Quickfix library with python through stunnel

Question

I am trying to send FIX messages through a stunnel connection. I am using the quickfix Python library (quickfix==1.15.1). When I launch the initiator.start(), I can print a session number, using the method:

def onCreate(self, sessionID):
   print(sessionID.toString())
   return

However, the session disconnect automatically after initiator.start() is launched, with the following error message on the stunnel shell.

enter image description here

However, I do not have any error in my python shell. I don't know if the error is coming from my quickfix setup or my stunnel one.

Does anyone already encounter this issue? More broadly, how to debug quickfix in python? as the python library is only calling C binaries?

I tried to use the Go API for quickfix, and it seems I get the exact same error, meaning that it could either be an issue of quickfix configuration or stunnel configuration.

Answer 1

Let me further explain the situation:

I am using Docker in order to run stunnel. I run my Docker container using the (vimagick/stunnel public Docker image)

docker run -p 8080:8080 -v ./test_stunnel/:/app -it --entrypoint sh vimagick/stunnel

Then I am launching the stunnel using:

stunnel /app/stunnel.conf

It requests the passphrase. I am entering it.

My stunnel configuration file is:

CAfile=./Roots.crt
cert=./cert.pfx
client=yes
verify=1
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
debug=7
foreground=yes
output=./stunnel.log
[SESSION]
accept=8080
connect=EXAMPLE_URL:EXAMPLE_IP

I can see in my shell the following stunnel output (I replaced all private information with XXX):

Enter XXX.pfx pass phrase:
stunnel: LOG6[ui]: Initializing inetd mode configuration
2023.12.11 08:30:55 LOG6[ui]: Initializing inetd mode configuration
stunnel: LOG7[ui]: Clients allowed=512000
2023.12.11 08:30:55 LOG7[ui]: Clients allowed=512000
stunnel: LOG5[ui]: stunnel 5.57 on x86_64-alpine-linux-musl platform
2023.12.11 08:30:55 LOG5[ui]: stunnel 5.57 on x86_64-alpine-linux-musl platform
stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.1i  8 Dec 2020
2023.12.11 08:30:55 LOG5[ui]: Compiled with OpenSSL 1.1.1i  8 Dec 2020
stunnel: LOG5[ui]: Running  with OpenSSL 1.1.1k  25 Mar 2021
2023.12.11 08:30:55 LOG5[ui]: Running  with OpenSSL 1.1.1k  25 Mar 2021
stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2023.12.11 08:30:55 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
stunnel: LOG7[ui]: errno: (*__errno_location())
2023.12.11 08:30:55 LOG7[ui]: errno: (*__errno_location())
stunnel: LOG6[ui]: Initializing inetd mode configuration
2023.12.11 08:30:55 LOG6[ui]: Initializing inetd mode configuration
stunnel: LOG5[ui]: Reading configuration from file /app/conf.conf
2023.12.11 08:30:55 LOG5[ui]: Reading configuration from file /app/conf.conf
stunnel: LOG5[ui]: UTF-8 byte order mark not detected
2023.12.11 08:30:55 LOG5[ui]: UTF-8 byte order mark not detected
stunnel: LOG7[ui]: No PRNG seeding was required
2023.12.11 08:30:55 LOG7[ui]: No PRNG seeding was required
stunnel: LOG6[ui]: Initializing service [XXX]
2023.12.11 08:30:55 LOG6[ui]: Initializing service [XXX]
stunnel: LOG6[ui]: stunnel default security level set: 2
2023.12.11 08:30:55 LOG6[ui]: stunnel default security level set: 2
stunnel: LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2023.12.11 08:30:55 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
stunnel: LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.12.11 08:30:55 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
stunnel: LOG7[ui]: TLS options: 0x02100004 (+0x02000000, -0x00000000)
2023.12.11 08:30:55 LOG7[ui]: TLS options: 0x02100004 (+0x02000000, -0x00000000)
stunnel: LOG6[ui]: Loading certificate and private key from file: XXX.pfx
2023.12.11 08:30:55 LOG6[ui]: Loading certificate and private key from file: XXX.pfx
stunnel: LOG4[ui]: Insecure file permissions on XXX.pfx
2023.12.11 08:30:55 LOG4[ui]: Insecure file permissions on XXX.pfx
stunnel: LOG6[ui]: Certificate and private key loaded from file: XXX.pfx
2023.12.11 08:31:50 LOG6[ui]: Certificate and private key loaded from file: XXX.pfx
stunnel: LOG7[ui]: Private key check succeeded
2023.12.11 08:31:50 LOG7[ui]: Private key check succeeded
stunnel: LOG4[ui]: Service [XXX] uses "verifyChain" without subject checks
2023.12.11 08:31:50 LOG4[ui]: Service [XXX] uses "verifyChain" without subject checks
stunnel: LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
2023.12.11 08:31:50 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
stunnel: LOG6[ui]: DH initialization skipped: client section
2023.12.11 08:31:50 LOG6[ui]: DH initialization skipped: client section
stunnel: LOG7[ui]: ECDH initialization
2023.12.11 08:31:50 LOG7[ui]: ECDH initialization
stunnel: LOG7[ui]: ECDH initialized with curves XXX
2023.12.11 08:31:50 LOG7[ui]: ECDH initialized with curves XXX
stunnel: LOG5[ui]: Configuration successful
2023.12.11 08:31:50 LOG5[ui]: Configuration successful
stunnel: LOG7[ui]: Deallocating deployed section defaults
2023.12.11 08:31:50 LOG7[ui]: Deallocating deployed section defaults
stunnel: LOG7[ui]: Binding service [XXX]
2023.12.11 08:31:50 LOG7[ui]: Binding service [XXX]
stunnel: LOG7[ui]: Listening file descriptor created (FD=9)
2023.12.11 08:31:50 LOG7[ui]: Listening file descriptor created (FD=9)
stunnel: LOG7[ui]: Setting accept socket options (FD=9)
2023.12.11 08:31:50 LOG7[ui]: Setting accept socket options (FD=9)
stunnel: LOG7[ui]: Option SO_REUSEADDR set on accept socket
2023.12.11 08:31:50 LOG7[ui]: Option SO_REUSEADDR set on accept socket
stunnel: LOG6[ui]: Service [XXX] (FD=9) bound to 0.0.0.0:8080
2023.12.11 08:31:50 LOG6[ui]: Service [XXX] (FD=9) bound to 0.0.0.0:8080
stunnel: LOG7[ui]: No pid file being created
2023.12.11 08:31:50 LOG7[ui]: No pid file being created
stunnel: LOG7[cron]: Cron thread initialized
2023.12.11 08:31:50 LOG7[cron]: Cron thread initialized
stunnel: LOG6[cron]: Executing cron jobs
2023.12.11 08:31:50 LOG6[cron]: Executing cron jobs
stunnel: LOG6[cron]: Cron jobs completed in 0 seconds
2023.12.11 08:31:50 LOG6[cron]: Cron jobs completed in 0 seconds
stunnel: LOG7[cron]: Waiting 86400 seconds
2023.12.11 08:31:50 LOG7[cron]: Waiting 86400 seconds

