5.2.3. Security Plugins

The following issues affect backward compatibility in Security Plugins when migrating from Release 6.0.0 to Release 6.0.1.

5.2.3.1. OpenSSL upgrade

Release 6.0.1 of Security Plugins uses OpenSSL® 1.1.1d. (Release 5.3.1 used OpenSSL 1.0.2n, and Release 6.0.0 used OpenSSL 1.0.2o.) Security Plugins 6.0.1 is API-compatible with OpenSSL versions 1.1.0a through 1.1.1d, not with versions earlier than OpenSSL 1.1.0a.

Note

OpenSSL 1.0.2 will only be supported until the end of 2019 (https://www.openssl.org/policies/releasestrat.html), so it is recommended that you upgrade the version of OpenSSL that you are using to OpenSSL 1.1.1d for release 6.0.1. For instructions on installing the latest version of OpenSSL, see the RTI Security Plugins Getting Started Guide 6.0.1.

5.2.3.2. Changes to building an application

When building a Windows application, you must now link against libssl and libcrypto instead of ssleay32 and libeay32.

When building a Windows statically-linked application, you must now link against the system library crypt32.lib. See rti_workspace/6.0.1/examples/connext_dds/c++/hello_security/READ_ME.txt for details.

When building a non-Windows statically-linked application, you may see this error:

undefined reference to 'pthread_atfork'

If so, open your makefile and make sure that -lpthread (which is part of $(SYSLIBS) in the makefile generated by RTI Code Generator) appears after -lssl and -lcrypto.

5.2.3.3. Changes to behavior of intermediate certificates

Intermediate certificates are certificates that have signed other certificates but are not self-signed. Security Plugins 6.0.1 requires that intermediate certificates have an X509 v3 extension, which explicitly allows it to sign other certificates. For example, the intermediate certificate’s .cnf file should have

[ v3_ca ]
basicConstraints = CA:true

and the “openssl ca” command to sign the intermediate certificate should have “-extensions”. For example (entered all on one line):

% openssl ca -batch -create_serial -config opensslECdsa.cnf -days 365 -in intermediateCaReqECdsa.pem
-extensions v3_ca -out intermediateCaECdsa.pem

Any intermediate certificates from previous releases must have this extension in order for their DomainParticipants to communicate with 6.0.1 DomainParticipants.

5.2.3.4. Property key_material_key now required for Secure Persistence Service

In previous releases, dds.data_writer.history.key_material_key was an optional string. Starting in 6.0.1, this property is now mandatory when configuring Durable Writer History (including Persistence Service) to store secure data. You may now specify either the file name or the document contents. If specifying the file name, the property value may optionally have the prefix file: (no space after the colon), followed by the fully-qualified path and name of the file. Note that a property value without a prefix is interpreted as a file name. If specifying the contents of the document, the property value must have the prefix data:, (no space after the comma), followed by the contents inside the document. For example: data:,myPassword.

If you need to use the current version of Persistence Service to access a database encrypted with a previous version of Persistence Service that did not specify a value for the property dds.data_writer.history.key_material_key, please contact RTI Support at support@rti.com to get the default non-disclosed key_material_key.