Disable TLS certificate verification after EMA 3.5 to 3.6.1 upgrade (Java)
We are using EMA with the RRT Optimized AWS endpoints. As such, the servers that we are trying to connect to appear to lie in our own network, and we have custom hostnames/IP addresses - but the actual servers are hosted by Refinitiv in Singapore.
We recently upgraded from EMA 3.5 to 3.6.1 (Java) to find we see the following error. It seems that the new EMA API is attempting to verify the TLS certificate hostname. This will naturally fail in an AWS endpoint scenario because we won't be using the Refinitiv hostname.
When we connect to the internal IP address, we see a certificate issued to 'apac-1-t1.streaming-pricing-api.refinitiv.com'.
We would like to disable TLS certificate verification (or at least the hostname verification). Although this is normally extremely reckless, because we are using an AWS endpoint, we know that the communication is not going to be subject to MITM attacks.
Here is the error we see in our logs. The presence of 'subject alternative DNS name' is proof that the problem is because of the TLS certificate verification.
Please help us to investigate why we saw this regression moving from EMA 3.5 to EMA 3.6.1 and let us know how we can address it (example: registering our own Java trust manager, or otherwise setting an option to disable the verification that EMA is passing to its HTTP client library).
[18:53:31,908] WARN [our process] main - loggerMsg
ClientName: ChannelCallbackClient
Severity: Warning
Text: Received ChannelDownReconnecting event on channel Channel_1
RsslReactor @6574a52c
RsslChannel @6c1a5b54
Error Id 0
Internal sysError 0
Error Location Reactor.processWorkerEvent
Error text Error initializing channel: errorId=-1 text=No subject alternative DNS name matching our-hostname.our-domain.com found.
loggerMsgEnd
Best Answer
We do not recommend the disabling of TLS certificate validation - as we consider this to be highly insecure. The recommendation is for you to create a private DNS entry so that something like ‘apac-1-t1.streaming-pricing-api.refinitiv.com’ (the RRT Optimized endpoint) resolves to ‘abcd.privatelink.efgh.com’ (your private link).
1
Answers
I found that the code has been changed in the Refinitiv Real-Time SDK 3.6.
sslParameters.setEndpointIdentificationAlgorithm(ENDPOINT_IDENTIFICATION_ALGORITHM);
I couldn't find this line in the 3.5 version.
When I remove this line, the application can connect to the server properly without the "No subject alternative DNS name matching xxx found" error.
I couldn't find an option used to disable this feature in the Refinitiv Real-Time SDK.
Therefore, you can build your own library by removing that line. Otherwise, you can raise an issue in GitHub to provide a parameter to turn off this feature.
0
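As an added example (not code from the question, the SDK, or either answer), here is a small Java pre-flight tool that applies the same setting the answer above found in RTSDK 3.6, `setEndpointIdentificationAlgorithm("HTTPS")`, to a plain `SSLSocket` for the host and port given on the command line. It either reports which certificate name the connected hostname satisfied, or fails with the same "No subject alternative DNS name matching ..." error, which tells you the name that has to be mapped to the private-link address in DNS, as the best answer recommends. The class and method names are my own.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsHostnamePreflight { // hypothetical tool, not part of EMA or the RTSDK
    /** RFC 6125 dNSName match: case-insensitive, '*' allowed only as the whole leftmost label. */
    static boolean dnsNameMatches(String san, String host) {
        san = san.toLowerCase(); host = host.toLowerCase();
        if (!san.startsWith("*.")) return san.equals(host);
        int dot = host.indexOf('.');
        // The wildcard must not stand for a public suffix ("*.com") or span several labels.
        return dot > 0 && san.indexOf('.', 2) > 0 && host.substring(dot).equals(san.substring(1));
    }
    /** The dNSName (GeneralName type 2) entries of the certificate's subjectAltName extension. */
    static List<String> dnsSans(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() == null) return out;
        for (List<?> entry : cert.getSubjectAlternativeNames())
            if (Integer.valueOf(2).equals(entry.get(0))) out.add((String) entry.get(1));
        return out;
    }
    /** Handshakes with endpoint identification on and returns the certificate name the host satisfied. */
    static String preflight(String host, int port) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // the setting the SDK added in 3.6
            sock.setSSLParameters(params);
            sock.startHandshake(); // SSLHandshakeException "No subject alternative DNS name matching ..." on mismatch
            X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            for (String san : dnsSans(leaf)) if (dnsNameMatches(san, host)) return san;
            return leaf.getSubjectX500Principal().getName(); // no dNSName matched: IP literal SAN or legacy CN fallback
        }
    }
    public static void main(String[] args) throws Exception {
        String host = args[0]; int port = Integer.parseInt(args[1]);
        try {
            System.out.println("OK: " + host + " is covered by certificate name " + preflight(host, port));
        } catch (SSLHandshakeException e) {
            System.out.println("FAIL: " + e.getMessage() + " -> map a name the certificate carries to the private address in DNS");
        }
    }
}
```

Run it against the private-link hostname before and after adding the DNS entry; chain validation stays fully on, only the name comparison is what the entry fixes.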