Unable to make SSL connection to Apache with Eclipse client (Jaspersoft Studio)


I have been struggling for a few weeks now to connect an Eclipse-based report designer (Jaspersoft Studio) to a remote reports repository using mutual (two-way) authentication. I have asked this question on their community forum but have not had any useful replies so hope to have more luck here. I will broaden the question as it may not be (probably isn't) a bug or problem with that particular software.

First of all, I am using Apache to handle SSL (TLS) connections and then route traffic to various virtual hosts running on other servers behind that (with SNI). This system works as intended. However, with this one particular client I am getting an error during the SSL handshake:

Warning: no suitable certificate found - continuing without client authentication

Since client authentication is mandatory, Apache simply refuses the connection thereafter. I have tested the URL with a browser and several other clients, all of which work perfectly. I wrote my own SSL client to see how that fared, and it also authenticated and connected to the underlying reports server. All of these clients used the same pk12 and/or trust store as Jaspersoft Studio. I have also tried separating the key store and trust store, and configuring them in the client's .ini file (-Djavax.net.ssl.keystore..., and -Djavax.net.ssl.truststore), but it didn't help. If I disable client authentication in Apache, everything works perfectly.

I have experimented with cipher suites and protocols and every combination of jks, pkcs12, crt etc. that I can think of. I have included the Java unlimited strength libraries. I am not convinced there is anything wrong with any of this, however, because every other client I've tried simply works.

So, in the experience of the SO community, with regard to Apache, TLS, SNI and virtual hosts in general, or with Jaspersoft Studio in particular, are there any other configuration options or environment settings that might be required by an SSL client to connect to Apache in this way, other than importing the server root CA and client key/cert pair into the configured trust store? Might there be some specific configuration of the key/cert in the trust store that only this particular client requires? Or is there any way I can debug the key manager to gain an insight into why it cannot match a certificate that I can see has clearly been loaded?

Many thanks for any pointers or advice that you may have!
