introduces tls configuration

Author: Chris Busbey

Diff for: _test_data/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIJAPGKEAYOJZ1BMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
+BAMMCWdvdGxzdGVzdDAeFw0xNjA4MDQxMzU4MTdaFw0yNjA4MDIxMzU4MTdaMBQx
+EjAQBgNVBAMMCWdvdGxzdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAKFHVRQr/yBkjSigBoYn+LAKeWLV5MPgiYGrOMJy5fj0KMTVEpERhyEfVQP8
+dRIOK79qFowgG4y2PoUgqZlh7yag8xvY5RTO3E/AYMQKT4E3w3Wv7SfwG5RiIYGp
+c5FnpTEFyXYisdbKv8lJqXm+X3jS4V458z/9j8vBN5O+q0hdHrDcxKLG2XrvkS7j
+w9vkN4PUyDmOIxLuSws8IALgoZ+RgeGyCIR6YepUk89PdU9dDdwXfW7d/t7H/UOm
+GW1/tlHPwaemFwI+WZ7NWSTyXg/w82cC1a8bVBSU2hvzKgoPC3Gcitu90AXbSe4I
+j9I0hWBjQluuWOaLZYjSzE2GlZMCAwEAAaOBgzCBgDAdBgNVHQ4EFgQU1YptIoNr
+ieOAqHc1Yi6ABH66BP0wRAYDVR0jBD0wO4AU1YptIoNrieOAqHc1Yi6ABH66BP2h
+GKQWMBQxEjAQBgNVBAMMCWdvdGxzdGVzdIIJAPGKEAYOJZ1BMAwGA1UdEwQFMAMB
+Af8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA64DX2whJrxTdvSJX1
+mQ/bzHoqmT61qvTlk2qkiW7H2n9+KKKHlUp0my7b13S0DH7db9zNcnnbFLhNkoy6
+LQyDh4SU29PCkD8898nVHKX9KJBrHvRi/cfd/p3zpcrBGOhr/3dWlcgGx8CCUWCw
+u8KlWBJheD/1ljm2zuZMPq6sc/BouHrXczbtGri/cu9BQRSNGoZ4FOe37B11LjyB
+vhnjRINmvnUUhQT3eiqBcriyg5K/yZhDZv+sKnOyqj/3j8emcmGzLoFao4Sj3X9B
+Dz1tzXKGHJzyfkpQIIjegZRKIwHz2C+gxYPgjbyyvCZQH6jhiXGF9OpLrCvMmvss
+rRiW
+-----END CERTIFICATE-----

