Sending client certificates on custom ClosableHttpClient for zuul

你。 Submitted on 2021-01-29 14:25:53

Question


I'm trying to send an X.509 client certificate with outgoing requests for the Zuul forward proxy. The certificate is included in the keystore, which I'm loading with loadKeyMaterial() on the SSLContext.

Here's the code:

    import java.io.File;
    import java.net.Socket;
    import java.util.Map;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.ssl.PrivateKeyDetails;
    import org.apache.http.ssl.PrivateKeyStrategy;
    import org.apache.http.ssl.SSLContexts;

    // keyStorePath (String), keyStorePass (char[]) and alias (String) are
    // fields of the enclosing @Configuration class, filled from application config.
    @Bean
    public CloseableHttpClient httpClient() throws Throwable {
        SSLContext sslcontext = SSLContexts.custom()
                // client key + certificate chain; the same password is used for store and key
                .loadKeyMaterial(new File(keyStorePath), keyStorePass, keyStorePass, new PrivateKeyStrategy() {
                    @Override
                    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                        // always present the entry stored under this alias
                        return alias;
                    }
                })
                // the same keystore also acts as trust store for the self-signed server cert
                .loadTrustMaterial(new File(keyStorePath), keyStorePass, new TrustSelfSignedStrategy())
                .build();

        // Note: TLS 1.3 defines its own suite names (e.g. TLS_AES_256_GCM_SHA384);
        // a DHE_RSA suite is a TLS 1.2 suite, so this combination leaves no common suite.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslcontext,
                new String[] { "TLSv1.3" },
                new String[] { "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        return HttpClients.custom().setSSLSocketFactory(sslsf)
           .build();
    }

When I make a test request I'm getting "Received fatal alert: handshake_failure", and in the verbose logs I see the message "No X.509 certificate for client authentication, use empty Certificate message instead". How can I make the httpClient send the certificate as an X.509 client certificate?


Answer 1:


I had encountered a similar problem; in my case it was a two-part solution.

  1. Import the certificate correctly.

I had incorrectly created the keystore:

    keytool -importcert -keystore keystore.jks -alias client-cert -file client-cert.pem  -storepass password

What helped me was:

    openssl pkcs12 -export -chain -in client-cert.pem  -inkey client-key.pem  -out keystore.p12 -name client-cert -CAfile ca-cert.pem
    keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -alias client-cert

I found this here: https://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore

  2. Problem with spring-cloud-starter-zuul 1.1.5.RELEASE. Zuul did not use my custom CloseableHttpClient; this issue was solved in https://github.com/spring-cloud/spring-cloud-netflix/issues/2026 and after upgrading to 1.4.2.RELEASE this problem was fixed.
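To confirm that step 1 actually produced a usable client key entry, here is an added Java check (not code from the question, the answer or the Zuul project) that loads the keystore and verifies the alias is a private-key entry with an X.509 chain, rather than the certificate-only entry that keytool -importcert creates. Keystore path, type, alias and password are taken from the command line (an assumption of this example).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class ClientKeyStoreCheck {

    /** True if alias holds a private key with an X.509 chain the TLS client can present. */
    static boolean hasClientKey(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.containsAlias(alias)) {
            System.out.println(alias + ": not present in keystore");
            return false;
        }
        if (!ks.isKeyEntry(alias)) {
            // trustedCertEntry (what keytool -importcert produces): no private key,
            // so the handshake sends an empty Certificate message
            System.out.println(alias + ": certificate-only entry, no private key");
            return false;
        }
        Key key = ks.getKey(alias, keyPass);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (!(key instanceof PrivateKey) || chain == null || chain.length == 0
                || !(chain[0] instanceof X509Certificate)) {
            System.out.println(alias + ": key entry without an X.509 chain");
            return false;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity(); // throws if expired or not yet valid
        if (!leaf.getPublicKey().getAlgorithm().equals(key.getAlgorithm())) {
            System.out.println(alias + ": private key and certificate algorithms differ");
            return false;
        }
        System.out.println(alias + ": OK, subject=" + leaf.getSubjectX500Principal()
                + ", chain length=" + chain.length);
        return true;
    }

    // usage (assumed): java ClientKeyStoreCheck keystore.jks JKS client-cert password
    public static void main(String[] args) throws Exception {
        char[] pass = args[3].toCharArray(); // store and key password, as in the question
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        System.exit(hasClientKey(ks, args[2], pass) ? 0 : 1);
    }
}
```

Run it against keystore.p12 with type PKCS12 as well as against the final keystore.jks; a non-zero exit on the JKS but not the PKCS12 points at the importkeystore step rather than the openssl export.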


Source: https://stackoverflow.com/questions/59894129/sending-client-certificates-on-custom-closablehttpclient-for-zuul
