Warning
This documentation assumes the reader has basic knowledge of TLS concepts since terms like Certificate Authority (CA), Private Key, Rivest–Shamir–Adleman (RSA) cryptosystem, and Diffie-Hellman encryption protocol are not explained in detail.
Fast DDS allows configuring TCP Transports to use TLS (Transport Layer Security). In order to set up TLS, the transport_tcp_transportDescriptor must have its apply_security data member set to true, and its tls_config data member filled with the desired configuration on the TransportDescriptor. The following is an example of configuration of TLS on the TCP server.
| C++ |
/../code/DDSCodeTester.cpp |
| XML |
/../code/XMLTester.xml |
The corresponding configuration on the TCP client is shown in the following example.
| C++ |
/../code/DDSCodeTester.cpp |
| XML |
/../code/XMLTester.xml |
The following table describes the data members that are configurable on TLSConfig.
| Member | Data type | Default | Description |
|---|---|---|---|
password |
string |
empty | Password of the private_key_file or rsa_private_key_file. |
private_key_file |
string |
empty | Path to the private key certificate file. |
rsa_private_key_file |
string |
empty | Path to the private key RSA certificate file. |
cert_chain_file |
string |
empty | Path to the public certificate chain file. |
tmp_dh_file |
string |
empty | Path to the Diffie-Hellman parameters file. |
verify_file |
string |
empty | Path to the CA (Certification- Authority) file. |
verify_mode |
TLSVerifyMode |
empty | Establishes the verification mode mask. See transport_tcp_tls_verifyMode |
options |
TLSOptions |
empty | Establishes the SSL Context options mask. See transport_tcp_tls_options |
verify_paths |
vector<string> |
empty | Paths where the system will look for verification files. |
verify_depth |
int32_t |
empty | Maximum allowed depth for verifying intermediate certificates. |
default_verify_path |
bool |
empty | Look for verification files on the default paths. |
handshake_role |
TLSHandShakeRole |
DEFAULT |
Role that the transport will take on handshaking. See transport_tcp_tls_role |
Note
Fast DDS uses the Boost.Asio library to handle TLS secure connections. These data members are used to build the asio library context, and most of them are mapped directly into this context without further manipulation. You can find more information about the implications of each member on the Boost.Asio context documentation.
The verification mode defines how the peer node will be verified. The following table describes the available verification options. Several verification options can be combined in the same TransportDescriptor using the add_verify_mode member function.
| Value | Description |
|---|---|
VERIFY_NONE |
Perform no verification. |
VERIFY_PEER |
Perform verification of the peer. |
VERIFY_FAIL_IF_NO_PEER_CERT |
Fail verification if the peer has no certificate. Ignored unless VERIFY_PEER is also set. |
VERIFY_CLIENT_ONCE |
Do not request client certificate on renegotiation. Ignored unless VERIFY_PEER is also set. |
Note
For a complete description of the different verification modes, please refer to the OpenSSL documentation.
These options define which TLS features are to be supported. The following table describes the available options. Several options can be combined in the same TransportDescriptor using the add_option member function.
| Value | Description |
|---|---|
DEFAULT_WORKAROUNDS |
Implement various bug workarounds. See Boost.Asio context |
NO_COMPRESSION |
Disable compression. |
NO_SSLV2 |
Disable SSL v2. |
NO_SSLV3 |
Disable SSL v3. |
NO_TLSV1 |
Disable TLS v1. |
NO_TLSV1_1 |
Disable TLS v1.1. |
NO_TLSV1_2 |
Disable TLS v1.2. |
NO_TLSV1_3 |
Disable TLS v1.3. |
SINGLE_DH_USE |
Always create a new key when using Diffie-Hellman parameters. |
The role can take the following values:
| Value | Description |
|---|---|
DEFAULT |
Configured as client if connector, and as server if acceptor |
CLIENT |
Configured as client. |
SERVER |
Configured as server. |