6. Known Issues

Note

For an updated list of critical known issues, see the Critical Issues List on the RTI Customer Portal at https://support.rti.com.

6.1. Segmentation fault when origin authentication is applied to submessages only

Consider the following scenario:

  • The Governance tag <rtps_protection_kind> is set to a value that does not contain WITH_ORIGIN_AUTHENTICATION.

  • A different Governance tag (for example, <metadata_protection_kind>) is set to a value that does contain WITH_ORIGIN_AUTHENTICATION.

  • The cryptography.max_receiver_specific_macs property is set to a value other than AUTO.

In this scenario, you may experience a segmentation fault in the internal function RTI_Security_Cryptography_serializeReceiverSpecificMacs while sending a message. This problem occurs when the number of destinations of the message exceeds the max_receiver_specific_macs value.

This problem only affects version 7.7.0.

[RTI Issue ID SEC-2955]

6.2. Intraparticipant communication fails when origin authentication is applied to messages

If the Governance tag <rtps_protection_kind> is set to a value containing WITH_ORIGIN_AUTHENTICATION and the cryptography.max_receiver_specific_macs property is set to a value other than AUTO, then the DomainParticipant may fail to receive messages that were sent from itself. This problem occurs when the message is sent to itself as well as to other DomainParticipants, and the number of destinations of the message exceeds the max_receiver_specific_macs value. The following error message accompanies the reception failure:

RTI_Security_Cryptography_verifyReceiverSpecificMac:OpenSSL function EVP_DecryptFinal_ex (GMAC) failed with error: (error details not available)

This problem only affects version 7.7.0.

[RTI Issue ID SEC-2952]
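
The configuration preconditions of issues 6.1 and 6.2 can be checked offline against the unsigned Governance XML. The Python script below is an added example, not RTI code; it reports exposure only, because whether the number of destinations exceeds the limit is decided at run time. Assumptions: the function name affected_issues, the constructed sample document, and treating an unset property as AUTO.

```python
import xml.etree.ElementTree as ET

ORIGIN_AUTH = "WITH_ORIGIN_AUTHENTICATION"

# Constructed Governance fragment (unsigned, for illustration only).
SAMPLE_GOVERNANCE = """<dds><domain_access_rules><domain_rule>
  <rtps_protection_kind>SIGN</rtps_protection_kind>
  <topic_access_rules><topic_rule>
    <topic_expression>*</topic_expression>
    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
    <data_protection_kind>ENCRYPT</data_protection_kind>
  </topic_rule></topic_access_rules>
</domain_rule></domain_access_rules></dds>"""


def affected_issues(governance_xml, max_receiver_specific_macs="AUTO"):
    """Return the 7.7.0 issue IDs whose configuration preconditions hold.

    max_receiver_specific_macs is the value of the
    cryptography.max_receiver_specific_macs property. Passing "AUTO" for an
    unset property is an assumption of this example.
    """
    if str(max_receiver_specific_macs).strip().upper() == "AUTO":
        return []  # both issues require a value other than AUTO
    issues = set()
    root = ET.fromstring(governance_xml)
    for rule in root.iter("domain_rule"):
        rtps_auth = other_auth = False
        for elem in rule.iter():
            # Look at every *_protection_kind tag inside this domain rule.
            if not elem.tag.endswith("_protection_kind"):
                continue
            if ORIGIN_AUTH not in (elem.text or "").upper():
                continue
            if elem.tag == "rtps_protection_kind":
                rtps_auth = True
            else:
                other_auth = True
        if rtps_auth:
            issues.add("SEC-2952")  # 6.2: self-sent messages may be rejected
        elif other_auth:
            issues.add("SEC-2955")  # 6.1: possible segfault while sending
    return sorted(issues)


if __name__ == "__main__":
    print(affected_issues(SAMPLE_GOVERNANCE, "4"))
```

Run it against the XML payload of the Governance Document before it is signed, together with the property value the application will use.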

6.3. Using Lightweight Builtin Security Plugins with TypeObject v2 may result in communication issues between Connext applications

Starting with Connext 7.7.0, TypeObject v2 is the default mechanism for type discovery. Because of a known issue, using Lightweight Builtin Security Plugins with only TypeObject v2 may lead to the following communication problems because type information is not correctly propagated:

  • Incomplete endpoint discovery: A DataWriter will fail to match a DataReader (or vice versa), if the DataReader is configured with reader_qos.type_consistency.force_type_validation = TRUE, or if the registered type names do not match.

  • NULL TypeCode: The type_code field of DDS_PublicationBuiltinTopicData and DDS_SubscriptionBuiltinTopicData will be NULL when the remote endpoint’s type is not available locally (for example, in a bridge component).

    Note

    This issue directly affects DynamicData applications that rely on the type_code field to create DataReaders and DataWriters.

  • RTI Infrastructure Services and Tools may not discover endpoints: Connext Infrastructure Services and Tools will fail to discover endpoints unless all required types are explicitly provided through XML.

To mitigate these issues, you can use one of the following workarounds:

  • Use TypeObject v1: Explicitly set type_object_max_serialized_length to a value large enough to accommodate your data type. The default value for this field in Connext 7.7.0 is DDS_LENGTH_AUTO, which disables the propagation of TypeObject v1. If you enable TypeObject v1, even if TypeObject v2 is still enabled, there will not be communication issues because Connext will use TypeObject v1. See TypeLookup Service in the RTI Connext Core Libraries User’s Manual for more information.

  • Upgrade security: Use the Security Plugins (non Lightweight) with Pre-shared keys (PSK) enabled in the interoperability mode.

  • Declare types in XML: Explicitly declare all data types in the XML configuration of the Infrastructure Services and RTI tools.

[RTI Issue ID SEC-2962]

6.4. No Support for ECDSA-ECDH with Static OpenSSL Libraries and Certicom Security Builder

If you are using the Certicom® Security Builder® engine, you cannot use the ecdsa-ecdh shared secret algorithm together with static OpenSSL libraries. If you want to use ecdsa-ecdh with Certicom Security Builder, you must use dynamic OpenSSL libraries. Attempting to use ecdsa-ecdh with static OpenSSL libraries and Certicom Security Builder will cause the following errors during participant discovery:

Authentication_compute_sharedsecret:failed to provide remote DP public key

Authentication_process_handshake:key generation fail

Authentication_get_shared_secret:empty secret

PRESParticipant_authorizeRemoteParticipant:!security function get_shared_secret

6.5. No Support for Writing >65 kB Unfragmented Samples Using Metadata or RTPS Message Protection

The following use case is not supported:

  • metadata_protection_kind = SIGN or ENCRYPT or rtps_protection_kind = SIGN or ENCRYPT

  • message_size_max > 65536. This is possible when using the TCP transport.

  • The user is writing unfragmented samples of size greater than 65 kB but less than message_size_max.

In order to write the large sample, you must set message_size_max to be smaller than the message size, so the sample can be put in fragments smaller than 65 kB.

[RTI Issue ID SEC-768]

6.6. subscription_data and publication_data in check_local_datawriter_match / check_local_datareader_match are not Populated

When calling check_local_datawriter_match / check_local_datareader_match, Connext does not set the subscription_data and publication_data parameters. While this issue has no impact on the DDS Security builtin plugins, it could affect a custom plugin relying on those parameters.

[RTI Issue ID SEC-758]

6.7. relay_only parameter in check_remote_datareader is not Populated

When calling check_remote_datareader, Connext does not set the relay_only parameter. While this issue has no impact on the DDS Security builtin plugins, it could affect a custom plugin relying on this parameter.

[RTI Issue ID SEC-852]

6.8. ‘Allow Rule’ Patterns Incorrectly do not Allow Subset Patterns in QoS

In the Permissions Document, an <allow_rule> that has a pattern partition other than * (e.g., P*) incorrectly does not allow creation of an entity whose PartitionQosPolicy contains a regular expression pattern that is a subset of that <allow_rule> (e.g., P1*). This problem only affects Security Plugins 6.1.0 and above.

The workaround is to change the <allow_rule>’s pattern partition to exactly match the pattern partition in the QoS (e.g., change P* to P1*).

[RTI Issue ID SEC-1242]

6.9. Lightweight Security Plugins do not support Distributed Logging

The Lightweight Builtin Security Plugins do not support logging messages over DDS. Configuring the com.rti.serv.secure.logging.mode_mask property to include the SECURITY_TOPIC value does not have any effect.

The Builtin Secure Logging Topic (DDS:Security:LogTopicV2) is a secure Topic that requires protecting both the data and the metadata of RTPS submessages. However, the Lightweight Builtin Security Plugins only support protection at the RTPS level. A different, unprotected, Topic would be required for logging messages over DDS. The OMG DDS Security 1.2 specification doesn’t describe how the Lightweight Builtin Security Plugins should handle distributed logging. This issue is not a bug in the Lightweight Builtin Security Plugins, but a result of unspecified requirements in the OMG DDS Security 1.2 specification.

[RTI Issue IDs SEC-2770, SEC-2780, and ADMINCONSOLE-1466]