2.2.2.3. RTI TLS Support

2.2.2.3.1. OpenSSL upgrade

Release 7.1.0 of TLS Support uses OpenSSL® 1.1.1t and OpenSSL 3.0.8. (The previous release used OpenSSL 1.1.1n.) TLS Support 7.1.0 includes two sets of target bundles: rti_tls_support-7.1.0-openssl-1.1.1-<architecture>.rtipkg and rti_tls_support-7.1.0-openssl-3.0-<architecture>.rtipkg. The openssl-1.1.1 version is API-compatible with OpenSSL versions 1.1.0 through 1.1.1t, not with versions earlier than OpenSSL 1.1.0. The openssl-3.0 version is API-compatible with OpenSSL versions 3.0.0 through 3.0.8, not with versions earlier than OpenSSL 3.0.0. Note that TLS Support 7.1.0 has only been tested by RTI using OpenSSL 1.1.1t and OpenSSL 3.0.8. If you need TLS Support 7.1.0 to run against older versions of OpenSSL, please contact support@rti.com.

OpenSSL 1.1.1 will only be supported until 2023-09-11 (https://www.openssl.org/policies/releasestrat.html), so it is recommended that you upgrade the version of OpenSSL that you are using to OpenSSL 3.0.8 for release 7.1.0.

For instructions on installing the latest version of OpenSSL, see the RTI TLS Support Installation Guide 7.1.0.

2.2.2.3.2. Deprecated tls.cipher.dh_param_files

Release 7.1.0 deprecated the tls.cipher.dh_param_files property. This property is only effective when communicating with Connext 5.3 applications and is deprecated for all other purposes. Support may be removed in future versions of TLS Support.

If you use this property when using OpenSSL 3.0.0 or above, the following will apply:

  • You may not have multiple elements in this property value (i.e., you may not have a comma).

  • The number of bits must be at least 512.

  • If this value is NULL (recommended), then TLS Support will use the built-in DH parameters. See the OpenSSL manual page for SSL_CTX_set_dh_auto for more information on these parameters.

2.2.2.3.3. New OpenSSL 3 requirement on tls.cipher.cipher_list

If you use the tls.cipher.cipher_list property when using OpenSSL 3.0.0 or above, the value must contain the substring @SECLEVEL=0; otherwise, you will see the following error when communicating with Connext 6.0.0 or below:

RTITLS_ConnectionEndpointTLSv4_doHandshake:OpenSSL protocol error:0A000410:SSL routines::sslv3 alert handshake failure