Add first-class mutual TLS support to AxonServerConnectionFactory#501
Merged
Conversation
Client certificates could previously only be configured by hand-building a shaded-Netty SslContext. This adds convenience methods to the builder: - useTransportSecurity(File trustedCertificates): TLS with a custom CA bundle to verify the server certificate - useMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey[, File trustedCertificates]): mTLS, presenting the given client certificate during the handshake, optionally with a custom CA bundle (JVM default trust otherwise) SslContexts are built via GrpcSslContexts to get the correct ALPN/HTTP2 configuration. Verified end-to-end against a stub PlatformService gRPC server requiring client authentication.
smcvb
requested changes
Jul 15, 2026
smcvb
left a comment
Contributor
There was a problem hiding this comment.
Bunch of minor comments to tackle before we can go ahead I think. Nothing major though, so should be easy to tackle.
Adds the missing copyright notice, updates the header year, uses requireNonNull for null checks, documents that transport security methods overwrite earlier invocations, and corrects the javadoc on when certificate files are read.
|
smcvb
approved these changes
Jul 16, 2026
smcvb
left a comment
Contributor
There was a problem hiding this comment.
My concerns have been addressed, hence I'm approving this pull request.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Client certificates could previously only be configured by hand-building a shaded-Netty
SslContext. This adds file-based convenience methods to the builder:useTransportSecurity(File trustedCertificates)— TLS with a custom CA bundle for verifying the server certificateuseMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey)— mTLS with JVM-default server trustuseMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey, File trustedCertificates)— mTLS with a custom CA bundleContexts are built via
GrpcSslContextsfor correct ALPN/HTTP2 configuration. All methods are self-contained (one call = complete TLS config, last call wins), consistent with the existinguseTransportSecuritysemantics. Null or unreadable files fail immediately with a clear exception. Files are PEM, keys PKCS#8, read once at build time.Testing
MutualTlsConnectionTestverifies end-to-end against a stubPlatformServicegRPC server requiring client authentication: connects with a trusted client certificate, fails without one, and trust-only TLS works when client auth isn't required.Primary use case: connecting through Axon Server Proxy with
proxy.tlsClientAuth=REQUIRE(AxonIQ/axon-server-proxy#22).