ecnabogs
Why does AliasX509ExtendedKeyManager not take client alias into account?

I'm trying to do mTLS with Spring Boot (3.4.3) and so use classes from the package org.springframework.boot.ssl. My client-side KeyStore contains several client certificate keys which I would like to select according to the server I target. I have configured an SslBundle with the appropriate client key alias, but while using the SslContext built from that bundle, it looks like I can't get the expected client key to be used. Instead I get the first client key whose issuer is known by the server side.

Looking at the code in the class AliasKeyManagerFactory.AliasX509ExtendedKeyManager, I am a bit surprised that the given alias member is not taken into account by either of the chooseEngineClientAlias(...) or chooseClientAlias(...) methods. On the server side, I have managed to select the appropriate certificate key thanks to that same alias member, but in this case I have noticed that chooseEngineServerAlias(...) returns that alias value. I wonder why the client and server alias selection methods are not symmetric and whether that is the cause of my issue. The client key alias seems useless actually, right?

Can anyone clarify that point and tell me whether the implementation is correct?

Upvotes: 0

Views: 12

Answers (0)
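Added example, not part of the question and not Spring Boot's own source: when the alias-pinning key manager only overrides the server-side selection methods, the client-side choice falls through to the JDK key manager, which picks the first alias whose certificate chain is acceptable to the issuers the server lists in its CertificateRequest. That matches the behaviour the question describes. The workaround below wraps whatever X509ExtendedKeyManager the bundle hands out and returns the configured alias from chooseClientAlias and chooseEngineClientAlias as well, while delegating everything else unchanged. It assumes the Spring Boot 3.4 accessors SslBundle.getKey().getAlias(), SslBundle.getManagers().getKeyManagers()/getTrustManagers() and SslBundle.getProtocol(); the class name FixedClientAliasKeyManager is invented for this example.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import org.springframework.boot.ssl.SslBundle;

/**
 * Example wrapper (not Spring Boot code): pins the CLIENT alias as well.
 * Server-side selection and all lookups are delegated to the wrapped manager.
 */
public final class FixedClientAliasKeyManager extends X509ExtendedKeyManager {

    private final X509ExtendedKeyManager delegate;
    private final String alias;

    public FixedClientAliasKeyManager(X509ExtendedKeyManager delegate, String alias) {
        // Fail fast: a typo in the alias would otherwise surface as a silent "no client cert" at handshake time.
        if (delegate.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("no private key for alias '" + alias + "'");
        }
        this.delegate = delegate;
        this.alias = alias;
    }

    /**
     * Returns the pinned alias when its key algorithm (RSA, EC, ...) is among the key types
     * the peer accepts, otherwise null, which JSSE treats as "send no client certificate".
     * The issuers the server advertises are deliberately ignored: choosing by issuer is exactly
     * the default behaviour the alias is meant to override.
     */
    private String pinnedAliasFor(String[] keyTypes) {
        PrivateKey key = delegate.getPrivateKey(alias);
        if (key == null) {
            return null;
        }
        if (keyTypes == null) {
            return alias;
        }
        return Arrays.stream(keyTypes).anyMatch(t -> t.equalsIgnoreCase(key.getAlgorithm())) ? alias : null;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return pinnedAliasFor(keyTypes);
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return pinnedAliasFor(keyTypes);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return delegate.chooseEngineServerAlias(keyType, issuers, engine);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Builds a client SSLContext from a bundle, forcing the bundle's key alias on the client side. */
    public static SSLContext clientContext(SslBundle bundle) throws Exception {
        String alias = Objects.requireNonNull(bundle.getKey().getAlias(), "bundle key alias is not configured");
        KeyManager[] kms = bundle.getManagers().getKeyManagers();
        KeyManager[] pinned = new KeyManager[kms.length];
        for (int i = 0; i < kms.length; i++) {
            pinned[i] = (kms[i] instanceof X509ExtendedKeyManager x) ? new FixedClientAliasKeyManager(x, alias) : kms[i];
        }
        SSLContext ctx = SSLContext.getInstance(bundle.getProtocol());
        ctx.init(pinned, bundle.getManagers().getTrustManagers(), null);
        return ctx;
    }
}
```

Use `FixedClientAliasKeyManager.clientContext(bundle)` in place of `bundle.createSslContext()` for the client that needs a specific identity; one bundle (and one such context) per target server gives the per-server selection the question is after. A quick sanity check is to call `chooseClientAlias(new String[] {"RSA"}, null, null)` on the wrapped manager and confirm it returns the configured alias rather than whatever the delegate would have picked.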