Hello!

According to the TLS protocol, "Whenever an implementation encounters a condition which is defined as a fatal alert, it MUST send the appropriate alert prior to closing the connection." Therefore, a client that does not accept a server certificate, for example because it has expired, must send a handshake_failure fatal alert before closing the connection.

I'm using Spring Boot version 3.2.6, and if you set up a WebClient like this:

final WebClient webClient = WebClient
    .builder()
    .clientConnector(new HttpComponentsClientHttpConnector(HttpAsyncClients.createDefault()))
    .build();

and send a request to a server with an expired certificate, no fatal alert is sent; the connection is just closed.

However, if you use ReactorClientHttpConnector instead, it works as expected and the fatal alert is sent before closing the connection:

final WebClient webClient = WebClient
    .builder()
    .clientConnector(new ReactorClientHttpConnector(HttpClient.create()))
    .build();
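
One way to check the behaviour described above from a capture of the bytes the client sent, as an added example that is not part of the original issue or of any Spring or Apache HttpClient code: it walks the TLS record layer and reports whether a plaintext fatal alert preceded the close. The class name, method names and sample bytes are constructed for illustration; it assumes a TLS 1.2 handshake, because in TLS 1.3 the alert a client sends after the server's Certificate is encrypted and appears on the wire as an application_data record.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class TlsAlertCheck {
    // Alert descriptions from RFC 5246 section 7.2 (subset).
    static final Map<Integer, String> ALERTS = Map.of(
        0, "close_notify", 40, "handshake_failure", 42, "bad_certificate",
        45, "certificate_expired", 46, "certificate_unknown", 48, "unknown_ca");

    /** Walks the TLS records in the bytes a client sent and describes each one. */
    static List<String> describe(byte[] b) {
        List<String> out = new ArrayList<>();
        int i = 0;
        while (i < b.length) {
            if (i + 5 > b.length) { out.add("truncated record"); break; }
            int type = b[i] & 0xff;                       // record header: type, version(2), length(2)
            int len = ((b[i + 3] & 0xff) << 8) | (b[i + 4] & 0xff);
            if (i + 5 + len > b.length) { out.add("truncated record"); break; }
            if (type == 21 && len == 2) {                 // plaintext alert: level, description
                int level = b[i + 5] & 0xff, desc = b[i + 6] & 0xff;
                out.add((level == 2 ? "fatal " : "warning ")
                    + ALERTS.getOrDefault(desc, "alert(" + desc + ")"));
            } else if (type == 21) {
                out.add("encrypted alert");               // sent after keys were activated
            } else if (type == 22) {
                out.add("handshake");
            } else if (type == 20) {
                out.add("change_cipher_spec");
            } else if (type == 23) {
                out.add("application_data (a TLS 1.3 alert would be hidden here)");
            } else {
                out.add("unknown type " + type);
            }
            i += 5 + len;
        }
        return out;
    }

    /** True when the client sent a readable fatal alert before the stream ended. */
    static boolean sentFatalAlert(byte[] b) {
        return describe(b).stream().anyMatch(s -> s.startsWith("fatal "));
    }

    public static void main(String[] args) {
        // Constructed samples: a stub 4-byte handshake record, then (first case only) a fatal alert.
        byte[] withAlert = {22, 3, 3, 0, 4, 1, 0, 0, 0, 21, 3, 3, 0, 2, 2, 40};
        byte[] silentClose = {22, 3, 3, 0, 4, 1, 0, 0, 0};
        System.out.println(describe(withAlert) + " -> " + sentFatalAlert(withAlert));
        System.out.println(describe(silentClose) + " -> " + sentFatalAlert(silentClose));
    }
}
```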

Comment From: wilkinsona

Thanks for the report but I don't think this is a Spring Boot issue. It's the underlying HTTP client and the JDK that handle the SSL handshake and Spring Boot isn't really involved. I suspect that you'll see the same problem if you use HttpAsyncClients.createDefault() on its own without any involvement from Spring Framework or Spring Boot. If you've observed that this isn't the case and you would like us to spend some time investigating further, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

Comment From: rubenwilhelmsen

Ah right, that makes sense, thank you!