Quick Fix J (QFJ) SSL connection between Initiator and Acceptor logic

[cypatorYA]

I have built an Acceptor using QFJ, and wanted to add another layer of protection when a client connects to my engine, so I added:

SocketUseSSL=Y
NeedClientAuth=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=****

to create this jks file I used:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks -validity 3650

and also I created a server.cer file using the command:

keytool -export -alias server -file server.cer -keystore server.jks -validity 3650
to test that it is working I built a small Initiator engine and used configuration:

SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=****

and to create the client.jks I used:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks -validity 3650
keytool -export -alias client -file client.cer -keystore client.jks -validity 3650

I then imported the client client.cer file into my server.jks using:

keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks

I tested it and all worked perfectly, client was able to connect to the server and also I tested that when the client does not send cert (SocketUseSSL=N) client is unable to connect.

The problem is that when I change the client jks file to another cert (client2.jks), the client is still able to connect to the server even though I did not import the new cert .cer (client2.cer) file into the server .jks file.

Is this the right logic? From what I could find online I saw that maybe I need to generate a .jks file and a .crt file then give the client the .crt file and on the client side do the same and then the client provide his .crt file.

I could not find any clear example how should it work with QFJ, can someone please note all the steps and commend to achieve a secure SSL connection between client (initiator) and server (acceptor)

thanks

[chrjohn]

Did you take a look at https://github.com/quickfix-j/quickfixj/blob/master/quickfixj-core/src/test/java/quickfix/mina/ssl/SSLCertificateTest.java

AFAIR it also has tests for client authentication.

[the-thing]

@cypatorYA

Truststore properties are used for certificate checks. It doesn't seem like you are configuring any.

[chrjohn]

BTW, @cypatorYA which QFJ version are you using?

[cypatorYA]

Hi @chrjohn, @the-thing, thanks for the prompt response.
@chrjohn regarding your question, I briefly looked in the past at the examples under SSLCertificateTest.java, this is because on the web all the examples were using different logic, I probably should have started with the examples.

I have looked at the examples now and it does connect to what @the-thing has mentioned that I am missing Truststore properties and this probably the reason why every cert been sent by the client is passing (although I validated that all messages are encrypted using wireshark).

I am still not sure how the relationship between the keys .keystore and .truststore and client-server is done.
From the examples, I can see that on the server side (acceptor) a server.keystore and a server1.truststore is been used.

When I look into the files I can see that server.keystore Entry type is PrivateKeyEntry and server1.truststore is Entry type: trustedCertEntry
and on the client side client1.keystore continues 2 entries with the server.keystore and server1.truststore fingerprints and alias

I tried to generate this logic using:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.keystore -validity 3650
keytool -export -alias server -file server.cer -keystore server.keystore -validity 3650
keytool -import -v -trustcacerts -alias server1 -file server.cer -keystore server1.truststore

but I ended up with server1.truststore which has the same fingerprints as the server.keystore (and not a unique one of it is own like the one under quickfix example) but one has Entry type: trustedCertEntry and the other has Entry type: PrivateKeyEntry respectively.

How do I generate all the 3 files server.keystore, server1.truststore, and client1.keystore also from client's perspective do I generate the client1.keystore for him and send it on a secure connection to use or does he need to generate it by himself and I just need to send him my server1.truststore

Sorry for the long question, I have been working on this for a long time now.
I will appreciate any help.
PS: I am using quickfixj-core 2.3.1 and fix version 4.4

[the-thing]

Normally key stores contain certificate key-pairs and trust stores contain trusted certificates, but the file format e.g. JKS is the same so nothing stops you from using a single file for acceptor and initiator respectively. That's how QFJ did it initially and now we have to follow it.

Client always validates server's certificate, but not vice versa, although this can be enforced. QFJ has a "feature" that when a trust store is not specified it will use a dummy one that will trust anyone. Not super nice, but this is for backwards compatibility.

I can't advise on keytool command line tool, but I can suggest using "KeyStore Explorer" which is an excellent desktop application for key files and certificates manipulation.

What you want to do is to generate acceptor's keystore file containing only a key pair entry. Then you want to export a certificate from that entry and send it to your client/initiator so the client can generate their own trust stores. That's it. It will use encrypted connection and client/initiator will validate server's certificate.

If you want to do something custom you will have to play around a bit and find it for yourself. I have a feeling some new work has been given to you at the company. :)

Hope this helps.

[chrjohn]

I'd also like to thank you for the detailed answer. I feel this could go into some kind of how-to.

QFJ has a "feature" that when a trust store is not specified it will use a dummy one that will trust anyone. Not super nice, but this is for backwards compatibility.

Do you think that this should be changed?

That's how QFJ did it initially and now we have to follow it.

Do we still? ;)

[the-thing]

I'd also like to thank you for the detailed answer. I feel this could go into some kind of how-to.

QFJ has a "feature" that when a trust store is not specified it will use a dummy one that will trust anyone. Not super nice, but this is for backwards compatibility.

Do you think that this should be changed?

In theory a client could connect to a bad endpoint, but I'm not sure if there is much value in changing that. I would leave it as is for now.

That's how QFJ did it initially and now we have to follow it.

Do we still? ;)

Actually I was wrong. This has roots in Java SSL style so probably it is good as is.

[the-thing]

@cypatorYA Was this helpful? Could this be marked as answered?

[cypatorYA]

Yes! sorry about that