
librdkafka v1.1.0 release

v1.1.0 is a security-focused feature release:

  • SASL OAUTHBEARER support (by @rondagostino at StateStreet)
  • In-memory SSL certificates (PEM, DER, PKCS#12) support (by @noahdav at Microsoft)
  • Pluggable broker SSL certificate verification callback (by @noahdav at Microsoft)
  • Use Windows Root/CA SSL Certificate Store (by @noahdav at Microsoft)
  • ssl.endpoint.identification.algorithm=https (off by default) to validate that the broker hostname matches the certificate. Requires OpenSSL >= 1.0.2.
  • Improved GSSAPI/Kerberos ticket refresh

Upgrade considerations

  • Windows SSL users no longer need to specify a CA certificate file/directory (ssl.ca.location); librdkafka loads the CA certs by default from the Windows Root Certificate Store.
  • SSL peer (broker) certificate verification is now enabled by default (disable with enable.ssl.certificate.verification=false)

SSL

New configuration properties:

  • ssl.key.pem - client's private key as a string in PEM format
  • ssl.certificate.pem - client's public key as a string in PEM format
  • enable.ssl.certificate.verification - enable(default)/disable OpenSSL's builtin broker certificate verification.
  • ssl.endpoint.identification.algorithm - to verify the broker's hostname with its certificate (disabled by default).
  • Add new rd_kafka_conf_set_ssl_cert() to pass PKCS#12, DER or PEM certs in (binary) memory form to the configuration object.
  • The private key data is now securely cleared from memory after last use.
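
The following is an added example, not part of the release notes or the librdkafka code base: a small auditor that applies the v1.1.0 defaults described above to a client configuration and reports settings that leave the broker certificate or hostname unchecked. The sample configuration is constructed, and the `security.protocol` values, the `none` default name and the plain `true`/`false` boolean spelling are assumptions about how the configuration is written.

```python
# Defaults stated in the v1.1.0 notes: chain verification on, hostname check off.
V110_DEFAULTS = {
    "enable.ssl.certificate.verification": "true",
    "ssl.endpoint.identification.algorithm": "none",  # assumed name of "off"
}

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONFIG = """\
# client.properties
bootstrap.servers=broker1.example.internal:9093
security.protocol=ssl
enable.ssl.certificate.verification=false
ssl.ca.location=/etc/kafka/ca.pem
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_tls(conf):
    """Return (property, finding) tuples for weak TLS settings."""
    proto = conf.get("security.protocol", "plaintext").lower()
    if proto not in ("ssl", "sasl_ssl"):
        return [("security.protocol", "TLS not in use: " + proto)]
    effective = {**V110_DEFAULTS, **conf}  # explicit settings override defaults
    findings = []
    if effective["enable.ssl.certificate.verification"].lower() == "false":
        findings.append(("enable.ssl.certificate.verification",
                         "broker certificate chain is not verified"))
    if effective["ssl.endpoint.identification.algorithm"].lower() != "https":
        findings.append(("ssl.endpoint.identification.algorithm",
                         "broker hostname is not checked against the certificate"))
    return findings


if __name__ == "__main__":
    for prop, finding in audit_tls(parse_properties(SAMPLE_CONFIG)):
        print(prop + ": " + finding)
```

A configuration that relies only on the v1.1.0 defaults still produces the hostname finding, because endpoint identification stays off until `ssl.endpoint.identification.algorithm=https` is set.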

Enhancements

  • configure: Improve library checking
  • Added rd_kafka_conf() to retrieve the client's configuration object
  • Bump message.timeout.ms max value from 15 minutes to 24 days (@sarkanyi, workaround for #2015)

Fixes

  • SASL GSSAPI/Kerberos: Don't run kinit refresh for each broker, just per client instance.
  • SASL GSSAPI/Kerberos: Changed sasl.kerberos.kinit.cmd to first attempt ticket refresh, then acquire.
  • SASL: Proper locking on broker name acquisition.
  • Consumer: max.poll.interval.ms now correctly handles blocking poll calls, allowing a longer poll timeout than the max poll interval.
  • configure: Fix libzstd static lib detection
  • rdkafka_performance: Fix for Misleading "All messages delivered!" message (@solar_coder)
  • Windows build and CMake fixes (@myd7349)

@edenhill edenhill released this May 28, 2019 · 158 commits to master since this release

librdkafka v1.0.1 release

v1.0.1 is a maintenance release with the following fixes:

  • Fix consumer stall when broker connection goes down (issue #2266 introduced in v1.0.0)
  • Fix AdminAPI memory leak when broker does not support request (@souradeep100, #2314)
  • Update/fix protocol error response codes (@benesch)
  • Treat ECONNRESET as standard Disconnects (#2291)
May 27, 2019
AppVeyor: we still need CoApp to create nupkg