From 7f867bff0958513c89e1e9782adcbc92e8c84abe Mon Sep 17 00:00:00 2001
From: Simone Bordet <simone.bordet@gmail.com>
Date: Mon, 15 Feb 2021 22:14:39 +0100
Subject: [PATCH] Fixes #5973 - Proxy client TLS authentication example.

Examples, in form of test cases for a proxy that uses TLS client authentication
both towards the remote client and towards the server.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
---
 .../io/ssl/SslClientConnectionFactory.java    |  27 +-
 .../jetty/proxy/ClientAuthProxyTest.java      | 551 ++++++++++++++++++
 .../resources/client_auth/client_keystore.p12 | Bin 0 -> 8051 bytes
 .../resources/client_auth/proxy_keystore.p12  | Bin 0 -> 10391 bytes
 .../resources/client_auth/server_keystore.p12 | Bin 0 -> 2575 bytes
 5 files changed, 577 insertions(+), 1 deletion(-)
 create mode 100644 jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java
 create mode 100644 jetty-proxy/src/test/resources/client_auth/client_keystore.p12
 create mode 100644 jetty-proxy/src/test/resources/client_auth/proxy_keystore.p12
 create mode 100644 jetty-proxy/src/test/resources/client_auth/server_keystore.p12

diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java
index 588794d2da96..ea7dd5f3094f 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java
@@ -34,6 +34,9 @@
 import org.eclipse.jetty.util.component.ContainerLifeCycle;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
+/**
+ * <p>A ClientConnectionFactory that creates client-side {@link SslConnection} instances.</p>
+ */
 public class SslClientConnectionFactory implements ClientConnectionFactory
 {
     public static final String SSL_CONTEXT_FACTORY_CONTEXT_KEY = "ssl.context.factory";
@@ -120,7 +123,10 @@ public org.eclipse.jetty.io.Connection newConnection(EndPoint endPoint, Map<Stri
     {
         String host = (String)context.get(SSL_PEER_HOST_CONTEXT_KEY);
         int port = (Integer)context.get(SSL_PEER_PORT_CONTEXT_KEY);
-        SSLEngine engine = sslContextFactory.newSSLEngine(host, port);
+
+        SSLEngine engine = sslContextFactory instanceof SslEngineFactory
+            ? ((SslEngineFactory)sslContextFactory).newSslEngine(host, port, context)
+            : sslContextFactory.newSSLEngine(host, port);
         engine.setUseClientMode(true);
         context.put(SSL_ENGINE_CONTEXT_KEY, engine);
 
@@ -155,6 +161,25 @@ public Connection customize(Connection connection, Map<String, Object> context)
         return ClientConnectionFactory.super.customize(connection, context);
     }
 
+    /**
+     * <p>A factory for {@link SSLEngine} objects.</p>
+     * <p>Typically implemented by {@link SslContextFactory.Client}
+     * to support more flexible creation of SSLEngine instances.</p>
+     */
+    public interface SslEngineFactory
+    {
+        /**
+         * <p>Creates a new {@link SSLEngine} instance for the given peer host and port,
+         * and with the given context to help the creation of the SSLEngine.</p>
+         *
+         * @param host the peer host
+         * @param port the peer port
+         * @param context the {@link ClientConnectionFactory} context
+         * @return a new SSLEngine instance
+         */
+        public SSLEngine newSslEngine(String host, int port, Map<String, Object> context);
+    }
+
     private class HTTPSHandshakeListener implements SslHandshakeListener
     {
         private final Map<String, Object> context;
diff --git a/jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java b/jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java
new file mode 100644
index 000000000000..c27504edab29
--- /dev/null
+++ b/jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ClientAuthProxyTest.java
@@ -0,0 +1,551 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+package org.eclipse.jetty.proxy;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.X509ExtendedKeyManager;
+import javax.security.auth.x500.X500Principal;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.client.HttpClient;
+import org.eclipse.jetty.client.HttpClientTransport;
+import org.eclipse.jetty.client.HttpDestination;
+import org.eclipse.jetty.client.api.ContentResponse;
+import org.eclipse.jetty.client.api.Request;
+import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
+import org.eclipse.jetty.http.HttpScheme;
+import org.eclipse.jetty.http.HttpStatus;
+import org.eclipse.jetty.io.ClientConnectionFactory;
+import org.eclipse.jetty.io.Connection;
+import org.eclipse.jetty.io.ssl.SslClientConnectionFactory;
+import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.HttpConfiguration;
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.component.LifeCycle;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.eclipse.jetty.util.thread.QueuedThreadPool;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+/**
+ * <p>Tests for client and proxy authentication using certificates.</p>
+ * <p>There are 3 KeyStores:</p>
+ * <dl>
+ *   <dt>{@code client_keystore.p12}</dt>
+ *   <dd>{@code proxy} -> the proxy domain certificate with CN=proxy</dd>
+ *   <dd>{@code user1_client} -> the client certificate for user1, signed with the server certificate</dd>
+ *   <dd>{@code user2_client} -> the client certificate for user2, signed with the server certificate</dd>
+ * </dl>
+ * <dl>
+ *   <dt>{@code proxy_keystore.p12}</dt>
+ *   <dd>{@code proxy} -> the proxy domain private key and certificate with CN=proxy</dd>
+ *   <dd>{@code server} -> the server domain certificate with CN=server</dd>
+ *   <dd>{@code user1_proxy} -> the proxy client certificate for user1, signed with the server certificate</dd>
+ *   <dd>{@code user2_proxy} -> the proxy client certificate for user2, signed with the server certificate</dd>
+ * </dl>
+ * <dl>
+ *   <dt>{@code server_keystore.p12}</dt>
+ *   <dd>{@code server} -> the server domain private key and certificate with CN=server,
+ *   with extension ca:true to sign client and proxy certificates.</dd>
+ * </dl>
+ * </ul>
+ * <p>In this way, a remote client can connect to the proxy and be authenticated,
+ * and the proxy can connect to the server on behalf of that remote client, since
+ * the proxy has a certificate correspondent to the one of the remote client.</p>
+ * <p>The main problem is to make sure that the {@code HttpClient} in the proxy uses different connections
+ * to connect to the same server, and that those connections are authenticated via TLS client certificate
+ * with the correct certificate, avoiding that requests made by {@code user2} are sent over connections
+ * that are authenticated with {@code user1} certificates.</p>
+ */
+public class ClientAuthProxyTest
+{
+    private Server server;
+    private ServerConnector serverConnector;
+    private Server proxy;
+    private ServerConnector proxyConnector;
+    private HttpClient client;
+
+    private void startServer(Handler handler) throws Exception
+    {
+        QueuedThreadPool serverThreads = new QueuedThreadPool();
+        serverThreads.setName("server");
+        server = new Server(serverThreads);
+
+        HttpConfiguration httpConfig = new HttpConfiguration();
+        httpConfig.addCustomizer(new SecureRequestCustomizer());
+        HttpConnectionFactory http = new HttpConnectionFactory(httpConfig);
+
+        SslContextFactory.Server serverTLS = new SslContextFactory.Server();
+        serverTLS.setNeedClientAuth(true);
+        // The KeyStore is also a TrustStore.
+        serverTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/server_keystore.p12").getAbsolutePath());
+        serverTLS.setKeyStorePassword("storepwd");
+        serverTLS.setKeyStoreType("PKCS12");
+
+        SslConnectionFactory ssl = new SslConnectionFactory(serverTLS, http.getProtocol());
+
+        serverConnector = new ServerConnector(server, 1, 1, ssl, http);
+        server.addConnector(serverConnector);
+
+        server.setHandler(handler);
+
+        server.start();
+        System.err.println("SERVER = localhost:" + serverConnector.getLocalPort());
+    }
+
+    private void startServer() throws Exception
+    {
+        startServer(new EmptyServerHandler()
+        {
+            @Override
+            protected void service(String target, org.eclipse.jetty.server.Request jettyRequest, HttpServletRequest request, HttpServletResponse response) throws IOException
+            {
+                X509Certificate[] certificates = (X509Certificate[])request.getAttribute(SecureRequestCustomizer.JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE);
+                Assertions.assertNotNull(certificates);
+                X509Certificate certificate = certificates[0];
+                X500Principal principal = certificate.getSubjectX500Principal();
+                ServletOutputStream output = response.getOutputStream();
+                output.println(principal.toString());
+                output.println(request.getRemotePort());
+            }
+        });
+    }
+
+    private void startProxy(AbstractProxyServlet servlet) throws Exception
+    {
+        QueuedThreadPool proxyThreads = new QueuedThreadPool();
+        proxyThreads.setName("proxy");
+        proxy = new Server();
+
+        HttpConfiguration httpConfig = new HttpConfiguration();
+        httpConfig.addCustomizer(new SecureRequestCustomizer());
+        HttpConnectionFactory http = new HttpConnectionFactory(httpConfig);
+
+        SslContextFactory.Server proxyTLS = new SslContextFactory.Server();
+        proxyTLS.setNeedClientAuth(true);
+        // The KeyStore is also a TrustStore.
+        proxyTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+        proxyTLS.setKeyStorePassword("storepwd");
+        proxyTLS.setKeyStoreType("PKCS12");
+
+        SslConnectionFactory ssl = new SslConnectionFactory(proxyTLS, http.getProtocol());
+
+        proxyConnector = new ServerConnector(proxy, 1, 1, ssl, http);
+        proxy.addConnector(proxyConnector);
+
+        ServletContextHandler context = new ServletContextHandler(proxy, "/");
+        context.addServlet(new ServletHolder(servlet), "/*");
+        proxy.setHandler(context);
+
+        proxy.start();
+        System.err.println("PROXY = localhost:" + proxyConnector.getLocalPort());
+    }
+
+    private void startClient() throws Exception
+    {
+        SslContextFactory.Client clientTLS = new SslContextFactory.Client();
+        // Disable TLS-level hostname verification.
+        clientTLS.setEndpointIdentificationAlgorithm(null);
+        clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/client_keystore.p12").getAbsolutePath());
+        clientTLS.setKeyStorePassword("storepwd");
+        clientTLS.setKeyStoreType("PKCS12");
+        client = new HttpClient(clientTLS);
+        QueuedThreadPool clientThreads = new QueuedThreadPool();
+        clientThreads.setName("client");
+        client.setExecutor(clientThreads);
+        client.start();
+    }
+
+    @AfterEach
+    public void dispose() throws Exception
+    {
+        LifeCycle.stop(client);
+        LifeCycle.stop(proxy);
+        LifeCycle.stop(server);
+    }
+
+    private static String retrieveUser(HttpServletRequest request)
+    {
+        X509Certificate[] certificates = (X509Certificate[])request.getAttribute(SecureRequestCustomizer.JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE);
+        String clientName = certificates[0].getSubjectX500Principal().getName();
+        Matcher matcher = Pattern.compile("CN=([^,]+)").matcher(clientName);
+        if (matcher.find())
+        {
+            // Retain only "userN".
