From 25d90380c726d3d2e1d7e9e09aac8ca65ed1cf1c Mon Sep 17 00:00:00 2001
From: Simone Bordet <simone.bordet@gmail.com>
Date: Mon, 15 Feb 2021 22:14:39 +0100
Subject: [PATCH] Fixes #5973 - Proxy client TLS authentication example.

Examples, in form of test cases for a proxy that uses TLS client authentication
both towards the remote client and towards the server.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
---
 .../io/ssl/SslClientConnectionFactory.java    |  27 +-
 .../jetty/proxy/ClientAuthProxyTest.java      | 549 ++++++++++++++++++
 .../resources/client_auth/client_keystore.p12 | Bin 0 -> 7953 bytes
 .../resources/client_auth/proxy_keystore.p12  | Bin 0 -> 7933 bytes
 .../resources/client_auth/server_keystore.p12 | Bin 0 -> 2565 bytes
 5 files changed, 575 insertions(+), 1 deletion(-)
 create mode 100644 jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java
 create mode 100644 jetty-proxy/src/test/resources/client_auth/client_keystore.p12
 create mode 100644 jetty-proxy/src/test/resources/client_auth/proxy_keystore.p12
 create mode 100644 jetty-proxy/src/test/resources/client_auth/server_keystore.p12

diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java
index 588794d2da96..ea7dd5f3094f 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java
@@ -34,6 +34,9 @@
 import org.eclipse.jetty.util.component.ContainerLifeCycle;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
+/**
+ * <p>A ClientConnectionFactory that creates client-side {@link SslConnection} instances.</p>
+ */
 public class SslClientConnectionFactory implements ClientConnectionFactory
 {
     public static final String SSL_CONTEXT_FACTORY_CONTEXT_KEY = "ssl.context.factory";
@@ -120,7 +123,10 @@ public org.eclipse.jetty.io.Connection newConnection(EndPoint endPoint, Map<Stri
     {
         String host = (String)context.get(SSL_PEER_HOST_CONTEXT_KEY);
         int port = (Integer)context.get(SSL_PEER_PORT_CONTEXT_KEY);
-        SSLEngine engine = sslContextFactory.newSSLEngine(host, port);
+
+        SSLEngine engine = sslContextFactory instanceof SslEngineFactory
+            ? ((SslEngineFactory)sslContextFactory).newSslEngine(host, port, context)
+            : sslContextFactory.newSSLEngine(host, port);
         engine.setUseClientMode(true);
         context.put(SSL_ENGINE_CONTEXT_KEY, engine);
 
@@ -155,6 +161,25 @@ public Connection customize(Connection connection, Map<String, Object> context)
         return ClientConnectionFactory.super.customize(connection, context);
     }
 
+    /**
+     * <p>A factory for {@link SSLEngine} objects.</p>
+     * <p>Typically implemented by {@link SslContextFactory.Client}
+     * to support more flexible creation of SSLEngine instances.</p>
+     */
+    public interface SslEngineFactory
+    {
+        /**
+         * <p>Creates a new {@link SSLEngine} instance for the given peer host and port,
+         * and with the given context to help the creation of the SSLEngine.</p>
+         *
+         * @param host the peer host
+         * @param port the peer port
+         * @param context the {@link ClientConnectionFactory} context
+         * @return a new SSLEngine instance
+         */
+        public SSLEngine newSslEngine(String host, int port, Map<String, Object> context);
+    }
+
     private class HTTPSHandshakeListener implements SslHandshakeListener
     {
         private final Map<String, Object> context;
diff --git a/jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java b/jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java
new file mode 100644
index 000000000000..d6601e3700a8
--- /dev/null
+++ b/jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java
@@ -0,0 +1,549 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+package org.eclipse.jetty.proxy;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.X509ExtendedKeyManager;
+import javax.security.auth.x500.X500Principal;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.client.HttpClient;
+import org.eclipse.jetty.client.HttpClientTransport;
+import org.eclipse.jetty.client.HttpDestination;
+import org.eclipse.jetty.client.api.ContentResponse;
+import org.eclipse.jetty.client.api.Request;
+import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
+import org.eclipse.jetty.http.HttpScheme;
+import org.eclipse.jetty.http.HttpStatus;
+import org.eclipse.jetty.io.ClientConnectionFactory;
+import org.eclipse.jetty.io.Connection;
+import org.eclipse.jetty.io.ssl.SslClientConnectionFactory;
+import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.HttpConfiguration;
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.component.LifeCycle;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.eclipse.jetty.util.thread.QueuedThreadPool;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+/**
+ * <p>Tests for client and proxy authentication using certificates.</p>
+ * <p>There are 3 KeyStores:</p>
+ * <dl>
+ *   <dt>{@code client_keystore.p12}</dt>
+ *   <dd>{@code server} -> the server certificate with CN=server</dd>
+ *   <dd>{@code user1_client} -> the client certificate for user1, signed with the server certificate</dd>
+ *   <dd>{@code user2_client} -> the client certificate for user2, signed with the server certificate</dd>
+ * </dl>
+ * <dl>
+ *   <dt>{@code proxy_keystore.p12}</dt>
+ *   <dd>{@code proxy} -> the proxy domain private key and certificate with CN=proxy</dd>
+ *   <dd>{@code server} -> the server domain certificate with CN=server</dd>
+ *   <dd>{@code user1_proxy} -> the proxy client certificate for user1, signed with the server certificate</dd>
+ *   <dd>{@code user2_proxy} -> the proxy client certificate for user2, signed with the server certificate</dd>
+ * </dl>
+ * <dl>
+ *   <dt>{@code server_keystore.p12}</dt>
+ *   <dd>{@code server} -> the server domain private key and certificate with CN=server,
+ *   with extension ca:true to sign client and proxy certificates.</dd>
+ * </dl>
+ * <p>In this way, a remote client can connect to the proxy and be authenticated,
+ * and the proxy can connect to the server on behalf of that remote client, since
+ * the proxy has a certificate correspondent to the one of the remote client.</p>
+ * <p>The main problem is to make sure that the {@code HttpClient} in the proxy uses different connections
+ * to connect to the same server, and that those connections are authenticated via TLS client certificate
+ * with the correct certificate, avoiding that requests made by {@code user2} are sent over connections
+ * that are authenticated with {@code user1} certificates.</p>
+ */
+public class ClientAuthProxyTest
+{
+    private Server server;
+    private ServerConnector serverConnector;
+    private Server proxy;
+    private ServerConnector proxyConnector;
+    private HttpClient client;
+
+    private void startServer(Handler handler) throws Exception
+    {
+        QueuedThreadPool serverThreads = new QueuedThreadPool();
+        serverThreads.setName("server");
+        server = new Server(serverThreads);
+
+        HttpConfiguration httpConfig = new HttpConfiguration();
+        httpConfig.addCustomizer(new SecureRequestCustomizer());
+        HttpConnectionFactory http = new HttpConnectionFactory(httpConfig);
+
+        SslContextFactory.Server serverTLS = new SslContextFactory.Server();
+        serverTLS.setNeedClientAuth(true);
+        // The KeyStore is also a TrustStore.
+        serverTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/server_keystore.p12").getAbsolutePath());
+        serverTLS.setKeyStorePassword("storepwd");
+        serverTLS.setKeyStoreType("PKCS12");
+
+        SslConnectionFactory ssl = new SslConnectionFactory(serverTLS, http.getProtocol());
+
+        serverConnector = new ServerConnector(server, 1, 1, ssl, http);
+        server.addConnector(serverConnector);
+
+        server.setHandler(handler);
+
+        server.start();
+        System.err.println("SERVER = localhost:" + serverConnector.getLocalPort());
+    }
+
+    private void startServer() throws Exception
+    {
+        startServer(new EmptyServerHandler()
+        {
+            @Override
+            protected void service(String target, org.eclipse.jetty.server.Request jettyRequest, HttpServletRequest request, HttpServletResponse response) throws IOException
+            {
+                X509Certificate[] certificates = (X509Certificate[])request.getAttribute(SecureRequestCustomizer.JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE);
+                Assertions.assertNotNull(certificates);
+                X509Certificate certificate = certificates[0];
+                X500Principal principal = certificate.getSubjectX500Principal();
+                ServletOutputStream output = response.getOutputStream();
+                output.println(principal.toString());
+                output.println(request.getRemotePort());
+            }
+        });
+    }
+
+    private void startProxy(AbstractProxyServlet servlet) throws Exception
+    {
+        QueuedThreadPool proxyThreads = new QueuedThreadPool();
+        proxyThreads.setName("proxy");
+        proxy = new Server();
+
+        HttpConfiguration httpConfig = new HttpConfiguration();
+        httpConfig.addCustomizer(new SecureRequestCustomizer());
+        HttpConnectionFactory http = new HttpConnectionFactory(httpConfig);
+
+        SslContextFactory.Server proxyTLS = new SslContextFactory.Server();
+        proxyTLS.setNeedClientAuth(true);
+        // The KeyStore is also a TrustStore.
+        proxyTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+        proxyTLS.setKeyStorePassword("storepwd");
+        proxyTLS.setKeyStoreType("PKCS12");
+
+        SslConnectionFactory ssl = new SslConnectionFactory(proxyTLS, http.getProtocol());
+
+        proxyConnector = new ServerConnector(proxy, 1, 1, ssl, http);
+        proxy.addConnector(proxyConnector);
+
+        ServletContextHandler context = new ServletContextHandler(proxy, "/");
+        context.addServlet(new ServletHolder(servlet), "/*");
+        proxy.setHandler(context);
+
+        proxy.start();
+        System.err.println("PROXY = localhost:" + proxyConnector.getLocalPort());
+    }
+
+    private void startClient() throws Exception
+    {
+        SslContextFactory.Client clientTLS = new SslContextFactory.Client();
+        // Disable TLS-level hostname verification.