Diff for: _test_data/localhost.crt

@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            83:d2:c3:07:a1:bd:25:ad:d7:c1:5d:47:f2:c3:4b:b9
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=gotlstest
+        Validity
+            Not Before: Aug  4 14:00:05 2016 GMT
+            Not After : Aug  2 14:00:05 2026 GMT
+        Subject: CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:9a:5e:80:58:07:16:6c:e5:3d:57:5b:60:ad:27:
+                    09:fe:dc:cc:53:64:5d:b4:d3:dd:ca:c0:24:c2:51:
+                    ac:84:84:d3:27:79:a9:28:7b:d7:9b:83:ba:93:9f:
+                    e5:0b:0a:77:c4:66:55:b9:b2:67:c5:9b:a3:21:42:
+                    af:94:f6:03:6d:a8:9e:b2:42:91:99:5e:68:95:f1:
+                    02:59:4c:da:55:c1:35:d3:c2:e8:ab:dd:f0:26:18:
+                    02:11:4d:46:69:68:cd:05:2f:5d:e4:27:b1:6b:50:
+                    e5:70:01:bf:83:82:2c:0d:cc:5b:4f:6f:93:7d:ad:
+                    d6:5f:37:b7:f6:08:ab:2d:c1:1b:8d:e3:e0:85:97:
+                    55:29:2c:13:79:8d:a3:66:5f:dd:51:43:30:9e:d0:
+                    55:61:7d:18:fd:0f:7d:4a:6f:f4:d8:08:ba:3b:32:
+                    d3:b8:0c:4f:1b:c9:16:3c:71:77:1e:05:b1:fe:0a:
+                    eb:6e:e7:27:69:c5:fe:31:91:f2:05:9f:fb:6c:70:
+                    e5:7f:15:46:d9:3e:a4:39:99:d5:51:42:24:a2:63:
+                    a3:29:e8:dd:17:3f:79:73:ef:a6:ec:d8:9a:96:4f:
+                    65:30:70:40:0a:98:ad:3a:60:a2:10:c6:30:92:5c:
+                    f8:6c:c7:4e:1f:a6:b3:10:95:11:5c:2f:9b:2a:95:
+                    92:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                02:29:1F:26:4A:25:01:47:61:50:01:A8:B2:DB:38:53:F9:EA:8E:27
+            X509v3 Authority Key Identifier: 
+                keyid:D5:8A:6D:22:83:6B:89:E3:80:A8:77:35:62:2E:80:04:7E:BA:04:FD
+                DirName:/CN=gotlstest
+                serial:F1:8A:10:06:0E:25:9D:41
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+        0c:69:32:44:b1:56:f0:d6:90:aa:6e:42:35:0d:f2:56:c0:58:
+        c9:f8:4c:a7:29:de:74:06:03:85:fe:ca:c1:34:d1:1a:51:c0:
+        aa:b8:06:bf:a0:c1:e1:1c:b7:57:74:09:53:ba:38:05:ce:8d:
+        1a:e9:02:f9:d9:76:99:42:99:e6:57:3c:2a:00:7f:a7:1c:a7:
+        5b:69:34:41:cd:e5:0f:35:ad:ff:c5:0f:e5:b9:ca:11:05:4b:
+        5a:06:5d:ca:62:03:0a:5e:22:59:02:a8:9e:68:81:50:45:23:
+        73:e6:08:e5:3c:d4:04:af:4c:c0:e2:5b:44:ea:f3:8a:11:a3:
+        b7:3f:8b:44:f8:e6:da:b9:08:0e:2f:3c:f8:b4:7e:9f:f5:74:
+        d2:74:3a:52:f8:8f:60:b6:79:96:7c:08:92:7d:1b:17:d3:fc:
+        04:28:82:ab:c9:84:10:00:4f:f3:04:62:48:7d:62:f2:24:06:
+        11:b8:ff:85:66:93:12:3b:e1:34:88:16:73:a2:c3:e3:e7:96:
+        32:db:08:7f:86:5b:f4:4d:db:28:3f:65:11:ac:43:ed:41:be:
+        03:ab:69:e2:bc:72:d1:1f:6c:2a:11:7c:3e:6e:e2:a4:1b:77:
+        6f:10:ab:b2:76:d7:82:ea:10:23:5c:f1:b7:ab:07:ae:3d:05:
+        32:1f:a6:a7
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIRAIPSwwehvSWt18FdR/LDS7kwDQYJKoZIhvcNAQELBQAw
+FDESMBAGA1UEAwwJZ290bHN0ZXN0MB4XDTE2MDgwNDE0MDAwNVoXDTI2MDgwMjE0
+MDAwNVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAml6AWAcWbOU9V1tgrScJ/tzMU2RdtNPdysAkwlGshITTJ3mp
+KHvXm4O6k5/lCwp3xGZVubJnxZujIUKvlPYDbaieskKRmV5olfECWUzaVcE108Lo
+q93wJhgCEU1GaWjNBS9d5Cexa1DlcAG/g4IsDcxbT2+Tfa3WXze39girLcEbjePg
+hZdVKSwTeY2jZl/dUUMwntBVYX0Y/Q99Sm/02Ai6OzLTuAxPG8kWPHF3HgWx/grr
+bucnacX+MZHyBZ/7bHDlfxVG2T6kOZnVUUIkomOjKejdFz95c++m7Nialk9lMHBA
+CpitOmCiEMYwklz4bMdOH6azEJURXC+bKpWSNwIDAQABo4GVMIGSMAkGA1UdEwQC
+MAAwHQYDVR0OBBYEFAIpHyZKJQFHYVABqLLbOFP56o4nMEQGA1UdIwQ9MDuAFNWK
+bSKDa4njgKh3NWIugAR+ugT9oRikFjAUMRIwEAYDVQQDDAlnb3Rsc3Rlc3SCCQDx
+ihAGDiWdQTATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwDQYJKoZI
+hvcNAQELBQADggEBAAxpMkSxVvDWkKpuQjUN8lbAWMn4TKcp3nQGA4X+ysE00RpR
+wKq4Br+gweEct1d0CVO6OAXOjRrpAvnZdplCmeZXPCoAf6ccp1tpNEHN5Q81rf/F
+D+W5yhEFS1oGXcpiAwpeIlkCqJ5ogVBFI3PmCOU81ASvTMDiW0Tq84oRo7c/i0T4
+5tq5CA4vPPi0fp/1dNJ0OlL4j2C2eZZ8CJJ9GxfT/AQogqvJhBAAT/MEYkh9YvIk
+BhG4/4VmkxI74TSIFnOiw+PnljLbCH+GW/RN2yg/ZRGsQ+1BvgOraeK8ctEfbCoR
+fD5u4qQbd28Qq7J214LqECNc8berB649BTIfpqc=
+-----END CERTIFICATE-----

