0

We have a generic application which delivers message to different POST endpoints. And we are using CloseableHttpAsyncClient for this purpose. Its been built/initialized as follows,

       private static CloseableHttpAsyncClient get() {
            CloseableHttpAsyncClient lInstance;
            IOReactorConfig ioReactorConfig = IOReactorConfig.custom()
                    .setIoThreadCount(100)
                    .setConnectTimeout(10000)
                    .setSoTimeout(10000).build();

            ConnectingIOReactor ioReactor = null;
            try {
                ioReactor = new DefaultConnectingIOReactor(ioReactorConfig);
            } catch (IOReactorException e) {
                logger_.logIfEnabled(Level.ERROR, e);
            }
            PoolingNHttpClientConnectionManager connManager = new PoolingNHttpClientConnectionManager(ioReactor);
            connManager.setDefaultMaxPerRoute(50);
            connManager.setMaxTotal(5000);
            connManager.closeIdleConnections(10000, TimeUnit.MILLISECONDS);
            baseRequestConfig = RequestConfig.custom().setConnectTimeout(10000)
                    .setConnectionRequestTimeout(10000)
                    .setSocketTimeout(10000).build();
            lInstance = HttpAsyncClients.custom().setDefaultRequestConfig(baseRequestConfig)
                    .setConnectionManager(connManager).build();
            lInstance.start();
            return lInstance;
        }

This is prebuilt and initialized. As an when a new request arrives to our application, based on message, authentication type, a new postRequest is built httpPost = new HttpPost(builder.build());

After setting the required header, payload etc. exiting httpClient is used to send the request. httpClient.execute(httpPost, httpContext, null);

Now, the question is based on the our new requirement to support client certificate based authentication. And since our current approach is to create httpClient in the beginning, the question is how to change the behaviour of httpClient to send client certificate to some endpoints and work as it is for other endpoints which doesn't require certificate to be send?

I know I can introduce SSLContext to CloseableHttpAsyncClient while creating, but at the time of creating I don't have any information that we have any endpoint which requires certificate based authentication. And we can have many endpoints which would be supporting client certificate and that would be known at runtime.

sakura
  • 2,249
  • 2
  • 26
  • 39
  • Whether client authentication is used on a given TLS-was-SSL connection is controlled by the server; JSSE will use (and send) a cert _if the server sends a CertRequest message in the handshake_ and a suitable keymanager entry is available, and otherwise not. – dave_thompson_085 Mar 16 '21 at 07:16
  • @dave_thompson_085 server controls it, this part I understand. but keymanager entry is available with httpclient right? And in my context its HttpAsyncClient. Now can we build HttpAsyncClient with domain information, so that if server with specific domain which request for cert, will be presented However for other domains its not present. – sakura Mar 18 '21 at 08:28

0 Answers0