v1.1.0
librdkafka v1.1.0 release
v1.1.0 is a security-focused feature release:
- SASL OAUTHBEARER support (by @rondagostino at StateStreet)
- In-memory SSL certificates (PEM, DER, PKCS#12) support (by @noahdav at Microsoft)
- Pluggable broker SSL certificate verification callback (by @noahdav at Microsoft)
- Use Windows Root/CA SSL Certificate Store (by @noahdav at Microsoft)
- `ssl.endpoint.identification.algorithm=https` (off by default) to validate that the broker hostname matches the certificate. Requires OpenSSL >= 1.0.2.
- Improved GSSAPI/Kerberos ticket refresh
Upgrade considerations
- Windows SSL users will no longer need to specify a CA certificate file/directory (`ssl.ca.location`); librdkafka will load the CA certs by default from the Windows Root Certificate Store.
- SSL peer (broker) certificate verification is now enabled by default (disable with `enable.ssl.certificate.verification=false`). Clients that previously connected to brokers whose certificates do not chain to a CA in the configured trust store will now fail the TLS handshake; fix the trust store (`ssl.ca.location`) rather than turning verification off. Note that this check only validates the certificate chain: hostname verification stays off unless `ssl.endpoint.identification.algorithm=https` is also set.
- `%{broker.name}` is no longer supported in `sasl.kerberos.kinit.cmd` since kinit refresh is no longer executed per broker, but per client instance.
SSL
New configuration properties:
- `ssl.key.pem` - client's private key as a string in PEM format
- `ssl.certificate.pem` - client's public key as a string in PEM format
- `enable.ssl.certificate.verification` - enable (default)/disable OpenSSL's builtin broker certificate verification.
- `ssl.endpoint.identification.algorithm` - set to `https` to verify the broker's hostname against its certificate (disabled by default).
- Add new `rd_kafka_conf_set_ssl_cert()` to pass PKCS#12, DER or PEM certs in (binary) memory form to the configuration object.
- The private key data is now securely cleared from memory after last use.
Enhancements
- configure: Improve library checking
- Added `rd_kafka_conf()` to retrieve the client's configuration object
- Bump `message.timeout.ms` max value from 15 minutes to 24 days (@sarkanyi, workaround for #2015)
Fixes
- SASL GSSAPI/Kerberos: Don't run kinit refresh for each broker, just per client instance.
- SASL GSSAPI/Kerberos: Changed `sasl.kerberos.kinit.cmd` to first attempt ticket refresh, then acquire.
- SASL: Proper locking on broker name acquisition.
- Consumer: `max.poll.interval.ms` now correctly handles blocking poll calls, allowing a longer poll timeout than the max poll interval.
- configure: Fix libzstd static lib detection
- rdkafka_performance: Fix for misleading "All messages delivered!" message (@solar_coder)
- Windows build and CMake fixes (@myd7349)
Checksums
Release asset checksums:
- v1.1.0.zip SHA256 `70279676ed863c984f9e088db124ac84a080e644c38d4d239f9ebd3e3c405e84`
- v1.1.0.tar.gz SHA256 `123b47404c16bcde194b4bd1221c21fdce832ad12912bd8074f88f64b2b86f2b`