Troubleshooting FIX mTLS Connectivity

Last updated: February 26, 2026

Context:

Paxos employs mTLS to secure connections between the FIX Server and its clients. As part of the onboarding process, a certificate must be generated for the FIX Client and configured on both the server (Paxos) and client side to enable FIX integration.

If you are unable to connect after completing the initial client-side configuration, please refer to the troubleshooting steps below.


Troubleshooting Steps:

1) Check Network Connectivity:

telnet itbit-clientname.exchange.gfix.prod.itbitprod.com 4199

Trying 44.218.151.59...
Connected to itbit-clientname.exchange.gfix.prod.itbitprod.com.
Escape character is '^]'.

Please use the FIX server address and port provided by Paxos during onboarding.

If the command does not indicate a successful connection to the server, it could be due to one of the following reasons:

  • No internet access to resolve DNS

  • Incorrect server address or port

  • Corporate firewall blocking the connection

  • Your IP is not allow-listed by Paxos.

    • Please try running the command curl ifconfig.io from the FIX client host to get your external IP address and ensure that this IP was provided to Paxos. Share the output with Paxos Support for further troubleshooting.

2) Check that the server returns its certificates on the connection attempt:

Run the following openssl command for "prod" or "sandbox" and use the connection name provided by Paxos:

FIXENV=prod FIXNAME=clientname openssl s_client -crlf -connect itbit-$FIXNAME.exchange.gfix.$FIXENV.itbitprod.com:4199 -showcerts -servername itbit-$FIXNAME.exchange.gfix.$FIXENV.itbitprod.com

Contact Paxos Support if you see an error like:

Connecting to 52.20.135.53
CONNECTED(00000006)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 356 bytes
Verification: OK
...

3) Verify Stunnel Configuration & Enable Debug Logs

If your FIX Client does not natively support TLS connections, you can use a Stunnel proxy. The FIX client must be configured to connect to Stunnel, which then uses the certificates given to it to establish an mTLS connection to the FIX server.

Example Stunnel Configuration

client = yes
foreground = yes
output = /log_path/filename.log
; Enable verbose logging if required
; debug = 7

[fix-itbit-exchange-prod]
client = yes
accept = 127.0.0.1:4198
cert = your_signed_certificate.crt
key = private.pem
connect = itbit-clientname.exchange.gfix.prod.itbitprod.com:4199
CAfile = itbitprod_prod_root_ca.crt
verifyChain = yes
checkHost = itbit-clientname.gfix-exchange.prod.itbitprod.com

Verification Steps:

  • cert - The path to your CA-signed certificate file.

  • key - The path to your private key (e.g. private.pem).

  • connect - The Paxos FIX server address and port. Replace "clientname" with the one assigned to you by Paxos support.

  • CAfile - The path to Paxos’ certificate authority.

  • checkHost - This is the subject of Paxos’ leaf certificate.

Enabling Debug Logs:

If you encounter connectivity issues, enable additional debugging by:

  1. Increasing Logging Level - Uncomment "debug = 7" to enable verbose logging.

  2. Redirecting Logs to a File - Set "output = /tmp/stunnel_debug.log" to capture stunnel logs.

  3. Running Stunnel in Foreground Mode - Use "foreground = yes" to monitor logs in real-time.

  4. Checking System Logs - Review "/var/log/syslog" or "/var/log/messages" for Stunnel-related errors.

These steps will help diagnose issues related to certificate validation, connectivity failures, or incorrect configurations.


4) Verify your certificate can be validated by the CA file:

openssl verify -CAfile your_CA_certificate.crt your_signed_certificate.crt

your_signed_certificate.crt: OK

If the command doesn't return "your_signed_certificate.crt: OK", it means that the certificate cannot be validated by your CA file and it won't be possible to establish the connection using these files.

5) Test if the connection works using OpenSSL commands:

Run the following command to verify the connection between the FIX Server and the Client. Please use the FIX server address and port provided by Paxos during onboarding.

openssl s_client -connect itbit-clientname.exchange.gfix.prod.itbitprod.com:4199 -key private.pem -cert your_signed_certificate.crt -CAfile your_CA_certificate.crt

  • The following errors in the output of the openssl command indicate an issue with your_signed_certificate.crt. Refer to the next steps for recommendations on how to validate the content of your_signed_certificate.crt.

SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
40263D5CF87F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40

  • The following error in the command output indicates that your_CA_certificate.crt is invalid. Make sure to use the correct Root CA file provided by your Certificate Authority:

verify error:num=19:self-signed certificate in certificate chain

  • If the following message is displayed and there are no "error" messages in the output, then the certificate files used are valid. Any remaining connectivity issues are likely due to misconfiguration in the FIX client or Stunnel proxy. Please refer to the next steps to validate your configuration.

---
SSL handshake has read 1892 bytes and written 3830 bytes
Verification: OK
---

Note that you may also see the above message if your_CA_certificate.crt was properly set but the your_signed_certificate.crt file is invalid. Please check the output for any other error messages.

6) Verify the expected content of the generated files:

Here are the files you should see after executing the commands outlined in the onboarding procedure:

private.pem
your_signed_certificate.crt
your_CA_certificate.crt

Here is an example of the expected content for each file:

  • private.pem - Your Private key (do not share the private key with Paxos or anyone else!)

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

  • your_signed_certificate.crt

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

  • your_CA_certificate.crt

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

7) Verify Certificate and Private Key Match

In some cases, you may be using the incorrect certificate file or private key.

To verify that your certificate and private key match, use the following OpenSSL commands to generate an MD5 checksum of the modulus from each file and compare them:

openssl x509 -noout -modulus -in your_signed_certificate.crt | openssl md5
MD5(stdin)= cbb4fb46fe8a7267332a41daf8ee8521
openssl rsa -noout -modulus -in private.pem | openssl md5
MD5(stdin)= cbb4fb46fe8a7267332a41daf8ee8521

If the checksums do not match, the certificate and private key do not correspond to each other. In this case, generate a new CSR using your private key, and provide the CSR to your Certificate Authority for signing. Send us the corresponding signed certificate file (your_signed_certificate.crt) and we will enroll it into our backend system.

8) Check Certificate Validity

Use the following command to check the expiration date of your certificate:

openssl x509 -noout -in your_signed_certificate.crt -enddate

Ensure your certificate has not expired. If it has, please generate a new signed certificate and send that across to our Paxos support team.
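The checks in steps 4, 7 and 8 can be run together as one pre-flight script before touching the Stunnel or FIX client configuration. The script below is an added example, not Paxos tooling: it generalizes the step 7 modulus comparison (which only works for RSA keys, since "openssl rsa -modulus" cannot read an EC key) by comparing the public key derived from private.pem with the one embedded in the certificate, so it also covers EC keys. The throwaway CA, the /CN= subjects and the file names other than those on this page are constructed for the example.

```shell
#!/bin/sh
# Added example (not Paxos tooling): pre-flight checks for the FIX mTLS files
# covering steps 4, 7 and 8. Fixture CA and file names are constructed here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Step 4: does CERT chain to the CA file? Returns 0 on success, 1 otherwise.
check_chain() {   # check_chain CA_FILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 7, generalized: the public key derived from KEY must equal the one
# inside CERT. "openssl pkey -pubout" and "openssl x509 -pubkey" both emit the
# same PEM SubjectPublicKeyInfo, for RSA and EC keys alike, so compare them.
check_key_match() {   # check_key_match KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 8: is CERT still valid SECONDS from now? Returns 0 if yes.
check_not_expired() {   # check_not_expired CERT SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Constructed fixtures for a self-contained run: a throwaway CA valid 2 days,
# a client certificate it signs valid 1 day, and an unrelated RSA key.
make_fixtures() {   # make_fixtures DIR
    d=$1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -days 2 -subj "/CN=example-ca" -out "$d/ca.crt" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/private.pem" 2>/dev/null
    openssl req -new -key "$d/private.pem" -subj "/CN=example-client" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/your_signed_certificate.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.pem" 2>/dev/null
}

# Stand-alone demo on the constructed fixtures; each check prints its verdict.
tmp=$(mktemp -d); make_fixtures "$tmp"; crt=$tmp/your_signed_certificate.crt
check_chain "$tmp/ca.crt" "$crt"          && echo "chain OK: certificate validates against CA"
check_key_match "$tmp/private.pem" "$crt" && echo "key OK: private.pem matches certificate"
check_key_match "$tmp/other.pem" "$crt"   || echo "mismatch: other.pem does not belong to certificate (expected)"
check_not_expired "$crt" 3600             && echo "validity OK: not expiring within 1h"
rm -rf "$tmp"
```

Point the three check functions at your own private.pem, your_signed_certificate.crt and your_CA_certificate.crt to reproduce steps 4, 7 and 8 in one run.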


9) Upgrade Stunnel and OpenSSL versions

Ensure that your system is running Stunnel and OpenSSL versions that support TLS v1.2 or higher for compatibility and security. The minimum recommended versions are:

  • Stunnel: v4.54 (without FIPS), v5.00 (with FIPS).

  • OpenSSL: the latest version currently supported by the OpenSSL project

Upgrading to the latest versions helps prevent security vulnerabilities and ensures compliance with industry standards. Check your versions using:

stunnel -version
openssl version

If needed, update them via your package manager or official sources.