Default ssl.ca.location to probe on OSX

edenhill · edenhill · commit 1a722553638b · 2021-02-24T09:35:46.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,9 @@ librdkafka v1.6.1 is a maintenance release.
  * Admin API and transactional `send_offsets_to_transaction()` coordinator
    requests, such as TxnOffsetCommitRequest, could in rare cases be sent
    multiple times which could cause a crash.
+ * `ssl.ca.location=probe` is now enabled by default on Mac OSX since the
+   librdkafka-bundled OpenSSL might not have the same default CA search paths
+   as the system or brew installed OpenSSL. Probing scans all known locations.
 
 ### Transactional Producer fixes
 
diff --git a/CONFIGURATION.md b/CONFIGURATION.md
@@ -67,7 +67,7 @@ ssl_key                                  |  *  |                 |
 ssl.certificate.location                 |  *  |                 |               | low        | Path to client's public key (PEM) used for authentication. <br>*Type: string*
 ssl.certificate.pem                      |  *  |                 |               | low        | Client's public key string (PEM format) used for authentication. <br>*Type: string*
 ssl_certificate                          |  *  |                 |               | low        | Client's public key as set by rd_kafka_conf_set_ssl_cert() <br>*Type: see dedicated API*
-ssl.ca.location                          |  *  |                 |               | low        | File or directory path to CA certificate(s) for verifying the broker's key. Defaults: On Windows the system's CA certificates are automatically looked up in the Windows Root certificate store. On Mac OSX it is recommended to install openssl using Homebrew, to provide CA certificates. On Linux install the distribution's ca-certificates package. If OpenSSL is statically linked or `ssl.ca.location` is set to `probe` a list of standard paths will be probed and the first one found will be used as the default CA certificate location path. If OpenSSL is dynamically linked the OpenSSL library's default path will be used (see `OPENSSLDIR` in `openssl version -a`). <br>*Type: string*
+ssl.ca.location                          |  *  |                 |               | low        | File or directory path to CA certificate(s) for verifying the broker's key. Defaults: On Windows the system's CA certificates are automatically looked up in the Windows Root certificate store. On Mac OSX this configuration defaults to `probe`. It is recommended to install openssl using Homebrew, to provide CA certificates. On Linux install the distribution's ca-certificates package. If OpenSSL is statically linked or `ssl.ca.location` is set to `probe` a list of standard paths will be probed and the first one found will be used as the default CA certificate location path. If OpenSSL is dynamically linked the OpenSSL library's default path will be used (see `OPENSSLDIR` in `openssl version -a`). <br>*Type: string*
 ssl_ca                                   |  *  |                 |               | low        | CA certificate as set by rd_kafka_conf_set_ssl_cert() <br>*Type: see dedicated API*
 ssl.ca.certificate.stores                |  *  |                 |          Root | low        | Comma-separated list of Windows Certificate stores to load CA certificates from. Certificates will be loaded in the same order as stores are specified. If no certificates can be loaded from any of the specified stores an error is logged and the OpenSSL library's default CA location is used instead. Store names are typically one or more of: MY, Root, Trust, CA. <br>*Type: string*
 ssl.crl.location                         |  *  |                 |               | low        | Path to CRL for verifying broker's certificate validity. <br>*Type: string*
diff --git a/src/rdkafka_conf.c b/src/rdkafka_conf.c
@@ -773,14 +773,18 @@ static const struct rd_kafka_property rd_kafka_properties[] = {
           "Defaults: "
           "On Windows the system's CA certificates are automatically looked "
           "up in the Windows Root certificate store. "
-          "On Mac OSX it is recommended to install openssl using Homebrew, "
+          "On Mac OSX this configuration defaults to `probe`. "
+          "It is recommended to install openssl using Homebrew, "
           "to provide CA certificates. "
           "On Linux install the distribution's ca-certificates package. "
           "If OpenSSL is statically linked or `ssl.ca.location` is set to "
           "`probe` a list of standard paths will be probed and the first one "
           "found will be used as the default CA certificate location path. "
           "If OpenSSL is dynamically linked the OpenSSL library's default "
           "path will be used (see `OPENSSLDIR` in `openssl version -a`).",
+#ifdef __APPLE__
+          .sdef = "probe",
+#endif
           _UNSUPPORTED_SSL
         },
         { _RK_GLOBAL, "ssl_ca", _RK_C_INTERNAL,