Diff for: _test_data/localhost.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAml6AWAcWbOU9V1tgrScJ/tzMU2RdtNPdysAkwlGshITTJ3mp
+KHvXm4O6k5/lCwp3xGZVubJnxZujIUKvlPYDbaieskKRmV5olfECWUzaVcE108Lo
+q93wJhgCEU1GaWjNBS9d5Cexa1DlcAG/g4IsDcxbT2+Tfa3WXze39girLcEbjePg
+hZdVKSwTeY2jZl/dUUMwntBVYX0Y/Q99Sm/02Ai6OzLTuAxPG8kWPHF3HgWx/grr
+bucnacX+MZHyBZ/7bHDlfxVG2T6kOZnVUUIkomOjKejdFz95c++m7Nialk9lMHBA
+CpitOmCiEMYwklz4bMdOH6azEJURXC+bKpWSNwIDAQABAoIBAF3cJ91eMdx0Zh+/
+h8DAg+tbBUGPPQq955VnzvH4BxVsTZcq+heLdUUxizhHeFSGQNxB/M20FDSqtT17
+9pZ0HxGF/TgWEcFXDfBdYjg56mdJ2xiu4hneEC6ZWmh6u91Lw5zreANJvy6pOVgp
+N/EWLQMWxk4+YUeBc17h2hDWpH5kgkVSot4IGjdstUSxbEZCDePBqxEoZNgyloNn
+a8IuNWSB82GB0tujmWelK9xcg7A2OOC7E9PsQNfc/SkxK1enTxyVpS2yuFCtqUVZ
+ix5rBeExEA3Jk3bQoznpkDv8FbW44mWRGl+kLEXjKpdBzv1VrC5BHAhrCgIfeXnk
+tAp5B4ECgYEAx59RETheQyeDuBmC5Elfkp5+0OBo/LcU/8FS5DwoQgfIEuYMKDeq
+yBf2n6YIsWPO2wXxLd3vLQFUxAQfgDqKC2SGeJoLkKo1K/8gjmtPChc0ooODLlQX
+tPJBv6/+oPjaBvtKutpQ3y/2zBagv0SbbAjaFzTNoXgSOv3vUj7bTB8CgYEAxfdh
+xwXQ1s1YGUWU8TnLEi1zVMdF2XVezeaWhPMuns2it3LS+Ge4nCtAYBEJOmpvujHK
+xJ0mGbuP+xNmfd2se34lUCSqfSodtPVUN8nMBAFmS770JHR+gn+k5TKYlt+Crbng
+zh0ej4ffegPvO1gboncQJgzGWGKjp+XlH3M5dukCgYEAkIiGrrwsa90BXtuBzP5f
+J46AbYX+HfQFTURRWxU/ZMezkhNke/4KNkQ7ec5CfwWv8R81R6toECLll+MQV8yK
+xMLtJgcLFpxWUVuw281QdhLlNkGYSoPygj3hYwPvjeeAHQv3SKDnayGURKKhkrr+
++VLTbXf65s1EDdhsXhVKvKsCgYBRnmjFsXQk24yS/sklm3pKCEsgjPgTa/ymT4eH
+UOvLtWR81e59U+YdHQfxk5SGbRObZKQA4/mtalM2ZQ1An4BZeezQWg2ghRiyXuNW
+DPD8RcdzO0tVLGJsU0wc4vteWNB758Lzt7W933sXxz9+7BiYpxYVWfb8wc5Pjs0k
+ZlEu4QKBgHwAGTSOL42WemEJ/FizWBxzc9RQ6Ipo6Erm3raYYhuM/0WK7rahRUU7
+1N1ghSQH6MIm+PdsKl9wbdDEySN2PPPioNOWOmi6SS1oEq8fs1Qizn8x2pmKIvHS
+L3CqlpjHdj50rbBwk2diboN+0FIanlFiM6kL8WmCmVGrV4QhMdUg
+-----END RSA PRIVATE KEY-----

