Using --tls_client_certificate for http_archive downloads

[mrkkrp]

We need to use an SSL client certificate in order to download some archives with http_archive. --tls_client_certificate together with --tls_client_key seemed promising, but we couldn't find a connection between this functionality and http_archive in the source code of Bazel. In addition to that, it seems like even if we set these options to non-existing files, we do not get error messages about them missing; instead we get GET returned 400 Bad Request error messages. So, it looks like the download proceeds without taking --tls_client_certificate and --tls_client_key into account.

Are we missing something? Is there a way to make Bazel use an SSL client certificate for its http downloads?

[jherland]

It is possible to make this work by configuring the underlying JVM with a custom keystore containing your certificate + key. Follow the instructions on https://blog.kunicki.org/blog/2015/09/10/ssl-client-certificates-on-the-jvm/, in particular use a command like openssl pkcs12 -export -out keystore.p12 -in client.crt -inkey client.key to create a password-protected keystore file in the PKCS#12 format, and then add something like this to a suitable .bazelrc:

startup --host_jvm_args=-Djavax.net.ssl.keyStore=keystore.p12 \
        --host_jvm_args=-Djavax.net.ssl.keyStoreType=pkcs12 \
        --host_jvm_args=-Djavax.net.ssl.keyStorePassword=<password>

[guw]

Cross linking feature request: #26733