
I was looking at this link for help regarding QuickFIX/J configuration.

How would I enable TLS 1.2 as the enabled protocol? Is it:

[SESSION]
EnabledProtocols=Tls1.2

What if I wanted to specify cipher suites? For example, to only use the cipher suites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, is it:

[SESSION]
CipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Can you put commas?

There is no example of how to specify this in the documentation.

TT.
user3809938

2 Answers


The basic configuration elements to specify TLS 1.2:

SocketUseSSL=Y
EnabledProtocols=TLSv1.2

To specify a Java Keystore along with those settings:

SocketUseSSL=Y
SocketKeyStore=certificate.jks
SocketKeyStorePassword=<password to keystore>
EnabledProtocols=TLSv1.2

Where SocketKeyStore points to the Java Keystore file on disk. Note that only Java Keystores are possible in QuickFIX/J up to and including version 1.6.2.

From version 1.6.3 onwards, it is possible to specify other types of key stores (e.g. PKCS12) using the KeyStoreType configuration element. For PKCS12, for example, the configuration would look like:

SocketUseSSL=Y
SocketKeyStore=abcdef.pfx
SocketKeyStorePassword=<password to keystore>
KeyStoreType=PKCS12
EnabledProtocols=TLSv1.2

In QuickFIX/J 1.6.3 onwards, you can use the CipherSuites configuration element to specify cipher suites enabled for use with the SSL engine. For example, in configuration:

CipherSuites=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Please refer to the 1.6.3 configuration manual for more details.

TT.
  • Thank you. Do you by any chance know of a good way to verify it is using TLSv1.2 for example? – nsandersen Mar 04 '19 at 18:57
  • Documentation for current version (2.3.0) has no mentions of KeyStoreType-s other than JKS, so I assume they dropped support for PKCS12 at some point. – Alexander Gonchiy Sep 02 '21 at 10:34
  • @AlexanderGonchiy I am seeing in [2.3.0 configuration documentation](https://www.quickfixj.org/usermanual/2.3.0/usage/configuration.html) the KeyStoreType element still present though. It lists the default value being `JKS` (that is the value if element KeyStoreType is omitted). I would be surprised if other key store types would be dropped. – TT. Sep 02 '21 at 11:11
  • The "Valid Values" field for the KeyStoreType element is empty, which I read as only "JKS" being supported. Considering otherwise, where would one look for a list of all accepted keystore types? (Google finds no occurrences of "PKCS" in the docs which makes me think it's something external to QuickFIX/J ) – Alexander Gonchiy Sep 13 '21 at 14:11
  • @AlexanderGonchiy You can see [here](https://github.com/quickfix-j/quickfixj/blob/895224da1a05055bc99d936920d1e1ed7edc9935/quickfixj-core/src/main/java/quickfix/mina/ssl/SSLContextFactory.java) that a KeyStore is created from `java.security.KeyStore` using the `KeyStoreType`. You would expect the supported types in Java to be supported in QuickFIX/J, and PKCS seems like a very typical key store type. You can see [here](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/KeyStore.html) for instance that every Java implementation requires support for at least PKCS12. – TT. Sep 13 '21 at 14:48
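The answer above gives the settings keys but not a way to sanity-check a settings file before deploying it. The following is an added example, not code from the original answer or from the QuickFIX/J project: a small Python audit that parses a QuickFIX/J-style settings file, resolves [DEFAULT] into each [SESSION], and reports the mistakes a reviewer would look for: TLS keys present without SocketUseSSL=Y, a protocol name that is not a JSSE standard name (the question's Tls1.2 versus TLSv1.2), legacy protocols, and cipher suites without forward secrecy or without an AEAD cipher. Assumptions not taken from the page: that EnabledProtocols and CipherSuites are comma-separated lists (the answer shows a single value), and the two sample configurations, which are constructed here from the snippets in the question and the answer.

```python
"""Audit the TLS-related keys of a QuickFIX/J session settings file.

Added example, not part of the original answer or the QuickFIX/J project.
Assumption (not stated on the page): EnabledProtocols and CipherSuites are
comma-separated lists, as the question asks and the answer's single values
suggest.
"""

# Protocol names as JSSE expects them (Java Security Standard Algorithm Names).
JSSE_PROTOCOLS = {"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def parse_settings(text):
    """Parse INI-style settings into {section: {key: value}}.

    Section names are upper-cased; a repeated [SESSION] gets a numeric
    suffix so that no session is silently overwritten.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().upper()
            current = name if name not in sections else f"{name}#{len(sections)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_sections(sections):
    """Merge [DEFAULT] into every session section, as QuickFIX/J does."""
    default = sections.get("DEFAULT", {})
    sessions = {name: {**default, **kv} for name, kv in sections.items() if name != "DEFAULT"}
    return sessions or {"DEFAULT": default}


def split_list(value):
    # Assumption: list-valued keys are split on commas.
    return [item.strip() for item in value.split(",") if item.strip()]


def check_protocols(protocols):
    """Return findings for an EnabledProtocols list."""
    findings = []
    for proto in protocols:
        if proto not in JSSE_PROTOCOLS:
            findings.append(f"unknown protocol name {proto!r} (JSSE expects e.g. 'TLSv1.2')")
        elif proto not in MODERN_PROTOCOLS:
            findings.append(f"legacy protocol {proto!r} enabled")
    return findings


def check_suite(name):
    """Return concerns for one IANA cipher-suite name (TLS 1.2 or 1.3 style)."""
    if not name.startswith("TLS_"):
        return [f"{name}: not an IANA TLS_* suite name"]
    if "_WITH_" not in name:
        return []  # TLS 1.3 suite (e.g. TLS_AES_256_GCM_SHA384): AEAD and ephemeral keys by design
    key_exchange, _, cipher = name[4:].partition("_WITH_")
    concerns = []
    if not key_exchange.startswith(("ECDHE_", "DHE_")):
        concerns.append(f"{name}: key exchange {key_exchange} gives no forward secrecy")
    if "_GCM_" not in cipher and "CHACHA20_POLY1305" not in cipher and "_CCM" not in cipher:
        concerns.append(f"{name}: {cipher} is not an AEAD cipher (CBC/RC4/etc.)")
    if "RC4" in cipher or "3DES" in cipher or "_NULL_" in name or "EXPORT" in name:
        concerns.append(f"{name}: weak or null cipher")
    return concerns


def audit(text):
    """Audit every effective session; returns {section: [findings]} for sections with findings."""
    report = {}
    for section, kv in effective_sections(parse_settings(text)).items():
        findings = []
        has_tls_keys = "EnabledProtocols" in kv or "CipherSuites" in kv
        if has_tls_keys and kv.get("SocketUseSSL", "N").upper() != "Y":
            findings.append("TLS keys present but SocketUseSSL is not Y, so they have no effect")
        if "EnabledProtocols" in kv:
            findings += check_protocols(split_list(kv["EnabledProtocols"]))
        for suite in split_list(kv.get("CipherSuites", "")):
            findings += check_suite(suite)
        if findings:
            report[section] = findings
    return report


# Constructed sample: the configuration as written in the question.
QUESTION_CONFIG = """
[SESSION]
EnabledProtocols=Tls1.2
CipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
"""

# Constructed sample: the answer's settings with AEAD suites (password is a placeholder).
HARDENED_CONFIG = """
[DEFAULT]
SocketUseSSL=Y
SocketKeyStore=certificate.jks
SocketKeyStorePassword=changeit
[SESSION]
EnabledProtocols=TLSv1.2
CipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Running the module prints four findings for the question's configuration (missing SocketUseSSL, the unrecognised Tls1.2 name, and one non-AEAD warning per CBC suite) and none for the hardened one. To confirm what was actually negotiated once the engine is running, JSSE handshake logging (`-Djavax.net.debug=ssl:handshake`) prints the selected protocol and cipher suite for each connection.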

You are very close to the correct setting. For properly enabling TLS 1.2, you should configure it as below:

[SESSION]
EnabledProtocols=TLSv1.2
garykwwong