Outdated SSL CA /etc/ssl/cert.pem on macOS is used by default

[trietsch]

On macOS, the default CA certificate file location that librdkafka uses is /etc/ssl/cert.pem. On macOS 11.5, this is outdated and includes the expired "DST Root CA X3" that Let's Encrypt uses. This causes connections with librdkafka to hosts using certificates signed by this CA, to fail. I'm having this issue with the Golang client for Kafka (github.com/confluentinc/confluent-kafka-go v1.7.0).

By default, the directory /etc/ssl is checked by librdkafka, as it seems. I know it's possible to override the ssl.ca.location, however, I think it would be nice that Homebrew OpenSSL certificates should take presedence over /etc/ssl.

What do you think? Is this something that can be fixed in librdkafka?

Reference to my original discussion in Homebrew core: Homebrew/discussions#2444

[trietsch]

I noticed that /etc/ssl/cert.pem occurs before /usr/local/etc/openssl@1.1/cert.pem (Homebrew location for ca certificates), which is probably the reason the probe method for ssl.ca.location ends up using the outdated CA certs located at /etc/ssl/cert.pem. Changing the order would solve this, which makes sense in the case of macOS.