+            return matcher.group(1).split("_")[0];
+        }
+        return null;
+    }
+
+    @Test
+    public void testClientAuthProxyingWithMultipleHttpClients() throws Exception
+    {
+        // Using a different HttpClient (with a different SslContextFactory.Client)
+        // per user works, but there is a lot of duplicated state in the HttpClients:
+        // Executors and Schedulers (although they can be shared), but also CookieManagers
+        // ProtocolHandlers, etc.
+        // The proxy has different SslContextFactory.Client statically configured
+        // for different users.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            private final Map<String, HttpClient> httpClients = new ConcurrentHashMap<>();
+
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                HttpClient httpClient = getOrCreateHttpClient(user);
+                Request proxyRequest = httpClient.newRequest(rewrittenTarget)
+                    .method(request.getMethod())
+                    .attribute(CLIENT_REQUEST_ATTRIBUTE, request);
+                // Send the request to the server.
+                proxyRequest.port(serverConnector.getLocalPort());
+                // No need to tag the request when using different HttpClients.
+                return proxyRequest;
+            }
+
+            private HttpClient getOrCreateHttpClient(String user)
+            {
+                if (user == null)
+                    return getHttpClient();
+                return httpClients.computeIfAbsent(user, key ->
+                {
+                    SslContextFactory.Client clientTLS = new SslContextFactory.Client();
+                    // Disable TLS-level hostname verification for this test.
+                    clientTLS.setEndpointIdentificationAlgorithm(null);
+                    clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                    clientTLS.setKeyStorePassword("storepwd");
+                    clientTLS.setKeyStoreType("PKCS12");
+                    clientTLS.setCertAlias(key + "_proxy");
+                    // TODO: httpClients should share Executor and Scheduler at least.
+                    HttpClient httpClient = new HttpClient(new HttpClientTransportOverHTTP(1), clientTLS);
+                    LifeCycle.start(httpClient);
+                    return httpClient;
+                });
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    @Test
+    public void testClientAuthProxyingWithMultipleServerSubDomains() throws Exception
+    {
+        // Another idea is to use multiple subdomains for the server,
+        // such as user1.server.com, user2.server.com, with the server
+        // providing a *.server.com certificate.
+        // The proxy must pick the right alias dynamically based on the
+        // remote client request.
+        // For this test we use 127.0.0.N addresses.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            private final AtomicInteger userIds = new AtomicInteger();
+            private final Map<String, String> subDomains = new ConcurrentHashMap<>();
+
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                // Obviously not fool proof, but for the 2 users in this test it does the job.
+                String subDomain = subDomains.computeIfAbsent(user, key -> "127.0.0." + userIds.incrementAndGet());
+                Request proxyRequest = super.newProxyRequest(request, rewrittenTarget);
+                proxyRequest.host(subDomain).port(serverConnector.getLocalPort());
+                // Tag the request.
+                proxyRequest.tag(new AliasTLSTag(user));
+                return proxyRequest;
+            }
+
+            @Override
+            protected HttpClient newHttpClient()
+            {
+                SslContextFactory.Client clientTLS = new SslContextFactory.Client()
+                {
+                    @Override
+                    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
+                    {
+                        KeyManager[] keyManagers = super.getKeyManagers(keyStore);
+                        for (int i = 0; i < keyManagers.length; i++)
+                        {
+                            keyManagers[i] = new ProxyAliasX509ExtendedKeyManager(keyManagers[i]);
+                        }
+                        return keyManagers;
+                    }
+                };
+                // Disable TLS-level hostname verification for this test.
+                clientTLS.setEndpointIdentificationAlgorithm(null);
+                clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                clientTLS.setKeyStorePassword("storepwd");
+                clientTLS.setKeyStoreType("PKCS12");
+                return new HttpClient(new HttpClientTransportOverHTTP(1), clientTLS);
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    @Test
+    public void testClientAuthProxyingWithSSLSessionResumptionDisabled() throws Exception
+    {
+        // To user the same HttpClient and server hostName, we need to disable
+        // SSLSession caching, which is only possible by creating SSLEngine without
+        // peer host information.
+        // This is more CPU intensive because TLS sessions can never be resumed.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                Request proxyRequest = super.newProxyRequest(request, rewrittenTarget);
+                proxyRequest.port(serverConnector.getLocalPort());
+                // Tag the request.
+                proxyRequest.tag(user);
+                return proxyRequest;
+            }
+
+            @Override
+            protected HttpClient newHttpClient()
+            {
+                SslContextFactory.Client clientTLS = new SslContextFactory.Client()
+                {
+                    @Override
+                    public SSLEngine newSSLEngine(String host, int port)
+                    {
+                        // This disable TLS session resumption and requires
+                        // endpointIdentificationAlgorithm=null because the TLS implementation
+                        // does not have the peer host to verify the server certificate.
+                        return newSSLEngine();
+                    }
+
+                    @Override
+                    protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
+                    {
+                        KeyManager[] keyManagers = super.getKeyManagers(keyStore);
+                        for (int i = 0; i < keyManagers.length; i++)
+                        {
+                            keyManagers[i] = new ProxyAliasX509ExtendedKeyManager(keyManagers[i]);
+                        }
+                        return keyManagers;
+                    }
+                };
+                // Disable hostname verification is required.
+                clientTLS.setEndpointIdentificationAlgorithm(null);
+                clientTLS.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                clientTLS.setKeyStorePassword("storepwd");
+                clientTLS.setKeyStoreType("PKCS12");
+                HttpClientTransportOverHTTP transport = new HttpClientTransportOverHTTP(1);
+                return new HttpClient(transport, clientTLS);
+
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    @Test
+    public void testClientAuthProxyingWithCompositeSslContextFactory() throws Exception
+    {
+        // The idea here is to have a composite SslContextFactory that holds one for each user.
+        // It requires a change in SslClientConnectionFactory to "sniff" for the composite.
+
+        startServer();
+        startProxy(new AsyncProxyServlet()
+        {
+            @Override
+            protected Request newProxyRequest(HttpServletRequest request, String rewrittenTarget)
+            {
+                String user = retrieveUser(request);
+                Request proxyRequest = super.newProxyRequest(request, rewrittenTarget);
+                proxyRequest.port(serverConnector.getLocalPort());
+                proxyRequest.tag(user);
+                return proxyRequest;
+            }
+
+            @Override
+            protected HttpClient newHttpClient()
+            {
+                ProxyAliasClientSslContextFactory clientTLS = configure(new ProxyAliasClientSslContextFactory(), null);
+                // Statically add SslContextFactory.Client instances per each user.
+                clientTLS.factories.put("user1", configure(new SslContextFactory.Client(), "user1"));
+                clientTLS.factories.put("user2", configure(new SslContextFactory.Client(), "user2"));
+                return new HttpClient(new HttpClientTransportOverHTTP(1), clientTLS);
+            }
+
+            private <T extends SslContextFactory.Client> T configure(T tls, String user)
+            {
+                // Disable TLS-level hostname verification for this test.
+                tls.setEndpointIdentificationAlgorithm(null);
+                tls.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_auth/proxy_keystore.p12").getAbsolutePath());
+                tls.setKeyStorePassword("storepwd");
+                tls.setKeyStoreType("PKCS12");
+                if (user != null)
+                {
+                    tls.setCertAlias(user + "_proxy");
+                    LifeCycle.start(tls);
+                }
+                return tls;
+            }
+        });
+        startClient();
+
+        testRequestsFromRemoteClients();
+    }
+
+    private void testRequestsFromRemoteClients() throws Exception
+    {
+        // User1 makes a request to the proxy using its own certificate.
+        SslContextFactory clientTLS = client.getSslContextFactory();
+        clientTLS.reload(ssl -> ssl.setCertAlias("user1_client"));
+        ContentResponse response = client.newRequest("localhost", proxyConnector.getLocalPort())
+            .scheme(HttpScheme.HTTPS.asString())
+            .timeout(5, TimeUnit.SECONDS)
+            .tag("user1")
+            .send();
+        Assertions.assertEquals(HttpStatus.OK_200, response.getStatus());
+        String[] parts = response.getContentAsString().split("\n");
+        String proxyClientSubject1 = parts[0];
+        String proxyClientPort1 = parts[1];
+
+        // User2 makes a request to the proxy using its own certificate.
+        clientTLS.reload(ssl -> ssl.setCertAlias("user2_client"));
+        response = client.newRequest("localhost", proxyConnector.getLocalPort())
+            .scheme(HttpScheme.HTTPS.asString())
+            .timeout(5, TimeUnit.SECONDS)
+            .tag("user2")
+            .send();
+        Assertions.assertEquals(HttpStatus.OK_200, response.getStatus());
+        parts = response.getContentAsString().split("\n");
+        String proxyClientSubject2 = parts[0];
+        String proxyClientPort2 = parts[1];
+
+        Assertions.assertNotEquals(proxyClientSubject1, proxyClientSubject2);
+        Assertions.assertNotEquals(proxyClientPort1, proxyClientPort2);
+    }
+
+    private static class AliasTLSTag implements ClientConnectionFactory.Decorator
+    {
+        private final String user;
+
+        private AliasTLSTag(String user)
+        {
+            this.user = user;
+        }
+
+        @Override
+        public ClientConnectionFactory apply(ClientConnectionFactory factory)
+        {
+            return (endPoint, context) ->
+            {
+                Connection connection = factory.newConnection(endPoint, context);
+                SSLEngine sslEngine = (SSLEngine)context.get(SslClientConnectionFactory.SSL_ENGINE_CONTEXT_KEY);
+                sslEngine.getSession().putValue("user", user);
+                return connection;
+            };
+        }
+
+        @Override
+        public boolean equals(Object obj)
+        {
+            if (this == obj)
+                return true;
+            if (obj == null || getClass() != obj.getClass())
+                return false;
+            AliasTLSTag that = (AliasTLSTag)obj;
+            return user.equals(that.user);
+        }
+
+        @Override
+        public int hashCode()
+        {
+            return Objects.hash(user);
+        }
+    }
+
+    private static class ProxyAliasX509ExtendedKeyManager extends SslContextFactory.X509ExtendedKeyManagerWrapper
+    {
+        private ProxyAliasX509ExtendedKeyManager(KeyManager keyManager)
+        {
+            super((X509ExtendedKeyManager)keyManager);
+        }
+
+        @Override
+        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine)
+        {
+            for (String keyType : keyTypes)
+            {
+                String[] aliases = getClientAliases(keyType, issuers);
+                if (aliases != null)
+                {
+                    SSLSession sslSession = engine.getSession();
+                    String user = (String)sslSession.getValue("user");
+                    String alias = user + "_proxy";
+                    if (Arrays.asList(aliases).contains(alias))
+                        return alias;
+                }
+            }
+            return super.chooseEngineClientAlias(keyTypes, issuers, engine);
+        }
+    }
+
+    private static class ProxyAliasClientSslContextFactory extends SslContextFactory.Client implements SslClientConnectionFactory.SslEngineFactory
+    {
+        private final Map<String, SslContextFactory.Client> factories = new ConcurrentHashMap<>();
+
+        @Override
+        public SSLEngine newSslEngine(String host, int port, Map<String, Object> context)
+        {
+            HttpDestination destination = (HttpDestination)context.get(HttpClientTransport.HTTP_DESTINATION_CONTEXT_KEY);
+            String user = (String)destination.getOrigin().getTag();
+            return factories.compute(user, (key, value) -> value != null ? value : this).newSSLEngine(host, port);
+        }
+    }
+}
diff --git a/jetty-proxy/src/test/resources/client_auth/client_keystore.p12 b/jetty-proxy/src/test/resources/client_auth/client_keystore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..91a29daba16cca53aa2dec7e5b124221e6badde9
GIT binary patch
literal 8051
zcmbW3RZtv^maQ8N7Tm3o;1C*j4=%wSg1c+b&`t2*E}@}ucXtU+;~oeSAh<h(`KM;?