Diff for: acceptor.go

@@ -1,10 +1,12 @@
 package quickfix
 
 import (
+	"crypto/tls"
 	"fmt"
-	"github.com/quickfixgo/quickfix/config"
 	"net"
 	"strconv"
+
+	"github.com/quickfixgo/quickfix/config"
 )
 
 //Acceptor accepts connections from FIX clients and manages the associated sessions.
@@ -19,17 +21,29 @@ type Acceptor struct {
 }
 
 //Start accepting connections.
-func (a *Acceptor) Start() (e error) {
+func (a *Acceptor) Start() error {
 	port, err := a.settings.GlobalSettings().IntSetting(config.SocketAcceptPort)
 	if err != nil {
 		return fmt.Errorf("error fetching required SocketAcceptPort: %v", err)
 	}
 
-	server, err := net.Listen("tcp", ":"+strconv.Itoa(port))
-	if server == nil {
+	var tlsConfig *tls.Config
+	if tlsConfig, err = loadTLSConfig(a.settings); err != nil {
 		return err
 	}
 
+	var server net.Listener
+	address := ":" + strconv.Itoa(port)
+	if tlsConfig != nil {
+		if server, err = tls.Listen("tcp", address, tlsConfig); err != nil {
+			return err
+		}
+	} else {
+		if server, err = net.Listen("tcp", address); err != nil {
+			return err
+		}
+	}
+
 	connections := a.listenForConnections(server)
 
 	a.quitChan = make(chan bool)
@@ -39,7 +53,7 @@ func (a *Acceptor) Start() (e error) {
 		}
 	}()
 
-	return
+	return nil
 }
 
 //Stop logs out existing sessions, close their connections, and stop accepting new connections.

Diff for: config/configuration.go

@@ -8,6 +8,9 @@ const (
 	SocketAcceptPort         string = "SocketAcceptPort"
 	SocketConnectHost        string = "SocketConnectHost"
 	SocketConnectPort        string = "SocketConnectPort"
+	SocketPrivateKeyFile     string = "SocketPrivateKeyFile"
+	SocketCertificateFile    string = "SocketCertificateFile"
+	SocketCAFile             string = "SocketCAFile"
 	DefaultApplVerID         string = "DefaultApplVerID"
 	DataDictionary           string = "DataDictionary"
 	TransportDataDictionary  string = "TransportDataDictionary"

Diff for: config/doc.go

@@ -139,6 +139,18 @@ SocketAcceptPort
 
 Socket port for listening to incoming connections, Only used with for acceptors. Value must be	positive integer, valid open socket port.
 
+SocketPrivateKeyFile
+
+Private key to use for secure TLS connections.  Must be used with SocketCertificateFile.
+
+SocketCertificateFile
+
+Certificate to use for secure TLS connections. Must be used with SocketPrivateKeyFile.
+
+SocketCAFile
+
+Optional root CA to use for secure TLS connections. For acceptors, client certificates will be verified against this CA.  For initiators, clients will use the CA to verify the server certificate. If not configurated, initiators will verify the server certificate using the host's root CA set.
+
 FileLogPath
 
 Directory to store logs.	Value must be valid directory for storing files, application must have write access.

