5. Known Issues
Note
For an updated list of critical known issues, see the Critical Issues List on the RTI Customer Portal at https://support.rti.com.
5.1. No Support for ECDSA-ECDH with Static OpenSSL Libraries and Certicom Security Builder
If you are using the Certicom® Security Builder® engine, you cannot use the ecdsa-ecdh shared secret algorithm together with static OpenSSL libraries. If you want to use ecdsa-ecdh with Certicom Security Builder, you must use dynamic OpenSSL libraries. Attempting to use ecdsa-ecdh with static OpenSSL libraries and Certicom Security Builder will cause the following errors during participant discovery:
Authentication_compute_sharedsecret:failed to provide remote DP public key
Authentication_process_handshake:key generation fail
Authentication_get_shared_secret:empty secret
PRESParticipant_authorizeRemoteParticipant:!security function get_shared_secret
5.2. No Support for Writing >65kB Unfragmented Samples Using Metadata or RTPS Message Protection
The following use case is not supported; all three of the following conditions hold:
metadata_protection_kind is SIGN or ENCRYPT, or rtps_protection_kind is SIGN or ENCRYPT, in the Governance Document.
message_size_max is greater than 65536 bytes. This is possible when using the TCP transport.
The user writes unfragmented samples larger than 65 kB but smaller than message_size_max, so Connext sends each sample in a single RTPS message.
To write such a sample, set message_size_max to a value no larger than 65536 bytes (and therefore smaller than the sample), so that Connext splits the sample into fragments that each fit under the 65 kB limit.
[RTI Issue ID SEC-768]
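The workaround expressed as a participant QoS fragment, as an added example that is not part of the RTI release notes. It loads the RTI TCP transport through the participant's property table; the property names follow RTI's dds.transport.TCPv4.<instance>.* naming, but the exact name of the message-size property (parent.message_size_max below) is an assumption and should be checked against the TCP transport documentation for your Connext version. The sizes are illustrative.

```xml
<!-- Added example, not from the RTI release notes or the Security Plugins.
     The "parent.message_size_max" property name is assumed; verify it
     against the RTI TCP transport documentation for your version. -->
<participant_qos>
  <property>
    <value>
      <element>
        <name>dds.transport.load_plugins</name>
        <value>dds.transport.TCPv4.tcp1</value>
      </element>
      <element>
        <name>dds.transport.TCPv4.tcp1.library</name>
        <value>nddstransporttcp</value>
      </element>
      <element>
        <name>dds.transport.TCPv4.tcp1.create_function</name>
        <value>NDDS_Transport_TCPv4_create</value>
      </element>
      <!-- Unsupported setting: with metadata_protection_kind or
           rtps_protection_kind set to SIGN or ENCRYPT, a 1 MiB
           message_size_max lets a 100 kB sample leave as one unfragmented
           RTPS message, which the plugins cannot protect.
      <element>
        <name>dds.transport.TCPv4.tcp1.parent.message_size_max</name>
        <value>1048576</value>
      </element>
      -->
      <!-- Workaround: keep message_size_max at or below 65536 so that any
           larger sample is fragmented into pieces under the 65 kB limit. -->
      <element>
        <name>dds.transport.TCPv4.tcp1.parent.message_size_max</name>
        <value>65536</value>
      </element>
    </value>
  </property>
</participant_qos>
```

If the TCP transport is configured programmatically rather than in XML, the same property names go into the participant's PropertyQosPolicy before the participant is created; the cap must be in place before discovery starts, since message_size_max is negotiated per transport, not per DataWriter.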
5.3. subscription_data and publication_data in check_local_datawriter_match / check_local_datareader_match are not Populated
When calling check_local_datawriter_match / check_local_datareader_match, Connext does not set the subscription_data and publication_data parameters. This has no impact on the DDS Security builtin plugins, but a custom plugin must not rely on these parameters, because they are left unpopulated.
[RTI Issue ID SEC-758]
5.4. relay_only parameter in check_remote_datareader is not Populated
When calling check_remote_datareader, Connext does not set the relay_only parameter. This has no impact on the DDS Security builtin plugins, but a custom plugin must not rely on this parameter, because it is left unpopulated.
[RTI Issue ID SEC-852]
5.5. ‘Allow Rule’ Patterns Incorrectly do not Allow Subset Patterns in QoS
In the Permissions Document, an <allow_rule> whose partition pattern is anything other than * (e.g., P*) incorrectly rejects creation of an entity whose PartitionQosPolicy contains a pattern that matches only a subset of that rule's pattern (e.g., P1*). Literal partition names are not affected; the problem only appears when the QoS partition is itself a pattern. This problem only affects Security Plugins 6.1.0 and above.
The workaround is to change the <allow_rule>'s partition pattern so that it is identical to the pattern in the QoS (e.g., change P* to P1*).
[RTI Issue ID SEC-1242]
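The affected rule and its workaround side by side, as an added example that is not part of the RTI release notes. The first fragment is a grant in the OMG DDS Security Permissions Document format; the second is the RTI publisher QoS whose PartitionQosPolicy that grant has to cover. The grant name, subject name, validity dates, domain id and topic name are illustrative.

```xml
<!-- Added example, not from the RTI release notes or the Security Plugins.
     Permissions Document fragment (OMG DDS Security format); all names and
     dates are illustrative. -->
<grant name="ExamplePublisherGrant">
  <subject_name>CN=ExamplePublisher,O=Example</subject_name>
  <validity>
    <not_before>2024-01-01T00:00:00</not_before>
    <not_after>2034-01-01T00:00:00</not_after>
  </validity>
  <!-- Affected rule (Security Plugins 6.1.0 and above): the QoS partition
       expression "P1*" only matches a subset of "P*", yet a DataWriter
       created with partition "P1*" is rejected.
  <allow_rule>
    <domains><id>0</id></domains>
    <publish>
      <topics><topic>Example*</topic></topics>
      <partitions><partition>P*</partition></partitions>
    </publish>
  </allow_rule>
  -->
  <!-- Workaround: the rule's partition pattern is exactly the expression
       used in the QoS. -->
  <allow_rule>
    <domains><id>0</id></domains>
    <publish>
      <topics><topic>Example*</topic></topics>
      <partitions><partition>P1*</partition></partitions>
    </publish>
  </allow_rule>
  <default>DENY</default>
</grant>

<!-- RTI publisher QoS (XML QoS profile format) governed by the rule above. -->
<publisher_qos>
  <partition>
    <name>
      <element>P1*</element>
    </name>
  </partition>
</publisher_qos>
```

Narrowing the rule from P* to P1* makes it cover exactly that one expression, so a second Publisher under the same grant that uses, say, P2* needs its own <partition> element in the rule's <partitions> list; list each QoS partition expression explicitly rather than widening the rule back to P*, which is the case that fails. A Permissions Document must be re-signed after any such change before the plugins will accept it.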
5.6. Source and destination overlap in memcpy (called from wc_AesGcmInit) when using the Security Plugins for wolfSSL
Valgrind 3.15.0 and earlier versions may report overlapping source and destination memory in memcpy when it is called from wc_AesGcmInit.
This is an issue in wolfSSL 5.5.1, not in the Security Plugins. The overlap happens if wolfSSL is compiled with --enable-aesgcm-stream.
For more information, see wolfSSL GitHub issue #6413. This issue does not affect the behavior of the Security Plugins for wolfSSL.
[RTI Issue ID SEC-2087]