Add first-class mutual TLS support to AxonServerConnectionFactory#501
Open
abuijze wants to merge 1 commit into
Open
Add first-class mutual TLS support to AxonServerConnectionFactory#501abuijze wants to merge 1 commit into
abuijze wants to merge 1 commit into
Conversation
Client certificates could previously only be configured by hand-building a shaded-Netty SslContext. This adds convenience methods to the builder: - useTransportSecurity(File trustedCertificates): TLS with a custom CA bundle to verify the server certificate - useMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey[, File trustedCertificates]): mTLS, presenting the given client certificate during the handshake, optionally with a custom CA bundle (JVM default trust otherwise) SslContexts are built via GrpcSslContexts to get the correct ALPN/HTTP2 configuration. Verified end-to-end against a stub PlatformService gRPC server requiring client authentication.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Client certificates could previously only be configured by hand-building a shaded-Netty
SslContext. This adds file-based convenience methods to the builder:useTransportSecurity(File trustedCertificates)— TLS with a custom CA bundle for verifying the server certificateuseMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey)— mTLS with JVM-default server trustuseMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey, File trustedCertificates)— mTLS with a custom CA bundleContexts are built via
GrpcSslContextsfor correct ALPN/HTTP2 configuration. All methods are self-contained (one call = complete TLS config, last call wins), consistent with the existinguseTransportSecuritysemantics. Null or unreadable files fail immediately with a clear exception. Files are PEM, keys PKCS#8, read once at build time.Testing
MutualTlsConnectionTestverifies end-to-end against a stubPlatformServicegRPC server requiring client authentication: connects with a trusted client certificate, fails without one, and trust-only TLS works when client auth isn't required.Primary use case: connecting through Axon Server Proxy with
proxy.tlsClientAuth=REQUIRE(AxonIQ/axon-server-proxy#22).