  1. HttpComponents HttpClient
  2. HTTPCLIENT-1894

PoolingHttpClientConnectionManager difficulties with client certificate

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 4.5.4
    • Fix Version/s: None
    • Component/s: HttpClient (classic)
    • Labels:
      None
    • Environment:
      Linux x86-64 Oracle JRE

      Description

      We run SOAP calls over HTTPS with a specific client keypair and certificate attached to the communication. We followed the tutorial way to create a CloseableHttpClient with a customized PoolingHttpClientConnectionManager, which has a customized Registry<..> instance with an appropriately custom-constructed SSLSocketFactory instance hooked to our specific client keystore.

      However, things didn't work as expected. HttpClient kept opening new sockets and did not reuse any.

      We created a wrapper class on top of PoolingHttpClientConnectionManager which logged the received call parameters and called the original function.
      Then we saw that ConnectionRequest requestConnection(HttpRoute route, Object state) was called with state = null, and that void releaseConnection(HttpClientConnection managedConn, Object state, long keepalive, TimeUnit tunit) was called with state != null.

      Specifically, at release time the state value was the HTTPS client certificate Subject in text form, while at request time it was null.

      So the pool never found any connections returned to the pool, because the lookup criteria did not match the store keys.

      Now that we have a wrapper class on top of PoolingHttpClientConnectionManager, we could simply force the state to be null both at request and at release time, and session reuse works.

      We did not use HttpClientContext.setUserToken(Object val) before debugging this issue, nor are we using it afterwards; during debugging we observed that requestConnection() had our supplied value as state, and releaseConnection() had null. (The opposite of what it showed without the UserToken parameter.)

      So: Why does releaseConnection() supply a state value with the TLS client keystore certificate subject value when requestConnection() has state=null, and if I supply requestConnection() with a non-null state value, then releaseConnection() has a null state value?

      There are no pool reuse problems with HTTP URLs, only with HTTPS URLs when a client certificate is used.
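
The lookup mismatch described in the report, as an added example that is not part of the original issue and not HttpClient's own code: a simplified pool model showing that a null state at request time never matches a subject stored at release time, while a consistent state restores reuse and still keeps connections for different certificate identities apart. Exact-match lookup on state is an assumption of the model; the class name, route and certificate subjects are constructed, and the record needs Java 16 or later.

```java
import java.util.*;

/** Simplified model of a state-keyed connection pool; not HttpClient's own code. */
public class StateKeyedPoolDemo {
    /** Hypothetical pooled connection: an id plus the state it was released with. */
    record Conn(int id, Object state) {}

    private final Map<String, Deque<Conn>> idle = new HashMap<>();
    private int opened = 0;

    /** Lease: reuse an idle connection only if its state equals the requested state. */
    Conn request(String route, Object state) {
        Deque<Conn> q = idle.computeIfAbsent(route, r -> new ArrayDeque<>());
        for (Conn c : q) {
            if (Objects.equals(c.state(), state)) {
                q.remove(c);
                return c;                    // return at once, the iterator is not used again
            }
        }
        return new Conn(++opened, state);    // no match: open a new socket
    }

    /** Release: store the connection under the state supplied at release time. */
    void release(String route, Conn c, Object state) {
        idle.computeIfAbsent(route, r -> new ArrayDeque<>()).add(new Conn(c.id(), state));
    }

    int opened() { return opened; }

    public static void main(String[] args) {
        String route = "https://soap.example.test:443";   // constructed route
        String subject = "CN=client-a,O=Example";         // constructed certificate subject

        StateKeyedPoolDemo mismatch = new StateKeyedPoolDemo();
        for (int i = 0; i < 3; i++) {
            Conn c = mismatch.request(route, null);        // state == null at request time
            mismatch.release(route, c, subject);           // subject at release time
        }
        System.out.println("null on request, subject on release: opened " + mismatch.opened());

        StateKeyedPoolDemo matched = new StateKeyedPoolDemo();
        for (int i = 0; i < 3; i++) {
            Conn c = matched.request(route, subject);      // same state on both sides
            matched.release(route, c, subject);
        }
        System.out.println("same state on both sides: opened " + matched.opened());
        Conn other = matched.request(route, "CN=client-b,O=Example"); // different identity
        System.out.println("other identity reused client-a's socket: " + (other.id() == 1));
    }
}
```

In the model, forcing the state to null on both sides restores reuse in the same way, but it also removes the check that keeps a connection authenticated with one client certificate from being handed to a caller using another.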

            People

            • Assignee:
              Unassigned
              Reporter:
              oh2mqk Matti Aarnio