Diff for: connection.go

@@ -2,13 +2,14 @@ package quickfix
 
 import (
 	"bufio"
+	"crypto/tls"
 	"io"
 	"net"
 	"time"
 )
 
 //Picks up session from net.Conn Initiator
-func handleInitiatorConnection(address string, log Log, sessID SessionID, quit chan bool, reconnectInterval time.Duration) {
+func handleInitiatorConnection(address string, log Log, sessID SessionID, quit chan bool, reconnectInterval time.Duration, tlsConfig *tls.Config) {
 	session := activate(sessID)
 	if session == nil {
 		log.OnEventf("Session not found for SessionID: %v", sessID)
@@ -21,9 +22,27 @@ func handleInitiatorConnection(address string, log Log, sessID SessionID, quit c
 		msgIn := make(chan fixIn)
 		msgOut := make(chan []byte)
 
-		netConn, err := net.Dial("tcp", address)
-		if err != nil {
-			goto reconnect
+		var netConn net.Conn
+		if tlsConfig != nil {
+			tlsConn, err := tls.Dial("tcp", address, tlsConfig)
+			if err != nil {
+				log.OnEventf("Failed to connect: %v", err)
+				goto reconnect
+			}
+
+			err = tlsConn.Handshake()
+			if err != nil {
+				log.OnEventf("Failed handshake:%v", err)
+				goto reconnect
+			}
+			netConn = tlsConn
+		} else {
+			var err error
+			netConn, err = net.Dial("tcp", address)
+			if err != nil {
+				log.OnEventf("Failed to connect: %v", err)
+				goto reconnect
+			}
 		}
 
 		go readLoop(newParser(bufio.NewReader(netConn)), msgIn)

Diff for: initiator.go

@@ -1,6 +1,7 @@
 package quickfix
 
 import (
+	"crypto/tls"
 	"fmt"
 	"time"
 
@@ -43,8 +44,12 @@ func (i *Initiator) Start() error {
 			}
 		}
 
+		var tlsConfig *tls.Config
+		if tlsConfig, err = loadTLSConfig(i.settings); err != nil {
+			return err
+		}
 		address := fmt.Sprintf("%v:%v", socketConnectHost, socketConnectPort)
-		go handleInitiatorConnection(address, i.globalLog, sessionID, i.quitChan, time.Duration(reconnectInterval)*time.Second)
+		go handleInitiatorConnection(address, i.globalLog, sessionID, i.quitChan, time.Duration(reconnectInterval)*time.Second, tlsConfig)
 	}
 
 	return nil

Diff for: tls.go

@@ -0,0 +1,74 @@
+package quickfix
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/quickfixgo/quickfix/config"
+)
+
+func loadTLSConfig(settings *Settings) (tlsConfig *tls.Config, err error) {
+	if !settings.GlobalSettings().HasSetting(config.SocketPrivateKeyFile) && !settings.GlobalSettings().HasSetting(config.SocketCertificateFile) {
+		return
+	}
+
+	privateKeyFile, err := settings.GlobalSettings().Setting(config.SocketPrivateKeyFile)
+	if err != nil {
+		return
+	}
+
+	certificateFile, err := settings.GlobalSettings().Setting(config.SocketCertificateFile)
+	if err != nil {
+		return
+	}
+
+	tlsConfig = defaultTLSConfig()
+	tlsConfig.Certificates = make([]tls.Certificate, 1)
+
+	if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
+		return
+	}
+
+	if !settings.GlobalSettings().HasSetting(config.SocketCAFile) {
+		return
+	}
+
+	caFile, err := settings.GlobalSettings().Setting(config.SocketCAFile)
+	if err != nil {
+		return
+	}
+
+	pem, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return
+	}
+
+	certPool := x509.NewCertPool()
+	if !certPool.AppendCertsFromPEM(pem) {
+		err = fmt.Errorf("Failed to parse %v", caFile)
+		return
+	}
+
+	tlsConfig.RootCAs = certPool
+	tlsConfig.ClientCAs = certPool
+	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+
+	return
+}
+
+//defaultTLSConfig brought to you by https://github.com/gtank/cryptopasta/
+func defaultTLSConfig() *tls.Config {
+	return &tls.Config{
+		// Avoids most of the memorably-named TLS attacks
+		MinVersion: tls.VersionTLS12,
+		// Causes servers to use Go's default ciphersuite preferences,
+		// which are tuned to avoid attacks. Does nothing on clients.
+		PreferServerCipherSuites: true,
+		// Only use curves which have constant-time implementations
+		CurvePreferences: []tls.CurveID{
+			tls.CurveP256,
+		},
+	}
+}