From a76af446e980143585b851030e98c43b5b4c51d1 Mon Sep 17 00:00:00 2001
From: Gareth Roberts
Date: Wed, 9 Jan 2019 13:58:21 +0000
Subject: [PATCH 1/3] Add SocketUseSSL parameter to allow SSL without client certs

---
 config/configuration.go | 1 +
 config/doc.go | 4 ++++
 tls.go | 12 ++++++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/config/configuration.go b/config/configuration.go
index cc4d4230a..06ad4a2e0 100644
--- a/config/configuration.go
+++ b/config/configuration.go
@@ -22,6 +22,7 @@ const (
 	SocketInsecureSkipVerify string = "SocketInsecureSkipVerify"
 	SocketMinimumTLSVersion string = "SocketMinimumTLSVersion"
 	SocketTimeout string = "SocketTimeout"
+	SocketUseSSL string = "SocketUseSSL"
 	DefaultApplVerID string = "DefaultApplVerID"
 	StartTime string = "StartTime"
 	EndTime string = "EndTime"
diff --git a/config/doc.go b/config/doc.go
index 041baf745..abfa7c9b5 100644
--- a/config/doc.go
+++ b/config/doc.go
@@ -284,6 +284,10 @@ SocketMinimumTLSVersion
 
 Specify the Minimum TLS version to use when creating a secure connection. The valid choices are SSL30, TLS10, TLS11, TLS12. Defaults to TLS12.
 
+SocketUseSSL
+
+Use SSL for initiators even if client certificates are not present. If set to N or omitted, TLS will not be used if SocketPrivateKeyFile or SocketCertificateFile are not supplied.
+
 PersistMessages
 
 If set to N, no messages will be persisted. This will force QuickFIX/Go to always send GapFills instead of resending messages. Use this if you know you never want to resend a message. Useful for market data streams. Valid Values:
diff --git a/tls.go b/tls.go
index 0184fc7f4..ef6846f61 100644
--- a/tls.go
+++ b/tls.go
@@ -10,6 +10,14 @@ import (
 )
 
 func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error) {
+	allowSkipClientCerts := false
+	if settings.HasSetting(config.SocketUseSSL) {
+		allowSkipClientCerts, err = settings.BoolSetting(config.SocketUseSSL)
+		if err != nil {
+			return
+		}
+	}
+
 	insecureSkipVerify := false
 	if settings.HasSetting(config.SocketInsecureSkipVerify) {
 		insecureSkipVerify, err = settings.BoolSetting(config.SocketInsecureSkipVerify)
@@ -19,9 +27,9 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	}
 
 	if !settings.HasSetting(config.SocketPrivateKeyFile) && !settings.HasSetting(config.SocketCertificateFile) {
-		if insecureSkipVerify {
+		if allowSkipClientCerts {
 			tlsConfig = defaultTLSConfig()
-			tlsConfig.InsecureSkipVerify = true
+			tlsConfig.InsecureSkipVerify = insecureSkipVerify
 		}
 		return
 	}

From a5ee841aa0ac1bb295c4535f125690a1a0150396 Mon Sep 17 00:00:00 2001
From: blutack
Date: Mon, 14 Jan 2019 18:38:42 +0000
Subject: [PATCH 2/3] Update tls_test.go

InsecureSkipVerify alone can no longer be use to create a secure session. Update tests to reflect that.

---
 tls_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tls_test.go b/tls_test.go
index 322c452c5..d1f96c6d5 100644
--- a/tls_test.go
+++ b/tls_test.go
@@ -90,6 +90,14 @@ func (s *TLSTestSuite) TestLoadTLSWithCA() {
 
 func (s *TLSTestSuite) TestInsecureSkipVerify() {
 	s.settings.GlobalSettings().Set(config.SocketInsecureSkipVerify, "Y")
+	_, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.NotNil(err)
+}
+
+func (s *TLSTestSuite) TestInsecureSkipVerifyWithUseSSL() {
+	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
+	s.settings.GlobalSettings().Set(config.SocketInsecureSkipVerify, "Y")
+
 	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
 	s.Nil(err)
 	s.NotNil(tlsConfig)

From 4d434d22ee433dace0311e62456c4401991a49a2 Mon Sep 17 00:00:00 2001
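Review bot: The local `allowSkipClientCerts` introduced on the first added line holds the value of the `SocketUseSSL` setting, but its name matches neither the setting nor the doc.go wording in this patch ("Use SSL for initiators"), so a reader looking for where SocketUseSSL takes effect will not recognise it here. Naming the variable after the setting, `useSSL := false` and `useSSL, err = settings.BoolSetting(config.SocketUseSSL)`, keeps the code and the documented option in step; the `if allowSkipClientCerts {` line in the second hunk would be renamed the same way. loadTLSConfig's body continues past the end of this hunk.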
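Review bot: With the rewritten `if allowSkipClientCerts {` branch, a configuration that sets only SocketInsecureSkipVerify=Y and supplies no key/cert files now leaves tlsConfig nil with err nil, so a session that built a (non-verifying) TLS config before this change drops to no TLS at all without any diagnostic, which the doc.go text in this same patch confirms ("TLS will not be used"). SocketInsecureSkipVerify has no meaning unless TLS is in use, so that combination is better reported than ignored; directly above the `if allowSkipClientCerts {` line: `if insecureSkipVerify && !allowSkipClientCerts { err = errors.New("SocketInsecureSkipVerify requires SocketUseSSL when no certificate files are configured"); return }` (needs an errors import if tls.go does not already have one). If the silent fall-through is intended, the `return` after the inner block should at least say so, `// no certificate files and SocketUseSSL unset: no TLS config is built`. Whether defaultTLSConfig verifies the peer against system roots is not visible in the hunk, and loadTLSConfig continues beyond it.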
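Review bot: The new TestInsecureSkipVerifyWithUseSSL sets both SocketUseSSL and SocketInsecureSkipVerify, so the series never exercises the case the new setting exists for: SocketUseSSL=Y with no certificate files and verification left on. That path should yield a non-nil config whose InsecureSkipVerify is false, and a test pinning it would catch the two settings being swapped in loadTLSConfig, which the combined test cannot. TestInsecureSkipVerifyWithUseSSL's body continues past the end of the hunk, so whether it checks the InsecureSkipVerify field is not visible here.
```go
func (s *TLSTestSuite) TestUseSSLWithoutClientCerts() {
	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")

	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
	s.Nil(err)
	s.NotNil(tlsConfig)
	s.False(tlsConfig.InsecureSkipVerify)
}
```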
From: blutack
Date: Mon, 14 Jan 2019 19:14:45 +0000
Subject: [PATCH 3/3] Update tls_test.go

---
 tls_test.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tls_test.go b/tls_test.go
index d1f96c6d5..3ddbddeaf 100644
--- a/tls_test.go
+++ b/tls_test.go
@@ -90,8 +90,9 @@ func (s *TLSTestSuite) TestLoadTLSWithCA() {
 
 func (s *TLSTestSuite) TestInsecureSkipVerify() {
 	s.settings.GlobalSettings().Set(config.SocketInsecureSkipVerify, "Y")
-	_, err := loadTLSConfig(s.settings.GlobalSettings())
-	s.NotNil(err)
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.Nil(tlsConfig)
 }
 
 func (s *TLSTestSuite) TestInsecureSkipVerifyWithUseSSL() {
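Review bot: The replaced assertions `s.Nil(err)` and `s.Nil(tlsConfig)` pin that SocketInsecureSkipVerify=Y with neither SocketUseSSL nor certificate files yields no TLS config and no error, but nothing in the test says this no-TLS outcome is the intended contract rather than a placeholder, and the name TestInsecureSkipVerify no longer describes what is asserted. A comment above the loadTLSConfig call, `// InsecureSkipVerify alone does not enable TLS: without SocketUseSSL or certificate files no config is built`, and a name such as TestInsecureSkipVerifyWithoutUseSSLYieldsNoTLS would make the expectation explicit to the next reader.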