When using a PKCS12 keystore without a password, one will simply receive errors such as this on the client side:

* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).

This is due to the Sun keystore loading the key, but not the certificate entries from a PKCS12 store without a password.

org.springframework.boot.web.server.SslConfigurationValidator#validateKeyAlias validates that the configured key alias is present (which it is), but no corresponding certificate alias will be present, which leads to a handshake failure deep down in the guts of the JDK's SSL handshaker.

SslConfigurationValidator could potentially use keyStore.isCertificateEntry(keyAlias) and keyStore.isKeyEntry(keyAlias) to check for this case.

I am unaware if every TLS cipher suite requires a certificate, but potentially having a warning here would be nice to avoid chasing this problem.

Some references to OpenJDK not "truly" supporting PKCS12 without a password can also be found here: https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot
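As an added example (not Spring Boot's own code), a stand-alone Java check that loads the store the same way the JDK does and reports whether the configured alias carries both a key entry and a certificate chain; the class name, method names and the keystore path/alias passed on the command line are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;

/** Hypothetical helper: fail fast when a server key alias has no certificate chain. */
public final class KeyAliasCheck {

    /**
     * Loads the store (type e.g. "PKCS12"; password may be null for a store without one)
     * and returns the certificate chain length the JDK sees for the alias, 0 if none.
     */
    public static int certificateChainLength(String path, String type, char[] password,
                                             String alias) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        if (!keyStore.isKeyEntry(alias)) {
            throw new IllegalStateException("Alias '" + alias + "' is not a key entry");
        }
        // For a PrivateKeyEntry the chain is stored with the key; null means the alias
        // is absent or carries no certificate chain, which is the symptom described above.
        Certificate[] chain = keyStore.getCertificateChain(alias);
        return chain == null ? 0 : chain.length;
    }

    /** Throws if the alias would produce a handshake failure later instead of a clear error now. */
    public static void validate(String path, String type, char[] password, String alias)
            throws GeneralSecurityException, IOException {
        if (certificateChainLength(path, type, password, alias) == 0) {
            throw new IllegalStateException("Alias '" + alias + "' has a key but no certificate chain; "
                    + "if the PKCS12 store has no password, re-create it with one");
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java KeyAliasCheck <keystore.p12> <alias> [password]
        char[] password = args.length > 2 ? args[2].toCharArray() : null;
        validate(args[0], "PKCS12", password, args[1]);
        System.out.println("Alias '" + args[1] + "' has a key entry and a certificate chain");
    }
}
```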

Comment From: philwebb

We'll look at detecting this, but we'll also want to offer a property to opt-out in case the user has a different JVM.

Comment From: shartte

@philwebb Shouldn't Keystore#isCertificateEntry/isKeyEntry still return true even for other JVMs if the entry is to be used for a TLS-server?

Another option might be limiting checks to certain keystore providers (i.e. SUN).

Comment From: raviu

I would like to contribute towards this issue.

For the case of no certificate alias, is logging a warning sufficient, and if so, can we avoid the opt-out property?