[QFJ-256] SSLContextFactory doesn't support custom trust stores Created: 02/Oct/07  Updated: 29/May/17  Resolved: 29/May/17

Status: Closed
Project: QuickFIX/J
Component/s: Networking
Affects Version/s: 1.3.0
Fix Version/s: 1.6.3

Type: Improvement
Priority: Default
Reporter: James Furness
Assignee: Marcin L
Resolution: Duplicate
Votes: 1
Labels: None
Environment:

WinXP SP2, jdk1.5.0_11, QuickFIXJ 1.3.0


Issue Links:
Duplicate
duplicates QFJ-821 Quickfix/J Server should validate SSL... Closed

Description

SSLContextFactory is able to load a custom keystore into the KeyManagerFactory to send a certificate to the other party. However, it is not able to load a custom truststore into the TrustManagerFactory; instead it uses SimpleTrustManagerFactory, which accepts any certificate sent by the other party.

This has no impact on the ability to connect since all connections will be accepted; however, it seems to leave the connection open to a man-in-the-middle attack.

Although the chances of this happening are remote, it would be good to be able to specify a custom truststore.

This could be achieved by using TrustManagerFactory.getInstance(...) instead of SimpleTrustManagerFactory.X509_MANAGERS and specifying the trust store using system properties (as mentioned here: http://www.nabble.com/SSL-with-QuickFIX-J-1.1.0-t3758073.html).

Alternatively, and possibly better, would be to use the existing configuration files and load a configured trust store into the TrustManagerFactory, something like this:

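----------------
// Needs java.io.FileInputStream, java.security.KeyStore, javax.net.ssl.TrustManagerFactory.
// trustAlgorithm, trustFile and trustPass are assumed to come from the existing configuration.

// initialise the TrustManagerFactory and load our keystore into it
trustManagerFactory = TrustManagerFactory.getInstance(trustAlgorithm);

KeyStore keystore = KeyStore.getInstance("jks");
FileInputStream trustInputStream = new FileInputStream(trustFile);
try {
    keystore.load(trustInputStream, trustPass.toCharArray());
} finally {
    // close the stream even if loading fails (bad password, corrupt file)
    trustInputStream.close();
}

// Initialise TrustManagerFactory with this KeyStore
trustManagerFactory.init(keystore);
----------------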

This can then be passed to SSLContext.init() instead of SimpleTrustManagerFactory.X509_MANAGERS.

Thanks,
James
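
The following is an added example, not part of the original report and not QuickFIX/J's own code: it loads a trust store file into a TrustManagerFactory, refuses a store with no certificate entries, and shows the resulting trust manager rejecting a certificate that is not in the store. The class and helper names, the alias and the password are hypothetical, and it assumes Java 7 or later and a JRE whose default trust store is populated (used only as constructed sample data).

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import javax.net.ssl.*;
public class TrustStoreDemo {
    // Hypothetical helper: trust managers that validate peers against one trust store file.
    static TrustManager[] trustManagersFrom(Path file, char[] pass) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            store.load(in, pass);
        }
        // Fail closed: without certificate entries no peer could ever be validated.
        boolean hasAnchor = false;
        for (String alias : Collections.list(store.aliases())) {
            hasAnchor |= store.isCertificateEntry(alias);
        }
        if (!hasAnchor) throw new IllegalStateException("no trusted certificates in " + file);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: borrow root certificates from the JRE's default trust store.
        TrustManagerFactory def = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        def.init((KeyStore) null);
        X509Certificate[] roots = ((X509TrustManager) def.getTrustManagers()[0]).getAcceptedIssuers();
        X509Certificate trusted = roots[0], other = null;
        for (X509Certificate c : roots) { // pick a certificate that cannot chain to 'trusted'
            if (!c.equals(trusted) && !c.getIssuerX500Principal().equals(trusted.getSubjectX500Principal())) other = c;
        }
        char[] pass = "changeit".toCharArray(); // constructed password
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setCertificateEntry("counterparty-ca", trusted);
        Path file = Files.createTempFile("truststore", ".jks");
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, pass); }
        TrustManager[] tms = trustManagersFrom(file, pass);
        SSLContext.getInstance("TLS").init(null, tms, null); // key managers omitted in this demo
        try {
            ((X509TrustManager) tms[0]).checkServerTrusted(new X509Certificate[] {other}, "RSA");
            System.out.println("accepted (unexpected)");
        } catch (CertificateException e) {
            System.out.println("rejected, not in trust store: " + other.getSubjectX500Principal());
        } finally { Files.delete(file); }
    }
}
```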