From here it seems my stunnel is correctly up and running.

Then, I launch my quickfix application. I am running the following code:

python test.py

with the following test.py code:

import quickfix as fix

class Application(fix.Application):
    orderID = 0
    execID = 0
    def gen_ord_id(self):
        print("gen_ord_id")
        return 1

    def onCreate(self, sessionID):
        print("onCreate : Session (%s)" % sessionID.toString())
        return

    def onLogon(self, sessionID):
        self.sessionID = sessionID
        print("Successful Logon to session '%s'." % sessionID.toString())
        return

    def onLogout(self, sessionID):
        print("onLogout")
        return

    def toAdmin(self, sessionID, message):
        print("toAdmin")
        return

    def fromAdmin(self, sessionID, message):
        print("fromAdmin")
        return

    def toApp(self, sessionID, message):
        print("Recieved the following message: %s" % message.toString())
        return

    def fromApp(self, message, sessionID):
        print("fromApp")
        return


config_file = "./initiator.cfg"
settings = fix.SessionSettings(config_file)
application = Application()
storeFactory = fix.FileStoreFactory(settings)
logFactory = fix.FileLogFactory(settings)
initiator = fix.SocketInitiator(application, storeFactory, settings, logFactory)
initiator.start()

My initiator.cfg file is:

[DEFAULT]
ConnectionType=initiator
LogonTimeout=10
ReconnectInterval=30
FileLogPath=./Logs/

[SESSION]
BeginString=FIXT.1.1
DefaultApplVerID=9
SenderCompID=EXAMPLE_COMP_SENDER
TargetCompID=EXAMPLE_COMP_TARGET
StartTime=00:00:00
EndTime=00:00:00
HeartBtInt=30
CheckLatency=N
MaxLatency=240
SocketConnectPort=8080
SocketConnectHost=127.0.0.1
UseDataDictionary=Y
TransportDataDictionary=./FIX50SP2.xml
FileStorePath=./Sessions/

I want to run my quickfix application only to request quotes, meaning that I launch it as an initiator only. I confirm that the serveur I want to reach is working with FIX 5.0SP2 protocol. When running my python quickfix application, I receive the following logs :

In my python shell:

toAdmin
onCreate : Session (FIXT.1.1:XXX->XXX)

