Using TLS/SSL Encryption in Session Connections

For security in FIX messaging, the OnixS .NET Framework FIX Engine can encrypt FIX connections with the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols. SSL v3.0 and TLS v1.0, v1.1, v1.2 and v1.3 are supported. The actual protocol and version are chosen automatically by the server side during the TLS/SSL handshake: the client sends the highest version number it supports, and the server replies with the highest version number supported by both sides. That version is then used for the connection.

Encrypting FIX Connections with TLS/SSL

To use TLS/SSL in FIX connectivity, take the following steps:

  1. If the counterparty requires a client-side certificate, set both the SSL.CertificateFile and SSL.PrivateKeyFile parameters in the Engine configuration settings, or use the SslCertificateFile and SslPrivateKeyFile properties of the EngineSettings object. They can refer to the same file if it contains both the certificate and the private key; moreover, the SSL.CertificateFile setting can refer to a certificate chain file with multiple CA certificates. TLS/SSL settings can also be set on a per-session basis using the Ssl members of the Session object.
  2. Set the Encryption property to SSL right after the creation of the Session object.
  3. Establish the FIX connection as usual.

Example
C#
EngineSettings settings = new EngineSettings();

// The next two assignments are only needed if the
// counterparty requires client-side TLS/SSL certificate:

settings.SslCertificateFile = "SSL_Certificate_File.pem";

// Could be the same file as above.
settings.SslPrivateKeyFile = "SSL_PrivateKey_File.pem";

Engine.Init(settings);

Session session = new Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44);

session.Encryption = EncryptionMethod.SSL;

session.LogonAsInitiator("localhost", 443, true);

// Message exchange goes here.

session.Logout("TLS/SSL-encrypted connection is finished.");



// Or on per-session basis

Session session2 = new Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44);

session2.Encryption = EncryptionMethod.SSL;
session2.Ssl.CertificateFile = "SSL_Certificate_File_2.pem";
session2.Ssl.PrivateKeyFile = "SSL_PrivateKey_File_2.pem";

session2.LogonAsInitiator("localhost", 443, true);

// Message exchange goes here.

session2.Logout("TLS/SSL-encrypted connection is finished.");
VB
Dim settings As New EngineSettings()

' The next two assignments are only needed if the
' counterparty requires client-side TLS/SSL certificate:

settings.SslCertificateFile = "SSL_Certificate_File.pem"

' Could be the same file as above.
settings.SslPrivateKeyFile = "SSL_PrivateKey_File.pem"

Engine.Init(settings)

Dim session As New Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44)

session.Encryption = EncryptionMethod.SSL

session.LogonAsInitiator("localhost", 443, True)

' Message exchange goes here.

session.Logout("TLS/SSL-encrypted connection is finished.")



' Or on per-session basis

Dim session2 As New Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44)

session2.Encryption = EncryptionMethod.SSL
session2.Ssl.CertificateFile = "SSL_Certificate_File_2.pem"
session2.Ssl.PrivateKeyFile = "SSL_PrivateKey_File_2.pem"

session2.LogonAsInitiator("localhost", 443, True)

' Message exchange goes here.

session2.Logout("TLS/SSL-encrypted connection is finished.")
Limit the TLS/SSL protocol versions

By default, the server side automatically chooses the actual TLS/SSL protocol and version during the TLS/SSL handshake. However, some erroneous or more restrictive servers, which allow only one specific protocol version, may reject TLS/SSL connections negotiated this way. In such cases, the client can limit the TLS/SSL protocol versions to be used. For this purpose, the SSL.MinProtocolVersion and SSL.MaxProtocolVersion parameters of the Engine configuration settings can be used. There are also corresponding session-level Ssl properties (MinProtocolVersion/MaxProtocolVersion):

Example
C#
Session session = new Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44);

// Limit the given session to use the TLS v1.2 version only.
session.Ssl.MinProtocolVersion = SslProtocolMinMaxVersion.TLS12;
session.Ssl.MaxProtocolVersion = SslProtocolMinMaxVersion.TLS12;

session.Encryption = EncryptionMethod.SSL;

session.LogonAsInitiator("localhost", 443, true);

// Message exchange goes here.

session.Logout("TLS/SSL-encrypted connection is finished.");
Note

Limiting the TLS/SSL protocol versions is not recommended in normal cases, since it can prevent the most secure available protocol version from being used. It should therefore be used only when the default negotiation does not work.
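The negotiation described above and the trade-off in the Note, as an added illustration that is not part of this page or of the OnixS engine: a small Python model of the handshake with constructed server profiles, showing why pinning MinProtocolVersion/MaxProtocolVersion rescues a connection to a restrictive server but gives up TLS 1.3 against a compliant one.

```python
"""Model of the TLS/SSL version negotiation described on this page (illustration only)."""
from typing import Dict, Optional, Set

# Protocol versions the page lists, in ascending order of preference.
VERSIONS = ["SSL3", "TLS10", "TLS11", "TLS12", "TLS13"]


def _rank(version: str) -> int:
    return VERSIONS.index(version)


def negotiate(client_min: str, client_max: str, server_versions: Set[str],
              server_strict: bool = False) -> Optional[str]:
    """Return the version a handshake settles on, or None if the server rejects it.

    client_min/client_max model Ssl.MinProtocolVersion / MaxProtocolVersion; the
    engine default is the full range, and the client offers client_max.
    server_versions are the versions the server allows.
    server_strict models the restrictive servers the page mentions: they accept only
    an offer that is exactly their single version instead of falling back to the
    highest version both sides support.
    """
    if _rank(client_min) > _rank(client_max):
        raise ValueError("MinProtocolVersion must not exceed MaxProtocolVersion")
    if server_strict:
        (only,) = server_versions  # a strict server allows exactly one version
        return only if client_max == only else None
    # Compliant server: highest version in the client's range that it also supports.
    common = [v for v in VERSIONS
              if _rank(client_min) <= _rank(v) <= _rank(client_max) and v in server_versions]
    return common[-1] if common else None


def scenarios() -> Dict[str, Optional[str]]:
    """The cases the text and the Note describe, against two constructed servers."""
    modern = {"TLS12", "TLS13"}  # constructed: a normal, compliant server
    pinned = {"TLS12"}           # constructed: a restrictive server allowing TLS 1.2 only
    return {
        "default client, compliant server": negotiate("SSL3", "TLS13", modern),
        "default client, strict TLS1.2-only server": negotiate("SSL3", "TLS13", pinned, True),
        "client pinned to TLS1.2, strict server": negotiate("TLS12", "TLS12", pinned, True),
        "client pinned to TLS1.2, compliant server": negotiate("TLS12", "TLS12", modern),
    }
```

The last scenario is the cost the Note warns about: the pinned client still connects to a compliant server, but with TLS 1.2 rather than the TLS 1.3 it would otherwise have negotiated.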