+        clientTLS.setEndpointIdentificationAlgorithm(null);
+        clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/client_keystore.p12").getAbsolutePath());
+        clientTLS.setKeyStorePassword("storepwd");
+        clientTLS.setKeyStoreType("PKCS12");
+        client = new HttpClient(clientTLS);
+        QueuedThreadPool clientThreads = new QueuedThreadPool();
+        clientThreads.setName("client");
+        client.setExecutor(clientThreads);
+        client.start();
+    }
+
+    @AfterEach
+    public void dispose() throws Exception
+    {
+        LifeCycle.stop(client);
+        LifeCycle.stop(proxy);
+        LifeCycle.stop(server);
+    }
+
+    private static String retrieveUser(HttpServletRequest request)
+    {
+        X509Certificate[] certificates = (X509Certificate[])request.getAttribute(SecureRequestCustomizer.JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE);
+        String clientName = certificates[0].getSubjectX500Principal().getName();
+        Matcher matcher = Pattern.compile("CN=([^,]+)").matcher(clientName);
+        if (matcher.find())
+        {
+            // Retain only "userN".
+            return matcher.group(1).split("_")[0];
+        }
+        return null;
+    }
+
+    @Test
+    public void testClientAuthProxyingWithMultipleHttpClients() throws Exception
+    {
+        // Using a different HttpClient (with a different SslContextFactory.Client)
+        // per user works, but there is a lot of duplicated state in the HttpClients:
+        // Executors and Schedulers (although they can be shared), but also CookieManagers
+        // ProtocolHandlers, etc.
+        // The proxy has different SslContextFactory.Client statically configured
+        // for different users.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            private final Map<String, HttpClient> httpClients = new ConcurrentHashMap<>();
+
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                HttpClient httpClient = getOrCreateHttpClient(user);
+                Request proxyRequest = httpClient.newRequest(rewrittenTarget)
+                    .method(request.getMethod())
+                    .attribute(CLIENT_REQUEST_ATTRIBUTE, request);
+                // Send the request to the server.
+                proxyRequest.port(serverConnector.getLocalPort());
+                // No need to tag the request when using different HttpClients.
+                return proxyRequest;
+            }
+
+            private HttpClient getOrCreateHttpClient(String user)
+            {
+                if (user == null)
+                    return getHttpClient();
+                return httpClients.computeIfAbsent(user, key ->
+                {
+                    SslContextFactory.Client clientTLS = new SslContextFactory.Client();
+                    // Disable TLS-level hostname verification for this test.
+                    clientTLS.setEndpointIdentificationAlgorithm(null);
+                    clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                    clientTLS.setKeyStorePassword("storepwd");
+                    clientTLS.setKeyStoreType("PKCS12");
+                    clientTLS.setCertAlias(key + "_proxy");
+                    // TODO: httpClients should share Executor and Scheduler at least.
+                    HttpClient httpClient = new HttpClient(new HttpClientTransportOverHTTP(1), clientTLS);
+                    LifeCycle.start(httpClient);
+                    return httpClient;
+                });
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    @Test
+    public void testClientAuthProxyingWithMultipleServerSubDomains() throws Exception
+    {
+        // Another idea is to use multiple subdomains for the server,
+        // such as user1.server.com, user2.server.com, with the server
+        // providing a *.server.com certificate.
+        // The proxy must pick the right alias dynamically based on the
+        // remote client request.
+        // For this test we use 127.0.0.N addresses.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            private final AtomicInteger userIds = new AtomicInteger();
+            private final Map<String, String> subDomains = new ConcurrentHashMap<>();
+
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                // Obviously not fool proof, but for the 2 users in this test it does the job.
+                String subDomain = subDomains.computeIfAbsent(user, key -> "127.0.0." + userIds.incrementAndGet());
+                Request proxyRequest = super.newProxyRequest(request, rewrittenTarget);
+                proxyRequest.host(subDomain).port(serverConnector.getLocalPort());
+                // Tag the request.
+                proxyRequest.tag(new AliasTLSTag(user));
+                return proxyRequest;
+            }
+
+            @Override
+            protected HttpClient newHttpClient()
+            {
+                SslContextFactory.Client clientTLS = new SslContextFactory.Client()
+                {
+                    @Override
+                    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
+                    {
+                        KeyManager[] keyManagers = super.getKeyManagers(keyStore);
+                        for (int i = 0; i < keyManagers.length; i++)
+                        {
+                            keyManagers[i] = new ProxyAliasX509ExtendedKeyManager(keyManagers[i]);
+                        }
+                        return keyManagers;
+                    }
+                };
+                // Disable TLS-level hostname verification for this test.
+                clientTLS.setEndpointIdentificationAlgorithm(null);
+                clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                clientTLS.setKeyStorePassword("storepwd");
+                clientTLS.setKeyStoreType("PKCS12");
+                return new HttpClient(new HttpClientTransportOverHTTP(1), clientTLS);
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    @Test
+    public void testClientAuthProxyingWithSSLSessionResumptionDisabled() throws Exception
+    {
+        // To user the same HttpClient and server hostName, we need to disable
+        // SSLSession caching, which is only possible by creating SSLEngine
+        // without peer host information.
+        // This is more CPU intensive because TLS sessions can never be resumed.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                Request proxyRequest = super.newProxyRequest(request, rewrittenTarget);
+                proxyRequest.port(serverConnector.getLocalPort());
+                // Tag the request.
+                proxyRequest.tag(new AliasTLSTag(user));
+                return proxyRequest;
+            }
+
+            @Override
+            protected HttpClient newHttpClient()
+            {
+                SslContextFactory.Client clientTLS = new SslContextFactory.Client()
+                {
+                    @Override
+                    public SSLEngine newSSLEngine(String host, int port)
+                    {
+                        // This disable TLS session resumption and requires
+                        // endpointIdentificationAlgorithm=null because the TLS implementation
+                        // does not have the peer host to verify the server certificate.
+                        return newSSLEngine();
+                    }
+
+                    @Override
+                    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
+                    {
+                        KeyManager[] keyManagers = super.getKeyManagers(keyStore);
+                        for (int i = 0; i < keyManagers.length; i++)
+                        {
+                            keyManagers[i] = new ProxyAliasX509ExtendedKeyManager(keyManagers[i]);
+                        }
+                        return keyManagers;
+                    }
+                };
+                // Disable hostname verification is required.
+                clientTLS.setEndpointIdentificationAlgorithm(null);
+                clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                clientTLS.setKeyStorePassword("storepwd");
+                clientTLS.setKeyStoreType("PKCS12");
+                return new HttpClient(new HttpClientTransportOverHTTP(1), clientTLS);
+
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    @Test
+    public void testClientAuthProxyingWithCompositeSslContextFactory() throws Exception
+    {
+        // The idea here is to have a composite SslContextFactory that holds one for each user.
+        // It requires a change in SslClientConnectionFactory to "sniff" for the composite.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                Request proxyRequest = super.newProxyRequest(request, rewrittenTarget);
+                proxyRequest.port(serverConnector.getLocalPort());
+                proxyRequest.tag(user);
+                return proxyRequest;
+            }
+
+            @Override
+            protected HttpClient newHttpClient()
+            {
+                ProxyAliasClientSslContextFactory clientTLS = configure(new ProxyAliasClientSslContextFactory(), null);
+                // Statically add SslContextFactory.Client instances per each user.
+                clientTLS.factories.put("user1", configure(new SslContextFactory.Client(), "user1"));
+                clientTLS.factories.put("user2", configure(new SslContextFactory.Client(), "user2"));
+                return new HttpClient(new HttpClientTransportOverHTTP(1), clientTLS);
+            }
+
+            private <T extends SslContextFactory.Client> T configure(T tls, String user)
+            {
+                // Disable TLS-level hostname verification for this test.
+                tls.setEndpointIdentificationAlgorithm(null);
+                tls.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                tls.setKeyStorePassword("storepwd");
+                tls.setKeyStoreType("PKCS12");
+                if (user != null)
+                {
+                    tls.setCertAlias(user + "_proxy");
+                    LifeCycle.start(tls);
+                }
+                return tls;
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    private void testRequestsFromRemoteClients() throws Exception
+    {
+        // User1 makes a request to the proxy using its own certificate.
+        SslContextFactory clientTLS = client.getSslContextFactory();
+        clientTLS.reload(ssl -> ssl.setCertAlias("user1_client"));
+        ContentResponse response = client.newRequest("localhost", proxyConnector.getLocalPort())
+            .scheme(HttpScheme.HTTPS.asString())
+            .timeout(5, TimeUnit.SECONDS)
+            .tag("user1")
+            .send();
+        Assertions.assertEquals(HttpStatus.OK_200, response.getStatus());
+        String[] parts = response.getContentAsString().split("\n");
+        String proxyClientSubject1 = parts[0];
+        String proxyClientPort1 = parts[1];
+
+        // User2 makes a request to the proxy using its own certificate.