In my stunnel shell:

stunnel: LOG7[ui]: Found 1 ready file descriptor(s)
2023.12.11 08:44:51 LOG7[ui]: Found 1 ready file descriptor(s)
stunnel: LOG7[ui]: FD=4 events=0x2001 revents=0x0
2023.12.11 08:44:51 LOG7[ui]: FD=4 events=0x2001 revents=0x0
stunnel: LOG7[ui]: FD=9 events=0x2001 revents=0x1
2023.12.11 08:44:51 LOG7[ui]: FD=9 events=0x2001 revents=0x1
stunnel: LOG7[ui]: Service [XXX] accepted (FD=3) from IP:PORT
2023.12.11 08:44:51 LOG7[ui]: Service [XXX] accepted (FD=3) from IP:PORT
stunnel: LOG7[0]: Service [XXX] started
2023.12.11 08:44:51 LOG7[0]: Service [XXX] started
stunnel: LOG7[0]: Setting local socket options (FD=3)
2023.12.11 08:44:51 LOG7[0]: Setting local socket options (FD=3)
stunnel: LOG7[0]: Option TCP_NODELAY set on local socket
2023.12.11 08:44:51 LOG7[0]: Option TCP_NODELAY set on local socket
stunnel: LOG5[0]: Service [XXX] accepted connection from IP:PORT
2023.12.11 08:44:51 LOG5[0]: Service [XXX] accepted connection from IP:PORT
stunnel: LOG6[0]: s_connect: connecting IP:PORT
2023.12.11 08:44:51 LOG6[0]: s_connect: connecting IP:PORT
stunnel: LOG7[0]: s_connect: s_poll_wait IP:PORT: waiting 10 seconds
2023.12.11 08:44:51 LOG7[0]: s_connect: s_poll_wait IP:PORT: waiting 10 seconds
stunnel: LOG7[0]: FD=6 events=0x2001 revents=0x0
2023.12.11 08:44:51 LOG7[0]: FD=6 events=0x2001 revents=0x0
stunnel: LOG7[0]: FD=11 events=0x2005 revents=0x0
2023.12.11 08:44:51 LOG7[0]: FD=11 events=0x2005 revents=0x0
stunnel: LOG5[0]: s_connect: connected IP:PORT
2023.12.11 08:44:51 LOG5[0]: s_connect: connected IP:PORT
stunnel: LOG5[0]: Service [XXX] connected remote server from IP:PORT
2023.12.11 08:44:51 LOG5[0]: Service [XXX] connected remote server from IP:PORT
stunnel: LOG7[0]: Setting remote socket options (FD=11)
2023.12.11 08:44:51 LOG7[0]: Setting remote socket options (FD=11)
stunnel: LOG7[0]: Option TCP_NODELAY set on remote socket
2023.12.11 08:44:51 LOG7[0]: Option TCP_NODELAY set on remote socket
stunnel: LOG7[0]: Remote descriptor (FD=11) initialized
2023.12.11 08:44:51 LOG7[0]: Remote descriptor (FD=11) initialized
stunnel: LOG6[0]: SNI: sending servername: SERVER_URL
2023.12.11 08:44:51 LOG6[0]: SNI: sending servername: SERVER_URL
stunnel: LOG6[0]: Peer certificate not required
2023.12.11 08:44:51 LOG6[0]: Peer certificate not required
stunnel: LOG7[0]: TLS state (connect): before SSL initialization
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): before SSL initialization
stunnel: LOG7[0]: Initializing application specific data for session authenticated
2023.12.11 08:44:51 LOG7[0]: Initializing application specific data for session authenticated
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
stunnel: LOG7[0]: Verification started at depth=2: CN=XXX Client Root CA
2023.12.11 08:44:51 LOG7[0]: Verification started at depth=2: CN=XXX Client Root CA
stunnel: LOG7[0]: CERT: Pre-verification succeeded
2023.12.11 08:44:51 LOG7[0]: CERT: Pre-verification succeeded
stunnel: LOG6[0]: Certificate accepted at depth=2: CN=XXX Client Root CA
2023.12.11 08:44:51 LOG6[0]: Certificate accepted at depth=2: CN=XXX Client Root CA
stunnel: LOG7[0]: Verification started at depth=1: DC=root, DC=dmz, CN=XXX Client SubCA1
2023.12.11 08:44:51 LOG7[0]: Verification started at depth=1: DC=root, DC=dmz, CN=XXX Client SubCA1
stunnel: LOG7[0]: CERT: Pre-verification succeeded
2023.12.11 08:44:51 LOG7[0]: CERT: Pre-verification succeeded
stunnel: LOG6[0]: Certificate accepted at depth=1: DC=root, DC=dmz, CN=XXX Client SubCA1
2023.12.11 08:44:51 LOG6[0]: Certificate accepted at depth=1: DC=root, DC=dmz, CN=XXX Client SubCA1
stunnel: LOG7[0]: Verification started at depth=0: C=US, ST=New York, L=New York, O=XXX Holdings Inc., OU=Network Engineering, CN=SERVICE_NAME, [email protected]
2023.12.11 08:44:51 LOG7[0]: Verification started at depth=0: C=US, ST=New York, L=New York, O=XXX Holdings Inc., OU=Network Engineering, CN=SERVICE_NAME, [email protected]
