2.3.2.4. RTI TLS Support
2.3.2.4.1. OpenSSL 3.0 upgrade and 1.1.1 removal
Release 7.2.0 of the Security Plugins uses OpenSSL® 3.0.9.
(Release 7.1.0 used OpenSSL 1.1.1t and OpenSSL 3.0.8.
Release 6.1.1/6.1.2 used OpenSSL 1.1.1n.) TLS Support 7.2.0
includes only one set of target bundles:
rti_tls_support-7.2.0-target-openssl-3.0-<architecture>.rtipkg. These
bundles are API-compatible with OpenSSL versions 3.0.0 through 3.0.9, not with
versions earlier than OpenSSL 3.0.0. Note that TLS Support 7.2.0 has only
been tested by RTI using OpenSSL 3.0.9. If you need TLS Support 7.2.0 to run
against older versions of OpenSSL, please contact support@rti.com.
Support for OpenSSL 1.1.1 has been removed because its end-of-life date is September 2023 (https://www.openssl.org/policies/releasestrat.html).
2.3.2.4.2. Deprecated tls.cipher.dh_param_files
Release 7.1.0 deprecated the tls.cipher.dh_param_files property. This
property is only effective when communicating with Connext 5.3 applications
and is deprecated for all other purposes. Support may be removed in future
versions of TLS Support.
If you use this property when using OpenSSL 3.0.0 or above, the following will apply:
You may not have multiple elements in this property value (i.e., you may not have a comma).
The number of bits must be at least 512.
If this value is NULL (recommended), then TLS Support will use the built-in DH parameters. See the OpenSSL manual page for SSL_CTX_set_dh_auto for more information on these parameters.
2.3.2.4.3. New OpenSSL 3 requirement on tls.cipher.cipher_list
If you use the tls.cipher.cipher_list property when using OpenSSL 3.0.0 or
above, the value must contain the substring @SECLEVEL=0; otherwise, you
will see the following error when communicating with Connext 6.0.0 or below:
RTITLS_ConnectionEndpointTLSv4_doHandshake:OpenSSL protocol error:0A000410:SSL routines::sslv3 alert handshake failure
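The rules in 2.3.2.4.2 and 2.3.2.4.3 can be checked against a QoS profile before migrating. The following lint is an added example, not RTI code. The `dds.transport.TCPv4.tcp1.` property prefix, the `<file>:<bits>` layout of each dh_param_files element, and the sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample QoS fragment. The "dds.transport.TCPv4.tcp1." prefix and
# the "<file>:<bits>" element layout are assumptions, not taken from the page.
SAMPLE_QOS = """
<property><value>
  <element>
    <name>dds.transport.TCPv4.tcp1.tls.cipher.cipher_list</name>
    <value>AES256-SHA:AES128-SHA</value>
  </element>
  <element>
    <name>dds.transport.TCPv4.tcp1.tls.cipher.dh_param_files</name>
    <value>dh256.pem:256,dh1024.pem:1024</value>
  </element>
</value></property>
"""

def lint_tls_properties(xml_text):
    """Return (property_name, finding) pairs for the OpenSSL 3 rules above."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("element"):
        name = (elem.findtext("name") or "").strip()
        value = (elem.findtext("value") or "").strip()
        if name.endswith("tls.cipher.cipher_list"):
            # OpenSSL security level 0 permits all algorithms; the page
            # requires it for handshakes with Connext 6.0.0 or below.
            if "@SECLEVEL=0" not in value:
                findings.append((name, "missing @SECLEVEL=0: handshake with "
                                       "Connext 6.0.0 or below will fail"))
        elif name.endswith("tls.cipher.dh_param_files") and value:
            findings.append((name, "deprecated: only effective with Connext 5.3 peers"))
            if "," in value:
                findings.append((name, "multiple elements are not allowed"))
            for item in value.split(","):
                bits = item.rpartition(":")[2].strip()
                if not bits.isdigit():
                    findings.append((name, f"no bit count in {item!r}"))
                elif int(bits) < 512:
                    findings.append((name, f"{bits} bits is below the 512 minimum"))
    return findings

if __name__ == "__main__":
    for prop, finding in lint_tls_properties(SAMPLE_QOS):
        print(f"{prop}: {finding}")
```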