Chickenzilla commented on issue #8963: URL: https://github.com/apache/pulsar/issues/8963#issuecomment-746874435
Did some digging on this. The issue is because the certs array is null, and that's null because Java threw a `SSLPeerUnverifiedException` which the getter caught and ate (and returned null). I'd argue that's confusing and a log line should be added where that exception is eaten so it's obvious at least _why_ the connection is being refused (or even don't eat that exception at all, and just bubble it back to the caller; it will just NRE on it anyhow currently). After checking our trust store configurations, everything seemed to be valid, so why Java would not trust our client certificate is another mystery. One thing we changed which we are currently testing as a workaround is we changed the broker's `tlsRequireTrustedClientCertOnConnect` from false to true. With it set to true, a test that was persistently failing before now succeeds, but it's non-obvious from the setting or documentation that such a setting should be required for client certs to work at all.
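
The swallowed-exception pattern described in the comment above, next to a variant that logs the reason, as an added Java example that is not Pulsar's code and not from the commenter. The class and method names are hypothetical, and the session of an `SSLEngine` that has not handshaken is a constructed stand-in for a connection without a verified client certificate.

```java
import java.security.cert.Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Hypothetical helper class, written for this example only.
public class PeerCertLookup {
    private static final Logger LOG = Logger.getLogger(PeerCertLookup.class.getName());

    // Pattern from the comment: the exception is caught and dropped, so the
    // caller gets null and no indication of why the peer was not verified.
    static Certificate[] peerCertsSilently(SSLSession session) {
        try {
            return session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            return null;
        }
    }

    // Variant: record why verification failed, then return an empty array so
    // the caller can refuse the connection without dereferencing null.
    static Certificate[] peerCertsLogged(SSLSession session, String remote) {
        try {
            return session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            LOG.log(Level.WARNING, "No verified client certificate from {0}: {1}",
                    new Object[] {remote, e.getMessage()});
            return new Certificate[0];
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: no handshake has run, so the session has no
        // verified peer and getPeerCertificates() throws.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        SSLSession session = engine.getSession();

        Certificate[] silent = peerCertsSilently(session);
        System.out.println("silent getter returned null: " + (silent == null));

        // "198.51.100.7:6651" is a constructed peer address for the log line.
        Certificate[] logged = peerCertsLogged(session, "198.51.100.7:6651");
        System.out.println("logged getter returned " + logged.length + " certificates");
    }
}
```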
