authorBjørn Christian Seime <bjorncs@oath.com>2017-09-19 13:32:05 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2017-09-19 13:32:05 +0200
commitfe5deac0ec0cf6423638efdfd73a9e8dec71733c (patch)
tree39dc48de098e0f8b131c3a291cb4e9b006dfd40e /jdisc_http_service
parentbd56cc7007feb7585f34a335dcc0692ee5e3cf1e (diff)
Add connector config for requiring client authentication
Diffstat (limited to 'jdisc_http_service')
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java2
-rw-r--r--jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def3
2 files changed, 5 insertions, 0 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index a8dbf66f537..af83a159b2d 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -135,6 +135,8 @@ public class ConnectorFactory {
Ssl sslConfig = connectorConfig.ssl();
final SslContextFactory factory = new SslContextFactory();
+ factory.setNeedClientAuth(sslConfig.needClientAuth());
+
if (!sslConfig.excludeProtocol().isEmpty()) {
final String[] prots = new String[sslConfig.excludeProtocol().size()];
for (int i = 0; i < prots.length; i++) {
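Review bot: `factory.setNeedClientAuth(sslConfig.needClientAuth())` makes the handshake demand a client certificate, but nothing visible in this hunk configures or checks the trust store that decides which certificates are accepted. The method starts and ends outside the hunk, so this may be handled further down. If it is not, the accepted client CAs come from whatever the library falls back to, and I would fail fast at connector construction when the flag is true and no trust store is configured. It also deserves a short comment that this authenticates the TLS peer only, for example `// Rejects handshakes without a trusted client certificate; authorization of the peer identity happens elsewhere`. A test that a certificate-less client is refused when the flag is on would pin the behaviour.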
diff --git a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
index 00b089ae3f9..45821b92f0f 100644
--- a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
+++ b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
@@ -77,3 +77,6 @@ ssl.sslKeyManagerFactoryAlgorithm string default="SunX509"
# The SSL protocol passed to SSLContext.getInstance()
ssl.protocol string default="TLS"
+
+# Whether connector requires client authentication. See SSLEngine.getNeedClientAuth() for details.
+ssl.needClientAuth bool default=false
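Review bot: The comment on `ssl.needClientAuth` points at `SSLEngine.getNeedClientAuth()` but does not tell an operator what enabling it depends on or what happens to clients that fail the check. I would spell that out, for example `# Whether the connector requires a client certificate during the TLS handshake (mutual TLS).` followed by `# Clients without a certificate trusted by the connector's trust store are rejected at handshake.` It is also worth stating that the default `false` keeps existing connectors accepting unauthenticated clients, so the setting has to be enabled explicitly wherever client authentication is expected.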