zIdxyA=H91WYpuQZ<5wF50lFe0Ab}u2W>j?6aE0)@w+L?#@*qGmWC)Px9~%z@!8G~5
zB1|=82&U3Mwj2n80!79A?-mvY0%9HnMe-k06lC+S2FhEI0Z8!Q5(~tJOo(Y1x^?mW
z%wVWF!-%7^@srcv9$iF4CR{`W8W0vL+J9X{L`MODs8G?(!W9s#k&qEsk#Si+GT;6Q
z)AE2h#L!#H35_E|kf$B47vSW|l?9d#z)2UTylvNxHp1GHFyr8_(-=wBMEipK6B|Ty
ztg}TFVO8|;zf8_&{;<lzlt9J+6<fF3n1q?H;GXeBDf~v=`&^m8+lFhFU*TwF{8xLa
z_zLLcxR@37-+%qe$^=KIe@4$d=;n)geb2Wj_r@=!&?*FVO88cm;EM@0C)2?@5=`U3
z!)gB^6UAE?>zN?Z2U&dG2@1)lifxIoOKns;4BSFZjsE=Pot}Is5kK+6hu_?}BQa&Q
zds(^ax<e92bYl89l_!cVpHWWjM!!>s^|1#!e00j7Nb3TwNodZhEaY%0nb}a{FE=yW
zb{{#XGqSFqV&$6fXi9_;S9L_*bq1)*R8yrWDOf|m`I2J4Xl?6A=k(_+=p+(K4$c&x
zE}~G4>%hAmtKQm{xzUThOvXq1O41ecv!gT#nxOhH;5dOmIvkN~FfzN6gE@H?#+h}3
z^pIM0<?9-_v%09zC;&%d%CNYws{Vd4u@c=ib%MKsY=KsDWkgocrnTCoyyKn{x*bK?
z*C_#mA+ToM_ni5ZHoVVXH!hw;!fKP+Z+YJ;?VpA5+dd8{(Q6nmUKsbDSe%WMW+tZo
znKYpwy=0tI+!+fCK^Bi8BeYkJ$}ZkzTr!1MOR=J59`{J%YiKDs@1tJXonkC?C=X5T
z+EGR)<nqZE7%Oo6H{OVgs&;9lAt<fkSnKB&M(K|3LY8l_JZs=8gTznolBlFtF)+1#
ztB&za=Y4<FoO7{*o~Lg$Cv75qJ)a$8Cfdk(l>cf23t?>`4upk1js5wn_<RM?NQl1>
zaiKJ|0k|Ba*a5Brsj1)!c+PcPXz+C;ME&$Mz#R^&(AVB&Hk%pb$}3eLMh_N+WmxNF
z;tceY8{s{E$61KSh8ke}kVG2uO(fu<<A87dEE%o&wa;Kp@vNr*^T;lxBrK~esK{Z%
zb2bRhCT4{cM^2`!S|3Pm(EjQj)`{=>5N+7bp(G*Xk0SM1k-omYBE3oDNUE)OwrL5I
zG+_i-F-bHbplgfCHk+Zc3+nl6deIT_P4Oy*BT`}dCjpvp2>NAWO-}#7M&t(0_wQK}
zVG$f=3r9I|C9EEF5kVG)DwreDAHG&0kFXgn5$^AnO(MAp3E3Ti9~wL}7<azH<5F?P
z33xr;j5D49tG5cyRl*=&%s@TeF5L!sWSTt@K4*8o^Ja%>`<leebd@eIhtf!?pi|HG
z&nv>jBAfMBsyeXXdbW0`W7n9o<!J8qDeMT?{FpoPqPQ(~f$wu%YG1mQXDn*vfAc`9
zy3Zx+7wT|NrID`|30B6U?+KaljmT7xHI$}ecYGW8mX-#3>R0dV_auMF)9k(zm+hcH
ze1S{l3xf!;n_A$9A^k=J-P@1hB&t^X;Kl9fTFC62edIXXTKbAV-aC}6KJZEDo>^$h
z%vqLX0>EtY3Ki{aWe&Hbb47qYJ2+8w4R@?1QCpkdXiX0W;0H*~ydGPTFl)M0m^Xdc
zK`;zW7mP-78Rl23wH5y3S3Ouz%C9AbYryhx>tLhxPHSNC8e*x!TO3>PBydUY$Xrrk
zJ1ea}H><Lwia_XKdP;7%8@C*Z{-pdc%k|}kTjXfmBT4Eeb*STw4`hjWj%KV6^PYiA
z1;q3(T%r?lkyDcbyaAp7Yk&uU3-AeG32*|~|D#+0ULe|kFA{MPBI9e@J6qFm@pJKT
z@e1;A^YRJt{(mEy`cP~7#v>v8M*?9Ut^c&Nu|^Tj{|3>0)xDus^4nWMcM_NddKdQp
ziD(=IokCbuC|!ZC1JI*!zidbx&CcnIl;~b{NNeiY{@N}J==C9?+5QJ9hmpy_d)av;
z6#R?ifI`k&l%hD!z}%#^CyH(z2`hX9j~i@;sl&J-6}!<2N_1UQT3N%;nj)-v8EQK}
zqf0lef*X}xA^g~$5PbUt|FQx-bJS<F2pui`qMR`&AUkqn-#y@VD7%_3E#FdO$@T|;
zFYYD%Q@Oo{oFVCcS0<*O8Ron{rL(amV_KQrylU+!e?QS@c2WiYNeB;nk~b<{K0T|A
z+SCv6C3G9reIL^&L}1$wcveKVv0KT7$q#O>dacDv*EUaM9NkE!A3q0+=urvhyasLL
zuKg41*6w#vxKtf$#hN}Obp9$8Y~|#TEc9$<63>m5?l*Nu5r%~<_d!$K^4GN4&M<8i
zJEecu_4~AcfpeMMGf7uxM8tz`Ta-?ansx3uZ9ZvhxZyTgd_=8liATrh!6nrWjOtmx
z`=sE^wM#*`W@CZx3*lZ;wolghW(|;)?aI#t7_49<X-kIh(^6|;N%UB5AAkaMB3Yw*
zWw%>auiQpQo6p6n+Rs+c7KC~}vP{6GS(EKfDdJIUWF=aTvhZ$cI`T_Get3#7ZT|j+
z+W0}Qjc8D)TJ7e2YOVeUePxW#>+1qQ(VW{VLeF5zP1>f?!!uQW7PLZ2Xdd=P*)v+7
z2*a8@5Q<-7{HC#GNDV73W)E>$a{Gc*OI}1cYAbl3y65Grto6oN<B-hgV2l``1A{)_
z?rap}cn%{c+nGzOi&4f|1y1!Gr!k9-$_J&;6`p8Wnk3N`6Z9N72IH!f4g%1NN)fb1
zpB31~xJfWvGydMb<*SizqdBaV815RGgq~~an7K#a)dK`6?H<dMhMF8VlE)RoE>>G|
zH5F^_bcOS9x4*iEeNc%_7qLC%DC*7^m4QBFqi#&U6}tFBsn6V}8+*6FJ;sOKD3@_8
zP3EhYHJ5_wuhBFQ3^X<VGTR;y8k(8o18Gw_ddK<+)03aokt#}0cI@{S(4$tws&+9l
zGF#FyjDuN)T06Me4czg;ExFr_NIyaXo~w|PX1S2TnoyJwX&1ye2Ih3)k@kpCet)-J
zWrPT7tWqiZ3B0jpiZKhq&j&9$L9Rn^u}U9NvcO>G?U2ilqLgJKQUXuZ<2U5nPtDsO
z^H{5SW^UDq6mHtnnNO&BzbcF{P9$2ilukjx&_z{to<K3IQSBU!_&FmF9XoE4pBi^W
zpusLUJNNh;3c>y*_}MvKtQSz*$gxP;H52|W?Shy}9%tv<2u~N%z(Q0`3$k63OiKLO
zjV_j*ggk>(4P^SEpt!mN2BXm=dSMlw)GiA)^DL)yc@?2}z>a#zPpdp({HBpcJ<)xe
zm-Z5V^PF#kFGqDHaDMO(vDN-o+PX{ltj!y-r$G`bLkuUwjF0#codFu}NC*o^j`?J6
zucII9QD58X+(O>1?Y9BljxTKoV5cYY4k&E@AS(%J^yp~h4yr<o6~0YTvk=Ba_bf66
z&$E?ZSJq+_bAQEQZo1S{zJD-pBlyA_M@&|M_bhY0=}MGYhGp!b+)Nko-B|nBy?I(0
zZ^X@+LO7)A9Me~hFfCkXVAI)HVIoMof7=Nkj}Y-u+}}1~C-i?pH241tqItNuctIct
zLFK<V{suJ<Lh$_`D-#g`@Xtv4cY*+7LB;q#&o%-ohyt0=Xr~<fBtYhE+vxgdTTsMJ
zocQw{A`)OgJp@9aZ!4o@k*d%ggVud5I5*<Je6*Ih)$kQ`2?l-zJ~_U$9P=!m&h)7V
zz?t54<OjXY;NE+O?XxlFNNFeW8_+=`O|iE4Y%Cjs);c{(l_F&qb&zl9EfdT!@JYuq
z*i_4_LKsdVc*-tk4TpEN#_7#wjB1qZ(3l7E;smFDpN(CWa0p4zPwaT6w7G~|R?^}g
zU==m31}w{te;q-i`DJplH~di%34)0ke#lxUZrixs)O1R&@p5jPXy0IZ9lYB*B2?J=
z>uvwSCz6VwL7z1;f6-^ETpN!;w3=dIM^y5-1OEp(_>AsGn|35-=$fng#acP`-wfk@
zFGL#j(gFQ9UCF5MrNem6)`ggSE^q;|N-@;ZyKqgd!j|Ooa<&|*VovKhe&rCNuBODB
zd@d2ZCZwVo=~|X><?cf`^9hQ+E3Kt9xQihu<D=*ZY^^tXgX;)*yhC%AcX=w0t!y&;
zN$KtzfQY==-5By!kr~VOeHe)q`cC#ZdD!n2xrxGxJP#43kFBKX^sB=okck@f6VL6B
zO!UKY*)y3{^D06Hs2f7O$*ZGMkd_q9W{Awz?<6)q@z6DxrXY3(@k;ooVz-~YuAw`#
zH>Ni^Bm=^>R6T4ds`I^O`+)d%hPwRhx*%5|$(gS=Zw>v5ZN7!e+j^P~DByVZowZaS
zZfy`OFU0fK-Y%(s4VB&mw2hhDUNFe|Zb;8^oB1qt=XKj%4nbjNd)RtXw}HG~wYQ)a
