Troubleshooting FIX mTLS Connectivity

Context:

Paxos employs mTLS to secure connections between the FIX Server and its clients. As part of the onboarding process, a certificate must be generated for the FIX Client and configured on both the server (Paxos) and client side to enable FIX integration.

If you are unable to connect after completing the initial client-side configuration, please refer to the troubleshooting steps below.


Troubleshooting Steps:

1) Check Network Connectivity:

telnet itbit-clientname.exchange.gfix.prod.itbitprod.com 4198


Trying 44.218.151.59...
Connected to itbit-clientname.exchange.gfix.prod.itbitprod.com.
Escape character is '^]'.

Please use the FIX server address and port provided by Paxos during onboarding.

If the command does not indicate a successful connection to the server, it could be due to one of the following reasons:

  • No internet access to resolve DNS
  • Incorrect server address or port
  • Corporate firewall blocking the connection
  • Your IP is not allowlisted by Paxos.


2) Verify Stunnel Configuration & Enable Debug Logs

If your FIX Client does not natively support TLS connections, you can use a Stunnel proxy. The FIX client must be configured to connect to Stunnel, which then uses the certificates provided during onboarding to establish an mTLS connection to the FIX server.

Example Stunnel Configuration

client = yes
foreground = yes
output = /log_path/filename.log
; Enable verbose logging if required
; debug = 7

[fix-itbit-exchange-prod]
client = yes
accept = 127.0.0.1:4198
cert = exchange_clientname_prod_certificate.crt
key = private.pem
connect = itbit-clientname.exchange.gfix.prod.itbitprod.com:4198
CAfile = exchange_prod_intermediate_ca.crt
verifyChain = yes
checkHost = gfix-service.gfix-exchange.prod.itbitprod.com

Verification Steps:

  • cert - The path to your exchange_clientname_prod_certificate.crt file
  • key - The path to your private key (e.g. private.pem)
  • connect - The FIX server address and port provided to you during onboarding.
  • CAfile - The path to the Paxos certificate authority provided during onboarding (e.g. exchange_prod_intermediate_ca.crt)

Enabling Debug Logs:

If you encounter connectivity issues, enable additional debugging by:

  1. Increasing Logging Level - Uncomment "debug = 7" to enable verbose logging.
  2. Redirecting Logs to a File - Set "output = /tmp/stunnel_debug.log" to capture stunnel logs.
  3. Running Stunnel in Foreground Mode - Use "foreground = yes" to monitor logs in real-time.
  4. Checking System Logs - Review "/var/log/syslog" or "/var/log/messages" for Stunnel-related errors.

These steps will help diagnose issues related to certificate validation, connectivity failures, or incorrect configurations.


3) Verify the certificate can be validated by the CA file:

openssl verify -CAfile exchange_prod_intermediate_ca.crt exchange_clientname_prod_certificate.crt

exchange_clientname_prod_certificate.crt: OK

If the command doesn't return "exchange_clientname_prod_certificate.crt: OK", the certificate cannot be validated by the CA file and it won't be possible to establish the connection using these files.


4) Test if the connection works using OpenSSL commands:

Run the following command to verify the connection between the FIX Server and the Client. Please use the FIX server address and port provided by Paxos during onboarding.

openssl s_client -connect itbit-clientname.exchange.gfix.prod.itbitprod.com:4198 -key private.pem -cert exchange_clientname_prod_certificate.crt -CAfile exchange_prod_intermediate_ca.crt
  • The following errors in the output of the openssl command indicate an issue with the certificate in exchange_clientname_prod_certificate.crt. Refer to the next steps for recommendations on how to validate the content of the exchange_clientname_prod_certificate.crt file.
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
40263D5CF87F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
  • The following error in the command output indicates that exchange_prod_intermediate_ca.crt is invalid. Make sure to use the file provided by Paxos Support:
verify error:num=19:self-signed certificate in certificate chain
  • If the following message is displayed and there are no "error" messages in the output, then the certificate files used are valid. Any remaining connectivity issues are likely due to misconfiguration in the FIX client or stunnel proxy. Please refer to the next steps to validate your configuration.
---
SSL handshake has read 1892 bytes and written 3830 bytes
Verification: OK
---

Note that you may also see the above message if exchange_prod_intermediate_ca.crt was properly set but the exchange_clientname_prod_certificate.crt file is invalid. Please check the output for any other error messages.


5) Verify the expected content of the generated files:

Here are the files you should see after executing the commands outlined in the onboarding procedure and saving the content of the Paxos server certificate into itbit-ca.pem:

private.pem
exchange_clientname_prod_certificate.crt
exchange_prod_intermediate_ca.crt

Here is an example of the expected content for each file:

    • private.pem - Your private key (do not share the private key with Paxos or anyone else!)
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCT5YaxDb/g4YXX
...
8P7oMPDrT1BLQ7xwE5Kf4nFWA9zLsg==
-----END PRIVATE KEY-----
    • exchange_clientname_prod_certificate.crt
-----BEGIN CERTIFICATE-----
MIIFUTCCAzkCFGZE+l0Tx8RVS7z7JkHHu7ppjSZCMA0GCSqGSIb3DQEBCwUAMGMx
...
84DxImyoe554wsw6rxiFdyV/IX6b
-----END CERTIFICATE-----
    • exchange_prod_intermediate_ca.crt
-----BEGIN CERTIFICATE-----
MIID6DCCAtCgAwIBAgIUDmtUYRo9bjpkhRuOTyAgPJ556aowDQYJKoZIhvcNAQEL
...
GKUUixR0Qk6jGTyZxHR5ZCYzkMYUea6AlIqB7Njac7fgN4bnfPTueLIXKKo=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDMTCCAhmgAwIBAgIUWhpRwwUwRO2IjZ4fHCrvrr5sYe8wDQYJKoZIhvcNAQEL
...
HAWLatk=
-----END CERTIFICATE-----


6) Verify Certificate and Private Key Match

In some cases, you may be using the incorrect certificate file or private key.

To verify that your certificate and private key match, use the following OpenSSL commands to compare the MD5 checksum of the RSA modulus contained in each file:

openssl x509 -noout -modulus -in exchange_clientname_prod_certificate.crt | openssl md5
MD5(stdin)= cbb4fb46fe8a7267332a41daf8ee8521
openssl rsa -noout -modulus -in private.pem | openssl md5
MD5(stdin)= cbb4fb46fe8a7267332a41daf8ee8521

If the checksums do not match, the certificate and private key do not correspond to each other. In this case, generate a new CSR using your private key, and provide the CSR to Paxos Support. Paxos Support will generate the corresponding certificate file (exchange_clientname_prod_certificate.crt) and send it back to you.


7) Check Certificate Validity

Use the following command to check the expiration date of your certificate:

openssl x509 -noout -in exchange_clientname_prod_certificate.crt -enddate

Paxos can generate certificates with a maximum validity of 12 months. If you need a new certificate, you can contact Paxos Support via https://support.paxos.com to have one generated for you.

You can provide a new CSR generated from your private key, or you can ask Support to use the previous CSR if you plan to continue using the same private key.
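The offline checks of steps 3, 6 and 7 above can be run together before starting stunnel. The script below is an added example, not part of the Paxos article; it uses the article's example file names as arguments, compares the RSA moduli directly rather than their MD5 digests, and adds a configurable expiry headroom (default 30 days) on top of the article's plain expiration-date check.

```shell
#!/bin/sh
# Added example, not part of the Paxos article: runs the offline checks of
# steps 3, 6 and 7 against local files. File names are the article's examples.

# Step 3: can the client certificate be validated by the Paxos CA file?
check_chain() {                  # $1=certificate  $2=CA file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 6: does the certificate carry the same RSA modulus as the private key?
# Hex moduli are compared directly; the article's md5 only shortens them for the eye.
check_key_match() {              # $1=certificate  $2=private key
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Step 7: is the certificate still valid $2 days from now (0 = right now)?
check_not_expired() {            # $1=certificate  $2=days of headroom
    openssl x509 -noout -in "$1" -checkend "$(( ${2:-0} * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks, prints one PASS/FAIL line each and returns the number
# of failed checks (0 means the files are ready to be used by stunnel).
run_prechecks() {                # $1=cert  $2=key  $3=CA file  [$4=days, default 30]
    failed=0
    if check_chain "$1" "$3"; then
        echo "PASS chain:   $1 validates against $3"
    else
        echo "FAIL chain:   $1 cannot be validated by $3 (wrong CA file or certificate)"
        failed=$((failed + 1))
    fi
    if check_key_match "$1" "$2"; then
        echo "PASS keypair: modulus of $1 matches $2"
    else
        echo "FAIL keypair: $1 and $2 do not correspond (generate a new CSR from $2)"
        failed=$((failed + 1))
    fi
    if check_not_expired "$1" "${4:-30}"; then
        echo "PASS expiry:  $1 is valid for at least ${4:-30} more day(s)"
    else
        echo "FAIL expiry:  $1 expires within ${4:-30} day(s) or has expired (request renewal)"
        failed=$((failed + 1))
    fi
    return "$failed"
}
# Run directly as: sh fix_mtls_precheck.sh CERT KEY CAFILE [DAYS]
if [ "$#" -ge 3 ]; then
    run_prechecks "$@"
fi
```

A non-zero exit status is the number of failed checks, so the script can gate an automated stunnel restart.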


8) Upgrade Stunnel and OpenSSL versions

Ensure that your system is running Stunnel and OpenSSL versions that support TLS v1.2 or higher for compatibility and security. The minimum recommended versions are:

  • Stunnel: v4.54 (without FIPS), v5.00 (with FIPS).
  • OpenSSL: the latest version currently supported by the OpenSSL project

Upgrading to the latest versions helps prevent security vulnerabilities and ensures compliance with industry standards. Check your versions using:

stunnel -version
openssl version

If needed, update them via your package manager or official sources.