+        clientTLS.reload(ssl -> ssl.setCertAlias("user2_client"));
+        response = client.newRequest("localhost", proxyConnector.getLocalPort())
+            .scheme(HttpScheme.HTTPS.asString())
+            .timeout(5, TimeUnit.SECONDS)
+            .tag("user2")
+            .send();
+        Assertions.assertEquals(HttpStatus.OK_200, response.getStatus());
+        parts = response.getContentAsString().split("\n");
+        String proxyClientSubject2 = parts[0];
+        String proxyClientPort2 = parts[1];
+
+        Assertions.assertNotEquals(proxyClientSubject1, proxyClientSubject2);
+        Assertions.assertNotEquals(proxyClientPort1, proxyClientPort2);
+    }
+
+    private static class AliasTLSTag implements ClientConnectionFactory.Decorator
+    {
+        private final String user;
+
+        private AliasTLSTag(String user)
+        {
+            this.user = user;
+        }
+
+        @Override
+        public ClientConnectionFactory apply(ClientConnectionFactory factory)
+        {
+            return (endPoint, context) ->
+            {
+                Connection connection = factory.newConnection(endPoint, context);
+                SSLEngine sslEngine = (SSLEngine)context.get(SslClientConnectionFactory.SSL_ENGINE_CONTEXT_KEY);
+                sslEngine.getSession().putValue("user", user);
+                return connection;
+            };
+        }
+
+        @Override
+        public boolean equals(Object obj)
+        {
+            if (this == obj)
+                return true;
+            if (obj == null || getClass() != obj.getClass())
+                return false;
+            AliasTLSTag that = (AliasTLSTag)obj;
+            return user.equals(that.user);
+        }
+
+        @Override
+        public int hashCode()
+        {
+            return Objects.hash(user);
+        }
+    }
+
+    private static class ProxyAliasX509ExtendedKeyManager extends SslContextFactory.X509ExtendedKeyManagerWrapper
+    {
+        private ProxyAliasX509ExtendedKeyManager(KeyManager keyManager)
+        {
+            super((X509ExtendedKeyManager)keyManager);
+        }
+
+        @Override
+        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine)
+        {
+            for (String keyType : keyTypes)
+            {
+                String[] aliases = getClientAliases(keyType, issuers);
+                if (aliases != null)
+                {
+                    SSLSession sslSession = engine.getSession();
+                    String user = (String)sslSession.getValue("user");
+                    String alias = user + "_proxy";
+                    if (Arrays.asList(aliases).contains(alias))
+                        return alias;
+                }
+            }
+            return super.chooseEngineClientAlias(keyTypes, issuers, engine);
+        }
+    }
+
+    private static class ProxyAliasClientSslContextFactory extends SslContextFactory.Client implements SslClientConnectionFactory.SslEngineFactory
+    {
+        private final Map<String, SslContextFactory.Client> factories = new ConcurrentHashMap<>();
+
+        @Override
+        public SSLEngine newSslEngine(String host, int port, Map<String, Object> context)
+        {
+            HttpDestination destination = (HttpDestination)context.get(HttpClientTransport.HTTP_DESTINATION_CONTEXT_KEY);
+            String user = (String)destination.getOrigin().getTag();
+            return factories.compute(user, (key, value) -> value != null ? value : this).newSSLEngine(host, port);
+        }
+    }
+}
diff --git a/jetty-proxy/src/test/resources/client_auth/client_keystore.p12 b/jetty-proxy/src/test/resources/client_auth/client_keystore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..cf324d7ad20fe4f53c35eed084361675006c3923
GIT binary patch
literal 7953
zcmb7`RZtv^l12x2g1cLg0E4@S;I6?v5Zqm6aDq#4cL~8=2OTuH1h?QaKycXqZtdQ!
zec7sg>gw}#_v5Jsf~m3K;Shjes$pa_)(H8CJ1jU9xB@U$D<YVx@gMvX2u7d#UlIBs
zA{f2zAKV25BN-rL{MQyHIvjif81V@RM!W;EAfx{`{^vM3B0<F0H|#H|0_e6Jc||cu
z6oQ5vJ5=xpfB|(xFyiRyYbs+s+voKho!!5O0}M|fo!6}|cTJKcLFJ%LUWScoMn$1-
zU7VZ*u;^WXZsQx77=h8bsDrm8KE{BPXh!NnT{lkKp|Z`%11GLfG9B8(7jEjw2|4eO
zvdh(6_1UG5onub{g9U17%ulwCKg`A9bySv_kVCv6{VSMvtV>g#4KedfzAkuc9=tc@
z)2efq0f1lgHv?J*H2}t^?O_C5<*br4!ST(ubI8-Ke=p>?_fFeN8i_%aS9VKBK_!&g
zOY3d8flwvbi&SIo2F5<ospjbKlyh)&Oo^4gO^btDIPq6-l~=mdJSF1<TdT;P9E$Bk
zR|!Kw(z(EHOP<2ohJ^og?xGp|(cnmtF6Z1HK6sRS{UjK?^Ug05wNfwHU1tdEq}5ZI
zmrLM^98DR7Ls9HV5V`*_(n|I`1TOkhr8>$CQb9f7Kf9u0v<+m93Ht)wGQuV8H14z2
zZ(o*YhxE>jXM>gVIzal`c1ZStxUoE+8@|ULkE?XP1R+7vqkPp-p5*sXS^j*d&Te7<
zc9<6>b1WV(l96AVJ+n}S8ozR)C{7)Pq%E~SPrD&Zi*<Q3b`)A;C~m8b8YwL6-075E
zRL=rx(>BD3qmxW6X_2ej{9HhJI+yAIPpn>*6a28GJeJTRL2Ty!QVPUKZVFC-ACyg@
zH86ao)uMfvaXiprR_hG%k?>w^xswHlBe5vXrfrEIHnhn>6_tg9-r<oqvIl5dq~k#T
z4t7TSTv5b<Evd6oW-N_#7QjY%QEZz<7c>cMW9XTMg}Txp6;QKy>CP3PM8vwZZ{tcr
z?giz`;#IpSIu$ZZ8c@N@4xoqkxn<P^Na3*(Q|7AkY9^Pridq*i)n-cLDj$2eh2sEo
z_C-efS^iY_xC?$gienbjY_gim9?(_~H7;I{QvIXb5}jx~hRtI^G1*3jg*DLQnL%lM
z(=JE6WhBusPq_}0rn_f3A@EQlDOdbB?K4!}PB7VKAe%IR9s++~m!x?ijq`c9$Jf2r
zpJu4Zoz*KUp+an~A+ss19j!T6UBER~xt_{9gLyH7m*w_U_Cu~TpLPHVF!WuSow|jC
zd=XVc29J#cwMk!7!|%IZCn5eXDR-(xipa-r>QVAs8Z4{A{=Ig&$8GZ=m}iVy1h+K`
zC$eaSHem}xvxSOm$*?P<=RZ(f{Kz+nx%C}Km$96pk#{OWK16QJxrT`)T9{S~P#u#I
z_i|WaWc=kh5>%pKhyJBGH+qoR+TIT^X^QcN$%9p12~EtfedL5$6%=S<tax)Kt}=q-
zJ#@y<dSWu)dHFhXtI=O6QF~VRCQ4y5-6t^6&wfwJk(v!kBD<a>V&;+6#|qv1_G!yU
zlFD<gc%e<_j=JghaE%gtK#OXzB5!+FI0vF$BEF*6nCC2pq~IxP5fLst8dGl@udGP$
zs*yG6eKha~A$~+5dS{#}9eOAwT53zK@x4gF@7m1M9=t6fmg*P|{O>*0GX-d<<{g2}
z`7e7`R&s123?9c;0YY#|UdJ-T7g@vyTPNK5`yl}drisA-EP^P;ZNea}$qH$*Ji`#=
zH|q++`NS1)B<_LRy-rnAbzo1<(&>`w_ycHsl)GfMkuS%jPal?v;KHR0eE)A%q7iVB
zQIP;V0qy{6fE$1dU<$AVH~{Sa>6`!_K-&KqB;+DM#M8EOw5H+W=i=ex<LBk!1@Z#_
zA9j_jHO4vTFL1Vys0}vOEZm$O>g4>lUEQh%9kbP^gCU$DuemXF@$ea|F1sHGeJcBz
z_+{3roeQr-SRTfaz{>G2PNrzw;k~GhsV$)Rkr!bi(xD^${l`UZS$ng_8;&c4Ymcvu
zJfrZHVYQXwzv}|pki^^Gb?(~MS1yklt@iv4zMObv(AOOjpx`<ro0)0PCTnpdx2q$%
zRAuuCVYRxYdYuiM(_6JQv@Ss*bp81A7#}xs2`TZE4t@C5qA99|V8ni(B{f%ju-BDu
z4eiLT^77ku&$sJe3Hl41k)V}d0P2b_ft)l_N*gUwDPG4F{VKWo8U~Z*BYk*P{M4Y;
za6TS7Px2@QIBL#_KjzC>6E?*pzF9$(?}QaM)_(7X3$=|$RRs^gkU+63GZmB^GSYJs
zS~5AzTWA%yx1Bb(WY^UC21M}Mlq6LI#V}JWj@^lTR-8Ew*6mG_kC2dlHX6lNktH`M
ziOz9fYqDrV(mwP>+-ivSy6<O`?=vp-kA2*eFTtD*sXOr;x$svn=XwJZo}uCIk6@j3
zBZUcEBcDc>=h1|6^g_!iy0$#%BWW<No|l*|QD{7S=Fh<Cde3ko@Sz5N@+6G%f)phD
z+uO;?k-u{CQ68HsmPX1fTgS!??~yuu16lO<`UEu|sy3umCE17Y2>1g|bvRGER(Tq6
z6Spi^Tb~Brr{7SZqygflzU;w^6;cZMo4nU7sZupwU4HP5zee9GH$T6fUZX*X%OPOX
zncA-<;kQS=^o%#=G&X2+$I=%OZlxigY7_a`Hm#pnA<}<DL7~v0G}HF=zOtHBoryzH
zr@Pmx<?D7j^_H-Od<=dnc68^;Ywm5h?6pWQRn0ZP8_8%=tkZ<0N>@(iqF^D?+*!Dy
zOqO2G*U7MaI0fobdY5t=Gs4klxn<(N1GG~c?-th7o%U9!1){`+6TKtKIdeK6ZqF<$
zASgfzCP>G!+DzD2#u-tAbgFZ;x{1NiNl3o7e^#&xZ~-~rs6U9Hv9z!N;HY-c&L%yR
zUc2P_G;Ifyk*AYX2R`n=wX~Q(OMu7KOwYhV{5LOM1|8Y8c+>%Du3!4M{9<q6zw0wM
z0?#Fy7xOzCR5`eE?}>To12<B>ewyfO=tw#=W2p^qTF?tThl9>LrRIHbUYL>o#G1(i
z;Oh(=Y&0RSuoNKxGV<8NHp-scBrk1BLvZR%p>G(9d?R#n{fXk-ODUwdSjp%MO;G_H
zYP|jInAW%5wUD5<RrC&JyY-g%{>@${@&0ug`#%DnmzTfPt|J3UoFdQr7WHyR;OZ|q
zyD@rHl9WidFOc4(>S77i&97Z=41sLza6K2m2DXbk6|4_96_|=bR38U)Q%|m&apy)A
zVkO?wF@3#8iBmbsi10LMGu{vKR&hsSq5Pz#0n+FiYv%jvcZj-V@B7n@ONR+D=7NF}
zbCa~v#@<>x$~r7AekbAB&qVSBcN1n`?~$#)-Rg3rEhmaV1|$(!Xul?4|C72-;z3v7
z@Y#`!#60pTjbC%9RrhsP>l<!zk7j;d9~S2R_N<eQ{aD6eaAmLw`&8=nPIL;I^TVc`
zK^h#Qn%dJ;8BUjO4H-^F(al|JhdqK1cA|nhTkMTb;3U)9n{RV{UedzMZQ&<Le0VQd
zE}!@RWmoS1k6n5B1pj4M{P}+?7zMcij6d`b>W7B|{8KvqCxQE4zbx{<ep#DI_-sm?
