Enable Mutual SSL Authentication

[atgjack]

It seems that the current implentations for SSL request do not support Mutual SSL authentication. Current outgoing requests do not use the javax.net.ssl.keyStore when making requests, which prevents the 2-way ssl handshake from going through.

The Apache ApacheHttpTransport (UPDATE: this should really have been referred to v2 ApacheHttpTransport, although the same question applies to v1. see #904 (comment)) not using getSystemSocketFactory. That version takes into account the javax.net.ssl properties, and would most likely allow for the 2way ssl connection to complete. Is there a reason this is not being used?

[chanseokoh]

At least it's possible to override the SSLSocketFactory to whatever you like on the client side, if it helps at all. Some bad example (taken from Jib code) to make an insecure connection:

          ApacheHttpTransport.newDefaultHttpClientBuilder()
              .setSSLSocketFactory(null) // creates new factory with the SSLContext given below
              .setSSLContext(SslUtils.trustAllSSLContext())
              .setSSLHostnameVerifier(new NoopHostnameVerifier());

[elharo]

ApacheHttpTransport is deprecated and scheduled to be removed in about a year.

[chanseokoh]

I have some context. This is when using Jib, which uses the new v2 ApacheHttpTransport (com.google.api.client.http.apache.v2.ApacheHttpTransport). @atgjack should have referred to the v2 instead of the deprecated v1. I think @atgjack just searched the class at HEAD instead of searching on the v2 branch.

[chanseokoh]

In any case, I think the general question as to whether it should have used getSystemSocketFactory remains valid regardless of v1 or v2. Although I haven't looked into the code, but if what @atgjack said is right, perhaps this library should use the system socket factory?

[chingor13]

This should be available in 1.38.0