7. Known Issues

Note

For an updated list of critical known issues, see the Critical Issues List on the RTI Customer Portal at https://support.rti.com.

7.1. No Support for ECDSA-ECDH with Static OpenSSL Libraries and Certicom Security Builder

If you are using the Certicom® Security Builder® engine, you cannot use the ecdsa-ecdh shared secret algorithm together with static OpenSSL libraries. If you want to use ecdsa-ecdh with Certicom Security Builder, you must use dynamic OpenSSL libraries. Attempting to use ecdsa-ecdh with static OpenSSL libraries and Certicom Security Builder will cause the following errors during participant discovery:

Authentication_compute_sharedsecret:failed to provide remote DP public key

Authentication_process_handshake:key generation fail

Authentication_get_shared_secret:empty secret

PRESParticipant_authorizeRemoteParticipant:!security function get_shared_secret

7.2. No Support for Writing >65kB Unfragmented Samples Using Metadata or RTPS Message Protection

The following use case is not supported:

  • metadata_protection_kind = SIGN or ENCRYPT or rtps_protection_kind = SIGN or ENCRYPT

  • message_size_max > 65536. This is possible when using the TCP transport.

  • The user is writing unfragmented samples of size greater than 65kB but less than message_size_max.

In order to write the large sample, you must set message_size_max to be smaller than the message size, so the sample can be put in fragments smaller than 65 kB.

[RTI Issue ID SEC-768]

7.3. subscription_data and publication_data in check_local_datawriter_match / check_local_datareader_match are not Populated

When calling check_local_datawriter_match / check_local_datareader_match, Connext does not set the subscription_data and publication_data parameters. While this issue has no impact on the DDS Security builtin plugins, it could affect a custom plugin relying on those parameters.

[RTI Issue ID SEC-758]

7.4. relay_only parameter in check_remote_datareader is not Populated

When calling check_remote_datareader, Connext does not set the relay_only parameter. While this issue has no impact on the DDS Security builtin plugins, it could affect a custom plugin relying on this parameter.

[RTI Issue ID SEC-852]

7.5. ‘Allow Rule’ Patterns Incorrectly do not Allow Subset Patterns in QoS

In the Permissions Document, an <allow_rule> that has a pattern partition other than * (e.g., P*) incorrectly does not allow creation of an entity whose PartitionQosPolicy contains a regular expression pattern that is a subset of that <allow_rule> (e.g., P1*). This problem only affects Security Plugins 6.1.0 and above.

The workaround is to change the <allow_rule>’s pattern partition to exactly match the pattern partition in the QoS (e.g., change P* to P1*).

[RTI Issue ID SEC-1242]

7.6. Source and destination overlap in memcpy (called from wc_AesGcmInit) when using the Security Plugins for wolfSSL

Valgrind 3.15.0 (and lower versions) may detect an overlap in the source and destination memory when calling memcpy from wc_AesGcmInit. This is an issue in wolfSSL 5.5.1, not in the Security Plugins. The overlap happens if wolfSSL is compiled with --enable-aesgcm-stream. For more information, read wolfSSL’s #6413 GitHub issue. This issue doesn’t affect the behavior of the Security Plugins for wolfSSL.

[RTI Issue ID SEC-2087]