This issue was moved to a discussion.

OpenSSL failure when using Ubuntu 18.04 and ROS Galactic [14274] #2615

Closed
kmilo7204 opened this issue Mar 30, 2022 · 1 comment
Labels
triage Issue pending classification

Comments

@kmilo7204

kmilo7204 commented Mar 30, 2022

Is there an already existing issue for this?

  • I have searched the existing issues

Description

Testing ROS2 demo packages with SROS2 in the provided container (see below for more information) fails. After exporting the required environment variables and running the demo packages (in both the C++ and Python implementations), I am receiving the error described in the Current behavior section.

Expected behavior

SROS2 communication between demo examples must work (C++ and Python demo nodes).

After configuration (exporting the environment variables for SROS2) the expected result for demo_talker and demo_listener must be the following:

  • Publisher/Talker
    [INFO] [1648569283.600949234] [minimal_publisher]: Publishing: "Hello World: 1"
    [INFO] [1648569284.101093229] [minimal_publisher]: Publishing: "Hello World: 2"
    [INFO] [1648569284.600692160] [minimal_publisher]: Publishing: "Hello World: 3"
  • Subscriber/Listener
    [INFO] [1648569283.601321219] [minimal_subscriber]: I heard: "Hello World: 1"
    [INFO] [1648569284.101660286] [minimal_subscriber]: I heard: "Hello World: 2"
    [INFO] [1648569284.601298749] [minimal_subscriber]: I heard: "Hello World: 3"

Current behavior

After configuration (exporting the environment variables for SROS2) the obtained result for demo_talker and demo_listener is the following:

  • Publisher/Talker
    [INFO] [1648569283.600949234] [minimal_publisher]: Publishing: "Hello World: 1"
    [INFO] [1648569284.101093229] [minimal_publisher]: Publishing: "Hello World: 2"
    [INFO] [1648569284.600692160] [minimal_publisher]: Publishing: "Hello World: 3"
  • Subscriber/Listener
    [SECURITY_AUTHENTICATION Error] OpenSSL library cannot set peer (/opt/ros/galactic/src/fastrtps/src/cpp/security/authentication/PKIDH.cpp:1084) -> Function on_process_handshake
    [SECURITY_AUTHENTICATION Error] OpenSSL library cannot set peer (/opt/ros/galactic/src/fastrtps/src/cpp/security/authentication/PKIDH.cpp:1084) -> Function on_process_handshake
    [SECURITY_AUTHENTICATION Error] OpenSSL library cannot set peer (/opt/ros/galactic/src/fastrtps/src/cpp/security/authentication/PKIDH.cpp:1084) -> Function on_process_handshake

Steps to reproduce

We have created a Dockerfile with the configuration for replicating this issue. It contains Ubuntu 18.04 as base and ROS Galactic with security enabled.

  • Pull the provided container:
    docker pull doko7204/sros2_issue:ubuntu_bionic_galactic
  • Run the provided container:
    docker run -it doko7204/sros2_issue:ubuntu_bionic_galactic
  • Create the colcon_ws:
    mkdir colcon_ws
  • Create the keystore, keys and certificates for the demo nodes:
    source /opt/ros/galactic/install/setup.bash
    cd ~/colcon_ws
    ros2 security create_keystore demo_keystore
    ros2 security create_enclave demo_keystore /talker_listener/talker
    ros2 security create_enclave demo_keystore /talker_listener/listener
  • Now in two terminals (of the same container) run the following commands:
    export ROS_SECURITY_KEYSTORE=~/colcon_ws/demo_keystore
    export ROS_SECURITY_ENABLE=true
    export ROS_SECURITY_STRATEGY=Enforce
    export RMW_IMPLEMENTATION=rmw_fastrtps_cpp
  • In one terminal launch the talker node (I recommend testing both C++ and Python implementations):
    ros2 run demo_nodes_cpp talker --ros-args --enclave /talker_listener/talker
  • In the other terminal launch the listener node (I recommend testing both C++ and Python implementations):
    ros2 run demo_nodes_py listener --ros-args --enclave /talker_listener/listener

Fast DDS version/commit

Platform/Architecture

Other. Please specify in Additional context section.

Transport layer

UDPv4

Additional context

Ubuntu 18.04
ROS Galactic
Fast DDS as a RMW

@kmilo7204 kmilo7204 added the triage Issue pending classification label Mar 30, 2022
@JLBuenoLopez JLBuenoLopez changed the title from "OpenSSL failure when using Ubuntu 18.04 and ROS Galactic" to "OpenSSL failure when using Ubuntu 18.04 and ROS Galactic [14274]" Mar 31, 2022
@EduPonz

EduPonz commented Mar 31, 2022

Hi @kmilo7204 ,

First of all, thanks for your report! I have been able to reproduce your issue using your container and I have some comments.

SROS2 communication between demo examples must work (C++ and Python demo nodes)

I do not know whether you are aware of this, but ROS 2 Galactic does not offer official support for Ubuntu 18.04 (see Galactic platform support), nor does Fast DDS v2.3.4 (see v2.3.4 support), which means that it would be great if it works, but unfortunately it is not required.

That being said, I have been able to run the Fast DDS v2.3.4 Security example without any trouble on an Ubuntu 18.04 Docker image. To build Fast DDS, I have followed the installation instructions, making sure to use the v2.3.4 fastrtps.repos file instead of the master one. I'm attaching all the instructions:

In a terminal, run an Ubuntu 18.04 Docker container:

docker run -it --rm ubuntu:18.04

Within the container, build Fast DDS with:

# Install build dependencies
apt update
apt install -y \
    cmake \
    g++ \
    python3-pip \
    wget \
    git \
    libasio-dev \
    libtinyxml2-dev \
    libssl-dev
pip3 install -U \
    colcon-common-extensions \
    vcstool

# Setup workspace
mkdir ~/Fast-DDS
cd ~/Fast-DDS
wget https://raw.githubusercontent.com/eProsima/Fast-DDS/v2.3.4/fastrtps.repos
mkdir src
vcs import src < fastrtps.repos
colcon build \
    --event-handlers=console_direct+ \
    --cmake-args \
        -DSECURITY=ON \
        -DCOMPILE_EXAMPLES=ON \
        -DINSTALL_EXAMPLES=ON

To run the example, within the Docker container, run:

cd ~/Fast-DDS/
source install/setup.bash
cd install/fastrtps/examples/C++/DDS/SecureHelloWorldExample/bin/
./DDSSecureHelloWorldExample subscriber

In a separate terminal, within the same container, run:

cd ~/Fast-DDS/
source install/setup.bash
cd install/fastrtps/examples/C++/DDS/SecureHelloWorldExample/bin/
./DDSSecureHelloWorldExample publisher

To this, I'd also add that the ROS 2 security demo does work on Ubuntu 20.04.

I have checked your Docker image by inspecting the layers and one thing caught my eye, and that is the fact that you are building OpenSSL instead of using the one installed via apt install libssl-dev. Is there a reason for that? I have checked the OpenSSL version with openssl version -a, and the version installed in Ubuntu 18.04 is:

OpenSSL 1.1.1  11 Sep 2018
built on: Wed Mar  9 12:13:40 2022 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-vxXVMf/openssl-1.1.1=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

which sadly does not tell us about the letter release (seems they added that later). In any case, we have had trouble in the past with upgrading OpenSSL letter releases, so I'd not recommend it. If you are constrained to Ubuntu 18.04, then I'd stick with the OpenSSL they provide.

I'm going to move this to the appropriate forum, as Fast DDS v2.3.4 does not officially support Ubuntu 18.04, and we can continue the discussion there.

@eProsima eProsima locked and limited conversation to collaborators Mar 31, 2022
@EduPonz EduPonz converted this issue into discussion #2616 Mar 31, 2022
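
The reply above asks whether the image uses a locally built OpenSSL instead of the one from apt. One way to check which installation a binary actually loads is to classify the libssl/libcrypto lines of its `ldd` output; this is an added example, not code from the thread or from Fast DDS, and the library directories and sample `ldd` lines are constructed assumptions for Ubuntu amd64.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the OpenSSL libraries a
# binary loads come from the distro packages, a local build, or a mix of both.

# Assumption: Ubuntu amd64 multiarch library directories.
DISTRO_LIB_DIRS="/usr/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu"

# Reads `ldd` output on stdin and prints one verdict:
#   missing - a libssl/libcrypto dependency is "not found"
#   mixed   - some come from the distro dirs, some from elsewhere
#   custom  - all come from outside the distro dirs (e.g. a source build)
#   distro  - all come from the distro dirs
#   none    - the binary links neither libssl nor libcrypto
classify_openssl() {
    awk -v dirs="$DISTRO_LIB_DIRS" '
        BEGIN { n = split(dirs, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (substr($3, 1, 1) != "/") { missing++; next }
            dir = $3
            sub("/[^/]*$", "", dir)          # strip the file name
            if (dir in ok) distro++; else custom++
        }
        END {
            if (missing)               print "missing"
            else if (distro && custom) print "mixed"
            else if (custom)           print "custom"
            else if (distro)           print "distro"
            else                       print "none"
        }'
}

# Constructed sample: both libraries from the Ubuntu packages.
SAMPLE_DISTRO='  libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)
  libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)'

# Constructed sample: libssl from a local build, libcrypto from the distro.
SAMPLE_MIXED='  libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f0000000000)
  libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)'

if [ "$#" -gt 0 ]; then
    # Usage: pass the binaries or shared objects to inspect as arguments.
    for f in "$@"; do printf '%s: ' "$f"; ldd "$f" | classify_openssl; done
else
    printf 'distro sample: %s\n' "$(printf '%s\n' "$SAMPLE_DISTRO" | classify_openssl)"
    printf 'mixed sample:  %s\n' "$(printf '%s\n' "$SAMPLE_MIXED" | classify_openssl)"
fi
```

A "mixed" or "custom" verdict on the Fast DDS library or the node binary means the process is not using only the OpenSSL that Ubuntu ships, which is the situation the reply recommends avoiding.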