z)5y!|u*KiPr!;DvY@qnrN0*!N@jYHq{ZC9zV)ICIt0x?NSlQd#e*X3<wo|#Y-<=%P
zzNro-=!Rg=%!L8g4Zt6^Ep|LrBBGT(w)L9=%^yA`>#UtBa;^*r%Jg34jWK4kcs!er
zz?-fOR<*6bFDQtOiElF5V0}xOariu3zc`KS33;Ld3?5Z%xm~>fzJ;45vPT_`x^X(b
zS8U0i;*<=wPI+m!;Cmc&pSiOaxKvC*S97u1O4)FXyInfs*8h&p47q@!_1b6BF*^Eq
z<}dpK`S`J(lO<wk41GnP8#OUKODB`6%~#@OtJb9s!9oe2%OwZ6vUm1q!GfS0%}I>E
zJ>dWW<zx9*0^R}t)R1Fuxt~eJf1>A1#4|$2)vMz?ycsMqQ(Xv(Km<pjO}S0X@9`RU
z{(KW~rM1#Efh&Y9VMP%!BVE49ar6P&t$gefgqM`gTJVtUcPCT40JA8In}%3ig$<eS
zuUolDYpTHLmfaOrf@nNt3r6eM&Y<OAR!8Ap)OelRM6aIc{35oVwb~8G!H7(D55n(R
z?2Y^b2B;hD-N<uRn-rAIMw^eX{gyNE-T2?2q;A7**~0N;3_3=LBdB79n~Cny+F1^l
z<oYPz<x5%jru8MbyPQnWC@5V-5GI>vVp{(Fc964Z@`>kU!aOOed^;5E$5HA*e+7x*
z9Po*dxRT~{O~B}lL2-#H8Zn<3;+gD1XJ~TlA|V9o?1Y=_{~@&TI~=oY7~?wB4hyBp
zcN@~74w#0^aBk;-_56PK6=yIdfOD^1X@pZ1V*?h~hB(lYebw_017PJcC>f`R_*3{b
zvgV7v@0>$eP<E1g%+L@#N;GvVNcjQSrcFyaCBhFn&wu#Nt$In8$MGEv+S~IFV2v#|
zyuC6Coax^&jO|f_wIp_3DWMTIYCMTEv1OP-#+jOrj5ueGJ??M<-aR5YSt*BPLF(SH
zDrvvb`X`Rp256XhK`=`*O#aL0jOCY%{4Z<T*B1>5YpZ*c&wq!z+tvNk3)}=P#BbqG
zucAv%*ZhPN7EQYYthiz91AJ`fuv~_F*P^9PYVS_fN0X%c>SWB!4;BK@Ju$YW*=z)u
z#kXXuFCTyzX)5U(i?4zwNOXdf2sr%5Bv=n{Ua|x5<h)Lr_?R)zj$1z8=yui{_-yO#
z&BsQxUzaZ{h%PrX#x}e7?ha^Py!+>r2kq`FVDcFQY-l(_>^(^fGX&FhI-7H@0K*@D
z8Db{)mvuDp<ngmabq$ALmGd>3+rpwp0FbtG{T0!+f5N_;HEs7+dp%x(q^k1Etk!oq
zJ6#=EMRTUyhm4{w+U!o6y>*1eH`$+pq}~>LIP8B;^5VFPa5Thy>8C~QPV{>v9U0Ef
z@O?vn$~%NMjNN~)_(7s+Vji~aXEQ%vJFDj^#-*{7OrbZhTuAiQ+m~>~R4jzkDhgLV
zb?Dh0J((1}&<G<FlNKmR(-Fq*A@6T7F)+5D<}!`#I9cF`C>UA~y}IHwOd?{an5wO(
z(Bt;#k$+|{;%Bgxp^P4)(=NKqn?@Rf)x6Qu4gY046kuLH$E6<oIkBnTh(gGCI)h!D
z$TBduA(_;6dLS!9t;V5El!GC~HGdvf0cPDnUcnbvxzu}!kTauOb8-5DwbR?wTH<}M
zaK0|L>UK%J++XW2j6v|CXqf9{^zx=k{e4_svHYXkTZiw1&0V6_72}v<uz>nWTJDl8
z-fwZHGoeqN*rx);sl8V4ZO2X5zKEZaI)*A}q&3}<4=ygB3@$I9_*31wa$#EqQQE%-
zeo)!D0%TeByS4O%-+i+tL#qu-&Lf<uONg=8FPFY|)A?4?E=vC~dURW}%eI~Xh9l*A
z9)F<M_7IVQt?24*ZY}It$-n1hfadic&7}6Cl8t-b73BF8UVaNg+65X=q6qA~C2=#S
zv|LizC9wVd%FnVyO^i(R1Jn1x&`ysmFROQO{*)quQ%zE}u2P@UL|k5^NxNY85=q{-
zlHtc3%0nn`<5CMpY)!yj)uE6zeSfX8H{JpkvnXNrx54}T*l}DDz005&yB6M#(uUE=
zwnvX7+H;+1*rxpq9q3-JuOQ89M_Al(E=W^B0zPF#0dHNlJWpz3N}~`MyGhTRsC)@W
z7r*<KA?Ojbj97K6T+YJ*H~lTL>SowUUKoWVP)9k{=cj!k_s<Km$H)%Is$l;6I$tE=
znbEg0Ki)0w7|@WR^n?<b@@T$v2|pOVG<fBHVQ9~ing6~8^sdwN7Y){I*gQ4JSY2#U
z{OaUIxgn$bT<4}kp0!uD<TzT8w^_^bJt3gOcKP)%E_xTIuxzx7zQ7vlL@h&#e*xcD
z)$@$IW;z;y<>O8It2lX7T2%c;TG9396qdmy*dh4|!DM3MTe<$TPZ1Cx9UJ7i+1|TU
zCq-!q$>fQ5sk#q0pR2gTo2;(v6Gh@vUyd1(^A&9$RdR(zUtKBr+w8C~^C*q-W=*2R
zpHo!mgXvtyv4r|W1+(^VgEW(eByY}fCq?gRy$He^H;h?n#s4yZaBf=LO`KkOX+y+2
zkr1d#{6p0cHzSGd6`D|q?!5BaWC#js5!=0~_9b#_lzBMTg(&UaP$I*N#A0sD>?*Kf
z+;exh{eR|T_@Cdg_p__}WD8z$)s?m9M6RKE9r7qAZ6h1BVTugqB&zS!Ehd)-eh4HE
zX6lSc-uu}fAc<3x6S9@_vW<i*8Rh^ON|B42_&}hSn8nJO89F(5j})|TE%p^0!@1xY
z`c_H}G!x%d<o&eU8#%yq=*lVj@tyiHiroPga+fA}pz?c4eUgh(?H4Hw&5%-13DfAF
zAC&DUpLtLuBc!i>IifEnVr#9c2uHEmIM)$!p;+`Tp>A-d*{B}UpfI7p@8X;_p`5m0
z<`^hu)XN@t<lZh$X#a>xbM`fAD$NLy{Fu+kXD~C-1*hDACvYvUuW7~;bk$oeObM*G
z+tJ_LsShFRR&82k>tz-s?q0u-bR~saSlzo0<4W~6mq*7a_NP8FEhywFE`6kULPC+v
zVLS9JE23y&j5@e{E&Q7Ua3gM6d5Qj&CZrJ<{HhhTeSVBA(fe&Q+lt8U^W}t~&eJjE
z9AipQeH{$mg2kceI+!}g;h9;!=ps9PwwO~blYe3!sd~qH_{d@0{t4l`W(19?dy_Ov
zzrFgP?Ndv?l`^!mtu{}}#5$6lU#mol+(L!yTibQj-OdNVh@~$G5Mfo>KJZw56gvrG
z)Zr=&!fLJg4W$Ezo4i?h6MSX%_h%JtLEG9S6w7njRJ31gN+|PG9Y2yH66#qd%o=hi
zd4Z3=NhZUq3MWARR*@H*XolovbAg+Z7Mm9PL)FUr#5ig(kc+P_LRhJt?fpLYPt``Y
zlc0mX>r`Qkhm(&(Qn~y?ScRo>cag*$^3VlZzp-prcHTbtpJbc@0=vGM(5}-%(CPXt
z;!J|IpH;ZFSSH<#xPh$c+n6W3=nzeyOWh~7ehG<Z*e@N$p6Jd5HAEr<5v<bh{DLIx
zwVch2_Y|0Uh||a$*<+VV8M_;7zxgVc<*^nW{L+K&rnHkA!)^PXwclJ&Cl!txPD|nI
zbvYEzpFfb@Elz*-P4g1VCfKK38WcbZhU>=3yW8*<m|NxY;85)`oYgp=)bqK*GC|=a
z3qOK#p9CiKmK_Z!HEMA2<GnjD&h3KwXVT&`34Ila89hmANb51OKp-SpGo@xUl^uN8
zKAZ(=#?nqtcGVP6-r7pLVUX=X4PC5M^Ca~|Z)u-`G5fz|d(QJ&wzxLTOoB!@>%~Oa
z-3?<R1<#Pd?ZC33v>Big-m6MI-pL!EzdLu10f#k9GS@HNyIX!{x%HU@C7Zo{_sk6{
zogC^9O^b|9rY3?g63jX{trM;OpT(>Lhv?0#J2PnvyPoC%&LlKhPF?*Ay=>u6CETA)
z)%{F8uHwz7$DHJ70F=slNLh_^`;GyCuRlOj;bPz4jdlQrqPcrz@ZC>1xqK;_XkEsX
zs*b}g(a$d;Ma4iI3Eyd_;94f~8C8oeYvuD&JB@u+@;qkRw6`bY$*2~J63$6yWI+tO
zew8jHG!-_<Hlgl4qd6S$_B#Q*fo~0X;_~;botM@(mlLj@c9pkJYRWtWYx9HQbJ6Y4
z5RsIc6ddjS$Rt$+-4VWW-az^FA*LotUgI4%c2pF)S=ydgyXQ~{=BgO5kxXq$GogM9
z>F7Br{ci34tfJ5k4(A#toCBfz1zK9#VF-qrhmiyvw(^9R`5RD|G+8_@6tdS!Su8kb
zd<4AEIXuk{zdp{TrNbV7?fgEd<*5~X#(pyWTV(8yfKV_;zxAQRIyxk%x_57dhIMo*
z@4IC@G`5}QNC3umdiMo<wJE4B3w5h&WgH`C8$(LoTqcqCsY#^V7H(30T=I`OA>F%>
