Using TLS/SSL Encryption in Session Connections

For security in FIX messaging, C++ FIX Engine provides the ability to encrypt FIX connections with the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols. SSL v3.0, TLS v1.0, v1.1, v1.2, v1.3 are supported. The actual protocol and version are chosen automatically by a server side during the TLS/SSL Handshake. The client sends the highest version number that is supported and the server sends the highest version number that is supported by both sides. This is the protocol version that will be used during the connection.

Encrypting FIX Connections with TLS/SSL

To use TLS/SSL in FIX connectivity, the following steps should be taken:

1. If the counterparty requires client-side TLS/SSL certificate set both SSL.CertificateFile and SSL.PrivateKeyFile parameters in Engine configuration settings. They can refer to the same file if it contains both the TLS/SSL certificate and the private key. Also, SSL.CertificateFile parameter can refer to a certificate chain file with multiple CA certificates.
2. Call the OnixS::FIX::Session::encryptionMethod method with OnixS::FIX::EncryptionMethod::SSL as newEncryptionMethod parameter value right after the creation of the OnixS::FIX::Session object.
3. Establish the FIX Connection as usual.

Example

    Session session("Sender", "Target", ProtocolVersion::FIX_42, ONIXS_FIXENGINE_NULLPTR);
 
    session.encryptionMethod(EncryptionMethod::SSL).logonAsInitiator("localhost", 443, true);
 
    // Message exchange goes here..
 
    session.logout("TLS/SSL connection is finished.").shutdown();

Limit the TLS/SSL protocol versions

By default, a server side automatically chooses the actual TLS/SSL protocol and version during the TLS/SSL Handshake. However, some erroneous or more restricted servers, which allow only the specific protocol version, can reject TLS/SSL connections acting in such an algorithm. In such cases, the client can limit the TLS/SSL protocol versions to be used. For this purpose, SSL.MinProtocolVersion and SSL.MaxProtocolVersion parameters of Engine configuration settings can be used. Also, there are corresponding session-level OnixS::FIX::Session::sslMinProtocolVersion and OnixS::FIX::Session::sslMaxProtocolVersion settings:

    Session session("Sender", "Target", ProtocolVersion::FIX_42, ONIXS_FIXENGINE_NULLPTR);
 
    // Limit the given session to use the TLS v1.2 version only.
    session.sslMinProtocolVersion(SslProtocolMinMaxVersion::TLS12);
    session.sslMaxProtocolVersion(SslProtocolMinMaxVersion::TLS12);
 
    session.encryptionMethod(EncryptionMethod::SSL).logonAsInitiator("localhost", 443, true);
 
    // Message exchange goes here..
 
    session.logout("TLS/SSL connection is finished.").shutdown();

Note

It is not recommended to limit the TLS/SSL protocol versions in normal cases since it can prevent using the most secure available protocol version. Therefore, it should be used only when the default method does not work.

See Also

• The "SIGPIPE Linux signal" article on the Troubleshooting page