apache · eseabrook1 · May 6, 2025 · May 29, 2025 · zeekling · Jun 2, 2025
diff --git a/zookeeper-client/zookeeper-client-c/include/zookeeper.h b/zookeeper-client/zookeeper-client-c/include/zookeeper.h
@@ -537,6 +537,38 @@ ZOOAPI zhandle_t *zookeeper_init(const char *host, watcher_fn fn,
   int recv_timeout, const clientid_t *clientid, void *context, int flags);
 
 #ifdef HAVE_OPENSSL_H
+/**
+ * \brief create a handle to communicate with zookeeper using SSL.
+ *
+ * This method creates a new handle and a zookeeper session that corresponds
+ * to that handle. Session establishment is asynchronous, meaning that the
+ * session should not be considered established until (and unless) an
+ * event of state ZOO_CONNECTED_STATE is received.
+ * \param host comma separated host:port pairs, each corresponding to a zk
+ *   server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002"
+ * \param cert SSL certificate string. Two formats are supported: server CA
+ *   only e.g. "/path/to/server_ca.cer" and server CA with client certificate e.g.
+ *   "/path/to/server_ca.cer,/path/to/client_cert.pem,/path/to/client_cert.key,client_cert_password".
+ * \param fn the global watcher callback function. When notifications are
+ *   triggered this function will be invoked.
+ * \param recv_timeout the timeout for the zookeeper session.
+ * \param clientid the id of a previously established session that this
+ *   client will be reconnecting to. Pass 0 if not reconnecting to a previous
+ *   session. Clients can access the session id of an established, valid,
+ *   connection by calling \ref zoo_client_id. If the session corresponding to
+ *   the specified clientid has expired, or if the clientid is invalid for
+ *   any reason, the returned zhandle_t will be invalid -- the zhandle_t
+ *   state will indicate the reason for failure (typically
+ *   ZOO_EXPIRED_SESSION_STATE).
+ * \param context the handback object that will be associated with this instance
+ *   of zhandle_t. Application can access it (for example, in the watcher
+ *   callback) using \ref zoo_get_context. The object is not used by zookeeper
+ *   internally and can be null.
+ * \param flags reserved for future use. Should be set to zero.
+ * \return a pointer to the opaque zhandle structure. If it fails to create
+ * a new zhandle the function returns NULL and the errno variable
+ * indicates the reason.
+ */
 ZOOAPI zhandle_t *zookeeper_init_ssl(const char *host, const char *cert, watcher_fn fn,
   int recv_timeout, const clientid_t *clientid, void *context, int flags);
 #endif

diff --git a/zookeeper-client/zookeeper-client-c/src/zookeeper.c b/zookeeper-client/zookeeper-client-c/src/zookeeper.c
@@ -2769,27 +2769,30 @@ static int init_ssl_for_socket(zsock_t *fd, zhandle_t *zh, int fail_on_error) {
             errno = EINVAL;
             return ZBADARGUMENTS;
         }
-        /*CLIENT CA FILE (With Certificate Chain)*/
-        if (SSL_CTX_use_certificate_chain_file(*ctx, fd->cert->cert) != 1) {
-            SSL_CTX_free(*ctx);
-            LOG_ERROR(LOGCALLBACK(zh), "Failed to load client certificate chain from %s", fd->cert->cert);
-            errno = EINVAL;
-            return ZBADARGUMENTS;
-        }
-        /*CLIENT PRIVATE KEY*/
-        SSL_CTX_set_default_passwd_cb_userdata(*ctx, fd->cert->passwd);
-        if (SSL_CTX_use_PrivateKey_file(*ctx, fd->cert->key, SSL_FILETYPE_PEM) != 1) {
-            SSL_CTX_free(*ctx);
-            LOG_ERROR(LOGCALLBACK(zh), "Failed to load client private key from %s", fd->cert->key);
-            errno = EINVAL;
-            return ZBADARGUMENTS;
-        }
-        /*CHECK*/
-        if (SSL_CTX_check_private_key(*ctx) != 1) {
-            SSL_CTX_free(*ctx);
-            LOG_ERROR(LOGCALLBACK(zh), "SSL_CTX_check_private_key failed");
-            errno = EINVAL;
-            return ZBADARGUMENTS;
+        if (fd->cert->cert != NULL && fd->cert->passwd != NULL && fd->cert->key != NULL)
+        {
+            /*CLIENT CA FILE (With Certificate Chain)*/
+            if (SSL_CTX_use_certificate_chain_file(*ctx, fd->cert->cert) != 1) {
+                SSL_CTX_free(*ctx);
+                LOG_ERROR(LOGCALLBACK(zh), "Failed to load client certificate chain from %s", fd->cert->cert);
+                errno = EINVAL;
+                return ZBADARGUMENTS;
+            }
+            /*CLIENT PRIVATE KEY*/
+            SSL_CTX_set_default_passwd_cb_userdata(*ctx, fd->cert->passwd);
+            if (SSL_CTX_use_PrivateKey_file(*ctx, fd->cert->key, SSL_FILETYPE_PEM) != 1) {
+                SSL_CTX_free(*ctx);
+                LOG_ERROR(LOGCALLBACK(zh), "Failed to load client private key from %s", fd->cert->key);
+                errno = EINVAL;
+                return ZBADARGUMENTS;
+            }
+            /*CHECK*/
+            if (SSL_CTX_check_private_key(*ctx) != 1) {
+                SSL_CTX_free(*ctx);
+                LOG_ERROR(LOGCALLBACK(zh), "SSL_CTX_check_private_key failed");
+                errno = EINVAL;
+                return ZBADARGUMENTS;
+            }
         }
         /*MULTIPLE HANDSHAKE*/
         SSL_CTX_set_mode(*ctx, SSL_MODE_AUTO_RETRY);