spencergibb
commented
4 years ago We would have to maintain backward compatibility at the very least. Compatibility is not specific to Spring Cloud Gateway, but reactor HttpClient. You can currently customize the HttpClient with a HttpClientCustomizer bean currently. I'm going to mark this as waiting for votes to see if there is more interest before working on a PR given that you could add support locally via the customizer.
nicolasSoyeur
Problem statement Spring Cloud Gateway currently supports passing in a list of filenames pointing to certificates in PEM format (property
spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates). If this list is non-empty, the certificates will be loaded, and they will be considered the only trusted certificates.Applications I work on are provided a Java KeyStore that should be used as a source of trusted certificates. I wish to use this unmodified, if at all possible. This is currently not supported by Spring Cloud Gateway.
Desired solution Support JKS and/or PKCS#12 "keystores" as a source of trusted certificates.
Considered alternatives
PropertySourcethat is provided the path to a keystore as input, and solely provides thespring.cloud.gateway.httpclient.ssl.trusted-x509-certificatesproperty. To do this, the input keystore must be converted to a format understood by Spring Cloud Gateway as it is currently implemented. At first glance, this seems complex.Closing comments If there's interest in this feature, I'm willing to attempt creating a PR that implements this. I'm not sure what to do with the current configuration possibility though: would we maintain two different ways of adding sources of trusted certificates, which means we'd need to merge them? Or would one replace the other?