[JENKINS-75676] Client certificate credentials not handled properly

Add a custom TlsSocketStrategy implementation to retrieve an SSLContext from a specific HttpContext or delegate it to DefaultClientTlsSocketStrategy if it is not present. This way, the SSLContext created from a keyStore (client certificate) is configured to be used by the underlying HttpConnection of the shared connection pool. The HttpContext is created each time a new Bitbucket client is instantiated, which means that the HttpContext is bound to the lifecycle of the client instance.

Author: nfalco79

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/client/BitbucketTlsSocketStrategy.java

@@ -0,0 +1,66 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, Falco Nikolas
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package com.cloudbees.jenkins.plugins.bitbucket.impl.client;
+
+import java.io.IOException;
+import java.net.Socket;
+import java.security.NoSuchAlgorithmException;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
+import org.apache.hc.core5.annotation.Contract;
+import org.apache.hc.core5.annotation.ThreadingBehavior;
+import org.apache.hc.core5.http.protocol.HttpContext;
+
+/**
+ * Custom implementation of a TlsSocketStrategu to replicate what
+ * {@code org.apache.http.impl.conn.DefaultHttpClientConnectionOperator#getSocketFactoryRegistry(HttpContext)}
+ * did in Apache Client HTTP 4 implementation.
+ */
+@Contract(threading = ThreadingBehavior.SAFE)
+public class BitbucketTlsSocketStrategy implements TlsSocketStrategy {
+    public static final String SOCKET_FACTORY_REGISTRY = "http.socket-factory-registry";
+
+    private TlsSocketStrategy defaultStrategy;
+
+    @Override
+    public SSLSocket upgrade(Socket socket, String target, int port, Object attachment, HttpContext context) throws IOException {
+        TlsSocketStrategy strategy = defaultStrategy;
+
+        Object value = context.getAttribute(SOCKET_FACTORY_REGISTRY);
+        if (value instanceof SSLContext sslContext) {
+            strategy = new DefaultClientTlsStrategy(sslContext);
+        } else if (defaultStrategy == null) {
+            try {
+                strategy = new DefaultClientTlsStrategy(SSLContext.getDefault());
+            } catch (NoSuchAlgorithmException e) {
+                throw new IOException(e);
+            }
+            defaultStrategy = strategy;
+        }
+        return strategy.upgrade(socket, target, port, attachment, context);
+    }
+
+}

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketClientCertificateAuthenticator.java

@@ -26,34 +26,24 @@
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketException;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.client.BitbucketTlsSocketStrategy;
 import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
 import hudson.util.Secret;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
-import java.util.logging.Logger;
 import javax.net.ssl.SSLContext;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
-import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
-import org.apache.hc.client5.http.socket.PlainConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.HttpsSupport;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.http.HttpHost;
-import org.apache.hc.core5.http.URIScheme;
-import org.apache.hc.core5.http.config.Registry;
-import org.apache.hc.core5.http.config.RegistryBuilder;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.ssl.SSLContexts;
 
 /**
  * Authenticates against Bitbucket using a TLS client certificate
  */
 public class BitbucketClientCertificateAuthenticator implements BitbucketAuthenticator {
-    private static final Logger logger = Logger.getLogger(BitbucketClientCertificateAuthenticator.class.getName());
-    private static final String SOCKET_FACTORY_REGISTRY = "http.socket-factory-registry";
-
     private final String credentialsId;
     private final KeyStore keyStore;
     private final Secret password;
@@ -72,11 +62,7 @@ public BitbucketClientCertificateAuthenticator(StandardCertificateCredentials cr
     @Override
     public void configureContext(HttpClientContext context, HttpHost host) {
         try {
-            Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
-                .register(URIScheme.HTTP.id, PlainConnectionSocketFactory.getSocketFactory())
-                .register(URIScheme.HTTPS.id, new SSLConnectionSocketFactory(buildSSLContext(), HttpsSupport.getDefaultHostnameVerifier()))
-                .build();
-            context.setAttribute(SOCKET_FACTORY_REGISTRY, registry); // override SSL registry for this context
+            context.setAttribute(BitbucketTlsSocketStrategy.SOCKET_FACTORY_REGISTRY, buildSSLContext()); // override SSL registry for this context
         } catch (NoSuchAlgorithmException | UnrecoverableKeyException | KeyStoreException | KeyManagementException e) {
             throw new BitbucketException("Failed to set up SSL context from provided client certificate", e);
         }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/server/client/BitbucketServerAPIClient.java

@@ -39,6 +39,7 @@
 import com.cloudbees.jenkins.plugins.bitbucket.client.repository.UserRoleInRepository;
 import com.cloudbees.jenkins.plugins.bitbucket.filesystem.BitbucketSCMFile;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.client.AbstractBitbucketApi;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.client.BitbucketTlsSocketStrategy;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketAccessTokenAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketClientCertificateAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketUsernamePasswordAuthenticator;
@@ -141,6 +142,7 @@ public class BitbucketServerAPIClient extends AbstractBitbucketApi implements Bi
     private static final HttpClientConnectionManager connectionManager = connectionManagerBuilder()
             .setMaxConnPerRoute(20)
             .setMaxConnTotal(40 /* should be 20 * number of server instances */)
+            .setTlsSocketStrategy(new BitbucketTlsSocketStrategy())
             .build();
 
     /**