2.3.2.4. RTI TLS Support

2.3.2.4.1. OpenSSL 3.0 upgrade and 1.1.1 removal

Release 7.2.0 of the Security Plugins uses OpenSSL® 3.0.9. (Release 7.1.0 used OpenSSL 1.1.1t and OpenSSL 3.0.8. Release 6.1.1/6.1.2 used OpenSSL 1.1.1n.) TLS Support 7.2.0 includes only one set of target bundles: rti_tls_support-7.2.0-target-openssl-3.0-<architecture>.rtipkg. These bundles are API-compatible with OpenSSL versions 3.0.0 through 3.0.9, not with versions earlier than OpenSSL 3.0.0. Note that TLS Support 7.2.0 has only been tested by RTI using OpenSSL 3.0.9. If you need TLS Support 7.2.0 to run against older versions of OpenSSL, please contact support@rti.com.

Support for OpenSSL 1.1.1 has been removed because OpenSSL 1.1.1 reaches end-of-life in September 2023 (https://www.openssl.org/policies/releasestrat.html).

2.3.2.4.2. Deprecated tls.cipher.dh_param_files

Release 7.1.0 deprecated the tls.cipher.dh_param_files property. This property is only effective when communicating with Connext 5.3 applications and is deprecated for all other purposes. Support may be removed in future versions of TLS Support.

If you use this property when using OpenSSL 3.0.0 or above, the following will apply:

  • You may not have multiple elements in this property value (i.e., you may not have a comma).

  • The number of bits must be at least 512.

  • If this value is NULL (recommended), then TLS Support will use the built-in DH parameters. See the OpenSSL manual page for SSL_CTX_set_dh_auto for more information on these parameters.

2.3.2.4.3. New OpenSSL 3 requirement on tls.cipher.cipher_list

If you use the tls.cipher.cipher_list property when using OpenSSL 3.0.0 or above, the value must contain the substring @SECLEVEL=0; otherwise, you will see the following error when communicating with Connext 6.0.0 or below:

RTITLS_ConnectionEndpointTLSv4_doHandshake:OpenSSL protocol error:0A000410:SSL routines::sslv3 alert handshake failure
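
The OpenSSL 3 rules for tls.cipher.dh_param_files and tls.cipher.cipher_list described above can be checked before deployment. The following is an added example, not RTI code: it scans a QoS property block and reports violations. The property-name prefix, the sample values, and the "file:bits" entry format of dh_param_files are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the property-name prefix, file names and values are
# assumptions for illustration, as is the "file:bits" entry format.
SAMPLE_QOS = """
<property><value>
  <element><name>dds.transport.TCPv4.tcp1.tls.cipher.cipher_list</name>
    <value>AES256-SHA256:AES128-SHA256</value></element>
  <element><name>dds.transport.TCPv4.tcp1.tls.cipher.dh_param_files</name>
    <value>dh256.pem:256,dh2048.pem:2048</value></element>
</value></property>
"""

def read_properties(xml_text):
    """Return {name: value} for each <element> in a <property> block."""
    props = {}
    for el in ET.fromstring(xml_text).iter("element"):
        name = (el.findtext("name") or "").strip()
        if name:
            props[name] = (el.findtext("value") or "").strip()
    return props

def check_tls_properties(props):
    """List violations of the OpenSSL 3 rules for the two tls.cipher properties."""
    findings = []
    for name, value in props.items():
        if name.endswith("tls.cipher.cipher_list"):
            if "@SECLEVEL=0" not in value:
                findings.append(f"{name}: missing @SECLEVEL=0")
        elif name.endswith("tls.cipher.dh_param_files") and value:
            findings.append(f"{name}: deprecated, unset it to use built-in DH parameters")
            entries = [e.strip() for e in value.split(",")]
            if len(entries) > 1:
                findings.append(f"{name}: only one element is allowed")
            for entry in entries:
                # Greedy match keeps colons that belong to the path (C:\dh.pem:512).
                m = re.fullmatch(r".+:(\d+)", entry)
                if m is None:
                    findings.append(f"{name}: no bit count in '{entry}'")
                elif int(m.group(1)) < 512:
                    findings.append(f"{name}: '{entry}' is below 512 bits")
    return findings

if __name__ == "__main__":
    for finding in check_tls_properties(read_properties(SAMPLE_QOS)):
        print(finding)
```

@SECLEVEL=0 turns off OpenSSL's minimum-strength checks for the whole cipher list, so list the specific cipher suites you need alongside it rather than a broad alias.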