longbridge · level2player · Jun 3, 2025 · Aug 24, 2021 · Sep 8, 2021 · Sep 8, 2021
diff --git a/tls.go b/tls.go
@@ -4,7 +4,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"io/ioutil"
+	"os"
 
 	"github.com/quickfixgo/quickfix/config"
 )
@@ -35,33 +35,40 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	}
 
 	if !settings.HasSetting(config.SocketPrivateKeyFile) && !settings.HasSetting(config.SocketCertificateFile) {
-		if allowSkipClientCerts {
-			tlsConfig = defaultTLSConfig()
-			tlsConfig.ServerName = serverName
-			tlsConfig.InsecureSkipVerify = insecureSkipVerify
-			setMinVersionExplicit(settings, tlsConfig)
+		if !allowSkipClientCerts {
+			return
 		}
-		return
-	}
-
-	privateKeyFile, err := settings.Setting(config.SocketPrivateKeyFile)
-	if err != nil {
-		return
-	}
-
-	certificateFile, err := settings.Setting(config.SocketCertificateFile)
-	if err != nil {
-		return
 	}
 
 	tlsConfig = defaultTLSConfig()
-	tlsConfig.Certificates = make([]tls.Certificate, 1)
 	tlsConfig.ServerName = serverName
 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 	setMinVersionExplicit(settings, tlsConfig)
 
-	if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
-		return
+	if settings.HasSetting(config.SocketPrivateKeyFile) || settings.HasSetting(config.SocketCertificateFile) {
+
+		var privateKeyFile string
+		var certificateFile string
+
+		privateKeyFile, err = settings.Setting(config.SocketPrivateKeyFile)
+		if err != nil {
+			return
+		}
+
+		certificateFile, err = settings.Setting(config.SocketCertificateFile)
+		if err != nil {
+			return
+		}
+
+		tlsConfig.Certificates = make([]tls.Certificate, 1)
+
+		if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
+			return
+		}
+	}
+
+	if !allowSkipClientCerts {
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 	}
 
 	if !settings.HasSetting(config.SocketCAFile) {
@@ -73,7 +80,7 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 		return
 	}
 
-	pem, err := ioutil.ReadFile(caFile)
+	pem, err := os.ReadFile(caFile)
 	if err != nil {
 		return
 	}
@@ -86,12 +93,11 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 
 	tlsConfig.RootCAs = certPool
 	tlsConfig.ClientCAs = certPool
-	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 
 	return
 }
 
-//defaultTLSConfig brought to you by https://github.com/gtank/cryptopasta/
+// defaultTLSConfig brought to you by https://github.com/gtank/cryptopasta/
 func defaultTLSConfig() *tls.Config {
 	return &tls.Config{
 		// Avoids most of the memorably-named TLS attacks

diff --git a/tls_test.go b/tls_test.go
@@ -60,7 +60,7 @@ func (s *TLSTestSuite) TestLoadTLSNoCA() {
 	s.Len(tlsConfig.Certificates, 1)
 	s.Nil(tlsConfig.RootCAs)
 	s.Nil(tlsConfig.ClientCAs)
-	s.Equal(tls.NoClientCert, tlsConfig.ClientAuth)
+	s.Equal(tls.RequireAndVerifyClientCert, tlsConfig.ClientAuth)
 }
 
 func (s *TLSTestSuite) TestLoadTLSWithBadCA() {
@@ -87,6 +87,36 @@ func (s *TLSTestSuite) TestLoadTLSWithCA() {
 	s.Equal(tls.RequireAndVerifyClientCert, tlsConfig.ClientAuth)
 }
 
+func (s *TLSTestSuite) TestLoadTLSWithOnlyCA() {
+	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
+	s.settings.GlobalSettings().Set(config.SocketCAFile, s.CAFile)
+
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+
+	s.NotNil(tlsConfig.RootCAs)
+	s.NotNil(tlsConfig.ClientCAs)
+}
+
+func (s *TLSTestSuite) TestLoadTLSWithoutSSLWithOnlyCA() {
+	s.settings.GlobalSettings().Set(config.SocketCAFile, s.CAFile)
+
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.Nil(tlsConfig)
+}
+
+func (s *TLSTestSuite) TestLoadTLSAllowSkipClientCerts() {
+	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
+
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+
+	s.Equal(tls.NoClientCert, tlsConfig.ClientAuth)
+}
+
 func (s *TLSTestSuite) TestServerNameUseSSL() {
 	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
 	s.settings.GlobalSettings().Set(config.SocketServerName, "DummyServerNameUseSSL")