Using TLS/SSL Encryption in Session Connections

For security in FIX messaging, the OnixS .NET Framework FIX Engine provides the ability to encrypt FIX connections with the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols. SSL v3.0, TLS v1.0, v1.1, v1.2 are supported. The actual protocol and version are chosen automatically by a server side during the TLS/SSL Handshake. The client sends the highest version number that is supported and the server sends the highest version number that is supported by both sides. This is the protocol version that will be used during the connection.

Encrypting FIX Connections with TLS/SSL

To use TLS/SSL in FIX connectivity the following steps should be taken:

If the counterparty requires client-side certificate set both SSL.CertificateFile and SSL.PrivateKeyFile parameters in Engine configuration settings or use SslCertificateFile and SslPrivateKeyFile properties of EngineSettings object. They can refer to the same file if it contains both the certificate and the private key and moreover SSL.CertificateFile configuration setting can refer to a certificate chain file with multiple CA certificates. Also, there is an ability to set TLS/SSL settings on a per-session basis using Ssl members.
Set Encryption property to SSL right after the creation of the Session object.
Establish the FIX Connection as usual.

Example

Copy

EngineSettings settings = new EngineSettings();

// The next two assignments are only needed if the
// counterparty requires client-side TLS/SSL certificate:

settings.SslCertificateFile = "SSL_Certificate_File.pem";

// Could be the same file as above.
settings.SslPrivateKeyFile = "SSL_PrivateKey_File.pem";

Engine.Init(settings);

Session session = new Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44);

session.Encryption = EncryptionMethod.SSL;

session.LogonAsInitiator("localhost", 443, true);

// Message exchange goes here.

session.Logout("TLS/SSL-encrypted connection is finished.");



// Or on per-session basis

Session session2 = new Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44);

session2.Encryption = EncryptionMethod.SSL;
session2.Ssl.CertificateFile = "SSL_Certificate_File_2.pem";
session2.Ssl.PrivateKeyFile = "SSL_PrivateKey_File_2.pem";

session2.LogonAsInitiator("localhost", 443, true);

// Message exchange goes here.

session2.Logout("TLS/SSL-encrypted connection is finished.");

Copy

Dim settings As New EngineSettings()

' The next two assignments are only needed if the
' counterparty requires client-side TLS/SSL certificate:

settings.SslCertificateFile = "SSL_Certificate_File.pem"

' Could be the same file as above.
settings.SslPrivateKeyFile = "SSL_PrivateKey_File.pem"

Engine.Init(settings)

Dim session As New Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44)

session.Encryption = EncryptionMethod.SSL

session.LogonAsInitiator("localhost", 443, True)

' Message exchange goes here.

session.Logout("TLS/SSL-encrypted connection is finished.")



' Or on per-session basis

Dim session2 As New Session("SenderCompID", "TargetCompID", ProtocolVersion.FIX44)

session2.Encryption = EncryptionMethod.SSL;
session2.Ssl.CertificateFile = "SSL_Certificate_File_2.pem";
session2.Ssl.PrivateKeyFile = "SSL_PrivateKey_File_2.pem";

session2.LogonAsInitiator("localhost", 443, True);

' Message exchange goes here.

session2.Logout("TLS/SSL-encrypted connection is finished.");

Reference

SslCertificateFile

SslListenPort

SslPrivateKeyFile