6. Known Issues

Note

For an updated list of critical known issues, see the Critical Issues List on the RTI Customer Portal at https://support.rti.com.

6.1. No Support for ECDSA-ECDH with Static OpenSSL Libraries and Certicom Security Builder

If you are using the Certicom® Security Builder® engine, you cannot use the ecdsa-ecdh shared secret algorithm together with static OpenSSL libraries. If you want to use ecdsa-ecdh with Certicom Security Builder, you must use dynamic OpenSSL libraries. Attempting to use ecdsa-ecdh with static OpenSSL libraries and Certicom Security Builder will cause the following errors during participant discovery:

Authentication_compute_sharedsecret:failed to provide remote DP public key

Authentication_process_handshake:key generation fail

Authentication_get_shared_secret:empty secret

PRESParticipant_authorizeRemoteParticipant:!security function get_shared_secret

6.2. No Support for Writing >65kB Unfragmented Samples Using Metadata or RTPS Message Protection

The following use case, in which all of these conditions hold, is not supported:

  • metadata_protection_kind or rtps_protection_kind is set to SIGN or ENCRYPT.

  • message_size_max > 65536. This is possible when using the TCP transport.

  • The user is writing unfragmented samples of size greater than 65 kB but less than message_size_max.

To write the large sample, you must set message_size_max to be smaller than the message size, so that the sample can be put in fragments smaller than 65 kB.

[RTI Issue ID SEC-768]

6.3. subscription_data and publication_data in check_local_datawriter_match / check_local_datareader_match are not Populated

When calling check_local_datawriter_match / check_local_datareader_match, Connext does not set the subscription_data and publication_data parameters. While this issue has no impact on the DDS Security builtin plugins, it could affect a custom plugin relying on those parameters.

[RTI Issue ID SEC-758]

6.4. relay_only parameter in check_remote_datareader is not Populated

When calling check_remote_datareader, Connext does not set the relay_only parameter. While this issue has no impact on the DDS Security builtin plugins, it could affect a custom plugin relying on this parameter.

[RTI Issue ID SEC-852]

6.5. ‘Allow Rule’ Patterns Incorrectly do not Allow Subset Patterns in QoS

In the Permissions Document, an <allow_rule> that has a pattern partition other than * (e.g., P*) incorrectly does not allow creation of an entity whose PartitionQosPolicy contains a regular expression pattern that is a subset of that <allow_rule> (e.g., P1*). This problem only affects Security Plugins 6.1.0 and above.

The workaround is to change the <allow_rule>’s pattern partition to exactly match the pattern partition in the QoS (e.g., change P* to P1*).

[RTI Issue ID SEC-1242]
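
A pre-deployment check for this issue, added here as an example (not RTI code): it reads the partitions in a Permissions Document's <allow_rule> entries and reports QoS pattern partitions that would need the exact-match workaround. The sample document, the function names, and the literal-match heuristic used to guess which <allow_rule> pattern covers a QoS pattern are assumptions of this example; all allow rules in the document are treated together.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed Permissions Document fragment (sample input, not from RTI);
# only the elements this check reads are included.
PERMISSIONS_XML = """
<dds><permissions><grant name="SensorGrant">
  <allow_rule>
    <domains><id>0</id></domains>
    <publish>
      <topics><topic>Telemetry</topic></topics>
      <partitions><partition>P*</partition><partition>Ops</partition></partitions>
    </publish>
  </allow_rule>
  <default>DENY</default>
</grant></permissions></dds>
"""

def is_pattern(partition):
    """True if the partition name contains fnmatch-style wildcard characters."""
    return any(ch in "*?[" for ch in partition)

def allow_rule_partitions(xml_text, action="publish"):
    """Collect every <partition> listed under <allow_rule>/<action>."""
    root = ET.fromstring(xml_text)
    path = f".//allow_rule/{action}/partitions/partition"
    return [p.text.strip() for p in root.findall(path) if p.text]

def audit_qos_partitions(xml_text, qos_partitions, action="publish"):
    """Map each affected QoS pattern to the allow_rule patterns to replace."""
    allowed = allow_rule_partitions(xml_text, action)
    findings = {}
    for part in qos_partitions:
        # Concrete names, exact matches and a bare "*" rule are not affected.
        if not is_pattern(part) or part in allowed or "*" in allowed:
            continue
        # Heuristic (assumption of this example): if the QoS pattern, read as a
        # literal string, matches an allow pattern, treat it as a subset of it.
        covering = [a for a in allowed if is_pattern(a) and fnmatchcase(part, a)]
        if covering:
            findings[part] = covering
    return findings

if __name__ == "__main__":
    for qos, rules in audit_qos_partitions(PERMISSIONS_XML, ["P1*", "Q*"]).items():
        print(f"QoS partition {qos!r}: change allow_rule partition {rules} to {qos!r}")
```

A QoS pattern such as Q* that no <allow_rule> pattern covers is not reported, because its denial is the expected result of the rule rather than this issue.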

6.6. Source and destination overlap in memcpy (called from wc_AesGcmInit) when using the Security Plugins for wolfSSL

Valgrind 3.15.0 (and earlier versions) may detect an overlap between the source and destination memory when memcpy is called from wc_AesGcmInit. This is an issue in wolfSSL 5.5.1, not in the Security Plugins. The overlap happens if wolfSSL is compiled with --enable-aesgcm-stream. For more information, see wolfSSL GitHub issue #6413. This issue doesn’t affect the behavior of the Security Plugins for wolfSSL.

[RTI Issue ID SEC-2087]

6.7. Lightweight Security Plugins do not support Distributed Logging

The Lightweight Builtin Security Plugins do not support logging messages over DDS. Configuring the com.rti.serv.secure.logging.mode_mask property to include the SECURITY_TOPIC value does not have any effect.

The Builtin Secure Logging Topic (DDS:Security:LogTopicV2) is a secure Topic that requires protecting both the data and the metadata of RTPS submessages. However, the Lightweight Builtin Security Plugins only support protection at the RTPS level. A different, unprotected, Topic would be required for logging messages over DDS. The OMG DDS Security 1.2 specification doesn’t describe how the Lightweight Builtin Security Plugins should handle distributed logging. This issue is not a bug in the Lightweight Builtin Security Plugins, but a result of unspecified requirements in the OMG DDS Security 1.2 specification.

[RTI Issue IDs SEC-2770, SEC-2780, and ADMINCONSOLE-1466]