Don't overwrite ssl.ca.location on OSX (#3566)

confluentinc · Oct 1, 2021 · 4ff3feb · 4ff3feb
1 parent 36406ba
commit 4ff3feb
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,9 @@ librdkafka v1.8.2 is a maintenance release.
  * Prebuilt binaries for Mac OSX now contain statically linked OpenSSL v1.1.1l.
    Previously the OpenSSL version was either v1.1.1 or v1.0.2 depending on
    build type.
+ * It was not possible to configure `ssl.ca.location` on OSX, the property
+   automatically would revert back to `probe` (default value).
+   This regression was introduced in v1.8.0. (#3566)
 
 ## Enhancements
 

diff --git a/src/rdkafka_conf.c b/src/rdkafka_conf.c
@@ -3712,7 +3712,8 @@ const char *rd_kafka_conf_finalize (rd_kafka_type_t cltype,
                 return "`ssl.ca.location` or `ssl.ca.pem`, and memory-based "
                        "set_ssl_cert(CERT_CA) are mutually exclusive.";
 #ifdef __APPLE__
-        else /* Default ssl.ca.location to 'probe' on OSX */
+        else if (!conf->ssl.ca && !conf->ssl.ca_location && !conf->ssl.ca_pem)
+                /* Default ssl.ca.location to 'probe' on OSX */
                 rd_kafka_conf_set(conf, "ssl.ca.location", "probe", NULL, 0);
 #endif
 #endif

diff --git a/tests/0004-conf.c b/tests/0004-conf.c
@@ -607,6 +607,26 @@ int main_0004_conf (int argc, char **argv) {
                 rd_kafka_conf_destroy(conf);
         }
 
+#if WITH_SSL
+        {
+                TEST_SAY("Verifying that ssl.ca.location is not "
+                         "overwritten (#3566)\n");
+
+                conf = rd_kafka_conf_new();
+
+                test_conf_set(conf, "security.protocol", "SSL");
+                test_conf_set(conf, "ssl.ca.location", "/?/does/!/not/exist!");
+
+                rk = rd_kafka_new(RD_KAFKA_PRODUCER, conf,
+                                  errstr, sizeof(errstr));
+                TEST_ASSERT(!rk,
+                            "Expected rd_kafka_new() to fail with "
+                            "invalid ssl.ca.location");
+                TEST_SAY("rd_kafka_new() failed as expected: %s\n",
+                         errstr);
+        }
+#endif
+
 	/* Canonical int values, aliases, s2i-verified strings, doubles */
 	{
 		static const struct {