Using TLS/SSL Encryption
The OnixS .NET FIX Engine provides the ability to encrypt FIX connections with the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols.
The following protocol versions are supported:
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2
- TLS 1.3 (if supported by the executing platform)
The protocol and version are chosen by the server during the TLS/SSL Handshake: the client sends the highest version that it supports and the server replies with the highest version that is supported by both sides.
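The negotiation rule above, as an added example (not OnixS code): a loopback handshake built on .NET's own SslStream, in which the server allows only TLS 1.2 while the client offers TLS 1.2 and 1.3, followed by a check that the agreed version is at least TLS 1.2. SSL 3.0 was deprecated by RFC 7568 and TLS 1.0 and 1.1 by RFC 8996, so a connection whose server picks one of them should fail such a check. The class name, the MeetsFloor helper and the throwaway certificate are constructed for illustration; .NET 6 or later is assumed.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class TlsNegotiationDemo
{
    // Constructed identity: throwaway self-signed certificate for the loopback server.
    static X509Certificate2 MakeServerCert()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var tmp = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
        // Round-trip through PFX so SslStream can use the private key on Windows too.
        return new X509Certificate2(tmp.Export(X509ContentType.Pfx));
    }
    // Runs one handshake over loopback and returns the version both sides settled on.
    static async Task<SslProtocols> Negotiate(SslProtocols serverAllows, SslProtocols clientAllows)
    {
        using var serverCert = MakeServerCert();
        var listener = new TcpListener(IPAddress.Loopback, 0); // port 0: the OS picks a free port
        listener.Start();
        var server = Task.Run(async () =>
        {
            using var tcp = await listener.AcceptTcpClientAsync();
            using var tls = new SslStream(tcp.GetStream());
            await tls.AuthenticateAsServerAsync(serverCert, false, serverAllows, false);
        });
        using var client = new TcpClient();
        await client.ConnectAsync(IPAddress.Loopback, ((IPEndPoint)listener.LocalEndpoint).Port);
        // Pin the constructed certificate rather than switching validation off.
        using var clientTls = new SslStream(client.GetStream(), false, (sender, cert, chain, errors) =>
            cert != null && cert.GetCertHashString() == serverCert.GetCertHashString());
        await clientTls.AuthenticateAsClientAsync("localhost", null, clientAllows, false);
        await server;
        listener.Stop();
        return clientTls.SslProtocol;
    }
    // Policy floor checked after the handshake: reject anything older than TLS 1.2.
    static bool MeetsFloor(SslProtocols p) => p == SslProtocols.Tls12 || p == SslProtocols.Tls13;
    static async Task Main()
    {
        var got = await Negotiate(SslProtocols.Tls12, SslProtocols.Tls12 | SslProtocols.Tls13);
        Console.WriteLine($"negotiated {got}, meets TLS 1.2 floor: {MeetsFloor(got)}");
    }
}
```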
Encrypting FIX Connection
To use TLS/SSL in FIX connectivity, the following steps should be taken:
- If the counterparty requires a client-side certificate, use the Ssl property. It can refer to a list of PFX files or storage locations separated by the '|' symbol. The certificate file can contain a single certificate with the public/private key, or it can refer to a certificate chain file with multiple CA certificates. The certificate chain file with multiple CA certificates can also be specified using the CaFile property.
- Set the Encryption property to Ssl right after the creation of the Session object.
- Establish the FIX Connection.
For example:
var settings = new EngineSettings();

// The assignment below is required only if the counterparty requires a client-side TLS/SSL certificate:
settings.Ssl.CertificateLocation = "Client-side-SSL-Certificate-file.pfx";

Engine.Init(settings);

{
    Session session = new Session("SenderCompID", "TargetCompID", ProtocolVersion.Fix44)
    {
        Encryption = EncryptionMethod.Ssl
    };

    session.LogonAsInitiator("targetHost", 443);

    // Message exchange ...

    session.Logout("A TLS/SSL-encrypted connection is finished.");
}

// Or on a per-session basis:
{
    Session session = new Session("SenderCompID", "TargetCompID", ProtocolVersion.Fix44)
    {
        Encryption = EncryptionMethod.Ssl
    };

    // The assignment below is required only if the counterparty requires a client-side TLS/SSL certificate:
    session.Ssl.CertificateLocation = "Session-specific-client-side-SSL-Certificate-file.pfx";

    session.LogonAsInitiator("targetHost", 443);

    // Message exchange ...

    session.Logout("A TLS/SSL-encrypted connection is finished.");
}