I have a Zuul proxy acting as an edge server and my microservices are non-JVM applications, and I don't use Ribbon or Eureka. These microservices are accessible over HTTPS only and require client certs to communicate with them. Does Zuul support mutual auth with certs for downstream? If so, how do I set it up on my Zuul server?
Viewed 2,940 times
1 Answer
5
If you're using Spring Cloud Zuul, you can provide your own HTTP client by defining a CloseableHttpClient bean like below (supported from the Edgware release).
@Bean
public CloseableHttpClient httpClient() throws Throwable {
    return HttpClients.custom()
            // ... SSL context or SSLSocketFactory setting, e.g. .setSSLContext(sslContext)
            .build();
}
If you provide this type of bean, Zuul will use it when making HTTP requests. Therefore you can define your custom SSL context to support client certificates. You can find many examples of client certificate support in Apache HttpClient, like this or this.

yongsung.yoon
- 5,489
- 28
- 32
-
Thanks @youngsung. I got this partially working. The new HttpClient works if the microservice is over HTTPS, but the client cert is still failing. From the debug logs I see an error "Warning: no suitable certificate found - continuing without client authentication" and hence I think the client certificate is not sent. I tried this [link](https://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake) and I can confirm that my PKCS12 keystore has the complete chain. Any suggestions? – Abhishek Feb 03 '18 at 21:42
-
So I ran some more tests and I see that a stand-alone HttpClient works but the same code within Zuul fails. `*** ServerHelloDone [read] MD5 and SHA1 hashes: len = 4 0000: 0E 00 00 00 .... Warning: no suitable certificate found - continuing without client authentication *** Certificate chain *** *** ECDHClientKeyExchange` – Abhishek Feb 06 '18 at 07:04
-
It turns out I had an older version of Spring Boot; upgrading fixed the issue. – Abhishek Feb 26 '18 at 13:31
-
@yongsung.yoon you saved my life! – Mustafa Oct 18 '18 at 12:45
-
@Abhishek how did you enable the debug logging that you mention above, where it says "Warning: no suitable certificate found - continuing without client authentication"? I'm experiencing what I believe is the same problem (through packet captures and server-side logs), but I'd like to try to reproduce that same error message. – Ubunfu Nov 28 '18 at 18:15
-
@Ubunfu you can use the flag `-Djavax.net.debug=all` when you run the jar, or there is an equivalent system property that you can set in your code. – Abhishek Jan 18 '19 at 06:09
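The answer above only sketches where the SSL settings go. Below is a complete version of that bean as an added example; it is not code from the answer or from Spring Cloud Zuul. It assumes Apache HttpClient 4.4+ (the `org.apache.http.ssl.SSLContexts` builder), a PKCS12 keystore holding the client certificate chain and private key, and a separate PKCS12 truststore holding only the CAs that issued the microservices' server certificates. The `zuul.mtls.*` property names and the `ZuulMutualTlsConfig` class name are made up for this example. The fail-fast check on the keystore addresses the "no suitable certificate found" symptom discussed in the comments: the JSSE key manager silently sends no certificate when the keystore contains no private-key entry, so it is better to refuse to start than to run with one-way TLS.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ZuulMutualTlsConfig {

    // Assumed property names (not part of Spring Cloud Zuul); bind them to your own config.
    @Value("${zuul.mtls.key-store}")            private String keyStorePath;       // PKCS12: client cert chain + private key
    @Value("${zuul.mtls.key-store-password}")   private String keyStorePassword;
    @Value("${zuul.mtls.trust-store}")          private String trustStorePath;     // PKCS12: CAs of the downstream servers only
    @Value("${zuul.mtls.trust-store-password}") private String trustStorePassword;

    // Zuul picks up a CloseableHttpClient bean and uses it for all downstream calls.
    @Bean
    public CloseableHttpClient httpClient() throws Exception {
        KeyStore keyStore = loadPkcs12(keyStorePath, keyStorePassword);
        requirePrivateKeyEntry(keyStore);
        KeyStore trustStore = loadPkcs12(trustStorePath, trustStorePassword);

        SSLContext sslContext = SSLContexts.custom()
                // Key material is what makes the handshake present a client certificate.
                // PKCS12 normally uses one password for the store and the key.
                .loadKeyMaterial(keyStore, keyStorePassword.toCharArray())
                // No TrustStrategy: trust exactly the CAs in the truststore, nothing self-signed.
                .loadTrustMaterial(trustStore, null)
                .build();

        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2"},      // pin the protocol; add TLSv1.3 on JVMs that support it
                null,                          // JVM default cipher suites
                new DefaultHostnameVerifier()); // keep hostname verification enabled

        return HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();
    }

    private static KeyStore loadPkcs12(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // A keystore with only certificate entries (no private key) produces exactly the
    // "no suitable certificate found - continuing without client authentication" behaviour:
    // the handshake completes, but as plain server-authenticated TLS. Fail at startup instead.
    private static void requirePrivateKeyEntry(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            if (ks.isKeyEntry(aliases.nextElement())) {
                return;
            }
        }
        throw new IllegalStateException(
                "client keystore contains no private-key entry; mutual TLS would silently degrade");
    }
}
```

To confirm the certificate is actually offered, run the proxy with the `-Djavax.net.debug=all` flag mentioned in the comments (or the narrower `-Djavax.net.debug=ssl:handshake`) and look for a non-empty `*** Certificate chain` section after the server's `CertificateRequest`. If the chain is still empty, the usual remaining cause is that the issuer of the client certificate is not among the CAs the server lists as acceptable in that `CertificateRequest`, which is a server-side trust configuration problem rather than a Zuul one.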