1 change: 1 addition & 0 deletions config/configuration.go
Expand Up @@ -22,6 +22,7 @@ const (
SocketInsecureSkipVerify string = "SocketInsecureSkipVerify"
SocketMinimumTLSVersion string = "SocketMinimumTLSVersion"
SocketTimeout string = "SocketTimeout"
SocketUseSSL string = "SocketUseSSL"
DefaultApplVerID string = "DefaultApplVerID"
StartTime string = "StartTime"
EndTime string = "EndTime"
4 changes: 4 additions & 0 deletions config/doc.go
Expand Up @@ -284,6 +284,10 @@ SocketMinimumTLSVersion

Specify the Minimum TLS version to use when creating a secure connection. The valid choices are SSL30, TLS10, TLS11, TLS12. Defaults to TLS12.

SocketUseSSL

Use SSL for initiators even if client certificates are not present. If set to N or omitted, TLS will not be used if SocketPrivateKeyFile or SocketCertificateFile are not supplied.

PersistMessages

If set to N, no messages will be persisted. This will force QuickFIX/Go to always send GapFills instead of resending messages. Use this if you know you never want to resend a message. Useful for market data streams. Valid Values:
12 changes: 10 additions & 2 deletions tls.go
Expand Up @@ -10,6 +10,14 @@ import (
)

func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error) {
allowSkipClientCerts := false
if settings.HasSetting(config.SocketUseSSL) {
allowSkipClientCerts, err = settings.BoolSetting(config.SocketUseSSL)
if err != nil {
return
}
}

insecureSkipVerify := false
if settings.HasSetting(config.SocketInsecureSkipVerify) {
insecureSkipVerify, err = settings.BoolSetting(config.SocketInsecureSkipVerify)
Expand All @@ -19,9 +27,9 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
}

if !settings.HasSetting(config.SocketPrivateKeyFile) && !settings.HasSetting(config.SocketCertificateFile) {
if insecureSkipVerify {
if allowSkipClientCerts {
tlsConfig = defaultTLSConfig()
tlsConfig.InsecureSkipVerify = true
tlsConfig.InsecureSkipVerify = insecureSkipVerify
}
return
}
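Review bot: With neither SocketPrivateKeyFile nor SocketCertificateFile set, `SocketInsecureSkipVerify=Y` on its own now produces a nil tlsConfig, where the previous condition (`if insecureSkipVerify {`) returned a TLS config. Going by the new doc text for SocketUseSSL, an initiator configured that way would stop using TLS after upgrading, with no error or log line to say so. If that change is intended it should be called out in the docs for both settings; otherwise keep the old trigger as well, `if allowSkipClientCerts || insecureSkipVerify {`, so encryption is never dropped silently. The early `return` in this branch also means that whatever loadTLSConfig applies further down (the rest of the body is outside this hunk), for example SocketMinimumTLSVersion, is presumably not applied to the certificate-less config, which is worth confirming. As a naming point, `allowSkipClientCerts` gates whether TLS is used at all, so something like `useTLS` would describe it better.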
9 changes: 9 additions & 0 deletions tls_test.go
Expand Up @@ -90,6 +90,15 @@ func (s *TLSTestSuite) TestLoadTLSWithCA() {
func (s *TLSTestSuite) TestInsecureSkipVerify() {
s.settings.GlobalSettings().Set(config.SocketInsecureSkipVerify, "Y")

tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
s.Nil(err)
s.Nil(tlsConfig)
}

func (s *TLSTestSuite) TestInsecureSkipVerifyWithUseSSL() {
s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
s.settings.GlobalSettings().Set(config.SocketInsecureSkipVerify, "Y")

tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
s.Nil(err)
s.NotNil(tlsConfig)
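Review bot: The tests shown here do not cover SocketUseSSL=Y with SocketInsecureSkipVerify left unset, which is the configuration where server certificate verification has to stay enabled. A regression that hard-codes or inverts the flag in the certificate-less branch of loadTLSConfig would still pass both visible tests. Add a case that sets only `config.SocketUseSSL` to "Y" and asserts `s.NotNil(tlsConfig)` and `s.False(tlsConfig.InsecureSkipVerify)`. TestInsecureSkipVerifyWithUseSSL continues past the end of this hunk; if it does not already do so there, it should also assert `s.True(tlsConfig.InsecureSkipVerify)`.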