zg<AJB-d33j`@}46Ig<ahZ3q}Y#IYI^>t3cHYrc$ksb<C}S1B>^&udJzeMGo7?bh|S
ztQzdwO`Kf9MVEpBZ6~XneV8QKLu{;+P{)(t6o@9b+X@xeHZ<6yR@oYq$=p~jLOE;h
zWE?x4LUQ$~vym#m(Ur2yKd$PpxP*KlMeIIw@Y|&-pla=2=ZI96VWB$V`-sgl6?0O>
z3GtMCPHS5d9xT?+lAUbUM77!8SbPtj8A&L-U3M1Gt~m^e0fHjAhJ&rEq1>W{@35p;
zo?ad4*dO;i`@|3{8QX|Jor^+dn{Pe^Q!*c-JA`RA@rnX&pDPzw+7sWaA2b$%5?enH
zKhyi$i=(8e?7xKfiqiCy6WZpBRFsT~(=Gk@u-#;){T7H&Ipv5q;)Y3Yfyah+45vC*
zI^}jg)15CjQR8R;`fVALU_&JMe$KE|+@fimF#H$zot*|gU9H4Y3Qe}a(~i_kknHIv
zC1uE2(AD<s)NO~2p;_8#>>z@2{2v<pV3z)Lk6`T)9qK{7Q_2WU71fvJ=jUkE(l-o-
z>HSQaZF$&7XZ5R${&O?N)z_naDSW3L^6A`7Q;O-9gzg^z*&l7(%tqob`seI2Sn~_#
z6zcNepRd}{AN8aV9CAjLmw&5cn`g{N*9d>{KYk;gQcRqsko_=Fv!|;CVjk0GL>ar&
z6+W2(r$+=2!kAi0w3Rvzy`=B-N&GkW9j@>h%KcY0dA)Fu(R?9sn4Qte1)jw4!gi)9
z&6paglV|fE`XQf+MW=pf1rZ+0JPZG-g)JtMy)U#p)#t!2?ASX{SfEmg@hgE2?0-Tm
z5eb82vG*r9&=!4P*D+O<aR`mh*xZ|}IGIT;HVJQ0{gE<~SQHc6rUdab%=QFo=@^&D
zPS>P_8f3NJS;>3(l`GI7NN#=DL1P$<8r-28KZFw>GzGoJlY6@PAY|DJ*6ME^xPGSK
zwwAHSt0U}_niww!+KO=%=ESs#&W({;i=LH4I82KMMOBy(HM<_NGRx)REOF?|R^@o;
z74@`#gPx8SsSz6oh&D|FMTY=ec1g@7o738<8Tj5_)oypTD?)#NvrGFU>%fNz+}49x
zp)0$Eu=FaT`jQW?)-QREeV*4vMosVXhu#{Q7S)q$sn3tZ54^+Ot{S7>bw7z5Y->f|
zy~5<VO60MjLtxi4tB9T^flSfO;d@umufW;N0U4jYHtA%(Ha0?<auZ+!lYTwloL?hQ
zfvdN*qTFNGC?(}SaTl-|h9q9_+DL;;f|SlqIIg0e(>j~WO!<SL%kJ&emf%obEy`c{
zm-Krs%abQ|w|hPW*?_!M-O?1EWoTf4J5{VF&m=Dvx;%-nYdtj6@9rw0l@)5S+NwTb
zgrd$r1P4cT6TD8|OY~ktqvp=6Z(>Yh!CmMf=X?4&W3{M`jsy!P2^-WGwN90R#->l}
zfts*BA-wt?zCPOFayk(Ir{&CKL)H2g^Y20Tym0+lHqxu-2=m{%gg*<3shhLc7M<T%
z&CmXVN-YQ+sxVOd<ppR~N@5tfFjp(F#n_72j~t)n4-1O-P|Wdu^ZV<nt3HYKsi1!-
zqX~BzXKRU`9nDc(A9FY&VaZ+=K5cq4)sQB<*!bYoju#z*iy|>vMzItHqeMGK=pWiQ
z*}$45b1_@hXkW<uUR8c>_x9p6a!hs_5Ln4{0OwYhX70OovcCNbB~@zJcl~em+6gZ!
zD!8#c+J-iw;xIU%XQs8Z-tUBid+qKhonl)>Oa!Aw+9Px?L9pAg*oDY$x803oe<zaG
zmu+0b7;aOsH~T}pYA~X_cji$e7=OYMk(wf)!<jfPzYl)NP9;g_={z5kwoH?6-oISW
zyav&E#SS<h#KEwR@C!YWUGt{}V(4vVMXCD=`QM3xv@=S7q)?{IcMa}4OMLLa<~cPl
z+~y75ts;gb*c|o`M;cWhXIp*_=m|Y7r>Y`lHO3@-owLBuFCSzbo_QNat(~;Hx{-7l
z(lbLWJmJz^(-PQ3gNwjllMvU+G)u$`E9>_}%*YD1*m55<ubtDWuwUAogG)8&ag+|}
z{8M#l2@*&Rl;&m*y?UgEZM-h5g6n6#mna`3%!BfatvX4bifoaS{!WF_+B6h%VGGiJ
zoM_om-ra(i>cqg7StPjAvd4Iq8}=pRo%M?ojjbWG&5+X~&O=7ol0v*WFoH$j;#9?S
zvHEV|+jOql-bVAVWJC5bwUyE0LAe_d$_tIPY%E!~o7Bql!TJW8&z6QjTV*15uT^wO
z*}WQ}Pw3{;I!ob@B;I`gWr9&$50bbMAWXHA@$-$xTaPyH2f<l-lTX(rIt;I&;A(zy
z=g0>2ZU=*_TG3oEIA9T8U|;P7w_}jMU~o@NvXYa{)Mj~)^`xG7F4^ne%*;uj(e~)%
zJoiG&*FZpV%3&+pN9I_*wx<KGr>D&!$E~oxVDQm(I0&tDuo*PLRSdiS>zVi6D%X^{
zQc3eZ>-1(!P>BZD75+22fc><q<jsZ%_NMnt^m`f_AK%*ZFFRRmw1J$hxnsUjdRPi;
zVbsmEU`P-BVfhw6ggdS**=SPOmZ8^TE?`3-CJ*gT^ct=KX$>`XgZVZTV~@636fK5c
zVr}+yT}3@@y!(~BW|l`K@2TSGSVqqaag(<?FTn1$tw8$ZA@cHY#Izh{cvlaY?+R{`
zC0+MyKZ77nHLVVb5kr4hS<+Z={7@SJ@+Qi()6UKu)1DueC7?o`W3c?DfL>2pEIxj%
zHJ(-<-en8_v@0=HfVL+WJ_^S$cSUDzY=G^!5B?ac;ZmM4PQff3O<gw>ifHHmR82oI
zY2j(=WSQ*%V?v`6p;u>O_)_SZBgyPz*t?9J7r<xi5E`#y@dEd2PsxQZh&t!TTBxmi
zJw@Xlg(FT(NMsfX4d`h7=7X+gXk8(bf%9oOS$6X{i>)eUykpe7hQkODiQE*;_7J+4
z`|7iRMKeoJCq&7Q)p)^f1pz{Ig_BR)(_DG`Lu00HVMblWpS>wvZ<L|q2VH&k=$3b9
z$`Y>2E&|$GWFy8dj9+bQFNtv<>kCk!dT+Mr!Zbpj6|=fXODyuPWG)1<y>M&w;1;c9
zlb)o#vNX+#^6aD<kfrs4z~%<u+3~wR!7^Re*d1^b^|>z2dO)6dMv&YP?c1u}cMW4K
zUcl^vF^ZyJq}XSQhKa|j7>{-haaM15adpze5TttSx6&PZB#6r6ZwJ7b$Gw&(<b9F-
zR7=C$)|roRwjXUJZA-JQtUH|5DcSqh!=3nrpjg$K3L_)_Q=u>05ldPhiL9ycZdb9<
z)uZT56=dT8A#(Oz1DR-}(R?;+bYlw+$I8c)u^;$)cwan%n#&K_9lsOYW-~Be^62;%
zvC1Ee599tNNYU)D@KOzkk6L{gNLlQ6Wj^9FIxiB&#ZE~e${DdO7@1PzV*|v5%xTRe
ztImgefZTR1yNkg5qkSpO1(ZQ8I|kh2IJu~h`y$Mq&&N*9L900tl8hKg^$-P31PZJS
z+(Jc(n-Eq#+lamt+}}|kojWTytE5O&a5@zR+L}AvfKU_0K;~=+NkM+Q&uo5u$E-jd
z|5Gfugv|<xau#I<aUd|(jcUNoeK_RV6VWrnTb$}vKkO0}8Keo+&lYsr=P5@|bXT!r
z7ai1Z`qQyto>l2M7FqC!rIqOGeyG1L`A+pwI9#3*P!T}?2r-c$QaX{QYETeLp4I~9
z@cGJL7w{gnik1@zF1isL<*ttMG$7&Y@tTWhvUpk!a_;?^GGcyNk0|F+(hN);$n7Nc
z<QW7S*5d0Y?XBlDe{3-vv65EPxHCx>PWtjr;pVPBf$}e{GrGbrGT{q~9RvD$zI75N
zaDl~IM%Qk<`vFtwoWnN1JDAEbYQtV>W#QIz)MwNLsmVW04qe&8K1@#LXKhv&&LchI
zh$J;y0Lqmptomy~7Il>oS-L`L++E$}on%w+B-?4(57h____^W7O`|=?u)P&Q<04KN
ziF3$01oIn3l$vp$7=w6nUGr`@q`<sWPRvQyryU@?$c()PW=CfwOIIWc3Lh%2y(Y#j
zemO;NtMU*Ar4wMrYgK%D2r|Hwxk}^0(A9_3t%)^?+XdfPRuKLT=VdD_6T>r;P1vG<
zx6<NQEZ@DGVnHk<WB+<dqrrWN*9k<2dy632ptotfz#rN`YNQEekao$ce*caST$o}%
zcdh_%{VrCe*aic*5aED4L^V7n!+8W|ejd*Rgw@iK#{0MszFakHH4XC)zRXThapC!)
