5.2.2. RTI Security Plugins

5.2.2.1. Changes to Building an Application

5.2.2.1.1. OpenSSL 3 upgrade

Release 7.3.1 of the Security Plugins upgrades the version of OpenSSL® from 3.0.12 to 3.5.1. The Security Plugins 7.3.1 bundles have been renamed from 3.0 (e.g., rti_security_plugins-7.3.0-target-openssl-3.0-<architecture>.rtipkg) to 3.5 (e.g., rti_security_plugins-7.3.1-target-openssl-3.5-<architecture>.rtipkg). These bundles are API-compatible with OpenSSL version 3.5.1, not with versions earlier than OpenSSL 3.5.1. Note that Security Plugins 7.3.1 has only been tested by RTI using OpenSSL 3.5.1. If you need Security Plugins 7.3.1 to run against older versions of OpenSSL, please contact support@rti.com.

If you use OpenSSL 3.5.1 to generate an Identity CA certificate, you may get the following error when you attempt to create a DomainParticipant:

X509_verify_cert returned 0 with error 79: invalid CA certificate

You may be using an X.509 v3 Identity CA that does not have basicConstraints = CA:true. Refer to The basicConstraints X.509 v3 extension in the RTI Security Plugins User’s Manual for more details. In the .cnf configuration file, make sure the x509_extensions = v3_ca line is not commented out.

Note

When running openssl ca or openssl x509, OpenSSL version 3.2.0 and above generate X.509 v3 (as opposed to v1) certificates by default.

The certificates used by the shipped examples (i.e., the certificates in the rti_workspace/7.3.1/examples/dds_security/cert directory) have been updated with X.509 v3 certificates.

OpenSSL 3.4.0 and above no longer support the X25519 and X448 key establishment algorithms in the FIPS provider. This change affects you if you are setting authentication.enable_custom_algorithms to TRUE and using the FIPS provider.

5.2.2.1.2. wolfSSL 5 upgrade

Release 7.3.1 of the Security Plugins upgrades the version of wolfSSL® from 5.5.1 to 5.8.2. The Security Plugins bundles have been renamed from 5.5 (e.g., rti_security_plugins-7.3.0-target-wolfssl-5.5-<architecture>.rtipkg) to 5.8 (e.g., rti_security_plugins-7.3.1-target-wolfssl-5.8-<architecture>.rtipkg). These bundles are API-compatible with wolfSSL version 5.8.2, not with versions earlier than wolfSSL version 5.8.2. Note that Security Plugins 7.3.1 has only been tested by RTI using wolfSSL version 5.8.2. If you need Security Plugins 7.3.1 to run against older versions of wolfSSL, please contact support@rti.com.

wolfSSL 5.8.2 requires your X.509 Identity CA certificate (root and intermediates) to have the basicConstraints = CA:true extension. Refer to The basicConstraints X.509 v3 extension in the RTI Security Plugins User’s Manual for more details. If you are migrating from wolfSSL 5.5.1 to 5.8.2, make sure your Identity CA certificates have this extension. In the .cnf configuration file, verify that the x509_extensions = v3_ca line is not commented out.
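The OpenSSL and wolfSSL notes above come down to the same check on the Identity CA certificate. The shell script below is an added example, not part of RTI's release notes or shipped examples: it builds one CA certificate with basicConstraints CA:true and one with CA:false from constructed .cnf files, then inspects the .cnf and the resulting certificates with the openssl CLI (file names and the CN are assumptions).

```shell
# Added example, not from the RTI release notes. Generates one Identity CA
# certificate with basicConstraints CA:true and one without, then checks each
# the way the OpenSSL 3.5.1 / wolfSSL 5.8.2 plugin builds will: a CA lacking
# CA:TRUE is rejected with error 79 (invalid CA certificate) at
# DomainParticipant creation. Subjects and paths are constructed.
set -e
WORK=$(mktemp -d)

# Returns 0 when the .cnf has an uncommented "x509_extensions = v3_ca" line
# (a leading '#' does not match the anchored pattern).
cnf_enables_v3_ca() {
    grep -Eq '^[[:space:]]*x509_extensions[[:space:]]*=[[:space:]]*v3_ca' "$1"
}

# Returns 0 when a PEM certificate carries basicConstraints CA:TRUE.
is_identity_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Self-signed CA from a generated config: $1 = cnf path, $2 = value for
# basicConstraints (CA:true or CA:false), $3 = output certificate path.
make_ca() {
    cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
CN = Example Identity CA
[ v3_ca ]
basicConstraints = critical, $2
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1" \
        -keyout "${3%.pem}.key" -out "$3" 2>/dev/null
}

make_ca "$WORK/good.cnf" "CA:true"  "$WORK/good_ca.pem"   # accepted CA
make_ca "$WORK/bad.cnf"  "CA:false" "$WORK/bad_ca.pem"    # triggers error 79

cnf_enables_v3_ca "$WORK/good.cnf" && echo "good.cnf: x509_extensions = v3_ca is active"
is_identity_ca_cert "$WORK/good_ca.pem" && echo "good_ca.pem: CA:TRUE present"
is_identity_ca_cert "$WORK/bad_ca.pem" || echo "bad_ca.pem: CA:TRUE missing, plugins would reject it"
```

Run the two checks against your real Identity CA chain (root and every intermediate) before upgrading; each certificate in the chain must pass is_identity_ca_cert.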

5.2.2.1.3. New API to get Lightweight Builtin Security Plugins library version

In 7.3.0 and previous releases, you could get the version of both the Builtin Security Plugins library and the Lightweight Builtin Security Plugins library by calling the RTI_Security_get_library_version API. This approach led to potential problems when linking against both libraries of the Security Plugins.

Starting in release 7.3.1, you must use the RTI_Security_get_library_version API to get the version of the Builtin Security Plugins library and the new RTI_SecurityLightweight_get_library_version API to get the version of the Lightweight Builtin Security Plugins library.

5.2.2.2. Configuration Changes

5.2.2.2.1. Changes to Additional Authenticated Data (AAD) configurability

This release of the Security Plugins changes the cryptography.enable_additional_authenticated_data property type to an enum and adds the AUTO value, which is also the new default. Using AUTO, the Builtin Security Plugins will auto-enable Additional Authenticated Data for messages protected with a pre-shared key and for messages containing an RTPS Header Extension submessage. We are also removing the Builtin Security Plugins support for 0, 1, yes, and no values of this property. If you use any of these values, please move to a value from the set of AUTO, TRUE and FALSE. Beyond the values, related functionality changes should be transparent to the user and no interoperability breaks are expected.

Note that from this release Additional Authenticated Data is the only RTPS protection method available in the Lightweight Builtin Security Plugins; other methods are not supported. Therefore, cryptography.enable_additional_authenticated_data is not read by the Lightweight Builtin Security Plugins.

See Properties for Configuring Cryptography in the Security Plugins User’s Manual for more information about the property.

5.2.2.3. Security Plugins SDK

If you use the Security Plugins SDK, read the Security Plugins Interface (SPI) Notes section of its documentation. This documentation lists the changes introduced in each release to the interface between the Core Libraries and the Security Plugins.