Apache HttpClient does not respect TLS configuration

[mgranderath]

During our attempted upgrade to 1.1.0 we noticed that some calls from the controller to the servers were failing due to TLS issues. We have 2-way TLS configured for our clusters and after investigation it seems like the Apache Http clients do not use the configured key/trust stores but just pickup the system defaults.

Error

2024/06/04 17:00:56.849 WARN [MultiHttpRequest] [async-task-thread-6181] Caught 'javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' while executing: GET on URL: https://{{server}}/tables/{{table}}/segments/{{segment}}/metadata?columns=
2024/06/04 17:00:56.849 ERROR [CompletionServiceHelper] [grizzly-http-server-6] Connection error . Details: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[mgranderath]

This seems to be due to two concrete issues:

• We are not configuring the SSLConnectionSocketFactory correctly whenever we create a PoolingHttpClientConnectionManager and that defaults to creating the default socket factory
• There is a bug in the version of the Apache httpcomponents-client that is being used where the default SocketFactory is always used instead of using the SSLConnectionSocketFactory. The bug is located here.

[Jackie-Jiang]

cc @zhtaoxiang @soumitra-st