zndCncRQGeAxAmZG#xrtfPI>N6icrIOe)y>ToSI&J=s3bdsj$V!5MS>cR~>+WBQ$rG
zvEI62DA<y)%uRdACLvd9b&E%jvJBA>wxFtW%&7R{TpiGzvr|(=!#Yu4{<-=l@}?Gq
zwD;WM0rF2cDH`>vEJzhPL_c#(S;ZoA8}V5iGBDIDl-1*Df*Kq1fcw|`b7_{MQw5I_
zfm%U(AGCMgcR<I~aBXo!kjgbu6(#>fnf=mnA~M&tJ$QDSa|r5fb_uE2j4z&2`$8wu
z+u!E%_f+PaQ178J)qV>Z4~Hb6gqQgYx<^qQmk|>)mT8->tANZ|93qbuN-E7YDAg=^
z1%w@@cq86WCk&?tVg42YFQ<EGdiYroKTMjXro$jOB~RlR0$r8rN)cWOubCM=Rkx;3
z9-ku5&aVd*v#&Gg1+0rhKIqI@R&37K_qwkiyGAb@8qx9mc_d(S@GSWXs=JRVhwI-k
zy62(JR@vd`9={|RM(APL17BtM8<vnce<aDh&v*LlA|$pi??BG($`2wnhA3fDT7Qn)
zH0}^zN7s>Q8$%2{ZURR?<=kc&bt5bLKt1g4JJh?@EEu!RDv)iyx-!1)FrMLQiD?%o
zIVJPX_sgnvsY#$?<Js!IvSqc$aHvYydyg=GUX~O-#E4AHoE5S%*FsN`R;~Nvtp<4H
zqF~L+hR$Df#!9S&0Z(%oti&fjuZ<Oqr*!3d9W$Fp!V>hZp`e>U*JU*L)*@Q|{&L-+
z@2%<$e&M+J!`OKFQo%_CWN%eI4B(#HCwy+i^X~SYnuQ;w#gUt<;2GXG!$U=&st0Sh
z*sg!Qgg(lf^}sNds^$fSl6EoGnyQL=FaLtU!jWPe(I{Htt*v-1Eg9Az=_uTY+5tbI
zJdHcbJ|L=bV(vQKE{=$|mbaO#c98)t-YzyTT6#b_$o-cSl^s`P(8>sB4Js*^-*<|V
z^SI-;0sOqb2!jQYTO{;mY`wgVRnb&<?-9Lq0TGM&5=^xQr_^n-kxZ6Rc3en1rsw=5
zLxEB5bd5=Qv5-2;jm#aFP~eF{?bW(VQQr1((kuLSD{yttxyi_t9i@zK*q{X1q}Czb
zg@_xM_g8wcBqm_pdYczUyn4kRfm6IcxT$^)l#Ovz=4S(nqR+`(p}iFi=6skgz+Mzd
z&0I~7+aZQlu2zzChCc_Gib)V@L#2KYP<)9S`f^xzLbvnT1R<#8<m)hY)JWC7;*H~(
z@B^nt_eXr5U(5xDc`&;s*D{k;Z0(U2&sqQEIy^CnLi_z}QQXq-SD8E=zi-!~`$dE9
zzYnwe!eZmA`CAIyu={yKHZT)R`(_{_flh?sXgYRpkdob>W|SeH)lCY}S>_&CO~$g3
zl!n77A8Nw%+>FYYz*gEL-x7N`eMTk@52HZhAX*SQDheAm5+XSY0GUuuwjJH(<#!)}
rpepKVlCY45*D3}w;k#)Lk1vx?*I9qnP!UTEM2b*09T1Ta!t?$E4(=>j

literal 0
HcmV?d00001

diff --git a/jetty-proxy/src/test/resources/client_auth/proxy_keystore.p12 b/jetty-proxy/src/test/resources/client_auth/proxy_keystore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..46a44fae095bb62aa3b3506d3e0d625f8d011090
GIT binary patch
literal 10391
zcmbW*Q;;sqmL}k`ZQK0HwvAmjcG<RVbC+#<mu=g&?drb==S0uNM9*Ah<hx?!MP57+
zYXJhOl0bk#0fAJq5YRNClA$l~z>vUsfmD28fmB@o#B6{-r1Jk#LdpaSL`wZ9P6Pyk
z%R<2ZuP!(kV352(un#~W*b9If0_K0m|2&QhhF0cx5fU`Es%cj>1?hHZg-J#<VG05Y
zG@u9;2sR30k|rTS`bQlHc9a=VTAa295E210)X_q^nXJ6&U*oaz6{-sN`zB)nY2Zi@
zPa*0Lt*C&3RL=~cq(=o4?6J^q9t_)C9GEI$FQbu>GI`8D@HarrrwyXX6)NLru@J+i
znf9S!Fv(s;czIgED^qm;N}Xm9@_K~z9=>a5nlUww<-SSnCuKK5R{8|wCnNRZq`c>Z
z2EzW}wp~C?NV;K~B$UUCPSd&<g=O9RJX%*qZ&ViHv?99?jZ|MDN^hUM$5VkCs_sEb
znP@^uuQQ(mcaI)f>kiX#X}CDv-h@g*Cd#y_=^yzz;K>iAOZ{Z53%kN@-*LDRYaGBY
zH)u;}@jI70x8j6ESXXHxzc7AdIYEl@)d_E3*)~wiJwt)N7*-G(Z!MLxwSBRN%e`Vy
z85;9Fn}r~VRZ4z`%~MdgeQ-I=9C__vjJ9&ftr2ZQmqf6%_O3@2DHl=9$b{9H#3ck4
zx3zq(li1G{ZV^jBbCfAn-7)r0P)V~v(7N7l9^(scZxj?-L{F`Z1(apXA=u+tP0Qa~
zTOl$Rqmv;DhW^UGJrKAu)=DqyoEe$D<HdhhebuAEa^z%Q?UI94%f1MD;ODXwrsh&4
zNg1as^}02doO0mgF()txF`_xBZJX?v9;O1~hYnqocLBM<V_`{ny=^)!+nejKn7&Lc
zSM2<O**f6dOP=jx(<avspdNJ{HBc>I#Y7$nLW=tCCvTczd2EMWGS^F{zd1kL#mluy
z=e5?0u%AuYAT!v0Y=;`*L?`BBX{!jK`z3>+b5fY+mx{1Lrb${<`nlv*V?Z2}^8VmK
z9P}V(5Y{YosUc$LVJf4)`H>@{U+I}E(Bui@%^X5Ksfjy7RUOWL@JFKTvfwxh@_VT-
z#bAIVvp3PbvMbQ7rR_?l9tW~ZAXRu2$EJlZMyHwS#gBrd>m0;lWbB>zt@Tq?Tbc%;
zBsHL@9q|tEFoU*5XcD(66tKt-ka`+c96Bu^-wW+*fGesOjc1m0L{5^yo{B|tk=0*r
zg?xl7I%f)_xv)XeAbDpE#`?XV54T~tKVMA3Z>#H^v#<-s<$DYc;-_2~fW2x0>85r5
zxt^9|rRqj-37au$VaTH;l?g4TXTX&sUgZbqe9oW~S6?U!r`9{Y<HxGEe(T`FC<8lK
zFC+AEgU@yV^CG$`KfIGc{pt=$E%Jd7&~}1_3Fj$9F#4YVZU3uB5!GSFhYP4hxtB*9
zqn+8K0aPz4kRpB*ND_v7xAf5R!)z3V>oB(RrRoLJ>CEVUar4=aTztljCs?CR%i*?1
zMM}{GFUt(aJEHu=yS<eveYW1~Zvi+y2^c1Q&Ej@;f7HP=c36%VelVV2CS+r%I<JnZ
ztI;~eexQ(Js*2`2ty@ahCukwpc!9vHI<*Ykz>~AF=XPvw$~7_ReTY{jnUHBF%Wa`^
z!>KR%E$Q1pegETj^d>C4^mI%uqi6eLJsi_O-ya8R(IB0=9G>=G7obbN8>Pq!qjzU<
zkxWHVcere%qP4+p(0%~5z<YQfTiZP4*uo{1{jLrhYSg1mLOE3_`KVWJax8;D;Qb0r
zK#thsg9~%_?@3tsqw;nhUJt2S6kP{Hlvk{uQiwKZ?nFl>egO8rsDwsif+K(dvIlYm
zvIBAl@&FM3yM)e!28N<yVPitX#LmRR#LCIW%*D?954Ygi|A(jGg8ziP0Mmc<g2Mwe
z0i6H7!U1T(&|bLWB#}wV13>lK;Ev`hWEx(%tUy30kwAcn0B{gc|C3@6XmB6^J_NKu
zs3fonC>Sse7}CN-?|WY=qhy1QdIVuFh|ND3&m#4CT%PfIuh$wQGuFFNhbBD#;pDFp
zMs(P=T}#d(W!etRt=BZLmon(Y=zn9f2g3mQ>u+!$Ul=1$gS2&sFw}*DH}lG`9qD3}
z9wbsaM7&ojm$`DS7p2<P#snICp~DFWXS<(tWOh1&k?}!|2iMv@l4>@mc$Y4221cqD
zK5DO_*HP5=7JeaV-1Cc^k>j)#CQe1aK8R9!lpGOVU&=+5t0Gg;eVH|;d&vaPc$-85
z{?ldL>^(~`XcOf5j3}wcUz%;SXbpF-rN4OmlzOT8jRkbi+|(2T5^fYklNSa<pEqGP
z(AtgWA^2fBpK-=V%GqoKEn48Fnt6M1cHNLgT72-lI>MPwzlFZt{#!V*H0sD*6}_|8
zfOvpB0uqL&u)eW}k)VF@pi>_3={JA+!wVUm{gEB-IXUsv<>9^1oxRiMId<5eJ5(MC
zEkA*lD!aHCbRPz~GKLU~;>sbuJj6aGgupS~3*kknQex{P6MFvW#w>raJo6(jz#;HM
z9OT<fb*KG^Ijx7RvJRHw?H^5w|0?1Hwb?fS8>cDoa(0C1T5Rv3?t835Cxp)mSKrB}
