Skip to content

Fix SSL configuration selection for multiple outbound connections with different certificates#35132

Open
una-tapa wants to merge 1 commit into
OpenLiberty:integrationfrom
una-tapa:34391-Incorrect-SSL-Config-Selection
Open

Fix SSL configuration selection for multiple outbound connections with different certificates#35132
una-tapa wants to merge 1 commit into
OpenLiberty:integrationfrom
una-tapa:34391-Incorrect-SSL-Config-Selection

Conversation

@una-tapa

Copy link
Copy Markdown
Member

This PR fixes issue #34391 where multiple outbound connections with different clientCertificate attributes were incorrectly accumulating certificate aliases.

Problem

When configuring multiple <outboundConnection> entries with different clientCertificate attributes, the SSL configuration alias was being accumulated across iterations (e.g., sslConfigId:cert1:cert2:cert3) instead of maintaining separate aliases for each connection (e.g., sslConfigId:cert1, sslConfigId:cert2).

Root Cause

The sslCfgAlias parameter was being modified directly in the loop, causing subsequent iterations to append to the already-modified value.

Solution

  • Introduced a local variable currentSslCfgAlias to avoid modifying the original sslCfgAlias parameter
  • Removed unnecessary special check for host * and port *
  • Updated debug trace message for clarity
  • Added comprehensive unit tests to verify the fix

Testing

Added OutboundSSLSelectionsTest.java with 7 test cases covering:

  • Single outbound connection with certificate
  • Multiple connections with same certificate
  • Multiple connections with different certificates (the bug scenario)
  • Mixed connections with and without certificates
  • Alias format parseability
  • Host-only connections
  • Stress test with many connections

Fixes: #34391

…h different certificates

This fix addresses issue OpenLiberty#34391 where multiple outbound connections with different clientCertificate attributes were incorrectly accumulating certificate aliases (e.g., 'sslConfigId:cert1:cert2:cert3') instead of maintaining separate aliases for each connection (e.g., 'sslConfigId:cert1', 'sslConfigId:cert2').

The root cause was that the sslCfgAlias parameter was being modified directly in the loop, causing subsequent iterations to append to the already-modified value.

Changes:

- Introduced a local variable 'currentSslCfgAlias' to avoid modifying the original sslCfgAlias parameter

- Removed unnecessary special check for host '*' and port '*'

- Updated debug trace message for clarity

- Added comprehensive unit tests to verify the fix

Ported from: https://github.ibm.com/websphere/open-liberty-service/pull/1741
@una-tapa

una-tapa commented Jun 18, 2026

Copy link
Copy Markdown
Member Author

!build (view Open Liberty Personal Build - ❌ completed with errors/failures.)

Note: Target locations of links might be accessible only to IBM employees.

@LibbyBot

Copy link
Copy Markdown
Member

Code analysis and actions

DO NOT DELETE THIS COMMENT.
  • 1 product code files were changed.
  • Please describe in a separate comment how you tested your changes.

@LibbyBot

Copy link
Copy Markdown
Member

The following files contain comments noting GenAI assistance:

  • dev/com.ibm.ws.ssl/test/com/ibm/ws/ssl/config/OutboundSSLSelectionsTest.java

1 similar comment
@LibbyBot

Copy link
Copy Markdown
Member

The following files contain comments noting GenAI assistance:

  • dev/com.ibm.ws.ssl/test/com/ibm/ws/ssl/config/OutboundSSLSelectionsTest.java

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Liberty Fails to Select Correct SSL Configuration When Multiple OutboundConnections Are Defined

2 participants