stunnel: LOG7[0]: CERT: Pre-verification succeeded
2023.12.11 08:44:51 LOG7[0]: CERT: Pre-verification succeeded
stunnel: LOG6[0]: CERT: No subject checks configured
2023.12.11 08:44:51 LOG6[0]: CERT: No subject checks configured
stunnel: LOG5[0]: Certificate accepted at depth=0: C=US, ST=New York, L=New York, O=XXX Holdings Inc., OU=Network Engineering, CN=SERVICE_NAME, [email protected]
2023.12.11 08:44:51 LOG5[0]: Certificate accepted at depth=0: C=US, ST=New York, L=New York, O=XXX Holdings Inc., OU=Network Engineering, CN=service_name, [email protected]
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
stunnel: LOG6[0]: Empty client CA list
2023.12.11 08:44:51 LOG6[0]: Empty client CA list
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate request
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate request
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client certificate
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write client certificate
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write certificate verify
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write certificate verify
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec
stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2023.12.11 08:44:51 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
stunnel: LOG7[0]: New session callback
2023.12.11 08:44:51 LOG7[0]: New session callback
stunnel: LOG7[0]: Peer certificate was cached (5802 bytes)
2023.12.11 08:44:51 LOG7[0]: Peer certificate was cached (5802 bytes)
stunnel: LOG6[0]: Session id: XXX
2023.12.11 08:44:51 LOG6[0]: Session id: XXX
stunnel: LOG7[0]:      1 client connect(s) requested
2023.12.11 08:44:51 LOG7[0]:      1 client connect(s) requested
stunnel: LOG7[0]:      1 client connect(s) succeeded
2023.12.11 08:44:51 LOG7[0]:      1 client connect(s) succeeded
stunnel: LOG7[0]:      0 client renegotiation(s) requested
2023.12.11 08:44:51 LOG7[0]:      0 client renegotiation(s) requested
stunnel: LOG7[0]:      0 session reuse(s)
2023.12.11 08:44:51 LOG7[0]:      0 session reuse(s)
stunnel: LOG6[0]: TLS connected: new session negotiated
2023.12.11 08:44:51 LOG6[0]: TLS connected: new session negotiated
stunnel: LOG6[0]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2023.12.11 08:44:51 LOG6[0]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
stunnel: LOG6[0]: Peer temporary key: ECDH, P-256, 256 bits
2023.12.11 08:44:51 LOG6[0]: Peer temporary key: ECDH, P-256, 256 bits
stunnel: LOG6[0]: Read socket closed (readsocket)
2023.12.11 08:44:51 LOG6[0]: Read socket closed (readsocket)
stunnel: LOG7[0]: Sending close_notify alert
2023.12.11 08:44:51 LOG7[0]: Sending close_notify alert
stunnel: LOG7[0]: TLS alert (write): warning: close notify
2023.12.11 08:44:51 LOG7[0]: TLS alert (write): warning: close notify
stunnel: LOG6[0]: SSL_shutdown successfully sent close_notify alert
2023.12.11 08:44:51 LOG6[0]: SSL_shutdown successfully sent close_notify alert
stunnel: LOG6[0]: SSL_read: Socket is closed
2023.12.11 08:44:51 LOG6[0]: SSL_read: Socket is closed
stunnel: LOG6[0]: TLS socket closed (SSL_read)
2023.12.11 08:44:51 LOG6[0]: TLS socket closed (SSL_read)
stunnel: LOG7[0]: Sent socket write shutdown
2023.12.11 08:44:51 LOG7[0]: Sent socket write shutdown
stunnel: LOG5[0]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.12.11 08:44:51 LOG5[0]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
stunnel: LOG7[0]: Remote descriptor (FD=11) closed
2023.12.11 08:44:51 LOG7[0]: Remote descriptor (FD=11) closed
stunnel: LOG7[0]: Local descriptor (FD=3) closed
2023.12.11 08:44:51 LOG7[0]: Local descriptor (FD=3) closed
stunnel: LOG7[0]: Service [XXX] finished (0 left)
2023.12.11 08:44:51 LOG7[0]: Service [XXX] finished (0 left)

I don't understand why the stunnel is disconnecting directly after the initiator.start. Isn't it supposed to stay up? waiting for subsequent FIX messages? Also, how to test sending an heartbeat request?