z#Yk=6`f5WwH438!csd?I4F#lxFCl9+{w0+Ke>a$Xu!vCnI#8n-;3>PHBV;fxl>u&m
zjEeu;18^@vpVMEXdjhtKhZ!x9qnRjK@C{#Nr@8v{5&mn&|G++yL%X)lgDIzTf_ab<
z20q4kDfYW^E~_I*7RX%;-9%Y)h>GECm0C2Ci{}Tw*68~HeVDDnk4F%iz&g$0`lTSC
zIjMqE2{%IPeJB3Cy5*D>&kMr|7FP;+F`UJ$ILw-Q(%t+cjeFO*YPiZ`SAMP?B}pdZ
zwso_Y-DL;}C)B%`X9C+7l&ls#h`w8{n0B)Y{S!E;Cl5@Gg#N^(RSb@tYcw+UV>TQc
z!X?#-b92`b?)<CH`7Ey0hfHmqSEqDy=HmP#yTr)g^<a$8Z6ivJ`*72AG0v~I>Vpd0
zjeh&fl9xaumd!TPXvZIGnE)XzvbuXd-v{Z&{*qyhJ7l#*vX4}5@R|aO%&h4r|Hp?m
zNq@2m?s7;zy$FTxdzT6SXfT!kL_uQ{_+mjWK>tz2?#Q1&4I;mR|L$=#iZ{5A_*4Je
ze+j`ZGg-XKclFT%nws-`pIu8<0zNZ{xlerN3*58j0oQGQzn3Dq&dg&seg9fN0AuHk
zOvtF}tYp(|Bue?7WieQ;yqN?Gn5-W0a81dUs$d%`(uM601`<^}>{m~2l8N)cVPvB3
zQOPv9;DuTIlH`wtPQ3NTFj9kCJl^uM_N&yggdz<kHLtYDSE<X0R66E&*cv7~jm3wC
z%y2y$?%^-H5M$c=3Abh04epvkKdPS9(X0v@*Blp|B%2=%&CLnbHh=G?ey}TEk5DPu
z9il<IcBDwAT*`Rv5O${X4IdzPo|{DfX`TwpXB$AJk|Q(m%wQ#&+l1RtT2ppT?vBf}
zqk=&VD6y^i3&zpv!<rv$np72kNz5^nt`hkBNTdEm2Z;GinViVH|8m@_T%YP|?{^Xr
zkwOFIAmtuAUQQ7{U4%G4Z^`>SMN7F08MhXB7YAQ=Bv7s8!5+uJ<;`sg_w$tg1JBb-
z%)&0z@7%AHw7gfy9SA0A0QtYT{0C($0t_G*ASWP`e_&<;(*JJ)&Cbfi#R~ZU1{#Al
z6(VAS@o8dU;B?pxZ=qO1+U&mrwDP6(D(X1ecJ3CgBRp`J#eV`#T_EnuQaQrOOxi2E
zKbm#3g;duGvt6L-<t>tVc6~}^)cQj=DVv$iU;Q{u&<r$jMz6CEvsu(Jb{wx#^tA>&
zbEo)#{fGS4aE}sy^}hR=682`CE9O1<ZxocJY!rgRQdu8<WcDoH)A^*j^p5ZjMA5xc
zg#-GSc#+Ss;(8uu3@51sFPXJg20PNGu+&pq?regqZS&)>v^CbRZF%+lIL{qZ0womW
zP<95x1ym{rY1J{3-_SnRC0A#aU3d^*;wnF&$*vL<@~b{o!vb6&F~}ArCozlH$p^UN
z`E?YJjBkg%ljOSKcNkoo%|(qiYq)b^0$>ml6K8Kd_-eWoF`+VwUR<VZyhCkT3%SA-
zuJ(0teFrn-z=#?)Df5AZiSbB9mb4+8ot_aZHzaS|4b%_aHK{CJMdAb(VV&~S;lz_F
zARP}j-k&L<`2HZ|H9V;?rr@fw+Jsfh`*u~rlc;3)pbKzp43ut;#wnbQT%Nz65p=em
zPGw*`Jqp0F<0v8%EG)z-)$Q_s1b~uch2yA-)PmrsZ8jiNOr4`!{fP}kZDwmSH2W<Q
zCMXh3NEJG_uXMaD*S;c!cbhGsZ&c^%t*2yX-obuVr{yVXIVqeKebnhDB|gnOQLHg7
z430(C?QTn-rZgLo#!$~2u*u5=Tz2wo2RX(j<^9qlAa1)Vyie299jGaJ0d;f)`C0GL
zIe386<(4u}=Rpa8JJ&#~@PmV=^`^BAH!5S6RJn!P_YE4VFAuV~QyP~~3wKR=GEEFB
zhdJl;>GjD5G089Y(<uUUaNi>jiwXY3Sk$RM#~i4cDL7c3l)&8Q&*RvWE{EO+=yCB5
zmW#n_dP|;rVK{Q<_7~EyV7OWy1)U^(>~j~G#hE5`7&M(#kdo%n#*hu#UI~J9HDY5+
z*aSbiZZMAeeXdma(Sur%&p;QU|9wN5&V~+_(#HvsY3`1@H*P8NTcy{bg6}_jSpoFF
zF(bO3)y@RGda0}qrEHg$L#No_lge7>G{!TiE`87=juW``nSHWws1B4Rs@Epxrx0dK
zT{;9u?ipcp?9~L&JSAUV@D6?Z2i98Y8ikGhoO@P>EL%vj3;&T&vXb6?J*!t}Xbsy>
zp6(QTwCYE=n1$NB!8O77X>ngl6Mgix%*bb>LOdwm`SCMCz%A{G4M_FStgGUDS^On`
zn@l|4o}vFI%w1&ye~U&*s6K3_IFJ$!W(ZW)so<ML$e@-}cOdR;t{y7pvGamO|1y@r
z*&zI-sgvRB`PtLqBi;1GxT&%Xj2lt4v9HIgvc-_h0@@HSW;&}mJfy=+$=Q0+oILq}
z{XQPrHYJP?a#XT?dEDgO<!`2jJ_28OC|EpJgRMEL`=fq(R<LO51bTOCx$^9x@n^wu
zVZm$J<McOOX72IcKICy!+IlJT7X7k7X$edJyq0Z9m!qdRPttpjSbM)+PNQ82Ii&Th
zQ4APU?sEiNG-5cNHtwx9BDKj4t7}DRlr*hR55ut-XQksjZ)hA*R0ol?q^*1d)m`!O
z?s{uzy$<9Gj_X=$0>jalXlrUsh0>7o#SZt!sRtVqmZkWB_dG^Ml(GYOm^-GV5lU>g
zU>J0!@whus#&2_|zaYoLROw0<hF9}m3ja5tng1Vv=Hg)C00d$N{|kFah`c~dmwzG$
z5MZEx4$FU6fd9*e0^&b66kW^O4O5|rcV8AHs7aI?=MJAP(EnpY;U9<zXoiu&p|X->
z<unz8_<hY%IbZRr{L-c60P_*uyr*Cx-aW-2CIM-=h{QxK;`Qk1`Oy?>hXfi2Q7i<b
zLRQeZFn3XDU2DI~>*YWAk_*M|qlbo!CU3HS-Tm34tKTz$MsyX|AS_GUConhlgt6f7
zRURP&e|gL%j|dJc(T|rf88C?`-b}cHef&jk&`K#qq_}^3g^wRLNZB%5TkUBFLv_VY
zbYn=ml>#LZb1tgS(L0}_4UOjL)u3^LPwQ;_TZe1HFpJxkR^+zVv%ZjCE)c|oBnNjH
zSSG4ZJz44!q>6xg{F&X+8a-O-7fw(+A`TXDHJEQ<1Q}i1JRj0c2_~y|j|BGngHQtj
zO8II_V`{+oRoeX!k|^~Apf&5Z11^0+LA8zuRVM@sIRBzKv~2`(r-p@5Q;wn66hD!o
z=;|IAnKgRfi2jY5a<T;SFJW`W+TTs{zWeiy#Pe>*YMiJS8iLFnqEY76O3v7w31pO(
zMXwXqS|)WH{<E~fnFfjvn)r0einZvx<G};*H|?p$%9YPFoV$f!*1{ylg*`KZasGo_
zt;io{>`^ru8~pgAmonSEBm^J=YZGblE1@;0gKl((6JZcwOwwg|7nbvx7)HAte2sox
z)b<cl60ctQUDOp>GhmY&*z>BD+MP9TQ`Kei==N%ZV!<}^du{@7zS*l<J63Fs3|5tv
zQU0fajeDjSsu<SYFW{3nTU1*5W@V%a!^eo?pu-Q|gH(6Rpay1Rbx0_Lswp4#AR$$q
zsn#iE9Z+yn^<B?uln|wOIq*-Bqu{AYN_1eJi&r01Ty_m4Wgjk-Ufq{z6Ep$&mM)Fw
zeoT?pX`($2Y?Z+};^6qqP*egCv7_8oup)~ZuH|scUUr`z;ZYWn@GqBDjTV+wzzAur
z9bEYgIh}hwBZG3#C;yXSRyG51YiIunLR`e3>#?fV8vR>?J`<n5M{Z}+3XsAhSX#sW
ztt6@fKKKM*5eVEdP7Gzx17;6K7K^+xlR!OYT7g=63G^!o%)bwvNne?@#ERfK{us|&
z`xpEdcVCKoN!Uqp8KBdZQla(4AT_=dPUA;zk9*KtzR=#bpyjaJO0h!-0`u@rt{`9b
zt6N2fmt_IWsVY<k6p@(+NP10ykK&D!rSy@1+#G%3{t%Xav7A{~V<jysN;!v<y>_9k
zJcU|odcSK$E8Nz|V@B-am3-!I?ml;FQLFlA{-G(JE=>!IP!uAIe8T~aE?1;Em$Wbw
z6j!6)6Qy{}{Y4rs*!FQVlvY%|Lky?3{nZI6ELCvN`ISM|Vr*D^kX}H_w?pQ`7YqeT
z=!QWQpy`|KDc#p5Syk%##RunJ#zVz#d+JI{2OS52{-b{!KRAQ*{2T`RQ=L*ZA2r`B
z7G|mbO|Uvnl8z@o+Ugn&OIjj%DC4Qr-A~C=RA1V}`6UInm??R-?tq*U78h%NVx!a<
z!YCDuo4JM7N#e6k)yW_{`Wz5nfPzPQN@@H~S+viZBmk;Gihks`e2l#5O?C#1WJL6J
z$w^e577K@+LQxfDO-1wMg@Rn5ZO`Bfp|i1zCT`&odRpb4RLRXnI19PgtdrWmPjAk!
