Make client cert auth work even if server certificate verification is disabled

dnault · dnault · commit 837414c1aa01 · 2026-02-04T10:44:03.000-08:00
A bug in the previous connection logic prevented the
client certificate from being applied to the SSL context
when an insecure trust source was used.
diff --git a/couchbase-analytics-java-client/src/main/java/com/couchbase/analytics/client/java/AnalyticsOkHttpClient.java b/couchbase-analytics-java-client/src/main/java/com/couchbase/analytics/client/java/AnalyticsOkHttpClient.java
@@ -120,15 +120,16 @@ public AnalyticsOkHttpClient(ClusterOptions.Unmodifiable options, HttpUrl url, C
     TrustManagerFactory trustManagerFactory = trustSource.trustManagerFactory();
 
     HandshakeCertificates handshakeCertificates = getHandshakeCertificates(credential, options.security().trustSource());
+    KeyManager[] keyManagers = new KeyManager[]{handshakeCertificates.keyManager()};
 
     if (trustSource.isInsecure()) {
       clientBuilder.hostnameVerifier(insecureHostnameVerifier);
-      clientBuilder.sslSocketFactory(insecureSslSocketFactory, insecureTrustManager);
+      clientBuilder.sslSocketFactory(newInsecureSocketFactory(keyManagers), insecureTrustManager);
 
     } else if (trustManagerFactory != null) {
       clientBuilder.sslSocketFactory(
         newSocketFactory(
-          new KeyManager[]{handshakeCertificates.keyManager()}, // get client certs from usual place
+          keyManagers, // get client certs from usual place
           trustManagerFactory // let user override the "trust" side of things
         ),
         firstX509TrustManager(trustManagerFactory)
@@ -291,10 +292,8 @@ public String toString() {
     }
   };
 
-  private static final SSLSocketFactory insecureSslSocketFactory = newInsecureSocketFactory();
-
-  private static SSLSocketFactory newInsecureSocketFactory() {
-    return newSocketFactory(null, new TrustManager[]{insecureTrustManager});
+  private static SSLSocketFactory newInsecureSocketFactory(KeyManager @Nullable [] keyManagers) {
+    return newSocketFactory(keyManagers, new TrustManager[]{insecureTrustManager});
   }
 
   private static SSLSocketFactory newSocketFactory(KeyManager @Nullable [] keyManagers, TrustManagerFactory trustManagerFactory) {
