2020-12-26 16:53

Do not log cleartext password on logon failure

Describe the bug: Full FIX message with cleartext password is logged on logon failure.

Expected behavior: Either do not log the FIX message, or remove the cleartext password from the message.
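One way to implement the second option, masking the credential fields of the raw message before it reaches the log line, as an added example that is not part of the original issue or of QuickFIX/J itself. Tags 554 (Password) and 925 (NewPassword) are the standard FIX credential fields; the class name, the mask string and the sample Logon message are assumptions constructed for the illustration.

```java
import java.util.Set;

/**
 * Redacts credential fields from a raw FIX message string before it is
 * written to a log. Example code added to this thread, not QuickFIX/J
 * code. Tag 554 (Password) and 925 (NewPassword) are the standard FIX
 * credential tags; the mask string and the tag set are assumptions.
 */
public final class FixLogRedactor {

    /** FIX field delimiter (SOH). Log viewers often render it as '|'. */
    private static final char SOH = '\u0001';
    private static final String MASK = "****";
    private static final Set<String> SENSITIVE_TAGS = Set.of("554", "925");

    private FixLogRedactor() {}

    /**
     * Returns a copy of {@code rawMessage} in which the value of every
     * sensitive tag is replaced by {@link #MASK}. Works whether fields are
     * separated by SOH or by '|' (the form seen in many log files).
     * Field order, all other tags and the delimiter are preserved; the
     * trailing CheckSum (tag 10) will no longer match, so the result is
     * fit for logging only, never for sending.
     */
    public static String redact(String rawMessage) {
        if (rawMessage == null || rawMessage.isEmpty()) {
            return rawMessage;
        }
        char delimiter = rawMessage.indexOf(SOH) >= 0 ? SOH : '|';
        StringBuilder out = new StringBuilder(rawMessage.length());
        int start = 0;
        while (start <= rawMessage.length()) {
            int end = rawMessage.indexOf(delimiter, start);
            if (end < 0) {
                end = rawMessage.length();
            }
            out.append(redactField(rawMessage.substring(start, end)));
            if (end == rawMessage.length()) {
                break;
            }
            out.append(delimiter);
            start = end + 1;
        }
        return out.toString();
    }

    /** Masks the value if the field's tag is sensitive; otherwise returns it unchanged. */
    private static String redactField(String field) {
        int eq = field.indexOf('=');
        if (eq < 0) {
            return field; // not a tag=value pair, leave untouched
        }
        String tag = field.substring(0, eq);
        return SENSITIVE_TAGS.contains(tag) ? tag + "=" + MASK : field;
    }

    public static void main(String[] args) {
        // Constructed sample Logon (35=A) carrying a cleartext password; not a real capture.
        String logon = "8=FIX.4.4|9=102|35=A|49=CLIENT|56=SERVER|34=1|52=20201226-16:53:00|"
                + "98=0|108=30|553=alice|554=s3cret|925=n3wS3cret|10=000|";
        System.out.println(redact(logon));
    }
}
```

Because the redactor only ever replaces values and never reveals them, the worst case for an unusual message (for example a RawData field, tag 96, whose binary value happens to contain a SOH byte) is a slightly mis-split log line, not a leaked secret. Passing `redact(messageString)` to the ERROR log instead of `messageString` keeps the diagnostic value of the full message while removing the password, without any new session setting.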




  • weixin_39881575, 4 months ago

    How widely are plain-text passwords actually used for authentication vs certificates? This feels like fixing a rare problem in the wrong place. In my experience connections are established over SSL-auth'd tunnels.

    1. If you don't want to log the password in plain text, hash the password
    2. That's still vulnerable to replay of course, so you could use something like SCRAM.
    3. For everyone else, bad logons are rare and thus useful information. This should be opt-in.

    You also might consider contributing to https://www.fixtrading.org/groups/cyberfixa/

  • weixin_39675513, 4 months ago

    Thanks for your comments. Making this configurable seems to be the way to go then.

    So the settings, or the to-be-created setting for this, need to be handed through to the AcceptorIoHandler.

    Edit: and when it is configurable then we could as well continue to log the whole message...

  • weixin_39834767, 4 months ago

    It does look like messageString is useful for debugging. Would it be acceptable to include it in debug log only? Error log will contain remoteSessionID instead, as proposed by .

    That also does not require a new setting to be created.

  • weixin_39675513, 4 months ago

    I don't know how the others see this but I do not have DEBUG logging enabled on PROD.

  • weixin_39834767, 4 months ago

    Thanks , I created another PR (https://github.com/quickfix-j/quickfixj/pull/340). This leaves messageString logging as it is, but allows verbose logging to be disabled.