z_fu7ONbL9caC}~Re%j>!-sEMWL8vS>QaGk1tlqp-F~E@+1%>A+yl%WUza_wi5N0gY
za3776WO>^y(j5BJ+F_Bu_QA!!D&p0)IZwnllAkg^(wKOD_+;!#MJo(zCBVQOl_&_V
z62V>%QGI~b5p!*t1Si-T6%aI*43|S{n7N6;@7CLxXZQ_C|MwQ`L!|7`!re8MI9p9i
z%$vN}yLrafp=&?5N%2oFE1as2<-1iax^Ef%Q(FcnC2*L2esTRmAA-F9#<vHXRMMK5
zE>tkzXF~f<#9Qa<6{0Ak2a7baSJHM9D;PhsRu8!a*@{^irT~)?zS~Ao8&WX;X@+fN
zP!{TQ2|rid&^JrB8nG5{(Dlv6%Pp(`g?xqfJZ`~JB@{lX0l9;JLlH=@a={6RHI#dQ
z_sEdr(RHsR&o&sX!cN9#cMy)YrL0nK30?KjpJi9>h7L^g*Rxz@yU^*qHu3%}onYXE
zatlpqXpqhou&7(0o*7vUG`o{4Zt0&wi?Q~I_6&KlF!f(pe+Nn&l8EH#H%lZaJfUCG
zFGSa)vwgmW5w`O|p>$vj;*UAUV=+BGpY_6kgJa0HMAGtyPqWwRXGezKOI{tAvgD{M
z>sBEKDYfBb#!;PM1yYiuGxMMh4%j`iusPF3z`-eOPxQPVP0n=5)Iqt8N8F3FL7{wT
zH%C@&4j<yT2E59DN{xDOEe|r^hUemw6IIk<gx%m<9}(}|&T*M)&3Y{nKy)?yo&xAQ
zzT{cz#LFQ*wk)|FgWfgobkQ9b+^^;$NCvYqJYZ6He2bWj+lot0o8T4q^w*H#A2z;q
zi)ecrbuk6%5*o<V30S4fzw+VwyYC&q5Lt0glQMBe3a*#;@uI;HzXz<w2mM}K6Lyu4
z-~zI=B6pyMq!_kjLHAz#W6rZ8-yfOQn%GN!LN{}^Y15`rwFCNM|Arr;AkqQr%(uJF
zz~6jPvz5m=+iRA>U_5CZ*qO(ExsVyp&6f5yfoBgVWM0z>DD5aUlUX}H2dul&`(CL<
z?TZ5~^|Uope-va*H8BudTWJBr9IhZPyJ5@&O0dQUz%f}tpDe5Rk=CcKVJ0@1MxV*S
z1igP1t21#dMK9lx`}886FsDfhkRrocg5_^TtcC<@J|9sRhA7^@G+GJ23mN+#EM$}3
zq?7rb#x@&pf_Pmd#&$b6J7yP|etj1iBDk6n_LWi9NLc2YFlmk{DZYyU@SdZV7O6}$
zvW)L}38@K$oNQFNTk|%QEaCFNT)T<_sp^mc7lG)7+BKw3pe4~EEDK&7Jg)j%Jj}Ne
zx%e=$s`8mgKu>Yy=?{AO(_r<#6xUKjS|#G-L`_Mi<NeEV$0p3RHn}{_T2?ZFPz0h~
zE=C&dr1_AtXaPAyfq6Q2$i-&;;i&HmAAFKxmM$$0P!7ouxK;rLqCM5aRWtLHq276@
zt39WSJ`=zbm`PHieZa>-4*Wf?=O8NkI1zQeIx+5EPo`^JTJ{S<5*dk|ev->drhX!E
z%BT?`v*7_ITya~lKI*4)abjoaxt|mdX$nAK_n5kVMCjIhx0QD(-l>%BuEhCb^{Nf-
zl4pGHh?sR%XWcotjkCx|lsfLeK{T?IZzm9Elm?i86xpPtj&5m4WR4(6Sk-0%Tkzh2
z#x%}7hX+odoapMKj_LXR`DaA$ucQ9t`g5%yw+seijLCql38e5xg|;jUV@SVKVsMOQ
z{Ji`A_H98~-=f>KSJuzjVlkzi0|svtMtLX9#C-C@-@#v0Ng^FHoPmXLRD)=S;C8K0
zJwUPk-4TQ4mRsF}6;}9EX|G12g=_7dgHd!Nuu$hTo}T-1`s%X~R`upN*altd7Ifn)
z6G|I6i+T0n-tAlPLx-pxS~t5LJ#*h&@_Q8v8#B#u+~Nd|<Vi3Ikgrhqky|b*{o}ID
zw5EY$E?|UqPu*ex+Q6hlv^pfbu)$NRY5A~)AUG>)a?WwB=!HwT%L9dIH!&}cCK_&8
z#S!Et6?xC^?LG1fFt)>zI~6LhJ4~pFn)t9v{giBNtNLd@cFZnfWnS?1cSoNLC}Hnt
zAScDnk|kZI@h|JHU59;G55E;f-r&csE918i?5ioHi&3*HC5dF#he3bUwxss}2G$=6
zpQ%kkE~5+-FxbzP;fd}ZPr;=D<Ye5Jc)rK|o(JO|i1z8U%dt5H5SUotIog!1kfn&f
zr~aqBKODIGw$noE#KGxUuD7_*L?wRd)kg(e4r=KKEjCv3^<?dk58LCK3W%1U?}pzQ
z(skByk|hjAw}~F7<?EQ+@C2^<LU=Q0fb<h3P=q8pec(2eRe91q^sPm;Bea~uh|U(^
zI_44JLv#)8F?Q@bP8kGf0S(N(o2wW-#>r`Flay&CKXW~`(<tH_ilnHjEu?i58}p1f
ztvTw~<P3w6@qvEC7fQ(}dXAI<ak`LL?M*H>Q~62W-vs&m6rQTiTA+B5s$G93rw)$K
z>0zBBp2-kH4F_3&^Rg`Z6_)+=RF8xYc4oyVgK04~J{jl;P{z|rlz8!{wm9Tp3}e0i
z@%Jc@JnTR6O6o!%)n&<@$C3Hq32T?=8j9?{(3zmo_`n=;Aw)=xxGI_Jl0>@dg<ul|
zzrfI&gk(paTohLtsWXn=5f#-hur@APP(h3X)kDuE2_OQ393COuC@mxf{R5$3Oe5$C
z>sb>DSfa3Co)KkAw$fM$5msehj<aEv90z~KH<#{~w{=Nx&X*KDBW?c2-(k!iQr~o!
zOG2;2AnHGk3&ihR5R4K<%<!zOT&am~O?2TWP4ISi?B4E&bA3&HiZShxi#fl1z_9Zz
z{O=#N@$(2?M33&UG7Wj|v^O%YJoy5GqI4%REnq!T14TEQn(w!98YkJ$Vd8Uulkn=K
zWJUhU&VtE}oFyfy4ig73-uZmpz^{ok^yKEn6FuZ>R&M5aow1cW7!mJXlrI#oB9|rL
zO&$qASj$g~Dh3*yxu;}2;c`E_RBv{y>0F7wOW$%}5s;q4uW*fIf?daN%D8c;ot~Yg
zbSHMP2;+rcK!)j|%t@;ooZZ!kz9{%h<x{%>Gx~wTJ_~#O(rR3)PY0eOc>W--(9d-e
z57*qyd`j-vBKAv|qd;K!=O1fF_^%LApYlQ_cZrh(<W>wS*!_!v2^J;!mT{C$sLQ>w
zn@J}oO<T&}6mH8tp}Z3br~IGhc-20C9rvEfYP@00TELx(KS5EYI}Ws;JxdLysIK+F
z$z61#Rc|aqsFS1OU`LnQYN^`9X4VWwTHvy8C||7#^sfizCk0)(xI8*LGh0zAd(c1B
zXOB^H%_SnPfDolC>6-(>t>kqb>LhT@1SzXw<CYhoY$f5KwcV&HS9h$B)`O*An+y?c
zQhS2ky2d~&++9t^`Zjp?%pJIA2&ZHzJ(oeOT>Y-KiEXGyPT7v5W{XfmM9YkNoIvVT
z4e=pM8v4CevqZUIY{?_TsfI73oH=F>S7xt-mgI5P)_(m&Vl`z}UV==jS0tKfEc^K_
zFc~q9-iKRo1G{)oSh%l4KzRG7=lCBePmfzd?MGk=vMKl5Su0yneBKGR&=6;2pyR0I
zi-&Q5E!M&$BcmwmO7wy_?8tC^+TJo@XJS_s$Bvp#QlLX%myPw)l=bESQDSr5XW!yC
zP|uloF6&57WYPcF2lX|IH*em2%it2!g!UqSlZ&NDjGg748e+4?@eX9Pz-ow=?xsxU
z4wrS(w7bx4%dG566Lx9#oyo!=X!A*<|I`f>z-&k=WI0WWni-7Q&DiSz9c+_;!yCVQ
z?9y0Pd`Hz@f4%@-39`t@O$VA}K=l8(^rHqNzal$#k|lFnT!qeOb+ThTAUU8@UPoIW
zlyia`>dsM6K?Me1TuSc13=5KKl2OtAdeAanU8AdgH$=Be5IFs`E4d1GhxQ@DiA^G3
zKRI!Wiv#{K)swX?j(^l4DMr}hBdk(RA69X%^Sak@5ylzQc3!S0tIa#4Jn5zz8}MkA
zLfB*@cu<r|=lYI(1A>*e9l&Iwy>9796T4&ol+Wzj$bVY<q`7AOf;-yv02HDx_=YG!
zWQRqoV24pv3kyd+uiOSk*%DHYd?QJZGG4w+Q_a7g+h2j(u}P6<PqfoE7Wb!Suke=;
zEq(N8!gK(>Y38Y>!tHw{s4K}QkBdyHsjpciR?TcGC*x2DZ6<%?vZwU?-aZ-CI;n>P
z21gZJ7w{frU@pMP{kHm1#xZo8{l>R7CVN<Fdu?#iEa=?_OxC)Z&+PwdcTV=2QrBGG
z(UuIg(kQev%Te+#u&F;>I3hOC$ym^-MZ?MrN>a)aV^uOw;s-*^8cy((>-z-RKssWq
zjo>im;aC8;f|7%gZSD;B^lC6+x29FzIYmD3pS^MBp9u!(UEQxpHt4bGZyxBmUUdc=
zgelyMm(N=;o!W4{l{AN!@$!4bMsfSCd$r(NQ+@Km_*k8Oik}Fjl#2~fV9_T$>k0Wo
z1zFYp9eVc&SZemMAS@E$&uUw$7Yx6bX}|exw800r>GSwmB%1I6Ag3W}5w8@}v(C9y
zgI39Knn5q6mzYvZP=V86rt5tDqakjb%o$IkQ<fc5D5cpbDD04+R5f=lgt8pG+z@B?
z3koWnV(MsU8ez}v`IPo?=T*EnT*ZjGo?O!NobLTIGI@1_!b)?x1=NA3K~yM%4?&DJ
zHG!016`9jt0CYe`SeyZN_;0d=Cv0VFZ2};96NB@65ZJmWOLSg(DGmw`E_L+K?GHkT
zsCi>fEtX*&WF0+9+Pi5PV=B#p;$3hSEdy2!y8w@ndK$e1J<UVqN#uYPA<u1xO`O(m
zC3$d}t$_o_Mu<&>V4%w_RUF`Avu`xGi;KO$2?n^r<<w(6agx1F#!Dy^bamSDp5zG?
