Quarkus TLS authentication throws 401 if certificate expires. How to update/change it to throw 5xx error code instead

[ngarg-panw]

Hi,

I have Certificate based authentication configured successfully.

Here are the contents for docker file:
xec java $JAVA_OPTS $APM_JAVA_OPTS "-Djavax.net.ssl.trustStore=${TRUSTSTORE_LOCATION}" "-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}" '-Djavax.net.ssl.trustStoreType=jks' -jar app.jar

Here are the contents from application.yml
http: ssl-port: 8080 port: 0 test-port: 0 ssl: certificate: key-store-file: ${KEYSTORE_LOCATION} key-store-password: ${KEYSTORE_PASSWORD} key-store-file-type: JKS

in case the certificate is expired, the framework throws 401-UnAuthorized error. I want to change it to throw 5xx instead with appropriate error message. How can I achieve that?

[sberyozkin]

500 would indicate it is a server error, while with MTLS the expired (client) certificate is indeed an authentication error. Why do you think it should be 500 ?

[ngarg-panw]

In our code, we are validating using the user token as well. If the token is invalid, then the API throws 401 and UI logs the user out, which is a valid scenario from user perspective. But for certificate expired, its not user authentication error, its application error, and we want to distinguish it from user authentication. Therefore throwing 500 with appropriate error message makes more sense. In that case, our specific feature data will not be returned, but user will not be logged out from complete UI which is a combination of multiple features. Hope this makes sense.

[sberyozkin]

@ngarg-panw I think it makes sense, I thought you were talking about the client certificates, in which case it would be 401, would it be possible for you to create a simple reproducer ?