zFip!-vy{uaVuSDXP*fOZD2sF3DTYiw$2QV${z$EJ4fcs}FcI+w>UoF!3Xt~K<uY0H
z393@0rV809uUZ-U`R#aZIUCR9nQla{TB%xW>6WDP9&&YGMDxwl<&lqvXa3{+9oAFF
zNpO{8p+gL<bD2pipSZCVwESSMRzU2uxr2F8k=^>qLxKDq_a}{sXke4vGxkN8I*hws
z6jBI^T2VSG&jS)(?VLRPz==Abe{p${)*n!R|1iM+NAvZMEX6bfO%0w$0uzWR7Dm)8
z!JbPu)nlrbTExS7afwPm_oDz-xn)E%#@_^4Ww2diPJ6;V;>iCk@}O$l8omj}QccNn
z__jKk0j=5Yc(DzO^hnr7pQ08Ze=rTYD9PxkLKr)uQLG73`Rd6RD6+5G!)^Zkmh}D+
z?+B6FZ4=|1U-$6Ua-#`2&k@3RqFrnc+DM212naCt3V6JI-@?s|+7+jM??lm<XJ56?
z*xH~@Y3reY(w;8h_<P*uO+N~bR~tNmi+5s8rdsd|Qlk!XUrP?Lwj5P;{-`~W$?79V
zVMZ#>vz7olmS|bj_FKQ;x>^Dw=Tfo^X4z-e22ejin#l74&b1MC1iIBk2jcMG{$!Dx
z3#DF|AWy8s@sDg35z6Kz<D45Ef3>|}I{!v1Z=DQ#GH*0+V0T9@PraJx>(i-lJ@$Ol
zY>Li`)@bi$ygiJ<w-e-P{Z*@AecVmV9&%qpWq{M=u9epELQznAPg9I+q4nlHhgt*@
zn3VFB8%h1CRUu2vbSv)uJ@l9<=Z|=Ivfcf12$fCm)po9f3%fT|-KpxZ(!M+BTS>38
zwQY5LePM(M^sCYlHZn0hDsYrL`?ZsHD6}Bo1rA|mcIhE(Ckts=>Qqv)DI(im*;(Vd
zE4!mGCl3KIDS#RKXgQDdV@9b9eJI?8)Ng2T5VORdoyE&2Pr2k(noP&C19n*oyRR&V
zS-SHHspE|J?2N2OT)^Cw5DR5-8F>V6>rS^b!#E&?<U$Lp(t@jM2$76TM=R$E-10@O
z7Vask3@6;rSraA)(3pU2%LHMlKUOkH3N3yb@!$$Juuu)jF5c}`jzcQx2-BUmNT%3f
z5D#(MRVNvg5>leE$k&Z$vdfNqSoPdQ#*!M+68sQq;fz*mVCs&5Q?jGb?MT`_S<@_{
z04Og7Vj=T9JvqH#IC>!vM$QA~&OLcJXdq-F?roHM-h%9|>(Gt`L_Vu>L@{i&^h=GJ
zz#<yd?B<8bP2H9=^u-kF-wDKm2KD<Si%#`6S=)lg#X@I&&PHlgZueK|NwYm+$CKbR
z#3uyQwp5m%G#TiBm|r3u*JBu1v%@1C%ju*fPEY!!&u_}0hqmR(@6^7ta;yt*Fd+ZM
z#4^}S-ibBVKYln}xe^TC&hAKt)(I+l*vhw}g!J11%=*-se!?$pG}2WrCaC&{wI5p8
z)*=^vGV(gz{WCu?uc#pZX%t)|SjUWV1r;O9FESNQs_~8|!?p>j;}Ov1AV}Vi6~7pR
zEms>k9tSl+vdZz6r>$xi93n-hf&+?gpTCxbKifCDiY!94QRdpqIh{k}^L-Du6F#Mc
zOV?`k{{CoYRBNMUHsfo>+{j*&=qAP9rWs~@oWJH4G||3)XED91{(0Y=R1V@s-kf~h
zzSW(7VF1P2SC=~pL0v9%29d=5c>Dm%QWe^x>sgp~66MN}GpmZ|Dx0edZB)Irz`*~8
zx-Ze|dOR<WDziu$ztcLB`p9|o+^lEv=-gg@rU4GftLBbWc(QMebE_K?MX*qLU;S#)
zO7~p;>*6a!fF6Q4$5*|iLOB+Bu|qMS?cxy;=uY^TaHIPyaG4xQf2DYCLh`uO3?NTy
z`hjPx+vpmIUqbS;W(1pGG*k0+dFVzXY3%W-LO`RB-Z42#Pm2Z)tz^5W;|*hawW*`F
zJ~FN3N41uUN#};p8ExuPZi8-OgSqtV&>1e@3Z?gT&WT7YmWPa~KbZVr+Dyvb6&z=e
z8umG#e@MDH+=YaiwFNgnTcWjr86A!+RbITzN;pP`X}6+dw>VZN;xBq6AV8K*CvbpP
z`3Vkf%W<%R)rcR<%gD})W}~gD^oZQ$!tl!z7If9|I(F+fQQ^?7xz7XlZqnYGo@S73
zbP!bx>Fx~Y=o+zHuTq1I6WyS+dy~I!<kPR_$oO=ZULc?Q`QHwc&S3}TkKv+*BOKJY
zjN~hlThok-qZ_Q&Z~O!4bHj-)RjzLNtSKCgWxhWoreQf_z*o5{d_5MH$&Ull-JUke
z?A7!|x=*0%&bBIc@lvTx<ZK-GN<trS*mCWP#<yrN@`e*P30ktA<ReF%Fvf3dJybu8
zD{BkywNJZSqZN#gr96c-;cYz&Kye@~5DgiL4I2TT3<-cp0Eglh!RK+%Xlz<OVv_sb
lh+bH~5s~2A-(<d@xqmYRRhFXH@%_vYKGciBBfv!z{0D0^A-4bk

literal 0
HcmV?d00001

diff --git a/jetty-proxy/src/test/resources/client_auth/proxy_keystore.p12 b/jetty-proxy/src/test/resources/client_auth/proxy_keystore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..50a21ec94c28464fc74eabf92084191a0ed68893
GIT binary patch
literal 7933
zcma*rV{j%=ydLn_PTtsd-gsl%Hr{N^jcpqn+sVeZxv_008yg#R+v&aSZD%_D^q+YS
zKAri^GY1$%{0adM2@E1`fPtqElMZ`E28RXD4<ast3L?(?7iR&35JvyY5<(kP5JJ<x
zxDFTutqp_tKTjbcfJ5X5LHz{=K|KTMU=aQz{&zV66jq2QHTJA+x+Cf7dQk?4b(yDQ
ziWCGS*q}005Y%rU`$LvK(*ty_QMH0_%MdmyG0l5;plaZI!R_{iJM^1mf$D><0J>w8
zRND48Ep*yCV_g@NPkAX*G&eonM9}B!!Zl<zHl87m{0_772rq%N9O+BHDoxz0ExM@Y
z5b4avh>f5nhorRJL}5~5Z?K!8vFWUw=YWekZ%K^wPGE?}tYBcvULP6P=uTMT?m_Hf
zbn{#&{v@gg5fj}QhvEIx=O%&~Vh$7DFm!Z~h{Xr)`#i4bUC51N!qLS-sM_pyf8OjQ
zFTDNkplNf6+Td4pk-)uK>&?e`&fe3v<tjHS>N}{2XWrtj_{1CI$f<!Tt*W^C_PL5~
z&5bl}<h@%%@+qW3?~2Cx+X;w#I@XsSYXzfB_-Fy9@#y8J_3deF(AX(3&*wr1mhqMj
zU3?8y{`4!FeAZMqr{B?DT_6T#Tp5Q38K%bGbK5JF4{OHb?C;m&!ppPX8INr;+N5Qt
z+=`9&rfP-oV&NMANi4UZlney6B)@0^$#Jy9w8S&v2C*Ezw@5qY4NY(~qJ=XHj;Gg{
z@T4>jTz@gWJ7wI_j-pObDyDImHTDy(P)qIY@Aw9Ok_RS#CH!oRpLh`61gz+IRTNX%
zb&-5t+<5FMn84W4f9ZRA70ZI#RY3pirW>3XO@F^BPXfxsJ#F(6QxKgqS>mt$;GZkp
zJxAUVrB<#hiv2^1e}b>JST89!LeisJ=BR^VXdkyVH=<iPoLBh3ZMbu7aB4NtEfNN?
z8!XxsttmO<{?p0RK!_p$syXE9UO^;E=$EgGvHJ=x@pY_s`YEgvkCg!CeD*o*@`Al_
zXVr0e+WbWN;fLI5BS{X%Yh@$ava#>yfNh;KZrd7?vKgdHU#KgaJEP1CH%V3<N8uiO
z19vHIdt8k$q?2&~`XiRzs8$y4x1!7K_xQ`<x~U{}rU@d7IT>0@+n-Jc(u>)H#Pi8)
za~_oP1{Za`TTSALbMI#<S%NS?$@aCim^-I$WL*m5>-nwWJjJ)7bCCA)p4vZ?B@kUT
z$+VPN=FN5<4y^D=|56Q3x^m|o6)}leC$n)F&G8FsYUtJ(N<;fJ%{9#<WC#h_G)@ff
zAq}Ur(hik&%@;ZOnFz@`H}+igrzQ9#on@hRrifnk6vWPYWD+cpvfM|s7EBiyaCI?`
zfU-Uno-)jjD}{3!m7^YBmP$SPq&o<~D9BzilshF^(MnxJh>KfaWhiy+eu<WwYoL#`
zkjIv<Cm_6u$`f!^6~<l`=wr|in~o(7R1pR+nTtg<yee|TD9AD+8FZfEbvHxo2*^dM
zv_6Es;WUp(-4S-)OY$EiOP+n+eI|Wa)WPsY@|pM;bxvOsygrtSvdG#Q3D-@Jz1IG4
z4{r1eCtPa6$}im!aN7XDhO=LM7O!zFc`t6Di3h2O7zZpc>GPpdb9jtyTaNagx+}uS
z>6=#l5Uvz%9#;EA008YH7%)VLZ;KN>Tr_EBN#S7Pp8tYrvQW2eF<rL3;I+NrL$ju&
zvOz6(EraKTqZ{q;4%#RhUdqNe{k#z{^`=;wGRW$3M&inLDgJYd`<C9A%({Jy-)tn{
zN2pHdH<sh~WEU_N+^o%He~UX%r8SPJ0Xvv&nqJv6qG`LvPJL6&Dhs6gPb%TDSaFH5
z!Cb+d!OXy%z*xbIz<&Ij4qzT&o<OqywGF_E1%;t*WoJgp%Eijg$;rjR#lz0S^Uqf0
z|I^m{f3{x#-?m~^a>11;Atlg0L(gy;M4hf-w_*Q>t$o=kyFtTlYI%QdHFMg=Jm|}-
zyMXzYW|OkcP_)zo<>RiE8VfXQjFdN;M{(yrZ%q+6Mf=}OGbAqgQ#I<Dh2N?^w~(*_
zy~1p;<g-<7>gH%d1t!H^Tf=;`mt$2mWqcf2iG7tQDuS@$`<7|MXfP~p3Mx?i-MYT}
zIKkGE9lEKw4@=6oo1Pdv+Hwy(WOw}&HY{?Ar}cQhciFNk*|~#MVsyNwk7X2JGvsoJ
zuYO>B<Mx6_3pV`sEEXkMJ{Y75A(_%{7xE@8hsZlWDz2v9He=n7^?TmO9Kx-7EDo|=
z1ws*a3(yIYEPrexT8nZph*YIVE=FHQ<&<ojK@gk#w2(Z;>TrPTZ^+QpTxu(^d!;|`
z^wAcQ^C3uwqoJ%k`RlZjB5_`|kujUs2IuYk93ROjLj~q>TjU%EEV4@B3Ka=%zIz4}
zE`Lh7hnYfAC?yQa71{g{-(t!C#-q(CIP{fGWW^DbP}tS&w~RzM-6N^r1H*J5>QNlC
zacsdX%@g1VT_X1UI~&EINm?oIgJinijL^{f<4y9$6YiiTM(^!u)8^W8F}h0O;K}f&
zzWrXv!_L>8SnZlp@^h)7&Jz3Oh!-C-YPq=<+<QoKcy85|&Cdx&AlTgZt$Dr1AcxdR
zgmM_7xenss30*-PPLf-okJAxvOWCiSJz;SbYguOxta1X^Q$1PKGFUN4q_CJ*<$S)Y
z0g`B#%u_p=Nf7!?cgbA<UDw3O^~0W(-Q1Uoov1vr6;=(9tc~?@VunCmpn&Y|4o3{_
z7bE4;%ckk*J1yo_ohBTu?$mY>0A)1H&e?p18iU!Yv$;rFu$OH~d;t0xxhVhR*QE~N
zXRQyrz{A+J$Y|0&zF#$?I2yN@DWO!2+4qaKO9?4?v1#co?Uy|JwfMH^NrY)vE5+*g
zV_TnOOYTX#)EG0=t)!eCXOhdAP?wxpq=mOSN_A{Qz1p^CC6VK@UNMIWX<5x?p06>E
zQZ!O>fqFzjYbeGc<!<>)a}u&G4>EzfXKJ*_5~@ai5S^EU_tK>_sz%QwU63PtD0tU|
z#P$<Obo%TkPSKG6sR&)?;eHRP2E|#C^QyLh^>^rmF~S79)p(uZ#>V;X+&a?)K5~}a
zOa?1<_^m(A2$FY%#;=*eEVZ>~SE+@x+lRkd!$<W;^X)MpvuYg*9bkv`>-kElQ^-fu
zXdTD%v<0?2GtP8Igpx)p@0G%vUSMR@;eB`TK21KKa%5IsAurUQIyTFmc5l%NwMGBV
znUw#o9^S29(j38VLrE%kxeeQlCTWSS{&B}FilgiBdVt`M9i<)X4zCNnpw&=R7TV%2
zq!Hwxgp5PLz?n?e^*K7o*vcc)$9pS{)5~g~tVT21WC5`4awUpT+~QB}jB<5!L8c!D
zZkXq~h<4rZxHL#8Ic;*Ac@(LCVn#F?H6?*pf!pugr+^{j38K_Un9JvR%h0;gAT^GY
zM&^|s4ag2REFj$rQaLCbp3YjPLUPSA1~qi-LTN{1$%4b74lWlJ(9~LSKXy>GOmpqq
zigXy6WXDz6oYy97hsTprFD4L}Kgv-51jl9Zi1W~ZcZvJ-f$&L94tKbhmGH48z#EzR
zUe|E;|1y>B|KC(@9#(cBFbH$<KjDRi$q&Np{ui}FfP?)T|9k)aFUG?B_x=iVqMj9r
zYk$GSDX$nGUnxF~Wvlr=j136F^uUNVF6Hpxk5JI?pMJ<~(Gf`})o99It`ib;Q7Kg7
z9nBGO{_w7*b=-!wc$E5R!S!D8&5!o(9N`{n30XlWJt)t<U>OjYLb`@N{6Rs6CSO$7
z0adwV6UUvHS?H%@AtZUB=)MAhs2pu%2UM-Xo%Qm?ZRvIX2#az8SU#yvG@7?E=%+nN
zHIt4=IAB+ws*$*C((T7G#*G>i!<h*#nNiy<#_MIFv3)U}MjUPg*uBTf*eJxWrwI4T
z#@7d6-nDIv>qEvjg=qL}6hQQP6lk_mDI!VlDfsM$g`c`_9@)IMwxjr<9}}=MhvS>l
zc4JkVCm%`;&dTU%;Q#;=EVuN&2&Fa9dG>-d3se$w*G^<!dfNNrO$yL)OO@22wk&L6
z(g>-y8nXekj76mBXvlvfi-j|A7kSg}AWgC7{e4)3NV-`0P69u!gq8U)-zbt78{CoO
z4y6d&UW^cFq69u#^bPJbz>Bh08mivLoB+gMOQ3KPIfjV6y{?|<t<S@CnGsqIOSATV
zUx_Jmq}75h{e6ZaH0#)%U>i3lUcrH7N8;7w*iv2_%PvD(<8`SMwX3G0!EvKhkoe;$
z!gA=d&Idwx{tP93?n*4wPxn)?IoEh$^4yvu&Q@}#P9?~YJQ`9HpjD&z?5W}Xo?QYM
zrH1*9G}qsLHHn`GbXF7hm};@feZYu9sIjpuabr|w-uFm#p^FP`<KV=Wb5I;iu@I)&
zm0Q1wX`geb0PX_CwVym4=v><m=M7Iz22G!(!FX1cupNzEbSdmX<&IBOeNnZ%FqIS0
ze0-zvgXBw!+mzo0^YB9OCRLCK;&X-^+?oz$sXDtW7rVe)`i!r8ZP{&9Fo2pDT;M~_
z@&XTT(GzVn3ySd%7p2|v%0L#>LlZZ6L)H)d>*K8>8hVR0nf93yyxgiV=Bf^!3FP0Q
zo9BT<4BXr704RuQ4@1>beCQRokkvEm(-Z8Z-;F!pG@~FLmJy}Jlg9^F4X`*ERP|B{
zRZMmM4xSp@eV04Bsas5eI)f5u!))5D4&G1$FT^L``u2(on?1nipPuv6=c;3Hx$eGA
zlayh>T>y<F5xqSSnqJ`4%sjU`$rjZ~XMBj$)W+T-lgR$+fM`UV)g`u0*(z($bRRgg
zZfG!es?RGai3A5HfwxgpTHyTd8bgWZ$?Sn=9Q*!#Gz};4HWMN}i;^WuagQGD_j-vW
z-;feNY+WIxq-@25c$ztS$nnmQG?|A}!Usj#YSUsBZR2VlV{X7leDZ_etFA-=g=}Bp
z3vzZm$BF{`=R&lG!r;z2fJBhiw$di^QJ2XOZ60~&<IKiWD{C7WUwEtdaBSOC;k@dB
znC<G5n0E!2q)v`U<xY|b1Va1BOl=^?r(Fk(Fx0y{>NWry9y4Tbd@W7ogGVw((8SMt
zZ6L@<rSX&0XENjnn^@&~%3=NJCHT&rCMYK=5*e-tKTp4N^8IQZfDt3*R`x+MPn(E|
z*91z8KcpT{<ktTQ8?VE+C@WVibxpcSNxu>f0<iSU7?Z%=-3qj4(qnb25E>-c0O}Wb
zE!}GGsen4<K7kK#XsT!+xDR2(Y^}CDN5*2+KtJa;WZvnZb!OsziWSe5+*CK}CzLot
z{7fjo_-xD0Dy-noHzm|9^TzCe`_Jo_N;;!-@%2Qd>p~hU|G*j+_F8WL;>##cTW#vU
zT$h%(tyk}nzsgOZZ+{hce_eaGh|geVh<@h=m(jj5HuNf;p*c#sXJpGeYJ;;682QS5
zt-_}(`~h&X(`7pD*D%jf+?MAoyPa{1Y(x&yT6NHTSimI^SOpX$(Qe_<O@x%}-5BYk
zj-=Yvm`qPm9~g&1)-8+p1H5K^mq(GhilThm0N;loBYKFYqv|&$GIOh^6@P)Cc=Mxr
zPi<I%vwrghew<5UlW}Ryuu^5Y5|cWgD!azl)th!Y%h)nf-QPcT4pdUti~8ITP+etA
z^d^+=HW^GRUe|p%xNd)({XEU+^v3G!BluB((WM|uW!I7u1*upnnc2vTUOLtJeBOB4
zkBNb=x0MaM5-bRTw}h0QwCWk{q^gzENCxp_RnD6`6RXK(2W6}UmL(*Qy<vcQCaNoj
zs%mO1<HO`d4v&3Rk#PRG2>l&tfe1Ty9<{^!<Y0)L%}N#<+rN15HolpobXX+UOM);L
zHrg2wTtSdl$)s8~v{Q218W67A8h`KP%0e9!a1*w?(UdsKvQ*vPL6?0u1|xvJ@7vGF
zhN#U66|zk~I@nRRk0xk!VtzwcUuz(n6X}S0|A{>yxL|O@#!Dfb3NZdFYjsoWmG=#m
zbfUG43+E3W9EOT(iFhwg8xfvkh--;`=wN^R+xiMDUbQ}5R*ekHHF*0kl5jnmI-CG&
z#4$#pR~x|n)^g(FfsPg=7>_Z{pLg2OVgV`i+XC7brN^}vlQ6MoBR3d_(LgHy42tZC
zNqt9cJ2#CFPQ7e9W-(qTk$}ja!G`IL0|V<2*WFR<vt8%>%F^<lmr(6hUzyrHTG-As
zMmMCY^*LvY`N@9L5<8Ea>?x_vK^4ogjIh8fsFAoz>1oE}K;ZAlCr5N7Y@SX2D(m$P
z>1;nOAzrI@g+NN710s2j%N1kzH)Km%P$W~x!j)3JV3WH=m|tmm<f4FZOEngS^(MV9
z&_k%C22OQ1-Bj|rIz?KcbSogN+t(<<w@<GBK$yqteY#J*(M<la<OdW^xu}~Yx*FsP
zDL<~(5RUg~n*0jAwZMmB0#6^FAAIpnloU+U42CW^Nxv0_-CJY;hMSR}Xrz`UR>(G_
zOV+?_LamG4dAj%zQu3YnjLzbx)zP?H`ozcz)d46Yy_q_npyZ4|+zLKs(IHD0bMp=Z
z1!m3tYACjY$N|B9N8G7w?NXGN(H;lL?%R`(7!odnqJq*ePs8JQUVps!1{@CH!Tl}B
zXp7Okr;lFwf?6QuF$4a)#Lv}y6{eyN+izAE<gFev&OoutZJ2xy@c(;<40dPy`#HCL
zJO;!aBU~F6t(Z5>)_Y3j72_O)iJjOL5{5Q{F$%OQPIELAw+)dq{6XXc63sMlCJtw_
zNrDTokmd9JN$uG<)=O7{E^Z=5z4Jl=!n6Nq8ZyY2fPS>X084L3^6o|ttE_P<{L}VD
zhQC1NG37kWz0a$1^r~r#5@I%T&(}SVC&&y-y8E42oCS84<md0U`onU&K>nb0yPqra
z?^HghcSP6zocM6Qr29$=Gd+=Tb3bRRG$=*g^vs<@q{#dw;OC?t*mqkA@k_#+^5iO5
zv)QjuI8GYnnaK7g7fuWr1WD#<>=>dLQ3mRd%{-do+YK*crD>l09;{|i1o(M=y{<ZU
ziQKZC7L#ovn7RZZ(L{wj77Ij@v1P{~;~=mU9&Kz>^T)8Kmw<Bcsnx_Bqew%xi3Lp*
zHJ~#UkOZkY*V?)ELI-wpH`L^?8G{K7&D7^iq|K#_CAkJ+9B9W?c9k4RV(JZc?Yd}N
z+YrZC9O6uUsSMs!XL%|;P}SR`mo_~&pjR^GRHBl1O4Ak~e7%QMNUSZ^on^q6dj2|<
z&PLtgOmT7*fnw=Ee(`b1S6KuvCx~D47YQ~ua-dY=t|5;cF9p3a>&ti}x^aY~cgFi3
zZ6r#0loYBzb@<unTTGz*CV$HpB#>QqxGY2|@()?~!zY{qrnZZzV=cXa)De*oo43SV
zuqaoK`C9e;0n#FfJstRw-wWU>&m}J7T{FKcB5!<o;$923pQohR;w2`*`b5t~VequY
z&MT&Ou)Z~cX5Mhh154|QQGOZD$0{8O^{RCgHbm`=P-Fo@hHK*V3`5EXHvPLu{|d@>
zOJ=_RRpR@meK~xiuc-aa_p9DnD;?Wio**tcO3IDvUXN<O)#Xi<?MEc9w=Mx!b{wD0
zELQ4Y>tIVFre<M3MG^&Z??mrU9enNCMGjBQxnc3Bet3Ss5pp?KtKN#b%=%t8;+hG=
zsX{$!`|Sx$5j||+GjgHyzb<H29oFFAI!`xT=q<HL=G?O}HHV&-N=CQ4uc;*O?XPPS
zrwQQg%Bik8&QVhz1yEnyHw=e;|5|Z~#&q_2rb3dTP66aw0?bbLR>3g(bT9^Pgf)+Z
z72mWg`V1hkJ!0~=@jO9tIYy~52f}Ibhvr}hktzWh`#fvCyU;<y*_{k1r}aC*I-Js6
z^e?<(u*ds#o5;qRNPT-SEUX@5;FY(}s2S)G+AIkh?g(UuGBdS3rgtz4!Oj;36defu
z#b^f?WeYnCfU9cpE?XX&xy!NejqQbTHzw0aG>QH3M$xV)OW&&&14GS>LA;v@X4qTp
z8;5O18vd#)EI@<5@g_s6arDfF&D&rN4-|cF9pdblc<b2|w*>4kb-Q)s$~%D$)zd9_
z-SSVdvh=NUA8Qvv!V?fv7fLY>agyCTN(D0#lDz2lEehqM`ld{V`%QOs2p9eU#9q8)
zt&2hRxh&F@5`jff6}HC*v|r>EZG6f)9vX$BmV3-E3dR}hd?Nf!^W!?qNz1CSY+wab
zhYqZkAzk6YHv-v&B`UyR=B9MvPCdr(WNPsci;@L>Q9t+k{{6?=srD7)CR?I0F9XXu
zsEoxFE_O@OG4aUK9iw_a=T0jSG!EEa?oJAGS-YgKkbbKiI<=qF?50c6jZi2nqklRE
z5`7Y){wmgHFrAmnqe|6Y^jT#MI5YE@CXO&<&u*#;PIR5DutqjPUnzvRi_Gm0Mj|!?
zoh#(d&GX`Z+VHJNKDMwsh9R7)-fYh3zF&Ig+;9;3i>aYn&7=_`fUUC>A{&H?ud6G7
z&AzTJoCIV>PSb|2BUU_}ZNAW#JfvAALibCqo&Wo8L|F*gJ&>GQ{VVMXfAWsJ8d~eh
z4Q;`q37e-0p==v16LbNIHa)NBZFy+d+lAPLvZtn}SM6FOS{QN)M%y021jggT1D6an
zn{x|5!;xlh4u+H|d^DWzh+>(!?lBs%c<Z<1rELzW@n2VD+a?htuGuS=hLd({a<kV<
z*<b&uVY%z!UJ>Q@_l&-eD(i5?2Xu7OaC`%z=G(W@koH9({$n<$?Mts#cut$XoRRq4
zQs~b%_&Xjf5I#wGzk{PnAzdN`yK`+}^2_qf8$c*&U(yyZv(7hjF{fLM1!vX0%k+t#
z%5s4u$wmxK+2l7lKa3TXU&s~Y7`v#ZlxW62CPc6(I%m!@0=U-Ae&xc<&moccfr>-W
z5fL1Q52A)sSd4^4-J&^il!zd%vrgai-*qhJQhvxz@#Ll~)|bGB!F;{2D3~|E7#Yv0
z$xq37ALL?ouUCzzk3_7Pz@+5f;(h$xW!XEVD%SXUx|3=>t|_^f1$R-+078Qh-U@O5
zb4s{++@q$F$rJ@N75qFPORnlZYLoqJho<Fen=B2Qj+bX1=`D%VY5n7oqDhS={-u|H
zEgnv`#LXRMaRc&qz_gN@LHnA#Yo)gkuj@BBIL1NjgUv04J_#=HHV8+w1%ebGAcq?z
z4x%SucT6;A3|P7tH=V`scOteA*+<0PM`R!D=lLJ2AKc46E99|z^D**J5O8XO2R6R?
z(ZMPgmdP7lOL&++UHjyN5*q>CI*ViTW^q&OlDvZ!i)->Yc6^+FW@Rt7NZHqFE-~@V
zI?B9Ubq&TN;<E^?9e8g$SLDPm<UE1kJIsx@d|qrpPxSqCqPTq%nQbvo*S4^HJ-?a>
z5JG}<zgGq?$VRfD84g!wi6J_<Gz_2v06-4&U)VgJ7dSH~wXRW8kuZj!1A6IvTEvMo
z2}Y}323F^g-#c54?E%55Y>Mks<yuG7DG0(k(GzR@Xe*LuH1oN+&`nsh>qn%TeCtEY
zjDN#a<3J`~8<xQ2UNYBe<J17J`jG<sD`xy!4r>=U!11N+sWagpeopyPsRjFFk507g
zYJTA`)%zMl{X+MJ3*{q|2OR^o8?#(&x6y;gOEEAHt6`gVi$-&lZ{T%&G+1|MQuJfJ
zt(`L2hd^$}*}DZmGYOM1N`ut7<HXt}t31J6Z7Mm!{8qzn=DI#|Mf%!?J-UEBHC^vp
zK_c2T8B|M_O8NqZ&;h2Lj&~boXd^1Qlf~b{nS_!q-M*I$Vtn5c8P;e+-pS@}0E+|R
zg;0>wf$9ME#1t&A5>)9q=_vbjE_4WS^q`}}A(PH!MP+~LP8ezo-5tDkMTme%BwCF?