zbt(@EVsH3(qjeXunWbnp@o0(Q<bj}@8^nNAngS%ZzpyJmTZLsfzvwen(zi!zmC9s@
zf?+V{GP0ATTd})KwLfBZ4Ez0Dx4pi-bfy%whlvGTuXTp}b(5>q5S6ta-9cf}wOvX1
z6c)RSN_W2+3)<A(bIctXY<c4o8#nk*vGOE?%@+p?+iG5gc>Wn@=BBo%lS|6*y6IfB
z(j!wm11Fi7aBDuCj*QA|hf3W}icNI0B$v93ptGwiTz1KNv;Dd#C)#|);y^_eaT1KH
zARrH$?KWH(qfT{@=fSPADoxWtUFDW~uw$CDjxX*%T!BQI4Ky5>Z;cuU8wp{GD=tr>
zYs5@L!qKQbT=OsOq|%EARO7ZRLWURA=To6O@V+hDDkE;DMW7l~1k~$VBZK@tYY?<Z
zx7bB566%p^^+sH;%j6}Dfm0gz7ojC?fz=%Fu+pe<`?{rWbM%uqfng<XJ$f_rd_?i7
zoVE!wcy*;sZQwjF{E9kr{LhAX4gZ8V_mEG6{@e<K=EboT<^s$s6r^ve0LblrQH(<a
z&rKm~yL6im#W&1&MuPx^`8sYAr)h}07gL3td>tJGs70z<$fGy~V}|_DQbeH9d7@4|
z)HWg-UADP3KiT3pZuNX>=BrC|)F{AHm)N-0Tfb!XOAsHA6!w6|9g6dNYnyX5Qn=+U
zu7As$Taa)X+dh1s&S_056xakF(UaUG-au8K9d|sKA$m`4{&<oG+p!!Pl5*?A@6J|@
zB1+3-2B!F3UT#cbQ)&hE7+T#<u=GI@8#{HH;&Ta#QW+6gLx?#qx1Oy$a!-+d4VR#{
zr#Bz4IyG-1FKb3Ckc4R^2oWz8Nj=E~iWXj<H-ni%vwR$Q*_ew-kNpJ-Kmhx!+w={P
zc8=v5Qt~Q-l%+{u5*zX<TnT??+4L<Ia3B<lIz4^$P(G^{Eac1T$hIu;9l)t6c!9$<
z3H`>BU2)4er}~NpGNVW4@q~7nOcy@$g9=s&5K|W<!5bcjMW<<}jB|G$qjAq+H0$lK
zdKhRsCh>|nToq&`7^R{~3I&+30mT&HjIBc$yoF*+7d^dxn&V{fiOy~|pr>ytC#)#Z
zZr4{YESyhRuq+6Ep&R7LQ%%FxTO|yrZ&=(ott#H48i7o2A;BWx6eju=HvZSHT>%tZ
zVgyPG>rk5qbWxAjn2eXCBLQ_BJA2r~sNjZ2ZkF1`)blv%Wzm|W>FGDXdv?)R`IKbE
zU6GPU2Q1mQ{{Y&wdyo+bNo=QpdN7|Y!}Q>d6(8eq({W8x@#j+cQoBlmaNxED%(9=z
zMn+~~2^xfLSXjoF$9geGjwTZYJ4_hXgMf-;UjW&&P%e**;p~#OvjBs5-xR#~6p|w)
zvne7Mzz-k>Ktq7jB7lP6fCGV{O=i#xWT3@51UsN1tH7V!w*J{U1Vghwbss~wlDBWg
UFmy=v+}o}GLsS9+3LKjE9|Mn%2><{9

literal 0
HcmV?d00001

diff --git a/jetty-proxy/src/test/resources/client_auth/server_keystore.p12 b/jetty-proxy/src/test/resources/client_auth/server_keystore.p12
new file mode 100644
index 0000000000000000000000000000000000000000..d69a31386a4262f6ca5cd60fa808c0b3785ea35c
GIT binary patch
literal 2575
zcmY+EX*d)L7sqEa7`uxww<bm=QjL8bdl#9Iec$)3FuWrQBZI7k?CVvwVG?B-%eAkK
z2xEy*w#Y6dT=#w6_ul7zIOjai?|;tu_(Kz5Oduc_O<?SVGKvzli3cn|dSC&8@ePE)
zSbdHw(F8h=e?@eb5CWa)IW{~mJt))vu9#s!PyqpQj3z)1&>~RS|MB^AID||6pv3UX
z^DLNG!9skWPbHBvT15&326Pxe2#{W00?W_BR5?P@hOrhnbb+fzeE&*5%>et@6`gL$
z7KNB{JGmJ0I*ti5<Jx-WE4f`*wfHEwA+FziLM*!q<*RDzc5OFWM#GBmtA#c)ZSF$c
z)u{9l`Pt=ycAl4(1}}xxKYzct#4X03tMb%Foe(N~L52dH9o3UcjEhqS*N}(Y67vgm
z<gaeKB_F#b@k6a>;a0TGsj3kNKg)<$H8+{FjFhnDk#8e$uSF#lv8&ZoKLjIwkE75W
z>uxAg*#7Qu&u-d@&}?xm7Sd4U6@M&@^X0!iQp)v}3>%#dtDiR^?cC8liD~g(HLsYw
z6E<vVy!0Fe%mFX|a?h3PcE#J`q8r%IzVC4S-2MWS*UggK9FucH>%W&=0!EPWb{>Cx
z;Ao}Jn^d?hHA{x_-q6J0mCBq|y*5u+-+oRRlrrbFcsMm;QxZru3tVj)Xb|O{(0+Gt
z$rh1NZTd;c<>JtErT)~fDcE&Mh9PJ9XWB@+ODwx;G_d2TNZDtq?yMbnKJ;rd-%>Pp
zPuiN){%;+#IQ$s-(R|+zl!LhSX~bu9L!z?*4$*eiWx^U#77+5x#YghPN2jIVrz_U>
z4V|a!O+^;j_IZM68Z3e0!H;SU%}d@;(ud>;iHK`eYR?BeW%|6`*XULCYa|@%a#|G)
z0170oRnhQ4-5Y!a5~n%yY<xm?yF!<u+~7<O<<VuqsXW()o5;A+olE*U9GA9sD`Khx
zEg_uJ=yE6Wq<<nAJ<>GOVs^~cf0ykhbV~F|cHJkxYiCCb>NSAA$>EL(>W!S}ea<JL
z)$)#qpv8bXl_vKSyPB6;iz?ExX4`(E{>hq`AM7}3JbDb;okYq%W3Vqs%)bjfJI#!W
zXALxtrYrMQ)m%3Ud-au*D}5t{OxF(`%#zU>In8G>G6Sq0rY|<vJltg3zDS`{XdD!n
z^9X}C6Yn$Gt7%*3Zwd3J+JA6toSXchZrm@CE?f<&DHjrygU?}5zHi{jFK4&J?A@8!
zbz_0|X0vFBm1FLQc7hf#Q>tAywk`GjsP#mmX_z8^w*@Pjlv$7ILwaN{ENN+P<~&p?
zVKq?KLptJnTbeTI!LU}P&0?_{A0K}0mA&Se2AZI)+=Y<k<{eGMve{e?ed(LlyrNt6
zCN8rP_o;bq1bJEQj^Y*WLSvWyh#;KrNolu9ZKf7%c6e9*UH}S#hDc}r5tA!&J4V?h
z^3%~NsrsJoN^#K7AiI6#a)FSYIh;{PCNZFHsK2^)4=diG979Pk<PWwi4z1RAaF;RD
z5zKg9%P8jbc4(A5X3!FE^QrOZr&>{^g@0E<@G8<_i+vR_c&pcW?kz6HCJnX}?K9u@
z_}UB4qB5RNu?|6ZcSecD;o*XDyISMD7&+2O_cXB6KLflU+9a%~X<zp`al{^JsDZ<~
zzX<XGBg_}Jg0-P5f<*Qg$Btn=P|0>mz^)k$kGvZ!mAbJ~A??t)=2RLe`NL3ospx5p
zMD}_qf7@$~990uk^>qPv%*6ZMyhU4{Z@(O_Z6A-Z>tf$HYTDj+cVv<U<FrHqYPDFs
zU43nIza01-)SCuuwe$IRM|%@FxmYbP4<IsZHTg7ypFRmE8ybxDmi#!jxA-)gs<bDr
ziiZEKN=7bm)=SKQ0Dud?9}x6cM+^KDa*K08IE_7gTrP{th)aq~$)UxiWTd6e<*D@d
z5<T?Xr`OMs2nYx`AA<iRz<(JQ`j=r%H_`?YS|0Q}IygV`e<RZHxfU(`U&DqIz$=5Y
zdp4dn@(hit;t|%@udod0+f+ta(Rnl)JwQ#Hj=kesjN>O7=ziO<MIdH6;iVg?*Xn9B
zfV{yY1~rQpJPDy5lwM=eM9RGAtXgc;f3^<!^XZ=y$5k?u03mqY8&$BcUf#ydm^-y7
zq_tyIGHD>7Y$ifN1P<?PhwmGJpCgkNe58UDsQNlvE%q?0HC$QYX*}6#i+1J;R#yp_
z#5ed}-ymRJ-upxr05DfZRHl2O6E}p%HK^#r`(5`&eU$7Ojve>AwAf@VWAM82&T+ZU
zmD@oIw7KWo{CbzmO~Qih^S+6nER_muQo)F^-)1%q+50MbmirWiS7h%C1?kxAg6qG1
zD*W=1CV0hW6n9D+QbJE_tZ<`F7eF(@8-j{egBI6&HbWXH=9TM$BZ~}8jf#ygU*YPS
zijsQLfXu(F0weVn#1z;%?#I=|A0f^nO*(pSH6EIM$>vE^SCAPH-NNKU<R=J#1YXuD
zHFCIHv=>eW46@Rz=^(|}qz>iAh=XAV3Y;xOY<KW6FX@jX_qMq^<3o|C&gAZVdyl90
zFvBakX>=O$bcax+^<cT6#Sn44YW!#~8l6<tN-6%B8TFgYTLu=j%<!o$DPCb;iEq@l
z^{~1hq!dQ(LsaRn4XqbOrdNdIz$i0MP-1S93cD9nM_)PxWZ)Ab$>Tq|e)?|NbU&X>
zc^ID-K3*SN4nOKKyh8tz?^apooy%3Xwxm%H{R<iyL6n;@)>-VToosWUfO>pYuH~El
zEV%~by}aJ?RqL^NXR^lo<Cw;9{36?IDD9vT&Qz6!ak4y>?AFNLWnInSh%@8pxXQ-h
z$dQR$x7^)h*^tZB5K6A;@DoDR&G&;>lt&xYUc}D8F<f`mK+EMaZqrpAO}5PARQ$SH
zt(l&;@cT?EtwkwVK-DAB#lxZ4GX8r`kmfwU2+wzS*w^85w|XY!Dyp$_8--iGD#H@4
zr4)=9m=?@C?2hd+!5;ahydb&Nt<$FFZ~}f^5%>Tjr<4>tPjsiZo@|;ZY<oKb73=b<
zeUPEnn{s<wFa4*>-VDX5C!4m@`fUxRkXM}!c&qnwvh&zH<Ktu@5A?}}jbd~`sL<(y
zyqfFFrJq3YTDn3JdqJx1c4I|8^+_0lEN0LIHTa}+W6qudY_F58=+f*81{`Z*H`cNa
z%{}4t)*o#N6YXT#i=Q3hhvFnulLq-h2NlmmfnBnsYXnM{5ZO`eG#;G(`{QKx*!O7G
zj}3V}{Oha4!t6i~wx>BEz|8jMEu?jT)xe1!7TN!D_c;#u>;h!i>iRM9hMNv}Pg2RA
zWZUurt&A2xGeYUEv4TPTbN~n!8F=+JX2NLO3ztll?9@;(HRnr!aJhbu4%AoU@f(SP
TZ6>aC6ujDz`UnC8i3NWGm+HX0

literal 0
HcmV?d00001