The Apache Kafka C/C++ client library
RdKafka::SslCertificateVerifyCb Class Referenceabstract

SSL broker certificate verification class. More...

#include <rdkafkacpp.h>

Public Member Functions

virtual bool ssl_cert_verify_cb (const std::string &broker_name, int32_t broker_id, int *x509_error, int depth, const char *buf, size_t size, std::string &errstr)=0
 SSL broker certificate verification callback. More...

Detailed Description

SSL broker certificate verification class.

Class instance must outlive the RdKafka client instance.

Member Function Documentation

◆ ssl_cert_verify_cb()

virtual bool RdKafka::SslCertificateVerifyCb::ssl_cert_verify_cb ( const std::string &  broker_name,
int32_t  broker_id,
int *  x509_error,
int  depth,
const char *  buf,
size_t  size,
std::string &  errstr 
pure virtual

SSL broker certificate verification callback.

The verification callback is triggered from internal librdkafka threads upon connecting to a broker. On each connection attempt the callback will be called for each certificate in the broker's certificate chain, starting at the root certification, as long as the application callback returns 1 (valid certificate).

broker_name and broker_id correspond to the broker the connection is being made to. The x509_error argument indicates if OpenSSL's verification of the certificate succeed (0) or failed (an OpenSSL error code). The application may set the SSL context error code by returning 0 from the verify callback and providing a non-zero SSL context error code in x509_error. If the verify callback sets x509_error to 0, returns 1, and the original x509_error was non-zero, the error on the SSL context will be cleared. x509_error is always a valid pointer to an int.

depth is the depth of the current certificate in the chain, starting at the root certificate.

The certificate itself is passed in binary DER format in buf of size size.

The callback must 1 if verification succeeds, or 0 if verification fails and write a human-readable error message to errstr.

This callback will be called from internal librdkafka threads.
See <openssl/x509_vfy.h> in the OpenSSL source distribution for a list of x509_error codes.

The documentation for this class was generated from the following file: