Skip to content

Add first-class mutual TLS support to AxonServerConnectionFactory#501

Open
abuijze wants to merge 1 commit into
masterfrom
feature/mtls-client-certificates
Open

Add first-class mutual TLS support to AxonServerConnectionFactory#501
abuijze wants to merge 1 commit into
masterfrom
feature/mtls-client-certificates

Conversation

@abuijze

@abuijze abuijze commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Client certificates could previously only be configured by hand-building a shaded-Netty SslContext. This adds file-based convenience methods to the builder:

  • useTransportSecurity(File trustedCertificates) — TLS with a custom CA bundle for verifying the server certificate
  • useMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey) — mTLS with JVM-default server trust
  • useMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey, File trustedCertificates) — mTLS with a custom CA bundle

Contexts are built via GrpcSslContexts for correct ALPN/HTTP2 configuration. All methods are self-contained (one call = complete TLS config, last call wins), consistent with the existing useTransportSecurity semantics. Null or unreadable files fail immediately with a clear exception. Files are PEM, keys PKCS#8, read once at build time.

Testing

MutualTlsConnectionTest verifies end-to-end against a stub PlatformService gRPC server requiring client authentication: connects with a trusted client certificate, fails without one, and trust-only TLS works when client auth isn't required.

Primary use case: connecting through Axon Server Proxy with proxy.tlsClientAuth=REQUIRE (AxonIQ/axon-server-proxy#22).

Client certificates could previously only be configured by hand-building
a shaded-Netty SslContext. This adds convenience methods to the builder:

- useTransportSecurity(File trustedCertificates): TLS with a custom CA
  bundle to verify the server certificate
- useMutualTransportSecurity(File clientCertificateChain,
  File clientPrivateKey[, File trustedCertificates]): mTLS, presenting
  the given client certificate during the handshake, optionally with a
  custom CA bundle (JVM default trust otherwise)

SslContexts are built via GrpcSslContexts to get the correct ALPN/HTTP2
configuration. Verified end-to-end against a stub PlatformService gRPC
server requiring client authentication.
@sonarqubecloud

Copy link
Copy Markdown

@abuijze abuijze requested a review from smcvb July 14, 2026 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant