2.1.2.3. RTI TLS Support
2.1.2.3.1. OpenSSL upgrade
Release 7.1.0 of TLS Support uses OpenSSL® 1.1.1t and OpenSSL 3.0.8. (The previous release used OpenSSL 1.1.1n.) TLS Support 7.1.0 includes two sets of target bundles: rti_tls_support-7.1.0-openssl-1.1.1-<architecture>.rtipkg and rti_tls_support-7.1.0-openssl-3.0-<architecture>.rtipkg. The openssl-1.1.1 version is API-compatible with OpenSSL versions 1.1.0 through 1.1.1t, not with versions earlier than OpenSSL 1.1.0. The openssl-3.0 version is API-compatible with OpenSSL versions 3.0.0 through 3.0.8, not with versions earlier than OpenSSL 3.0.0. Note that TLS Support 7.1.0 has only been tested by RTI using OpenSSL 1.1.1t and OpenSSL 3.0.8. If you need TLS Support 7.1.0 to run against older versions of OpenSSL, please contact support@rti.com.
OpenSSL 1.1.1 will only be supported until 2023-09-11 (https://www.openssl.org/policies/releasestrat.html), so it is recommended that you upgrade the version of OpenSSL that you are using to OpenSSL 3.0.8 for release 7.1.0.
For instructions on installing the latest version of OpenSSL, see the RTI TLS Support Installation Guide 7.1.0.
2.1.2.3.2. Deprecated tls.cipher.dh_param_files
Release 7.1.0 deprecates the tls.cipher.dh_param_files property. This property is only effective when communicating with Connext 5.3 applications and is deprecated for all other purposes. Support may be removed in future versions of TLS Support.
If you use this property when using OpenSSL 3.0.0 or above, the following will apply:
You may not have multiple elements in this property value (i.e., you may not have a comma).
The number of bits must be at least 512.
If this value is NULL (recommended), then TLS Support will use the built-in DH parameters. See the OpenSSL manual page for SSL_CTX_set_dh_auto for more information on these parameters.
2.1.2.3.3. New OpenSSL 3 requirement on tls.cipher.cipher_list
If you use the tls.cipher.cipher_list property when using OpenSSL 3.0.0 or above, the value must contain the substring @SECLEVEL=0; otherwise, you will see the following error when communicating with Connext 6.0.0 or below:
RTITLS_ConnectionEndpointTLSv4_doHandshake:OpenSSL protocol error:0A000410:SSL routines::sslv3 alert handshake failure