zCzNVLyHKa=(JqY8p=m5u#ew)~Z-_01TnjDW^rL?{b68Q;D`f8*40f6xGXf8*^J2sp
zU*ZXI!J1qZ+VZ2P!`Szbp$o~%JLlte6(&>eia8r`Sv4D0S|r^08GnK;F}AwNMpqLY
z(P7WNcjt7(GO&a~4h8a136Xtmy-pB6iL>M7%Zl-|<5@1>><a#yXRVi~+r^{Qh>llW
zya&Vyo<dn$)Qy8a(nV4?_G9!NNgj>=@}REolu#=+L96?zU)FqU3c~0~ib#xPC~tSL
zR}6!h!Q$xlcr5%%r^2a(=N;j|JTv%U8vfTQ$f+1p%|E&8>uA4!YAyn|Pn<b>1?k7W
zOXVtag7-WLoOFs$cGaKl2gf*(c|Y%xwNv_fwihC4<p`ZoT~_^~OlUoxLkJI&8XVt_
z%_fq@<SU1ZI_@;jFQ6ch3<wVc&42<4fe#G^g;g(#x!6Kn9sCftXP&B2;3l*|3V_18
duEi(6jwR5z7GRy9bRdo6vS~ShfCLZA|8Fh^1X}<A

literal 0
HcmV?d00001

diff --git a/jetty-proxy/src/test/resources/client_auth/server_keystore.p12 b/jetty-proxy/src/test/resources/client_auth/server_keystore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..73ecd4d656a19d7487a773b3d3944108c28b2fe5
GIT binary patch
literal 2565
zcmY+EXEYlM8^@Cfv1yG`N~qBo6*N|*T7puwcWqL8-xfs?MA2JUY3)%fYR@2~MeS9j
zwHjiS)~J1zD6aQC?|bjLAD;7^^ZP%~|KksiVFZGJG;j<9fsR1}dl&nY1qcD=V;IW8
z7zW%qE`(!fUH=u)T7ogOrsvr3eDvs;{`bXvUX+gkAHy-=pKur*<Nxt_IUkr4CmMA@
zX-TS8LdPv7yM6Kp)TK-kL<9I>2*!Z>M3foShhbW+UD7>Yd%ccRSzFCO9<DWsSg&MM
z>iv<U-+FJUl0K3|#s5^5RAFg~mJmCPyb*dS?=6Q02TFv?e*|FJuAgn1sV$Zn6KH-$
z{~B=SosS^;6&&w)u}V+JQkM)@7b^s3=bUQIR6Wv#nD_{|Uk&{qLnRF|l8YA@H!J63
z%|+jiz6;o$nkmxdy|vnSu%0a1x5r2mKW;?1o!w_H_ey^k;=2N%p4`zvfUaRb_YL%G
zeFJ;%5koOW#y+C()Y?jV{WZgSh&Iz<$7F0ZSw5*y5cCW{hLOw1shN#@BlRT{9t+W&
zXWdlzZ)fkf(%dI#hH90Md@C+M-~dpha@JIUhZDI-+{d)OJ8WPy-byyU+~U58BX1<@
zA3F6*pMEAH%#%3$>1z)2_-|T|I$^WM%?hFmM9F@G+#A<X_==NHZ#MaYEtj>}9yI5r
zcWUUBF#c#7^b4u%8f#9cqz{_w_cwO|pf;J<?pxL<=jdil)yv8{&RZJUA~7X$JuIiy
zOQ|R+S?KnB6|P0e?M@r^PAbgJR-=x;n)qUN3q1CcPUwJw%KHw9=4>MCB(n6LjB4d1
z#|pVJWQtia*B*fs_Y_xzkZk_BZ>+Scuf0#wULoxetBmehu<v#~d|BMN=6FD4r+6sx
z(2o6H!Xu+Uf{^b>8MEQqs*l*Tj<q4lT&-zvfWDnLAk1EsLOJyfG$wG=-K<f?oKy{;
zow)PiuN^IILj`*IOx5}w^a?>+tzHkz?U}yC3HiP_9;_5@i%vg<-Z&i)#Xj6#Zhq?A
zOCLnBOkEo(Jy<uFD+(Q7&f+XT%zO=x_cPHJiAD&(wNNQyQa(oF^_BD}-7ts1XKn9Y
zJe$-7G-3NJrv9r6DxcY=)F5Xg5m^d_kOl;5FN*7n8Y5cK7~^L7<O*xC4-L^aw@qU$
zwv)}?&V4l>Ng1obZ7ywJ*6Olb{BF5>vH@m9`&*CaW=YTw-qt^fa5|<3W*b}cbr=xa
zGe3{T=og>~sal;0{s`-$i<zX{@S{fyo?*(t6G_CbHl}HpIj`+1<PS!#!jxO;Mei>1
zyc4bMwFnn}*jG!wsqWr8xi<$*LvC)96)UEo>Z7H{r=O_>wJ|-&ieMEEx@JSk?HxTH
z{In;v#{03bKntEXAwuHk;Ii#I$@B|(7sAr1G<S)6QIsa!Tx3sBAsTS09Zly{_xi(H
zn61lG<tz3^{eZ3sMD#`SJclbAvrn-7QQbqLnG_woWGQw!tl7P@+GUD4KeKTmnNUgS
zlW+aetcabJ=dwslD@@`Z2|MMuhm8tPyi%jNf4TAUX<VC0gPOr~Zr>U08f14Vcw)1E
zcnHoGY}fFEUClFR@6{1A!^Cp&E)m(J0eTkmo;hNm0s?axlxJOajd1=Ty}AZV30$QX
z?UFd<OekrjBEgLz#5#xB921n4NXcGR)hsVXWGp*y$DzDV-}6k6DDnnbZF`RVfmx;1
zSFa+k+ZqnL33R=!?J=@D*%pm(HS^{5d1PInKF0P^@^|hD?y)*=@|QRhUg{ekStQyt
z%;<D3*dt^&r91$3TKQ`5N%nkOuhiiBiWwGWJH^pN)g=4tiqg$MEX6cK6DE6QZ^3#0
zRwV<cEVBS3z#9+(@C2X%A#kC8A}(1@@I_O1Z!}a^K~^4tKqxE8%FD@}tMkU+M-aMm
zn~I(zArKI7zApch0RQDzy8rlfK0KrSH#O1<Wz29^5Vpa|eB-$AzkZFx(9F+&L%>y7
zU5mFwthAs!zM2FC)oELeLmIb;bBbB5BC=`wqZ)*gTs~ee4FF_(Y}udLcKY!y7x*TV
zjrNkEA<};bCbwPc9uMlQcS-)qIeGKXZkXOQ$@iX}g->Q+h2t2x!;DmR;DY`>kHmUy
z@G?l1b^XNAMBO<OhAfIke`BEXJ+`+`4)7PAiA1JPRR)<sU+I>V`<a4szPFUsLicGs
z{VMPUvA;?N{pO}<*%lZf9%(Z<p5h53iMb&pp4obOu!Tn@zQ}Lgl@Ra$9G%#jq-73#
zqV_zNbTnA5a(vf7|3w-0iy+^xHfd|TF063`H!Oe~z^x=n<c43VA6<*R$b3~kKBCyh
zGCaE0O-49LW32#_($O%tw97HDId`|<b6##ckp7FLsOxh_(=#z=%U?KrV}MN(Vf+C0
zcCVIkqi3Vowf4ddt9K)h-Lx`7_LR~T^fE~G?D<tKn?zeP?xw)l{*wBTr8aMCQ<efW
z-F)QD_t0q5A?rNtfRL5OxG~E{@m*BSGn{qQAM8ohE9t+lc{zrB8ZEn({V_YV)gZ4=
zqJ1JYE^j$9=9i`UZG9#5evzy(D&k2_+gtm1ag@yNR&B=q;n1t7d$`{15tHu8x*)$5
zm+OMuG0GeK*soTbBExv^r<9D)(%u-0j+5gRZO$8dzB*N9CiYPeC>_r>ivLjC{4i`+
zAodcZPRY+GnmOF#TtN~ON>zN*%i~%<`Mv}sDR^hQZm+P(NH0{HJ$C?(>gW<$stvWK
zspjn$j<XpAjOX&I?&_gV%Lw5cw^!>9X7M)E(2j7-BYy;8`;&RjqDlxE6lIg9T<{|G
z$h=wDsiP^<a>m20w{sNg8~Uw(>^lEKAv?pbAQq<nPm9vjM95I;Fh`5V0nW}6{aS5y
z2eQ&R`JxfCA2VSfXk_GlFHlcd?P0P8_stfB;vtTiELLwizOyr@9&{u~m~@C!{E(S;
z--f5D+m<T-I8%Tf-_VInT>mnXHRLs^3QWYAt2Of9oy3N;h;W$=*h-Y}=ZLXds1KDG
z(g(!}&fHh2eW0m=B*;|XrYOxQ*!o&O$Yb4W#)I;+mf~OOYCM|H2$&I1oYln_N;>0h
zv|Ut5v#yW{x6eh@?M5X_S)_#T&iTo}98Y(6cS2mlX^FyB{?moP>FA{nO5$z&0DFVL
zbDoSu<4c#&856ibv(5t;LO|B*nvSMxx(yfI;n(XTo%bfoSsjgbzSQ5(4|t+>-+{T5
zVbyQFCu>B5U@DQ)PT$8jVd0_#l+AZnE)P?rjxL$U=Zc~DgTtlMk#y^d?4kgxIruHO
z5S)RIR+5zlbeR?a<~+N&tVgks8Pb!F{wf=M_5mcW(F*32<4r?9HU1hnE)QDdz>udD
MHhp<PG(c?rU#^kWtN;K2

literal 0
HcmV?d00001