I'm trying to set up mutual SSL authentication in a Java application. The server side (WebSphere Liberty) is configured properly (tested with openssl), but the Java client application fails with 'java.io.EOFException: SSL peer shut down incorrectly'.
After some investigation I found that X509KeyManager doesn't choose any client certificate to send back to the server. Despite the fact that the server sends a list of 3 issuers from the server's truststore (including the one related to the client's private key), the key manager's chooseClientAlias(...) always returns null. However, if I create a custom key manager and return a proper alias from chooseClientAlias(...), then the handshake completes successfully.
Why is the key manager not choosing an alias? Which rules are used for this?
Here is the server's truststore:
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 3 entries
bssuat, Apr 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 2F:EA:2C:86:95:DF:08:CC:F1:84:39:94:1C:BF:7D:33:1B:77:49:AE
*.somecloud.com, Aug 17, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): D5:99:95:84:0A:87:0C:AC:4E:4B:38:4E:5C:A2:43:11:EF:59:F7:E6
stag.somecloud.com, Aug 17, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 11:5C:40:40:98:AA:87:80:5B:87:17:A7:38:B7:BB:DC:32:38:45:6D
Client's key store:
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 1 entry
stag.somecloud.com, 22-Aug-2017, keyEntry,
Certificate fingerprint (SHA1): 11:5C:40:40:98:AA:87:80:5B:87:17:A7:38:B7:BB:DC:32:38:45:6D
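A diagnostic you can run offline against the two keystores listed above to see what the JSSE key manager actually does with them. This is an added example, not code from the question; it assumes the keystore paths and passwords are passed as arguments, and that the server's CertificateRequest carries the subject DNs of the certificates in its truststore (which is what it is built from).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class ClientAliasCheck {
    // Usage (assumed layout): java ClientAliasCheck client.jks clientpw server-trust.jks trustpw
    public static void main(String[] args) throws Exception {
        KeyStore clientKs = load(args[0], args[1].toCharArray());
        KeyStore serverTs = load(args[2], args[3].toCharArray());

        // Build the same X509KeyManager the SSLContext would use during the handshake
        // (SunX509 on Oracle/OpenJDK, IbmX509 on the IBM JDK).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, args[1].toCharArray());
        X509KeyManager km = null;
        for (KeyManager k : kmf.getKeyManagers()) if (k instanceof X509KeyManager) km = (X509KeyManager) k;

        // Reconstruct the issuer list the server sends: subject DNs of its trust anchors.
        List<Principal> issuers = new ArrayList<>();
        for (String a : Collections.list(serverTs.aliases())) {
            Certificate c = serverTs.getCertificate(a);
            if (c instanceof X509Certificate) issuers.add(((X509Certificate) c).getSubjectX500Principal());
        }
        Principal[] issuerArr = issuers.toArray(new Principal[0]);

        // Selection step 1: key type. A null issuer list disables the issuer filter,
        // so comparing the two calls shows which filter is rejecting the entry.
        for (String keyType : new String[] {"RSA", "EC", "DSA"}) {
            System.out.println(keyType + " aliases, issuers ignored: "
                    + Arrays.toString(km.getClientAliases(keyType, null)));
            System.out.println(keyType + " chosen with server's issuer list: "
                    + km.chooseClientAlias(new String[] {keyType}, issuerArr, null));
        }

        // Selection step 2: the issuer DN of some certificate in the entry's chain must
        // equal one of the DNs the server sent (exact X500Principal comparison).
        for (String a : Collections.list(clientKs.aliases())) {
            if (!clientKs.isKeyEntry(a)) continue;
            for (Certificate c : clientKs.getCertificateChain(a)) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("%s: keyAlg=%s issuer=%s inServerList=%b notAfter=%s%n", a,
                        x.getPublicKey().getAlgorithm(), x.getIssuerX500Principal(),
                        issuers.contains(x.getIssuerX500Principal()), x.getNotAfter());
            }
        }
    }

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }
}
```

If the first call lists the alias but chooseClientAlias returns null, the issuer DN comparison is what fails; if even the issuer-free call is empty, the key type (or, with the newer X509KeyManagerImpl, validity period or key usage) is what rejects the entry.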