I have a Java application (Spring Boot, WebFlux) that uses a WebClient with a Reactor connector to make an HTTPS request to another server.
This server requires mutual TLS authentication, so I have configured an sslContext on the WebClient and everything works fine.
However, my application needs to go through a proxy to make external calls, but when I configure the WebClient to go through a proxy (tinyproxy, but I tried Squid and got the same result) there is an SSL handshake error.
Here's the WebClient code (it works without the proxy):
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

// A PKCS12 file is binary: read it as bytes, not as a String.
byte[] keystore = Files.readAllBytes(Paths.get("/my-keystore.p12"));
InputStream keystoreInputStream = new ByteArrayInputStream(keystore);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(keystoreInputStream, "keystore-pass".toCharArray());
// Key-entry password; for PKCS12 this is normally the same as the store password.
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "my-pass".toCharArray());
// Netty SslContext carrying the client certificate used for mutual TLS.
SslContext sslContext = SslContextBuilder.forClient()
        .keyManager(keyManagerFactory)
        .build();
WebClient.Builder builder = WebClient.builder()
        .baseUrl("external-service-url")
        .clientConnector(
                new ReactorClientHttpConnector(
                        HttpClient.create()
                                .secure(sslSpec -> sslSpec.sslContext(sslContext))
                                .proxy(
                                        proxySpec -> proxySpec
                                                .type(ProxyProvider.Proxy.HTTP)
                                                .host("my-proxy-host")
                                                .port(3128) // port() takes an int; Integer.parseInt expects a String
                                )
                )
        );
When using -Djavax.net.debug=all there's a lot of output, but I think the interesting part is that without the proxy I have:
javax.net.ssl|WARNING|10 51|reactor-http-epoll-5|2024-06-03 15:07:30.250 CEST|SignatureScheme.java:434|Unsupported signature scheme: dsa_sha384
javax.net.ssl|WARNING|10 51|reactor-http-epoll-5|2024-06-03 15:07:30.250 CEST|SignatureScheme.java:434|Unsupported signature scheme: dsa_sha512
javax.net.ssl|DEBUG|10 51|reactor-http-epoll-5|2024-06-03 15:07:30.250 CEST|SunX509KeyManagerImpl.java:388|matching alias: my-cert
and with the proxy:
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|SignatureScheme.java:434|Unsupported signature scheme: dsa_sha384
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|SignatureScheme.java:434|Unsupported signature scheme: dsa_sha512
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|CertificateRequest.java:821|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|X509Authentication.java:249|No X.509 cert selected for DSA
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|CertificateRequest.java:821|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for DSA
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:821|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:831|No available authentication scheme
If I understand all this correctly, when the proxy is enabled the JVM can't seem to find the certificate to use for authentication, but I have no idea why (or if this is even possible through an HTTP proxy).
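As an added example (not part of the question), a small Python triage script that parses `javax.net.ssl|…` debug lines of the kind quoted above and reports whether the client-authentication phase of the handshake selected a certificate; the two embedded traces are constructed, abridged from the lines in the question.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# javax.net.debug line shape: javax.net.ssl|LEVEL|thread-id|thread-name|timestamp|Source.java:NNN|message
LINE_RE = re.compile(
    r"^javax\.net\.ssl\|[A-Z]+\|[^|]*\|[^|]*\|[^|]*\|(?P<src>\w+)\.java:\d+\|(?P<msg>.*)$"
)

@dataclass
class ClientAuthSummary:
    matched_alias: Optional[str] = None  # alias the KeyManager chose for the CertificateRequest
    key_types_without_cert: List[str] = field(default_factory=list)  # key types the server asked for
    no_scheme_available: bool = False  # client had nothing acceptable to offer

    def verdict(self) -> str:
        if self.matched_alias:
            return f"client certificate sent (alias {self.matched_alias})"
        if self.no_scheme_available:
            return (f"server requested a client certificate for {'/'.join(self.key_types_without_cert)}"
                    " but the KeyManager offered none; mutual TLS will fail")
        return "no CertificateRequest phase found in trace"

def summarise(trace: str) -> ClientAuthSummary:
    s = ClientAuthSummary()
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a javax.net.debug line (or a different logger)
        src, msg = m["src"], m["msg"]
        if src == "SunX509KeyManagerImpl" and msg.startswith("matching alias: "):
            s.matched_alias = msg[len("matching alias: "):]
        elif src == "X509Authentication" and msg.startswith("No X.509 cert selected for "):
            key_type = msg[len("No X.509 cert selected for "):]
            if key_type not in s.key_types_without_cert:
                s.key_types_without_cert.append(key_type)
        elif src == "CertificateRequest" and msg == "No available authentication scheme":
            s.no_scheme_available = True
    return s

# Constructed traces, abridged from the question's direct and via-proxy handshakes.
DIRECT_TRACE = """\
javax.net.ssl|WARNING|10 51|reactor-http-epoll-5|2024-06-03 15:07:30.250 CEST|SignatureScheme.java:434|Unsupported signature scheme: dsa_sha384
javax.net.ssl|DEBUG|10 51|reactor-http-epoll-5|2024-06-03 15:07:30.250 CEST|SunX509KeyManagerImpl.java:388|matching alias: my-cert
"""
PROXY_TRACE = """\
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.166 CEST|X509Authentication.java:249|No X.509 cert selected for DSA
javax.net.ssl|ALL|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|10 01|reactor-http-epoll-5|2024-06-03 15:05:32.167 CEST|CertificateRequest.java:831|No available authentication scheme
"""
```

Running `summarise(...).verdict()` on the two traces distinguishes a handshake where the KeyManager matched `my-cert` from one where the server asked for RSA/DSA/EC and the client offered nothing.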