OnixS C++ FIX Engine  4.10.1
API Documentation
Troubleshooting

Generic SSL/TLS client/server

The openssl command-line tool can be used as a generic TLS/SSL client or server that connects to a remote host or accepts incoming connections using TLS/SSL. Its Windows version can be downloaded at https://www.slproweb.com/products/Win32OpenSSL.html. For example, for the client:

openssl s_client -host HOSTNAME -port PORT -cert hostcert.pem -key hostkey.pem

or

openssl.exe s_client -host HOSTNAME -port PORT -cert hostcert.pem -key hostkey.pem -CAfile trustedCertificates.pem

For example, for the server:

openssl s_server -port LISTEN_PORT -cert hostcert.pem -key hostkey.pem

or

openssl.exe s_server -port LISTEN_PORT -cert hostcert.pem -key hostkey.pem -CAfile trustedCertificates.pem

More details can be obtained using the -msg and -debug options. A detailed description of these modes can be found at:

SSL/TLS in detail

This article provides a detailed explanation of the TLS/SSL protocol, specifically the handshake protocol, its associated messages and alerts, and the record protocol.

SIGPIPE Linux signal

For regular TCP connections, the MSG_NOSIGNAL flag is used to avoid sending the SIGPIPE signal to the application when it sends data to a socket that was closed ungracefully by the other side. The OpenSSL library does not support a way to pass the MSG_NOSIGNAL flag. As a result, the application can receive the SIGPIPE signal, and the application can be terminated if there is no signal handler. Therefore, an application that uses SSL/TLS encryption should ignore or process the SIGPIPE signal, e.g.:

signal(SIGPIPE, SIG_IGN);

An example of proper Linux signal handling can be found in the BuySide and SellSide samples from the FIX Engine distribution package.
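The behaviour described above, shown as an added example that is not part of the OnixS documentation or samples: a write to a socket whose peer has closed fails with EPIPE in all three cases, and what differs is whether SIGPIPE is raised. Assumptions: an AF_UNIX socketpair stands in for the TCP connection, plain write() (which has no flags parameter) stands in for the TLS library's socket write, and all function names are hypothetical.

```cpp
// Added example, not OnixS code: socketpair() with a closed peer is a constructed test case.
#include <cerrno>
#include <csignal>
#include <cstdio>
#include <sys/socket.h>
#include <unistd.h>

static volatile sig_atomic_t g_sigpipe_count = 0;
static void on_sigpipe(int) { g_sigpipe_count = g_sigpipe_count + 1; }
int sigpipe_count() { return g_sigpipe_count; }

// Set the SIGPIPE disposition: SIG_DFL, SIG_IGN or a handler.
static void set_sigpipe(void (*disposition)(int)) {
    struct sigaction sa = {};
    sa.sa_handler = disposition;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGPIPE, &sa, nullptr);
}

// Return a connected stream socket whose peer is already closed (-1 on error).
static int socket_with_closed_peer() {
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) return -1;
    close(fds[1]);
    return fds[0];
}

// Plain-socket path: MSG_NOSIGNAL suppresses SIGPIPE for this one call.
int errno_send_nosignal() {
    int fd = socket_with_closed_peer();
    int err = (send(fd, "8=FIX", 5, MSG_NOSIGNAL) < 0) ? errno : 0;
    close(fd);
    return err;
}

// TLS-like path: write() takes no flags, so the process-wide disposition decides.
int errno_write_with(void (*disposition)(int)) {
    set_sigpipe(disposition);
    int fd = socket_with_closed_peer();
    int err = (write(fd, "8=FIX", 5) < 0) ? errno : 0;
    close(fd);
    return err;
}

int main() {
    int e1 = errno_send_nosignal(), e2 = errno_write_with(on_sigpipe), e3 = errno_write_with(SIG_IGN);
    std::printf("MSG_NOSIGNAL=%d handler=%d (signals=%d) SIG_IGN=%d\n", e1, e2, sigpipe_count(), e3);
    return 0;
}
```

With SIGPIPE ignored or handled, the failed write surfaces as an ordinary error return that the application can treat as a disconnect.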

Third-party SSL/TLS tools

There are third-party SSL/TLS tools which can be used as an SSL/TLS proxy. For example, stunnel can be used for this purpose.