Enable support for adding KeyManager #1811
Hakky54 changed the title from "Enable support for adding KeyManager and/or custom SSLContext" to "Enable support for adding KeyManager" on May 17, 2020
Please check the following ticket on YouTrack for follow-ups to this issue. GitHub issues will be closed in the coming weeks.
Subsystem
Client, CIO module
Is your feature request related to a problem? Please describe.
I am currently configuring the client to communicate over mutual TLS/mutual authentication. The server will require the client to identify itself. To enable this feature, a client needs an SSLContext initialized with a preconfigured KeyManager. With the Apache or OkHttp module this is already possible with ktor, because it accepts a custom SSLContext or SSLSocketFactory, see below:
For Apache HttpClient
For OkHttp
The CIO module accepts a couple of HTTPS parameters, such as the TrustManager and SecureRandom. I am assuming that the CIO module will use these values to create a custom SSLContext. With the current options available in the TLSConfigBuilder, which is being used by the CIOEngineConfig, it is not possible to provide the key material.
Describe the solution you'd like
I would like to have the possibility to also provide a KeyManager within the TLSConfigBuilder. That way the client can identify itself when the server requests a client certificate during the handshake process.
With KeyManager and TrustManager
Motivation to include to ktor
This option will enable the end user to get the same behaviour as other clients like Apache and OkHttp for mutual authentication. I am not quite sure if it is easy to implement or even possible, but it would be a cool feature to have.
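The kind of SSLContext the request describes, one initialized with both a KeyManager and a TrustManager, built here with the standard JSSE API. This is an added example, not code from the original issue or from ktor; the function names, the PKCS#12 file arguments and the `KEYSTORE_PASSWORD` environment variable are assumptions.

```kotlin
import java.io.FileInputStream
import java.security.KeyStore
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Hypothetical helper: load a PKCS#12 store (client identity or trusted CAs) from disk.
fun loadStore(path: String, password: CharArray): KeyStore =
    KeyStore.getInstance("PKCS12").apply {
        FileInputStream(path).use { load(it, password) }
    }

// Build a client-side SSLContext for mutual TLS.
// The KeyManager answers the server's CertificateRequest with the client certificate;
// the TrustManager still validates the server chain, so server authentication is kept.
fun mutualTlsContext(
    identity: KeyStore,
    identityPassword: CharArray,
    trusted: KeyStore
): Pair<SSLContext, X509TrustManager> {
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(identity, identityPassword)

    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trusted)
    val x509 = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()

    val context = SSLContext.getInstance("TLS")
    context.init(kmf.keyManagers, tmf.trustManagers, null) // null = default SecureRandom
    return context to x509
}

fun main(args: Array<String>) {
    if (args.size != 2) {
        println("usage: <client-identity.p12> <truststore.p12>")
        return
    }
    // Assumption: one password for both stores, taken from the environment, not hard-coded.
    val password = (System.getenv("KEYSTORE_PASSWORD") ?: error("KEYSTORE_PASSWORD not set")).toCharArray()
    try {
        val (context, trustManager) =
            mutualTlsContext(loadStore(args[0], password), password, loadStore(args[1], password))
        // 'context' is what an engine accepting a custom SSLContext receives;
        // 'context.socketFactory' plus 'trustManager' is the SSLSocketFactory form.
        println("${context.protocol} context ready, ${trustManager.acceptedIssuers.size} trusted issuers")
    } finally {
        password.fill('\u0000') // clear the password from memory after use
    }
}
```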