API via TLS connectivity guide

This guide is intended to consolidate information and recommendations on how to configure CQG FIX Connect, FIX Event Feed, WebAPI and CMS API clients to connect to CQG API endpoints via TLS.

Encryption protocols support

TLS v1.2 and TLS v1.3 are the only recommended and supported versions. SSL versions 2 and 3 as well as earlier versions of TLS are not supported.

Certificates

CQG uses certificates issued by a third-party CA (Certificate Authority), DigiCert. These certificates are signed by DigiCert's root CA certificates, which are already included in the trusted certificate stores of modern operating systems, browsers and applications that support the web PKI. Large software vendors usually maintain their own lists, e.g.:

• Windows
• iOS
• Mozilla
• Java

If you develop an application that maintains its own trusted certificate store, it should trust all of DigiCert's root certificates.

If you maintain a trusted certificate store, you must have processes in place to detect expired certificates and retrieve updated certificates.

If you rely on Stunnel to create and maintain a secure session with a CQG API endpoint, refer to the specific recommendations in the next section.

Stunnel usage

Stunnel is a freeware utility based on the OpenSSL stack that lets you configure a secure TLS tunnel between two endpoints. To configure Stunnel, edit its configuration file. On Windows, the default location is C:\Program Files (x86)\stunnel\config\stunnel.conf, although Stunnel lets you use a file in any other directory.

Here are example settings for stunnel.conf on Windows.

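; Logging
debug = info
output = stunnel.log
[CQG Production FIXAPI]
; Stunnel acts as the TLS client toward the CQG endpoint
client = yes
; Accept TLS 1.3 only; set TLSv1.2 here to also allow TLS 1.2
sslVersionMin = TLSv1.3
options = NO_SSLv2
options = NO_SSLv3
; Local plaintext listener that the FIX application connects to
accept = 127.0.0.1:6900
; CQG API endpoint reached over TLS
connect = fixapi.cqgtrader.com:6925
; Require a valid certificate chain and a certificate issued for this host name
checkHost = fixapi.cqgtrader.com
verifyChain = yes
CAfile = C:\Program Files (x86)\stunnel\config\ca-certs.pem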

On Linux, the correct value of the CAfile configuration parameter varies across distributions. On CentOS/RedHat it is /etc/pki/tls/certs/ca-bundle.crt, whereas Ubuntu/Debian uses /etc/ssl/certs/ca-certificates.crt. A CA file is also located in the ./tools directory of the Stunnel source code distribution.

The example above assumes a connection to the CQG FIX Connect endpoint for US-based customers. The table below shows all available CQG API endpoints.
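
For a client that opens the TLS session itself rather than through Stunnel, the following added example (not CQG's or Stunnel's own code) applies the same checks in Python and flags trust-store certificates that are expired or about to expire. The function names, the 30-day window and the sample certificate entries are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like SSLContext.get_ca_certs() output (not real roots).
SAMPLE_CERTS = [
    {"subject": ((("commonName", "Constructed Root A"),),), "notAfter": "Dec 15 00:00:00 2024 GMT"},
    {"subject": ((("commonName", "Constructed Root B"),),), "notAfter": "Jan 20 12:00:00 2025 GMT"},
    {"subject": ((("commonName", "Constructed Root C"),),), "notAfter": "Nov  9 23:59:59 2031 GMT"},
]


def build_context(cafile=None):
    """Client context with the same checks as the Stunnel settings above."""
    ctx = ssl.create_default_context(cafile=cafile)  # None -> OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # only TLS 1.2 and 1.3
    ctx.check_hostname = True                        # like checkHost
    ctx.verify_mode = ssl.CERT_REQUIRED              # like verifyChain = yes
    return ctx


def expiring(certs, now, within_days=30):
    """Return (common name, notAfter) for certs expired or expiring in the window."""
    limit = now + timedelta(days=within_days)
    flagged = []
    for cert in certs:
        seconds = ssl.cert_time_to_seconds(cert["notAfter"])
        not_after = datetime.fromtimestamp(seconds, tz=timezone.utc)
        if not_after <= limit:
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            flagged.append((subject.get("commonName", "<no CN>"), not_after))
    return flagged


def probe(host, port, ctx, timeout=10):
    """Handshake with an endpoint (needs network access).

    Raises ssl.SSLCertVerificationError if the chain or host name check fails.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    ctx = build_context()
    # get_ca_certs() lists only roots already loaded into the context.
    for name, not_after in expiring(ctx.get_ca_certs() or SAMPLE_CERTS, now):
        print(f"renew or remove: {name} (notAfter {not_after:%Y-%m-%d})")
```

Calling probe("fixapi.cqgtrader.com", 6925, build_context()) returns the negotiated protocol version and the server certificate, whose notAfter field can be passed through expiring() as well.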

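| Environment | CQG API | Location | Connection point for TLS connections over Internet |
|---|---|---|---|
| Production | FIX Connect | Australia | au.cqgtrader.com:6925 |
| Production | FIX Connect | China (requires approval) | shanghai.cqgchina.com:6925 |
| Production | FIX Connect | Europe | europe.cqgtrader.com:6925 |
| Production | FIX Connect | Japan | tokyo.cqgtrader.com:6925 |
| Production | FIX Connect | Singapore | sng.cqgtrader.com:6925 |
| Production | FIX Connect | Taiwan (requires approval) | taiwan.cqgtrader.com:6925 |
| Production | FIX Connect | United States | fixapi.cqgtrader.com:6925 |
| Production | FIX Event Feed (FEF) | Europe | europe.cqgtrader.com:6950 |
| Production | FIX Event Feed (FEF) | Singapore | sng.cqgtrader.com:6950 |
| Production | FIX Event Feed (FEF) | United States | fixapi.cqgtrader.com:6950 |
| Production | CMS API | Any | cmsapi.cqg.com:443 |
| Production | WebAPI | Any | api.cqg.com:443 |
| Demo/Stage | FIX Connect | N/A | demo.cqgtrader.com:6925 |
| Demo/Stage | CMS API | N/A | democmsapi.cqg.com:443 |
| Demo/Stage | WebAPI | N/A | demoapi.cqg.com:443 |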