FIX.4.2
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT1
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX42.xml
-
-[SESSION]
-BeginString=FIX.4.2
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT2
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX42.xml
-
-[SESSION]
-BeginString=FIX.4.3
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT1
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX43.xml
-
-[SESSION]
-BeginString=FIX.4.3
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT2
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX43.xml
-
 [SESSION]
 BeginString=FIX.4.4
 SenderCompID=EXECUTOR
 TargetCompID=CLIENT1
 FileStorePath=store
 DataDictionary=../../spec/fix/FIX44.xml
-
-
-
-[SESSION]
-BeginString=FIX.4.4
-SenderCompID=EXECUTOR
-TargetCompID=CLIENT2
-FileStorePath=store
-DataDictionary=../../spec/fix/FIX44.xml
-
-#[SESSION]
-#BeginString=FIXT.1.1
-#DefaultApplVerID=FIX.5.0
-#SenderCompID=EXECUTOR
-#TargetCompID=CLIENT1
-#FileStorePath=store
-#TransportDataDictionary=../../spec/fix/FIXT11.xml
-#AppDataDictionary=../../spec/fix/FIX50.xml
-
-#[SESSION]
-#BeginString=FIXT.1.1
-#DefaultApplVerID=FIX.5.0
-#SenderCompID=EXECUTOR
-#TargetCompID=CLIENT2
-#FileStorePath=store
-#TransportDataDictionary=../../spec/fix/FIXT11.xml
-#AppDataDictionary=../../spec/fix/FIX50.xml
-
diff --git a/Examples/TradeClient/Program.cs b/Examples/TradeClient/Program.cs
index cbf8cd616..f991f5382 100644
--- a/Examples/TradeClient/Program.cs
+++ b/Examples/TradeClient/Program.cs
@@ -35,6 +35,7 @@ static void Main(string[] args)
 TradeClientApp application = new TradeClientApp();
 IMessageStoreFactory storeFactory = new FileStoreFactory(settings);
 ILogFactory logFactory = new ScreenLogFactory(settings);
+ //ILogFactory logFactory = new FileLogFactory(settings);
 QuickFix.Transport.SocketInitiator initiator = new QuickFix.Transport.SocketInitiator(application, storeFactory, settings, logFactory);
 // this is a developer-test kludge. do not emulate.
diff --git a/Examples/TradeClient/tradeclient.cfg b/Examples/TradeClient/tradeclient.cfg
index 1e7222648..3ee5851f1 100644
--- a/Examples/TradeClient/tradeclient.cfg
+++ b/Examples/TradeClient/tradeclient.cfg
@@ -2,7 +2,6 @@ ConnectionType=initiator
 ReconnectInterval=2
 FileStorePath=store
-FileLogPath=log
 StartTime=00:00:00
 EndTime=00:00:00
 UseDataDictionary=Y
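Review bot: `+SSLCertificate=../QuickFixn-TestServer.pfx` and `+SSLCACertificate=../QuickFixn-TestCA.cer` are resolved against the process working directory, not against this file: SslCertCache.LoadCertificateInner in this same patch probes `File.Exists(certPath)` and, on failure, reports `Directory.GetCurrentDirectory()`, so the example only finds its certificates when started from the directory the `../` was written for (the `../../spec/fix` DataDictionary paths suggest Examples/Executor; Examples/TradeClient/tradeclient_ssl.cfg carries the same two settings). A comment above the two settings would spare the next reader a failed handshake, e.g. `# Certificate paths are relative to the working directory the example is started from, not to this file`. If "proper path searching" is meant to make the lookup location-independent, that would need a code change, such as resolving relative paths against the config file's directory, which is not part of this patch.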
@@ -10,14 +9,16 @@ DataDictionary=../../spec/fix/FIX44.xml
 SocketConnectHost=127.0.0.1
 SocketConnectPort=5001
 SocketIgnoreProxy=Y
-LogoutTimeout=5
-ResetOnLogon=Y
 ResetOnDisconnect=Y
+FileLogPath=log
 ScreenLogShowIncoming=Y
 ScreenLogShowOutgoing=Y
 ScreenLogShowEvents=Y
+LogoutTimeout=5
+ResetOnLogon=Y
+
 [SESSION]
 # inherit ConnectionType, ReconnectInterval and SenderCompID from default
 BeginString=FIX.4.4
diff --git a/Examples/TradeClient/tradeclient_ssl.cfg b/Examples/TradeClient/tradeclient_ssl.cfg
index b493ec970..be5e28c3d 100644
--- a/Examples/TradeClient/tradeclient_ssl.cfg
+++ b/Examples/TradeClient/tradeclient_ssl.cfg
@@ -2,7 +2,6 @@ ConnectionType=initiator
 ReconnectInterval=2
 FileStorePath=store
-FileLogPath=log
 StartTime=00:00:00
 EndTime=00:00:00
 UseDataDictionary=Y
@@ -11,15 +10,20 @@ SocketConnectHost=127.0.0.1
 SocketConnectPort=5001
 SSLEnable=Y
+FileLogPath=log
+ScreenLogShowIncoming=Y
+ScreenLogShowOutgoing=Y
+ScreenLogShowEvents=Y
+
+LogoutTimeout=5
+ResetOnLogon=Y
+
 # It is recommended to install the certificate and refer to it by name instead of using filename + password
-SSLCertificate=QuickFixn-TestClient.pfx
+SSLCertificate=../QuickFixn-TestClient.pfx
 SSLCertificatePassword=QuickFixn-TestClient
 # For production refer to certificate by name instead: SSLCertificate=CN=QuickFixn-TestClient
 SSLServerName=QuickFixn-TestServer
-SSLCACertificate=QuickFixn-TestCA.cer
-
-LogoutTimeout=5
-ResetOnLogon=Y
+SSLCACertificate=../QuickFixn-TestCA.cer
 [SESSION]
 # inherit ConnectionType, ReconnectInterval and SenderCompID from default
diff --git a/QuickFIXn/Transport/SslCertCache.cs b/QuickFIXn/Transport/SslCertCache.cs
index 1308e6692..7eba7c122 100644
--- a/QuickFIXn/Transport/SslCertCache.cs
+++ b/QuickFIXn/Transport/SslCertCache.cs
@@ -55,14 +55,13 @@ private static X509Certificate2 LoadCertificateInner(string name, string? passwo
 {
 var certPath = StringUtil.FixSlashes(name);
- // If no extension is found try to get from certificate store
+ // If cert file not found, then try to get from certificate store
 if (!File.Exists(certPath))
 {
 var certFromStore = GetCertificateFromStore(StringUtil.FixSlashes(name));
 if (certFromStore is not null) return certFromStore;
- // see TODO in LoadCertificate()
 string msg = $"Certificate '{name}' could not be loaded from store or path '{Directory.GetCurrentDirectory()}'";
 Console.WriteLine(msg);
diff --git a/QuickFIXn/Transport/SslStreamFactory.cs b/QuickFIXn/Transport/SslStreamFactory.cs
index 296129f86..a7b388bc1 100644
--- a/QuickFIXn/Transport/SslStreamFactory.cs
+++ b/QuickFIXn/Transport/SslStreamFactory.cs
@@ -178,11 +178,13 @@ private bool VerifyRemoteCertificate(
 return false;
 }
+ string caCertPath = StringUtil.FixSlashes(_socketSettings.CACertificatePath);
+
 // If CA Certificate is specified then validate against the CA certificate, otherwise it is validated against the installed certificates
- X509Certificate2? cert = SslCertCache.LoadCertificate(_socketSettings.CACertificatePath, null);
+ X509Certificate2? cert = SslCertCache.LoadCertificate(caCertPath, null);
 if (cert is null)
 {
 _nonSessionLog.OnEvent(
- $"Certificate '{_socketSettings.CACertificatePath}' could not be loaded from store or path '{Directory.GetCurrentDirectory()}'");
+ $"Certificate '{caCertPath}' could not be loaded from store or path '{Directory.GetCurrentDirectory()}'");
 return false;
 }
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 69148e5c4..7b5af0898 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
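Review bot: The new comment `// If cert file not found, then try to get from certificate store` still leaves the contract of `name` implicit: judging by the example configs in this patch it is either a file path (checked relative to the current working directory) or a store reference such as the `CN=QuickFixn-TestServer` form those configs describe, and a reader may otherwise take the store lookup for an error path rather than the normal production case. Suggest `// 'name' is either a certificate file path (relative paths resolve against the current working directory) or a store reference; the file system is tried first, then the certificate store`. On the line below, `GetCertificateFromStore(StringUtil.FixSlashes(name))` recomputes the value already held in `certPath`; `GetCertificateFromStore(certPath)` would make clear there is a single normalization. LoadCertificateInner starts and ends outside the hunk.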
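Review bot: `+ string caCertPath = StringUtil.FixSlashes(_socketSettings.CACertificatePath);` repeats a normalization that SslCertCache.LoadCertificateInner already applies to its `name` argument (visible in this patch), so unless SslCertCache.LoadCertificate caches by the raw string before normalizing, the only behavioural difference is the path text in the log event. That is still worth keeping so the event shows what was actually probed, but say so, e.g. `// Normalized here as well so the log event below shows the same path SslCertCache probes.`; otherwise the next cleanup will remove it as redundant. The fail-closed `return false;` when the configured CA certificate cannot be loaded is the right outcome and should stay. VerifyRemoteCertificate starts outside the hunk.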
@@ -88,6 +88,7 @@ What's New
 * Cleanup/nullable-ize SocketInitiatorThread (gbirchmeier)
 * #839 - change ScreenLog to output FIX messages with "|" instead of non-visible SOH (gbirchmeier)
 * #844 - implement "Weekdays" setting (MichalUssuri/gbirchmeier)
+* #859 - implement proper path searching for CA certs in config (gbirchmeier)
 ### v1.11.2:
 * same as v1.11.1, but I fixed the readme in the pushed nuget packages