From 6b6a32d6cb1f6f11d5c7e82cffd30a64ee11492e Mon Sep 17 00:00:00 2001 
From: Zixuan Liu Date: Thu, 21 Apr 2022 11:09:05 +0800 Subject: [PATCH] [branch-2.9][broker] Full-support set ssl provider, ciphers and protocols (#15226) --- conf/broker.conf | 8 +- conf/standalone.conf | 8 +- .../pulsar/broker/ServiceConfiguration.java | 4 +- .../service/PulsarChannelInitializer.java | 15 +- .../internal/http/AsyncHttpConnector.java | 26 +++- .../apache/pulsar/client/impl/HttpClient.java | 38 +++-- .../client/impl/PulsarChannelInitializer.java | 47 +++++-- .../util/NettyClientSslContextRefresher.java | 43 ++++-- .../util/NettyServerSslContextBuilder.java | 16 ++- .../pulsar/common/util/SecurityUtility.java | 71 ++++++---- .../common/util/netty/SslContextTest.java | 132 ++++++++++++++++++ .../test/resources/ssl/jetty_client_key.jks | Bin 0 -> 2679 bytes .../test/resources/ssl/jetty_client_trust.jks | Bin 0 -> 1207 bytes .../test/resources/ssl/jetty_server_key.jks | Bin 0 -> 2679 bytes .../test/resources/ssl/jetty_server_trust.jks | Bin 0 -> 1207 bytes .../src/test/resources/ssl/my-ca/ca.pem | 18 +++ .../test/resources/ssl/my-ca/client-ca.pem | 19 +++ .../test/resources/ssl/my-ca/client-key.pem | 28 ++++ .../test/resources/ssl/my-ca/server-ca.pem | 19 +++ .../test/resources/ssl/my-ca/server-key.pem | 28 ++++ .../proxy/server/ProxyConfiguration.java | 4 +- .../server/ServiceChannelInitializer.java | 19 ++- 22 files changed, 452 insertions(+), 91 deletions(-) create mode 100644 pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java create mode 100644 pulsar-common/src/test/resources/ssl/jetty_client_key.jks create mode 100644 pulsar-common/src/test/resources/ssl/jetty_client_trust.jks create mode 100644 pulsar-common/src/test/resources/ssl/jetty_server_key.jks create mode 100644 pulsar-common/src/test/resources/ssl/jetty_server_trust.jks create mode 100644 pulsar-common/src/test/resources/ssl/my-ca/ca.pem create mode 100644 pulsar-common/src/test/resources/ssl/my-ca/client-ca.pem create mode 100644 
pulsar-common/src/test/resources/ssl/my-ca/client-key.pem create mode 100644 pulsar-common/src/test/resources/ssl/my-ca/server-ca.pem create mode 100644 pulsar-common/src/test/resources/ssl/my-ca/server-key.pem diff --git a/conf/broker.conf b/conf/broker.conf index e36892e358427..849121f9fe8c9 100644 --- a/conf/broker.conf +++ b/conf/broker.conf @@ -594,13 +594,15 @@ tlsCiphers= # authentication. tlsRequireTrustedClientCertOnConnect=false +# Specify the TLS provider for the broker service: +# When using TLS authentication with CACert, the valid value is either OPENSSL or JDK. +# When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc. +tlsProvider= + ### --- KeyStore TLS config variables --- ### # Enable TLS with KeyStore type configuration in broker. tlsEnabledWithKeyStore=false -# TLS Provider for KeyStore type -tlsProvider= - # TLS KeyStore type configuration in broker: JKS, PKCS12 tlsKeyStoreType=JKS diff --git a/conf/standalone.conf b/conf/standalone.conf index 577a6ffad42cd..16312125a0254 100644 --- a/conf/standalone.conf +++ b/conf/standalone.conf @@ -357,13 +357,15 @@ tlsCiphers= # authentication. tlsRequireTrustedClientCertOnConnect=false +# Specify the TLS provider for the broker service: +# When using TLS authentication with CACert, the valid value is either OPENSSL or JDK. +# When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc. +tlsProvider= + ### --- KeyStore TLS config variables --- ### # Enable TLS with KeyStore type configuration in broker. tlsEnabledWithKeyStore=false -# TLS Provider for KeyStore type -tlsProvider= - # TLS KeyStore type configuration in broker: JKS, PKCS12 tlsKeyStoreType=JKS diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java index fa8464376fce6..1e7eac5ef9a1a 100644 
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java +++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java @@ -2237,7 +2237,9 @@ public class ServiceConfiguration implements PulsarConfiguration { @FieldContext( category = CATEGORY_KEYSTORE_TLS, - doc = "TLS Provider for KeyStore type" + doc = "TLS Provider for Specify the SSL provider for the broker service: \n" + + "When using TLS authentication with CACert, the valid value is either OPENSSL or JDK.\n" + + "When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc." ) private String tlsProvider = null; diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/PulsarChannelInitializer.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/PulsarChannelInitializer.java index 831e56f4f5d53..e75c518a50f02 100644 --- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/PulsarChannelInitializer.java +++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/PulsarChannelInitializer.java @@ -28,6 +28,7 @@ import io.netty.handler.flow.FlowControlHandler; import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslHandler; +import io.netty.handler.ssl.SslProvider; import java.net.SocketAddress; import java.util.concurrent.TimeUnit; import lombok.Builder; 
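Review bot: The new `doc` string on `tlsProvider` reads "TLS Provider for Specify the SSL provider for the broker service", which looks like the old text fused with the new one, and that fragment will be carried into the generated configuration reference. Replace the first line with `doc = "Specify the TLS provider for the broker service: \n"` so it matches the wording this patch adds to broker.conf and standalone.conf. The field is still filed under `CATEGORY_KEYSTORE_TLS` although the new text documents it as applying to both the CACert and the KeyStore mode, so the category may deserve the same move the conf files make.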
@@ -92,10 +93,18 @@ public PulsarChannelInitializer(PulsarService pulsar, PulsarChannelOptions opts) serviceConfig.getTlsProtocols(), serviceConfig.getTlsCertRefreshCheckDurationSec()); } else { - sslCtxRefresher = new NettyServerSslContextBuilder(serviceConfig.isTlsAllowInsecureConnection(), - serviceConfig.getTlsTrustCertsFilePath(), serviceConfig.getTlsCertificateFilePath(), + SslProvider sslProvider = null; + if (serviceConfig.getTlsProvider() != null) { + sslProvider = SslProvider.valueOf(serviceConfig.getTlsProvider()); + } + sslCtxRefresher = new NettyServerSslContextBuilder( + sslProvider, + serviceConfig.isTlsAllowInsecureConnection(), + serviceConfig.getTlsTrustCertsFilePath(), + serviceConfig.getTlsCertificateFilePath(), serviceConfig.getTlsKeyFilePath(), - serviceConfig.getTlsCiphers(), serviceConfig.getTlsProtocols(), + serviceConfig.getTlsCiphers(), + serviceConfig.getTlsProtocols(), serviceConfig.isTlsRequireTrustedClientCertOnConnect(), serviceConfig.getTlsCertRefreshCheckDurationSec()); } diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java index 3e17a38da2b34..1f302f6586cd5 100644 --- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java +++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java @@ -21,6 +21,7 @@ import io.netty.handler.codec.http.HttpRequest; import io.netty.handler.codec.http.HttpResponse; import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslProvider; import io.netty.util.concurrent.DefaultThreadFactory; import java.io.ByteArrayOutputStream; import java.io.IOException; 
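Review bot: `SslProvider.valueOf(serviceConfig.getTlsProvider())` throws a bare `IllegalArgumentException` ("No enum constant ...") for anything other than exactly `JDK` or `OPENSSL`, and this branch is the one taken when `tlsEnabledWithKeyStore` is false, so a value such as `SunJSSE` — which the same setting documents as valid for the KeyStore mode — or a lowercase `openssl` aborts startup without naming the setting. The same unguarded `valueOf` is repeated in the AsyncHttpConnector, HttpClient and client-side PulsarChannelInitializer hunks. If the configuration loader passes an empty `tlsProvider=` through as `""` rather than `null`, that also throws; I could not confirm the loader's behaviour from this patch. Suggest resolving the enum in one shared helper that treats a blank value as unset and rewraps the failure, e.g. `throw new IllegalArgumentException("Unsupported tlsProvider '" + value + "'; expected JDK or OPENSSL", e)`.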
@@ -137,21 +138,32 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest, JsseSslEngineFactory sslEngineFactory = new JsseSslEngineFactory(sslCtx); confBuilder.setSslEngineFactory(sslEngineFactory); } else { + SslProvider sslProvider = null; + if (conf.getSslProvider() != null) { + sslProvider = SslProvider.valueOf(conf.getSslProvider()); + } SslContext sslCtx = null; if (authData.hasDataForTls()) { sslCtx = authData.getTlsTrustStoreStream() == null ? SecurityUtility.createAutoRefreshSslContextForClient( - conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(), - conf.getTlsTrustCertsFilePath(), authData.getTlsCerificateFilePath(), - authData.getTlsPrivateKeyFilePath(), null, autoCertRefreshTimeSeconds, delayer) + sslProvider, + conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(), + conf.getTlsTrustCertsFilePath(), authData.getTlsCerificateFilePath(), + authData.getTlsPrivateKeyFilePath(), null, autoCertRefreshTimeSeconds, delayer) : SecurityUtility.createNettySslContextForClient( - conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(), - authData.getTlsTrustStoreStream(), authData.getTlsCertificates(), - authData.getTlsPrivateKey()); + sslProvider, + conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(), + authData.getTlsTrustStoreStream(), authData.getTlsCertificates(), + authData.getTlsPrivateKey(), + conf.getTlsCiphers(), + conf.getTlsProtocols()); } else { sslCtx = SecurityUtility.createNettySslContextForClient( + sslProvider, conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(), - conf.getTlsTrustCertsFilePath()); + conf.getTlsTrustCertsFilePath(), + conf.getTlsCiphers(), + conf.getTlsProtocols()); } confBuilder.setSslContext(sslCtx); } 
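Review bot: The `createAutoRefreshSslContextForClient` branch receives `sslProvider` but not `conf.getTlsCiphers()` / `conf.getTlsProtocols()`, while the sibling `createNettySslContextForClient` calls in the same hunk do pass them, so a client with a restricted cipher or protocol list silently gets Netty's defaults whenever it authenticates with PEM cert/key files and has no trust-store stream. The SecurityUtility hunk that changes `createAutoRefreshSslContextForClient` confirms its new signature has no cipher or protocol parameters. Extending that signature with `Set<String> ciphers, Set<String> protocols`, calling `setupCiphers`/`setupProtocols` on the builder before `build()`, and passing the two values here would make the "full support" in the title hold on this path as well. The enclosing method continues outside the hunk.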
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java index c295975ecd36a..2a7e434cd3885 100644 --- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java +++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java @@ -18,24 +18,24 @@ */ package org.apache.pulsar.client.impl; +import io.netty.channel.EventLoopGroup; +import io.netty.handler.codec.http.HttpRequest; +import io.netty.handler.codec.http.HttpResponse; +import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslProvider; import java.io.Closeable; import java.io.IOException; import java.net.HttpURLConnection; import java.net.InetSocketAddress; import java.net.URI; import java.net.URL; +import java.security.GeneralSecurityException; import java.util.Map; import java.util.Map.Entry; import java.util.Set; import java.util.concurrent.CompletableFuture; - -import io.netty.channel.EventLoopGroup; -import io.netty.handler.codec.http.HttpRequest; -import io.netty.handler.codec.http.HttpResponse; -import io.netty.handler.ssl.SslContext; import javax.net.ssl.SSLContext; import lombok.extern.slf4j.Slf4j; - import org.apache.pulsar.PulsarVersion; import org.apache.pulsar.client.api.Authentication; import org.apache.pulsar.client.api.AuthenticationDataProvider; 
@@ -111,25 +111,33 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest, JsseSslEngineFactory sslEngineFactory = new JsseSslEngineFactory(sslCtx); confBuilder.setSslEngineFactory(sslEngineFactory); } else { + SslProvider sslProvider = null; + if (conf.getSslProvider() != null) { + sslProvider = SslProvider.valueOf(conf.getSslProvider()); + } SslContext sslCtx = null; if (authData.hasDataForTls()) { sslCtx = authData.getTlsTrustStoreStream() == null - ? SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(), - conf.getTlsTrustCertsFilePath(), authData.getTlsCertificates(), - authData.getTlsPrivateKey()) - : SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(), - authData.getTlsTrustStoreStream(), authData.getTlsCertificates(), - authData.getTlsPrivateKey()); - } - else { + ? SecurityUtility.createNettySslContextForClient(sslProvider, + conf.isTlsAllowInsecureConnection(), + conf.getTlsTrustCertsFilePath(), authData.getTlsCertificates(), + authData.getTlsPrivateKey(), conf.getTlsCiphers(), conf.getTlsProtocols()) + : SecurityUtility.createNettySslContextForClient(sslProvider, + conf.isTlsAllowInsecureConnection(), + authData.getTlsTrustStoreStream(), authData.getTlsCertificates(), + authData.getTlsPrivateKey(), conf.getTlsCiphers(), conf.getTlsProtocols()); + } else { sslCtx = SecurityUtility.createNettySslContextForClient( + sslProvider, conf.isTlsAllowInsecureConnection(), - conf.getTlsTrustCertsFilePath()); + conf.getTlsTrustCertsFilePath(), conf.getTlsCiphers(), conf.getTlsProtocols()); } confBuilder.setSslContext(sslCtx); } confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection()); + } catch (GeneralSecurityException e) { + throw new PulsarClientException.InvalidConfigurationException(e); } catch (Exception e) { throw new PulsarClientException.InvalidConfigurationException(e); } 
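Review bot: The added `catch (GeneralSecurityException e)` does exactly what the following `catch (Exception e)` already does — both wrap the cause in `PulsarClientException.InvalidConfigurationException` — so the new clause changes no behaviour and only adds noise. Either drop it or give it a distinct message that points at the TLS settings, e.g. `throw new PulsarClientException.InvalidConfigurationException("Failed to build TLS context from client TLS configuration: " + e.getMessage(), e)` if such a constructor exists; I cannot see the exception's constructors from this patch. The enclosing method starts and ends outside the hunk.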
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java index b7a5fbadb4237..497793d792d8e 100644 --- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java +++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java @@ -18,6 +18,13 @@ */ package org.apache.pulsar.client.impl; +import io.netty.channel.Channel; +import io.netty.channel.ChannelInitializer; +import io.netty.channel.socket.SocketChannel; +import io.netty.handler.codec.LengthFieldBasedFrameDecoder; +import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslHandler; +import io.netty.handler.ssl.SslProvider; import java.net.InetSocketAddress; import java.util.Objects; import java.util.concurrent.CompletableFuture; @@ -36,13 +43,6 @@ import org.apache.pulsar.common.util.SecurityUtility; import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder; -import io.netty.channel.Channel; -import io.netty.channel.ChannelInitializer; -import io.netty.channel.socket.SocketChannel; -import io.netty.handler.codec.LengthFieldBasedFrameDecoder; -import io.netty.handler.ssl.SslContext; -import io.netty.handler.ssl.SslHandler; - @Slf4j public class PulsarChannelInitializer extends ChannelInitializer { 
@@ -93,19 +93,36 @@ public PulsarChannelInitializer(ClientConfigurationData conf, Supplier(() -> { try { + SslProvider sslProvider = null; + if (conf.getSslProvider() != null) { + sslProvider = SslProvider.valueOf(conf.getSslProvider()); + } + // Set client certificate if available AuthenticationDataProvider authData = conf.getAuthentication().getAuthData(); if (authData.hasDataForTls()) { return authData.getTlsTrustStoreStream() == null - ? SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(), - conf.getTlsTrustCertsFilePath(), - authData.getTlsCertificates(), authData.getTlsPrivateKey()) - : SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(), - authData.getTlsTrustStoreStream(), - authData.getTlsCertificates(), authData.getTlsPrivateKey()); + ? SecurityUtility.createNettySslContextForClient( + sslProvider, + conf.isTlsAllowInsecureConnection(), + conf.getTlsTrustCertsFilePath(), + authData.getTlsCertificates(), + authData.getTlsPrivateKey(), + conf.getTlsCiphers(), + conf.getTlsProtocols()) + : SecurityUtility.createNettySslContextForClient(sslProvider, + conf.isTlsAllowInsecureConnection(), + authData.getTlsTrustStoreStream(), + authData.getTlsCertificates(), authData.getTlsPrivateKey(), + conf.getTlsCiphers(), + conf.getTlsProtocols()); } else { - return SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(), - conf.getTlsTrustCertsFilePath()); + return SecurityUtility.createNettySslContextForClient( + sslProvider, + conf.isTlsAllowInsecureConnection(), + conf.getTlsTrustCertsFilePath(), + conf.getTlsCiphers(), + conf.getTlsProtocols()); } } catch (Exception e) { throw new RuntimeException("Failed to create TLS context", e); diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java index 560746df7f608..e1fef9aaa9b10 100644 
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java +++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java @@ -19,10 +19,12 @@ package org.apache.pulsar.common.util; import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslProvider; import java.io.FileNotFoundException; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.cert.X509Certificate; +import java.util.Set; import javax.net.ssl.SSLException; import lombok.extern.slf4j.Slf4j; import org.apache.pulsar.client.api.AuthenticationDataProvider; 
@@ -33,19 +35,33 @@ @Slf4j public class NettyClientSslContextRefresher extends SslContextAutoRefreshBuilder { private volatile SslContext sslNettyContext; - private boolean tlsAllowInsecureConnection; + private final boolean tlsAllowInsecureConnection; protected final FileModifiedTimeUpdater tlsTrustCertsFilePath; - private AuthenticationDataProvider authData; + protected final FileModifiedTimeUpdater tlsCertsFilePath; + protected final FileModifiedTimeUpdater tlsPrivateKeyFilePath; + private final AuthenticationDataProvider authData; + private final SslProvider sslProvider; + private final Set ciphers; + private final Set protocols; - public NettyClientSslContextRefresher(boolean allowInsecure, + public NettyClientSslContextRefresher(SslProvider sslProvider, boolean allowInsecure, String trustCertsFilePath, AuthenticationDataProvider authData, + Set ciphers, + Set protocols, long delayInSeconds) throws IOException, GeneralSecurityException { super(delayInSeconds); this.tlsAllowInsecureConnection = allowInsecure; this.tlsTrustCertsFilePath = new FileModifiedTimeUpdater(trustCertsFilePath); this.authData = authData; + this.tlsCertsFilePath = new FileModifiedTimeUpdater( + authData != null ? authData.getTlsCerificateFilePath() : null); + this.tlsPrivateKeyFilePath = new FileModifiedTimeUpdater( + authData != null ? authData.getTlsPrivateKeyFilePath() : null); + this.sslProvider = sslProvider; + this.ciphers = ciphers; + this.protocols = protocols; } @Override 
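Review bot: The new constructor takes `sslProvider`, `ciphers` and `protocols` with no Javadoc stating that `null` is accepted for each and leaves Netty's defaults in place, even though the new SslContextTest data provider includes the `{null, null}` combination, so that is clearly intended. Add a Javadoc block on the constructor with `@param sslProvider Netty SSL provider to use, or null for Netty's default`, and the same "or null for the provider's defaults" wording for `ciphers` and `protocols`. The two new `FileModifiedTimeUpdater` instances are constructed with a `null` path when `authData` is null; whether that class tolerates a null file name is not visible here, so it is worth confirming before `needUpdate()` calls `checkAndRefresh()` on them. The enclosing class continues outside the hunk.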
@@ -53,15 +69,16 @@ public synchronized SslContext update() throws SSLException, FileNotFoundException, GeneralSecurityException, IOException { if (authData != null && authData.hasDataForTls()) { this.sslNettyContext = authData.getTlsTrustStoreStream() == null - ? SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection, - tlsTrustCertsFilePath.getFileName(), (X509Certificate[]) authData.getTlsCertificates(), - authData.getTlsPrivateKey()) - : SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection, - authData.getTlsTrustStoreStream(), (X509Certificate[]) authData.getTlsCertificates(), - authData.getTlsPrivateKey()); + ? SecurityUtility.createNettySslContextForClient(this.sslProvider, this.tlsAllowInsecureConnection, + tlsTrustCertsFilePath.getFileName(), (X509Certificate[]) authData.getTlsCertificates(), + authData.getTlsPrivateKey(), this.ciphers, this.protocols) + : SecurityUtility.createNettySslContextForClient(this.sslProvider, this.tlsAllowInsecureConnection, + authData.getTlsTrustStoreStream(), (X509Certificate[]) authData.getTlsCertificates(), + authData.getTlsPrivateKey(), this.ciphers, this.protocols); } else { - this.sslNettyContext = SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection, - this.tlsTrustCertsFilePath.getFileName()); + this.sslNettyContext = + SecurityUtility.createNettySslContextForClient(this.sslProvider, this.tlsAllowInsecureConnection, + this.tlsTrustCertsFilePath.getFileName(), this.ciphers, this.protocols); } return this.sslNettyContext; } @@ -73,6 +90,8 @@ public SslContext getSslContext() { @Override public boolean needUpdate() { - return tlsTrustCertsFilePath.checkAndRefresh(); + return tlsTrustCertsFilePath.checkAndRefresh() || tlsCertsFilePath.checkAndRefresh() + || tlsPrivateKeyFilePath.checkAndRefresh(); + } } 
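Review bot: `needUpdate()` now chains the three `checkAndRefresh()` calls with `||`, so once `tlsTrustCertsFilePath` reports a change the cert and key updaters are not consulted in that call. If `checkAndRefresh()` records the observed modification time as its name suggests (not visible in this patch), the unconsulted updaters still report their change on the next `needUpdate()` and trigger a second rebuild of the context, which for the normal rotation case — cert, key and trust bundle replaced together — means one redundant rebuild per rotation. Evaluating all three before combining avoids that: `boolean trust = tlsTrustCertsFilePath.checkAndRefresh(); boolean cert = tlsCertsFilePath.checkAndRefresh(); boolean key = tlsPrivateKeyFilePath.checkAndRefresh(); return trust || cert || key;`. The hunk also appears to add a stray blank line before the method's closing brace.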
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyServerSslContextBuilder.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyServerSslContextBuilder.java index 250e628f0def7..e9fbb1f5e3ecf 100644 --- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyServerSslContextBuilder.java +++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyServerSslContextBuilder.java @@ -19,6 +19,7 @@ package org.apache.pulsar.common.util; import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslProvider; import java.io.FileNotFoundException; import java.io.IOException; import java.security.GeneralSecurityException; @@ -36,8 +37,10 @@ public class NettyServerSslContextBuilder extends SslContextAutoRefreshBuilder tlsCiphers; protected final Set tlsProtocols; protected final boolean tlsRequireTrustedClientCertOnConnect; + protected final SslProvider sslProvider; - public NettyServerSslContextBuilder(boolean allowInsecure, String trustCertsFilePath, String certificateFilePath, + public NettyServerSslContextBuilder(SslProvider sslProvider, boolean allowInsecure, String trustCertsFilePath, + String certificateFilePath, String keyFilePath, Set ciphers, Set protocols, boolean requireTrustedClientCertOnConnect, long delayInSeconds) { 
@@ -49,14 +52,17 @@ public NettyServerSslContextBuilder(boolean allowInsecure, String trustCertsFile this.tlsCiphers = ciphers; this.tlsProtocols = protocols; this.tlsRequireTrustedClientCertOnConnect = requireTrustedClientCertOnConnect; + this.sslProvider = sslProvider; } @Override public synchronized SslContext update() - throws SSLException, FileNotFoundException, GeneralSecurityException, IOException { - this.sslNettyContext = SecurityUtility.createNettySslContextForServer(tlsAllowInsecureConnection, - tlsTrustCertsFilePath.getFileName(), tlsCertificateFilePath.getFileName(), tlsKeyFilePath.getFileName(), - tlsCiphers, tlsProtocols, tlsRequireTrustedClientCertOnConnect); + throws SSLException, FileNotFoundException, GeneralSecurityException, IOException { + this.sslNettyContext = + SecurityUtility.createNettySslContextForServer(this.sslProvider, tlsAllowInsecureConnection, + tlsTrustCertsFilePath.getFileName(), tlsCertificateFilePath.getFileName(), + tlsKeyFilePath.getFileName(), + tlsCiphers, tlsProtocols, tlsRequireTrustedClientCertOnConnect); return this.sslNettyContext; } diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java index db8f861c789a3..d5a0c5a576722 100644 --- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java +++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java @@ -21,6 +21,7 @@ import io.netty.handler.ssl.ClientAuth; import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContextBuilder; +import io.netty.handler.ssl.SslProvider; import io.netty.handler.ssl.util.InsecureTrustManagerFactory; import java.io.BufferedReader; import java.io.File; 
@@ -111,7 +112,7 @@ public static Provider getProvider() { return getBCProviderFromClassPath(); } catch (Exception e) { log.warn("Not able to get Bouncy Castle provider for both FIPS and Non-FIPS from class path:", e); - throw new RuntimeException(e); + return null; } } @@ -201,10 +202,13 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Certi return createSslContext(allowInsecureConnection, trustCertificates, (Certificate[]) null, (PrivateKey) null); } - public static SslContext createNettySslContextForClient(boolean allowInsecureConnection, String trustCertsFilePath) + public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection, + String trustCertsFilePath, Set ciphers, + Set protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException { - return createNettySslContextForClient(allowInsecureConnection, trustCertsFilePath, (Certificate[]) null, - (PrivateKey) null); + return createNettySslContextForClient(sslProvider, allowInsecureConnection, trustCertsFilePath, + (Certificate[]) null, + (PrivateKey) null, ciphers, protocols); } public static SSLContext createSslContext(boolean allowInsecureConnection, String trustCertsFilePath, 
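Review bot: `getProvider()` now returns `null` after logging the warning instead of throwing, which silently changes the contract for every caller that expected a usable Bouncy Castle provider; the callers are not in this hunk, so whether each tolerates a null provider cannot be confirmed here. If a deliberate fallback to the JDK's own providers is intended, the warning should say so, e.g. `log.warn("Bouncy Castle provider (FIPS or non-FIPS) not found on the class path; falling back to the JDK default providers", e);`, and the method's Javadoc should state that it may return null. Any caller that passes the result straight into `KeyFactory.getInstance(alg, provider)` or a similar JCA factory will get an `IllegalArgumentException` for a null provider, so each call site deserves a null check. The enclosing method starts outside the hunk.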
@@ -230,12 +234,15 @@ public static SSLContext createSslContext(boolean allowInsecureConnection, Strin * @throws FileNotFoundException * @throws IOException */ - public static SslContext createAutoRefreshSslContextForClient(boolean allowInsecureConnection, - String trustCertsFilePath, String certFilePath, String keyFilePath, String sslContextAlgorithm, - int refreshDurationSec, ScheduledExecutorService executor) + public static SslContext createAutoRefreshSslContextForClient(SslProvider sslProvider, + boolean allowInsecureConnection, + String trustCertsFilePath, String certFilePath, + String keyFilePath, String sslContextAlgorithm, + int refreshDurationSec, + ScheduledExecutorService executor) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException { KeyManagerProxy keyManager = new KeyManagerProxy(certFilePath, keyFilePath, refreshDurationSec, executor); - SslContextBuilder sslContexBuilder = SslContextBuilder.forClient(); + SslContextBuilder sslContexBuilder = SslContextBuilder.forClient().sslProvider(sslProvider); sslContexBuilder.keyManager(keyManager); if (allowInsecureConnection) { sslContexBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); 
@@ -246,46 +253,62 @@ public static SslContext createAutoRefreshSslContextForClient(boolean allowInsec return sslContexBuilder.build(); } - public static SslContext createNettySslContextForClient(boolean allowInsecureConnection, String trustCertsFilePath, - String certFilePath, String keyFilePath) + public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection, + String trustCertsFilePath, + String certFilePath, String keyFilePath, + Set ciphers, + Set protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException { X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath); PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath); - return createNettySslContextForClient(allowInsecureConnection, trustCertsFilePath, certificates, privateKey); + return createNettySslContextForClient(sslProvider, allowInsecureConnection, trustCertsFilePath, certificates, + privateKey, ciphers, protocols); } - public static SslContext createNettySslContextForClient(boolean allowInsecureConnection, String trustCertsFilePath, - Certificate[] certificates, PrivateKey privateKey) + public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection, + String trustCertsFilePath, + Certificate[] certificates, PrivateKey privateKey, + Set ciphers, + Set protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException { if (StringUtils.isNotBlank(trustCertsFilePath)) { try (FileInputStream trustCertsStream = new FileInputStream(trustCertsFilePath)) { - return createNettySslContextForClient(allowInsecureConnection, trustCertsStream, certificates, - privateKey); + return createNettySslContextForClient(sslProvider, allowInsecureConnection, trustCertsStream, + certificates, + privateKey, ciphers, protocols); } } else { - return createNettySslContextForClient(allowInsecureConnection, (InputStream) null, certificates, - 
privateKey); + return createNettySslContextForClient(sslProvider, allowInsecureConnection, (InputStream) null, + certificates, + privateKey, ciphers, protocols); } } - public static SslContext createNettySslContextForClient(boolean allowInsecureConnection, - InputStream trustCertsStream, Certificate[] certificates, PrivateKey privateKey) + public static SslContext createNettySslContextForClient(SslProvider sslProvider, boolean allowInsecureConnection, + InputStream trustCertsStream, Certificate[] certificates, + PrivateKey privateKey, Set ciphers, + Set protocols) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException { - SslContextBuilder builder = SslContextBuilder.forClient(); + SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(sslProvider); setupTrustCerts(builder, allowInsecureConnection, trustCertsStream); setupKeyManager(builder, privateKey, (X509Certificate[]) certificates); + setupCiphers(builder, ciphers); + setupProtocols(builder, protocols); return builder.build(); } - public static SslContext createNettySslContextForServer(boolean allowInsecureConnection, String trustCertsFilePath, - String certFilePath, String keyFilePath, Set ciphers, Set protocols, - boolean requireTrustedClientCertOnConnect) + public static SslContext createNettySslContextForServer(SslProvider sslProvider, boolean allowInsecureConnection, + String trustCertsFilePath, + String certFilePath, String keyFilePath, + Set ciphers, Set protocols, + boolean requireTrustedClientCertOnConnect) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException { X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath); PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath); - SslContextBuilder builder = SslContextBuilder.forServer(privateKey, (X509Certificate[]) certificates); + SslContextBuilder builder = + SslContextBuilder.forServer(privateKey, (X509Certificate[]) certificates).sslProvider(sslProvider); 
setupCiphers(builder, ciphers); setupProtocols(builder, protocols); if (StringUtils.isNotBlank(trustCertsFilePath)) { diff --git a/pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java b/pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java new file mode 100644 index 0000000000000..0fbd2521ae08d --- /dev/null +++ b/pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java 
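Review bot: The `createNettySslContextForClient` overloads and `createNettySslContextForServer` now take a leading `SslProvider` plus trailing cipher and protocol sets, but none of the changed signatures documents that `null` is accepted for them — the new SslContextTest data provider passes `null` for both provider and ciphers, so that is clearly the intended contract. Each overload should get a Javadoc with `@param sslProvider the Netty SSL provider, or null to let Netty choose its default`, `@param ciphers enabled cipher suites, or null for the provider's defaults` and `@param protocols enabled TLS protocols, or null for the provider's defaults`. It is also worth stating how `setupCiphers`/`setupProtocols` behave when a configured suite is not supported by the chosen provider (the new test's comment notes OPENSSL doesn't support the listed JDK-named suites); whether the builder filters or fails is not visible in this patch. The enclosing `createNettySslContextForServer` continues past the hunk.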
@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.pulsar.common.util.netty;
+
+import static org.testng.Assert.assertThrows;
+import com.google.common.io.Resources;
+import io.netty.handler.ssl.SslProvider;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.HashSet;
+import java.util.Set;
+import javax.net.ssl.SSLException;
+import org.apache.pulsar.client.api.AuthenticationDataProvider;
+import org.apache.pulsar.client.api.KeyStoreParams;
+import org.apache.pulsar.common.util.NettyClientSslContextRefresher;
+import org.apache.pulsar.common.util.NettyServerSslContextBuilder;
+import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+public class SslContextTest {
+ @DataProvider(name = "caCertSslContextDataProvider")
+ public static Object[][] getSslContextDataProvider() {
+ Set ciphers = new HashSet<>();
+ ciphers.add("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
+ ciphers.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
+ ciphers.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
+ ciphers.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
+ ciphers.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
+
+ // Note: OPENSSL doesn't support these ciphers.
+ return new Object[][]{
+ new Object[]{SslProvider.JDK, ciphers},
+ new Object[]{SslProvider.JDK, null},
+
+ new Object[]{SslProvider.OPENSSL, ciphers},
+ new Object[]{SslProvider.OPENSSL, null},
+
+ new Object[]{null, ciphers},
+ new Object[]{null, null},
+ };
+ }
+
+ @DataProvider(name = "cipherDataProvider")
+ public static Object[] getCipher() {
+ Set cipher = new HashSet<>();
+ cipher.add("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
+ cipher.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
+ cipher.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
+ cipher.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
+ cipher.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
+
+ return new Object[]{null, cipher};
+ }
+
+ @Test(dataProvider = "cipherDataProvider")
+ public void testServerKeyStoreSSLContext(Set cipher) throws Exception {
+ NettySSLContextAutoRefreshBuilder contextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(null,
+ "JKS", Resources.getResource("ssl/jetty_server_key.jks").getPath(),
+ "jetty_server_pwd", false, "JKS",
+ Resources.getResource("ssl/jetty_server_trust.jks").getPath(),
+ "jetty_server_pwd", true, cipher,
+ null, 600);
+ contextAutoRefreshBuilder.update();
+ }
+
+ private static class ClientAuthenticationData implements AuthenticationDataProvider {
+ @Override
+ public KeyStoreParams getTlsKeyStoreParams() {
+ return null;
+ }
+ }
+
+ @Test(dataProvider = "cipherDataProvider")
+ public void testClientKeyStoreSSLContext(Set cipher) throws Exception {
+ NettySSLContextAutoRefreshBuilder contextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(null,
+ false, "JKS", Resources.getResource("ssl/jetty_server_trust.jks").getPath(),
+ "jetty_server_pwd", cipher, null, 0, new ClientAuthenticationData());
+ contextAutoRefreshBuilder.update();
+ }
+
+ @Test(dataProvider = "caCertSslContextDataProvider")
+ public void testServerCaCertSslContextWithSslProvider(SslProvider sslProvider, Set ciphers)
+ throws GeneralSecurityException, IOException {
+ NettyServerSslContextBuilder sslContext = new NettyServerSslContextBuilder(sslProvider,
+ true, Resources.getResource("ssl/my-ca/ca.pem").getPath(),
+ Resources.getResource("ssl/my-ca/server-ca.pem").getPath(),
+ Resources.getResource("ssl/my-ca/server-key.pem").getPath(),
+ ciphers,
+ null,
+ true, 60);
+ if (ciphers != null) {
+ if (sslProvider == null || sslProvider == SslProvider.OPENSSL) {
+ assertThrows(SSLException.class, sslContext::update);
+ return;
+ }
+ }
+ sslContext.update();
+ }
+
+ @Test(dataProvider = "caCertSslContextDataProvider")
+ public void testClientCaCertSslContextWithSslProvider(SslProvider sslProvider, Set ciphers)
+ throws GeneralSecurityException, IOException {
+ NettyClientSslContextRefresher sslContext = new NettyClientSslContextRefresher(sslProvider,
+ true, Resources.getResource("ssl/my-ca/ca.pem").getPath(),
+ null, ciphers, null, 0);
+ if (ciphers != null) {
+ if (sslProvider == null || sslProvider == SslProvider.OPENSSL) {
+ assertThrows(SSLException.class, sslContext::update);
+ return;
+ }
+ }
+ sslContext.update();
+ }
+}
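Review bot: The branch `if (sslProvider == null || sslProvider == SslProvider.OPENSSL)` in testServerCaCertSslContextWithSslProvider and testClientCaCertSslContextWithSslProvider expects an SSLException for a null provider with a non-null cipher set, which presumably only holds when netty resolves its default provider to OPENSSL, i.e. when netty-tcnative is on the test classpath; in an environment where the default is JDK the null case builds successfully and `assertThrows` fails. Resolving the default explicitly keeps the test environment-independent, e.g. `SslProvider effective = sslProvider != null ? sslProvider : SslContext.defaultServerProvider();` followed by `if (ciphers != null && effective == SslProvider.OPENSSL) {` (with `SslContext.defaultClientProvider()` in the client test), and the `// Note: OPENSSL doesn't support these ciphers.` comment should say which provider behaviour it relies on. None of the four tests inspect the context that `update()` builds, so a cipher or protocol set that the builder silently ignored would still pass; asserting on `cipherSuites()` of the resulting context for the JDK cases would close that gap.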
diff --git a/pulsar-common/src/test/resources/ssl/jetty_client_key.jks b/pulsar-common/src/test/resources/ssl/jetty_client_key.jks new file mode 100644 index 0000000000000000000000000000000000000000..2b8ea64347ddc536209770871a3629a62e806b04 GIT binary patch literal 2679 zcma)+c{J1u8^>qH%$Q+FmaJK_T+7gpGDC*!%h)1Z*+RA{WQ)i;cTAa5A>lS-Np=(2 z)r2TS!ia1oyM`#tgmk@~^S~?o&*%GmzkhxKB2Od)%mom6&~T(G*^>O7 z56lfNB=Q`E5_!abVG)1`tNt$uMuQSzdB1S>ugQS({>O#l0YeIjFvDLE2L$}>fbjw6 z0G)qM6rctb?(Jm`w&pdWD`__usFO&%hhSMa1oE2z1S|`n;D~=GLXa>Ja1@U8CR>92 zxu9TGsDQ;l0;cFo?FM$EYqFP0BdOQ zOW2Hc$=;m$0C^bRSZl3fEO;l&2s5JHyEm2{!fO*0THA6&$|mJUHHYCPsG4s=^7)gK zoZ{8nam4&_g$GSLyevUJRY`AuovLjT-!LlGJ9OH*Q*vE&eWi_1BXry|Sz7F;a&0yA zQ(s4V(7f$I!CPzI8|jv2%W3y*B(QdGBF;%zQ}k>$8kM)zc3=}UXe;ogMXKv>q~(^a>#WN9j$ zG-M6PdmVnfS1SLFTJ(@^#o9f~WQUsmmgFJI?cbJ{;vy}>H%#ajU4P`!!+pmUbU8`e zhc2lW)bGcKOT2haTIPTOzhxV)+_cC>1Vo`9nAcsc65^0QDzQ|@euELH}pPzW6?DY_xNg`rMG>Pe*&e| zbsLj!VYL|VvOa1$xkA&hz{qAXQpXf$xVtOhp~;#``vI&F;~_Mn-SEZU+asl|p27S9 z8%VTwoB9@Sq`#On|93t!$qDqJ5@9tPDVo+D`PTE`a73gm(M7<0=ldMHSR$|y>r66g zB1|WBo%yMqQB4p^hv-LHUCshs@I)*gh*!U082}z4VBouwYw$ zR)kFQau3;4i#0zw*q#XpYajO}!NROW~6{VO4=o-!qZcmN&9_8n`8K=+f)IT6ijJJ}<;8?@-* z`f(s;zEDsu$ZfT9Z7U&}`99UKAk1N^>f&NYE}sPuOkF8Cv_+COa^kpinjaSHS4nDA zwxVY!Uhqt&-|LSj$BoLo(K964putKVh)TB;7?uyDOI!<{t@y${qHTp2u;L3ff8au~ z+xHlwtuII%xRhoWof=;EWU=PuxUF-OcQ(a;q`BhM6pb1Vi~~=A%pLD1`e8E=z4LahXJTapqc1TI{oLc(_$?W89?rL-9dJ@$x<(TCZTnw&#zVOvehNeC6 z^|DBg5MBRL@gpgx)yR2}OJ=dP+x9WsOk$Hkfbff(WF8GlF8<}F{i)mi`b$if^cxC& zL(>2d|GO@c!kQ>)9#9A<7IX>Z4~hlk{*gp9g`t8@gb;sOP0UFhO&ttYO9u-801@i* z_Y*g~kO+1Bh3p_;(643jj{^Q*C9U>nO9xX*|H7^Kpr`s@4N+EoKhpl6k~Z$cCx?C< zX~HV8M=umjI3^RhhN`6)+|T^nf#Z5}rZ*PbjWevmFrx}XmI@E5kJFk4refCI)79;W z`~wW%A_jJO3fij$k0?G6o78JDq$R0+9GB#IZ?zFB{;l+d!sc=C{Lp)wb=mTV2(~lf zd%5tyEB*mLF+>PnaTiKT)vU{Yy~d9S-c0z$#W{bf{NlE!G~Yxz#Po~y7Ydh8HO=Cs zufvxB<}FIfx>K}{-LdpGt@3p-lt>h+{Q+dCgud|ekicK(GU3HafzshO{U#PZ4Cfks zzNQ=z2JS2n2-Zs><-|?In^Xl~|9zS_W!AWNw}4-@>XJH%3xnsZ1oqfob&HCdS8mWa 
z{OX;PeBIg&zolM#V@!Hd8!Th4rCMFyq|y5NSF#KxMfot#y=*v^@QKhJuAe1_;h>eF zA9Hl{lkb7dt0Q+t6%rKLQAalVn$(`f`80@=;*@<$%Chx1;*2SW^my&Dfwasg*rr@w zW*=7_%jXmQbL+6nSUJ8~MRhLsGGUcMp2|xWO_#|g)ok?~&y9Oqww&71d}R@P?u5^q zFeLcI{rguAsbbnr&;M*0e%LR^9OxJhpnf`Os_C~?bj5i`d+kZz-P@wJ#E~G2TKTo| zn$Ee!){KtNG-OI^AdD`p8R-wPkAJ(;YjS_>(au8MwMP(e+@1!QENz zQT=$w6$jf1IhA$xtHuz7B4)2-RHZchN99rVxNY3IH1vfRPd$|0KW}ml@+&$Y+J~z- zA!O-Ta1H6IG({E1g}ETNP4ydS_u(M=TRd>zZ=mz7~; zzDlv@U%3_XP+8*XW-_uQp`I8SklWk)juwrxp9LV%@xfPpwRXeq>6Tzw-H&f7!lQad ztnI_YP52g?HtI{=-f7gC`a5ux6`?k3CU}-&)X6M9_MvwLgnBlCH~jI1-slxO^0b3c z9vyN=`IckGzR4LYR07qZtzYNFhv47Z;1(f_juXWTPH#MxLh;ipSB1%;XnnPO$&o$& z=HEs3jK6DlkSY!KYO!r0W}RAfDsaby`;60|+l&3X#4fY9SZaN|edJ%^8g_4*yKo9hB0UwLkk>X_cg1#}x>sw+RSQap z@)k;sbCS=yZzmQGYv}Haeb~B1Uye!{%9>}Fs2)=hYH|0SbQ5!#_PVIIUTDhk44UrG zo_+BJFaYELBpjy3&jpcyfuO>OwKJQG@jt literal 0 HcmV?d00001 
diff --git a/pulsar-common/src/test/resources/ssl/jetty_client_trust.jks b/pulsar-common/src/test/resources/ssl/jetty_client_trust.jks new file mode 100644 index 0000000000000000000000000000000000000000..166a2e00fb371dd160b46c58c7fdda651b80476d GIT binary patch literal 1207 zcmV;o1W5ZZf&{Yy0Ru3C1Z)NgDuzgg_YDCD0ic2eT?B#zSulbGRWO1CQ3eSrhDe6@ z4FLxRpn?QKFoFa=0s#Opf&@1P2`Yw2hW8Bt2LUi<1_>&LNQUx*>HEztr3ClCSwATSID2r7n1hW8Bu2?YQ! z9R>+thDZTr0|Wso1Q5^M!Qal>5Fu9lG2=y3IQM{p1Hj5fkrUO$PsVgh_z>aVy6Owl z_B9+#ZC|>KfcUL|7_CY&aO4xIf|96gWjHehp;Y4!>sS@?EWjQ=d+XsZg^7dp^TeY- zzmjwZ9@gMR;!r&giVFFc?)qDf>!lsdCxaBa+rIK=D%ZxSF@q;=}sH zU`O19^Av45I@o%cH&)LRjP0uu45d#_5!XkhqG@7f7r*OlNP|c%>f_<5_}+};6V)Ye zo<&eUjqm%MmS6YE*Eo86+8~=D9_0!c34C{~kf;Ik0n2H34li!D_#G%HS5EXBPa4g1 zMZbWlwCjx`h<`-x=4tGu75Mxk3(#Z84s zDUF@87lhI{F91%P>^+1ypM3H?3ir^XTWH#SfMogz_CvvQTOondxHfV=Mc!=BF@qE1 z+wFg<&CWA^go4=Eq76dLZn3Y69?Q3+Us-dr-jn^MvD> zth`d6)$l^5<1*&malqV@mqlV3Aw%p<8c2hSEPo3oLUzYf*nhxH6!dw2KB-v(ZJF~j zgI~)+$p&SJ%m!Z`1=CSOu?$E(F|qkajvaE1toh*9V(7iR+j^&|mzeX{a)Ed7?+r?Q z>IpT!G`B9+XGP=uj+ZiF8k+HF2^-*-Ph^^l5{+)6_0oLnGnN!U*enujJW)y>3wQz2 z;f5ykk#&1Ld=Ooq6@lzy^K}rOV#U|&>&8T{xFg~Wj|Vr@Eo$U&!2IKra#PjkEK$)S_Fi%(FtbThGYxZF5Z`UpSYg?e2E)u!vTys ze;3jUqo#IR=b`1Pf;YU|nS!fyv?ss>JBZ&EA&9{AB-j1(#1-J8QE&}mmGv0I*j9+L ze@zWFisk;5)z#5mRS*q6Dv4u?poAuood3M$$9g4CmOT$O&@YwLl;|2%=|;o8+emn9ebOhnC?~#}$I^h@!r!!V#h5^OS=4h@@+Rx&ql41i_-s*j zNR#b7c`+Vl@obamJi@l89PjWCP^gsBpoZ_fZe5gs{MoW~Qe*y3wWxU=YUB_kDt!Tg zFkP!&rzfLU$z!l8PPH3s6n)}QGnb}TW4pQ4tBiBYKnSwgXOZ+Fv!V858yjfYFG4qK zc=86Fmswe&6(HIi;SGFvXHjAYapq$y7DoYcNW3>e4KzOF50RjU7hM@CGG!p;- literal 0 HcmV?d00001 
diff --git a/pulsar-common/src/test/resources/ssl/jetty_server_key.jks b/pulsar-common/src/test/resources/ssl/jetty_server_key.jks new file mode 100644 index 0000000000000000000000000000000000000000..b6189b75c8ad01656e2d5e9102de21d82183b61f GIT binary patch literal 2679 zcma)+X*d*&7RP6pF$~#Fq~@K3!Jx5Z8)e_JXJ;5?DO<>vEsQZkVXWCT$@1EgY?Uly zA4{^NM7CmNDe4v3=6arcpZ9(4r+Yt~=RD{4KmYULeE6gB&>$utGa3(-W?_>e8WML; z0UU9%^P@acFxtCpe;S$+O7Xt$>GBF{!nScm12Mg=JFEX)#0qAoqY_3E@ zpa(MuC%W^VX`cow3oFs zo><#J99M7b-8cJe736RVi8p6?H;e0!c2%V{3MKW9k@>K{>ooT(Mq>S=E(e)=(vGU~ z7O1DD%$vW;Bv~wMwQXoGULh955gQEPQ6MZMs=qH@6* z5uS$`^Iw2p$PR7A#4+$f?gyZA@{10{Tw$IoCuQRkN_|w?L^TnkXPiHB>PiPU#@~5Y z!9mF1LG@fNpYL=2QUdU?`?19gmN(@u`&sKl1Knp_h3*+SJKr@yAU*o~5!%{BgT*sYXC1;_qRcBeNkSefY;KcqnX_c5C<#P9as7(m8& zr6jy+>7rW8w3jxFeSsYtc9KT#2lwF~QVzDb?MM=Y_4@9VG7b#L9%xeMN9a#Ih9(Nl zuaqPVyLu)|ioncWPmAZv@eFd4Y6Im?(xT{(XNB|5NH4qo>@^X~B33{6j+ zj3o!x8}PX~jjA(o`4!)!9j5CwOS#AAyjA|SH~xn$vu^d4(kw%gQ1^W1o*~;FOR|`? zP~|H7wlYqCQ8lBP;|8x4#(w6_=irHkEA_9pNo9p&DFVuZ+0psqzoX&R%!%#6eeAj= zP~4)>1XvVo$P0^&pbw?Oja-m=*j-|KAZ$KI=mEm77`QEJqL{raHVK;TQcHVE?MB*U`f}%s>8wj9#+AFw|u+6 zI#Z>9su`^hZOZN^zkcey#8J7%TXPCg{lEiZ_T6TbIyVI@IDc>YMcA`!R6~^!&%!VH zio01fD{z?hTCFLJlh1PRrOLs|#a+r%vb^bJhbUV4K+=iujYH&B7=hlrraC)j5_?Gd zXzgqnx)ky(pptTx3p!r^mtkITP$|AaKs zb0_Pdzc&>U7_obEXsIt2&-_-qA200c`=i=p@SQ8t;*`ZIIh>LIX#c?$yNnxGx-@CG9V!L7FJ4KSuGqX&B+6|BaW5Xv0*68j*#pS{@pz^mx^gY>19M-NN5 zrdu}_)JjON(q`$K^JzTBGCk{OU{XGDln_a=ZOJVYd-bwwdgM6`Xzk@vK0_bGO}5&f z-SY^}80&9+E6cvf4C|N6SgZZ)jFgHB`URl|)_g2t(QFvM4E%wr2k@tr=I)Yv3MDkj zO723hARR^mkM0}vU$|-?shl}5+{NKKz5Oir;wo-DkB>RB79(V7*$qdk9Xq)lpD||0 zX5wlNM^%&J$5&;GhCxo#+$ymdAF4nHrK$p*-|1&GQq1?KpO^nwJ+~?`cS(8qDOz59 zYQ1ob{l2g!Fr5J-8DB2^^Okl{;#SFWh`+sNXVajcdQ9dfY8KvR;nsnw$JJ@Xs8(&g zKiV3RqlNdu3&TGj1Sug??R$EGAzGOng-@KoJbojDry?5aN>~q;7s)v6(}4 zd75i6-ME&)pkQs#EsOfpHa9`ZY>YXM;OHU6<b~0Kfjx$$TqxRP9Q?laVx({SEw|p zsq>Yr49M9W-J9Z$2Ftt)w{0&O{Vod*@~smt_}FRP`sJ(ILS&W8ed8r*tMoXBF?ODy z?E+S1Yj(=r+0^BD!^bawE!w`X;m+t+-3Y+2P7IL1*FrdD9J`b59n+Qzg~>4fytnR7 
zd_FG%;)6q&#__}pRBW_!=uGWOwKEb49x(9eJ z()s{(+pgj?)%NF+lJ3#n!k8a>kGF<>*e&j%B|2rN9Nu9^s?~(t<36b*!Z0=F$ZD{M zc;dmmOJ&^l9+c01mQrS6;DJsJ1)qpA_p4#>A+8$R>BAU)S~C}p=2qb)=dwVE3PgCy zWT$&(%A&8J&!gE`z$i{;rZZpwh`%^7JT?I}quq=3p8No(`+aSzJp}R3&tU&3V+y$Q VG@ehyINfadmm$iEi5W&LNQU1{2WbhzDFg0%tyClCSwATSID2r7n1hW8Bu2?YQ! z9R>+thDZTr0|Wso1Q6%HmdJvi=!x)|)(Hp2!0dp61HeN(zLVt~!UK$+y>FT6hquWc zr{0$V-CjGyITpE#ztPRgd(`p)YFNC@C_yu^0N01Xe*q8KQ;UmCk%nnl+PypV^2qf+ zR5yLpp)DMAmu}*~$K;662hCCZ_{m5P2>T^RxB|+ZzD-qP4)!Vf&Fe=T+xF@JBdWoF z{S1eg(YE3~A(q!fiujgl`J!f@`vN?5e2(Wnr{@>fso0GN%?f~^he4CIysbR?m{@;T z)lx{Nv%{~>sw_e}Vu z;OD|xTR{ud@3X3lmr#6Ro};!0(F_X4b$)6B2CCVUvrbIJI%)!`k3jnD-^f9Hn&cc$Ef*nIU{&(ehk z4R22VpYJy+S=az>ufLVyHVq|?fZZWknJoD@*scGvYVB122|{OxC-%g;Spmd?ygmT& z1UuMmhg!~l@A_`k$I(#?v*m2MZNoK?deqnSWE-bKmMedv9-u*ob~U|IwIh`Ueg_MH zeXQjav8gD=;3htb*_c^RFSCP}^|s%9NRC#c)!eor%_kzk)yd}&&o)?oP{(!!!N~pu3E;* zY2Ww4*mK2JS_z11Dc^y@vC#}G7yiV?JYXeTBoq<&&RHuhLchZfDRcTptBPE03vJ(o zg<1-94BM}s)}9%Pf<9eXy6+H`36S!$HUV+2q-G3Ll#XAY>s2f$UhNZ&>62r_1S!<| z=y+ro10#ie1Fkq;i~FdCDE%T{rOjo-J9%3z?ah?$iQi?twj8Vg1Qlj?lMK93ubTbKujdc^9ACs zc%-%U0zjYXYlz>Txj2xl%&TWzVevX=IVS)B literal 0 HcmV?d00001 diff --git a/pulsar-common/src/test/resources/ssl/my-ca/ca.pem b/pulsar-common/src/test/resources/ssl/my-ca/ca.pem new file mode 100644 index 0000000000000..3d5a80e234784 --- /dev/null +++ b/pulsar-common/src/test/resources/ssl/my-ca/ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9DCCAdygAwIBAgIUNbNkV2+K2Hf4Q1V5gdAENZQiLokwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAxMGUHVsc2FyMCAXDTIyMDExNDA0MjgwMFoYDzIxMjIwMTE2 +MDQyODAwWjARMQ8wDQYDVQQDEwZQdWxzYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDBR2K5EKVziLqdsz78efEW4lOwKiJ32e97uxn1Z6oKgkgImpVP +Z9aoJB4EwSnDg+6FV2YULdWPm7C6W33tDmWRaU/Hlo/cOejnK8UmiMu/EyDpE2Wj +n0RimGmwOkBi2IWIcIzWMmPDZ9kZc65OUeEmwZedKRy62PQyfCeNU4OOHQn3PXjI +NbXJZD5TvBmn4SJn2RP9EgmIPaBAh/Mng045ZeHHLhwMKC8EOyHc2aB7AL6brymR +xzsiYWdcJn4mqqMvT82mVvhkgAMOcR4CXYF8eYnsG6ZbDHb13CawcvLVREJZk7AB +XZi9Rd5xczxHILM8rdkIZfunaG1X5hbih5wJAgMBAAGjQjBAMA4GA1UdDwEB/wQE +AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTCC1lYG+62cUPjNk9q4jCm +Ps65njANBgkqhkiG9w0BAQsFAAOCAQEAKV2Lpu5cH5EsG53EWsYxEKvuQZ0LTxCE +wCDf/NxJaQbzfv0tsbZatMge0vcZ/5r8tZZoOC+pGTwk6MaRbEFH8PmvlH1LIQvu +Y34/YQZOy8wBTWwaIfFMnYWc0iAFoFt2Lzuq+GOI+svTFp729Ae8r7UxY/f9Lioc +ttdGr7vA6PpcIMoEIPjVp+m41uL9IDfX8eOxg4gVlwtqpbHdTzMrOz0YY+3qH/WK +6Qffw4pwitzAEj2zCn2lvGC5cbpd13SAaqtB3xL/Aet0SS2r3g9qDo1RruQhXUng +06U/Hqtn5K1fNQv3pivi3Jg5z1DfJWHkH37luAoIlOZHRmPK6rhp/g== +-----END CERTIFICATE----- diff --git a/pulsar-common/src/test/resources/ssl/my-ca/client-ca.pem b/pulsar-common/src/test/resources/ssl/my-ca/client-ca.pem new file mode 100644 index 0000000000000..adcae3393ade1 --- /dev/null +++ b/pulsar-common/src/test/resources/ssl/my-ca/client-ca.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHDCCAgSgAwIBAgIUJJpmKX3DnbUwJ7tUhCt8MTiwz0owDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAxMGUHVsc2FyMCAXDTIyMDExNDA0MjgwMFoYDzIxMjExMjIx +MDQyODAwWjARMQ8wDQYDVQQDEwZQdWxzYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDZN+CNZ1i1WaXulbwSASOfXErWXhGV9DHqavPp3DohgQdundfS +648T/X80uWQlyxu4L4j0oc97jtzc1AyZFXj5nocVsveEO9aDjnYCc5NdBNJLQHgl +IO59fEpTd55NO24g9a8/sxgn0ADCenMlngk1Ou+2QJBONw7W12/WUSUg6ICe+b+x +qPzgApue16oGw9HxhPwa3oEvVZrEnFIWLjsSWtezhgFHMCH9/ngk0KlRyes/EZCz +ZgkO5mgii2fmNDg+yuWUfw7Q0x6BJskGIrxisJiJBRR1+DIvJqgqxJsNmeeEQrZK +YHBukj5RWDFOpOHgqFbPsv45sVKoLrGFrMnNAgMBAAGjajBoMA4GA1UdDwEB/wQE +AwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW +BBSwkx93xjYP4I+dcFF3xS9NLesmFjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJ +KoZIhvcNAQELBQADggEBAAK3ZF63w46pT76QIOeSM3ocUm6izvW/IrxLUESfgRC4 +gg0/5VfPiHHUe6orn15KuPXHe7xCUFqc2oFn5aIU1B/6iOPeNItvMJidU0a3UAiw +hFK9MSFgESNBiEnu1dE5tPcIIxTyCFQ/8loeY3dsdcNVoguH/2J9v/XcMMga46A1 +wudaaa1nb+ZYnXkRuyObKVJQN7EqC+4edinMOTPBbF9wtRMAMBRHXXENXb9zFthi +Dbdn4YvadYsNHxh5ar+hQn/HSPMuCUPY/uUqxtBagb6aS0YnSoUscSLs1Jizg5NX +d+QV8X/5E6W4xWnptUZwVxOemkdnr6A8MH1eQKKFZTM= +-----END CERTIFICATE----- diff --git a/pulsar-common/src/test/resources/ssl/my-ca/client-key.pem b/pulsar-common/src/test/resources/ssl/my-ca/client-key.pem new file mode 100644 index 0000000000000..5b08b151c8094 --- /dev/null +++ b/pulsar-common/src/test/resources/ssl/my-ca/client-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDZN+CNZ1i1WaXu +lbwSASOfXErWXhGV9DHqavPp3DohgQdundfS648T/X80uWQlyxu4L4j0oc97jtzc +1AyZFXj5nocVsveEO9aDjnYCc5NdBNJLQHglIO59fEpTd55NO24g9a8/sxgn0ADC +enMlngk1Ou+2QJBONw7W12/WUSUg6ICe+b+xqPzgApue16oGw9HxhPwa3oEvVZrE +nFIWLjsSWtezhgFHMCH9/ngk0KlRyes/EZCzZgkO5mgii2fmNDg+yuWUfw7Q0x6B +JskGIrxisJiJBRR1+DIvJqgqxJsNmeeEQrZKYHBukj5RWDFOpOHgqFbPsv45sVKo +LrGFrMnNAgMBAAECggEATeVZ45uiFja16J9NuG8sJSPluoY1bD8L/3KnUcAmIImy +7powIXVT8+k+StwI6/ywThbN2FyGmVqcHZz1f5hRr8KH0uJBHOyQetEFxM9Jk1v9 +Rfsymq36mImP5erJnAyp66vvUrqY+P4Ap71duam4x5wBBqyUk1fvPGA5vPOQiwHs +TN9JHizGobY25fpigWKIMamyE7HWXEUzVdOo83ZiNx53ths+WcF/kqto2v5LtyfJ +HgoPocfZI8tRz9tfgc8zOkvyjsvgdd6rLhd0r2oExnyQBJdktGFpQZMGambU328u +NqcdJscjP/HWAHRzuSdOvCMOEn8E5GIjcWEnQqOmSQKBgQDcpb655/UdcVxrv2Ou +8juucDJMpf6i/UcmlXVXx+3zGSuQZcCC2fupe3JcxPdK7bo65YlC3OoRihggh2sS +cnFMNHMfyoE3G/doXIr3QyL9UAQt4yb+7Nz7jRXYcg4Ytv+FVS6BSzIDEK17v+es +GuWDM3JwtigtzYS4tRh7lgmuBwKBgQD8BXp7yIyVv657B8OJJSoeGataziFPhZux +WKoS3gq24169ZWXwLc+nwrdgvBNrRaHuX+cYh93RF9+2WZrRcRL41XqN938adasY +zPsfOJa9IOgUzQtGUMSe1/WqvHfcvqZCqYq4u/LSdf+I67woP4tCqqn4E928aIZb +6PjLH+dUiwKBgH1ntn7y1t1lEKIspPtJsaHzIqNttMvuKAJF7+t0Nkl0hM4NBt1Y +BzDMeLNBP0vW0YGn89uMs3xEgHH8hV52rO4i4UuwTMCFpJgsAM+H2NsgHz/1WrSI +6xANn9zk9h4V5CRjxYq2sjYLxI4RBBtNLiTjmKd24F8n78cLJl8XZ2kBAoGAGoHF +ATH1v2ZaxqvpYApdpK7UfAeEL2YBGyUVNkjOXbAKbec1Uo6u8ZkkSnNdo4G+Z2EE +4Gqh5PUa3YYNJ4w6D5v8eOQYJUNNDJ26p+z+xcOpRU7PqcSi+YYDW8LY5InU2NwW +MBnsj0BD8TXCI4WTcx6aI/KK9t8TiqU1Tb/8R8MCgYANVinOLz2enB+Qzu4o88W/ +witKHI3D9+z/uWjp0Q4rwmr3OL4FD9vZWvL4qwbDgpfLirJ4e3UVfN1/FoytAKlk +Kykf8oDWciCIdxStt/yUpgQv78IL3vM5d9B8Qb7KCRtJ0BIXGJ7Gle3xJeuduZLe ++F+hwI3Dpv5HPqa9o6ttJw== +-----END PRIVATE KEY----- diff --git a/pulsar-common/src/test/resources/ssl/my-ca/server-ca.pem b/pulsar-common/src/test/resources/ssl/my-ca/server-ca.pem new file mode 100644 index 0000000000000..df5f69298e258 --- /dev/null 
+++ b/pulsar-common/src/test/resources/ssl/my-ca/server-ca.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHDCCAgSgAwIBAgIUVQHD0/oi9Ca50HA7DFLYOO2wEzYwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAxMGUHVsc2FyMCAXDTIyMDExNDA0MjgwMFoYDzIxMjExMjIx +MDQyODAwWjARMQ8wDQYDVQQDEwZQdWxzYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDBcqDkMhjLd9ik//UQijqbajQP5t6dvVZNn9gODQrS9oB/URur +NzCcPWYPJZfEJlTkV8mlmgq4dBjwghpy5ALOGiERk55JPIN4cy01hQ6j7YSPFvMv +BjqZvm5dpGDNTr7GY7THegMM1wpk9EaUOm7tBOHtf6ZnANjSMcQM74RCSBt0Koqw +06CKVDCbgJ5NNE1LgwYeVQAwtQAhY8rqqQKJvCorFbq7OiisFBnz5pRBT6N4kMo1 +9LZo3Oe2F2w9eH9vacQ0NjSOCNXqal9Xl/Pwy9JgKKppwZ/3nCgRc+yfjrnkRz0f +b+llb2NpR5Ge+tNMakqelE8bDSw/5BPjRPftAgMBAAGjajBoMA4GA1UdDwEB/wQE +AwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW +BBRXws5mmLbW+xOLflUyUZ0I0uN96zAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJ +KoZIhvcNAQELBQADggEBAKMklpYJIkp4icz9Ea5wWQiRXWb94lGdyCA833VHeGB2 +fKvNXj1d6lEiy26pOjhDmycroKelj70WqOsqVgi4xh4Y9sj6pwb8Q423Tu3qNO1k +qaScTar2DANSigNzqlSbLshPWQ2ZyDwkvZPuqPgHzOXekzbUGwxgCiySaQkl2mCS +mBaG3XnESwiMIKkLphEv0MAvTVaImbSRWYEQ4OECwcHXxx+14wK8NLcdDIHcSzki +8Eq24CxDOeL5QxciGMi5tylsdCpT+D/BXTKiu46yoRjXUsTLYL53yUZZIqQ3A4CV +enZ/vHhP0Ev9RcRigFTqrBm7EC3b2AUpvqgRMnPwQZo= +-----END CERTIFICATE----- diff --git a/pulsar-common/src/test/resources/ssl/my-ca/server-key.pem b/pulsar-common/src/test/resources/ssl/my-ca/server-key.pem new file mode 100644 index 0000000000000..a3f3a36b73c37 --- /dev/null +++ b/pulsar-common/src/test/resources/ssl/my-ca/server-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBcqDkMhjLd9ik +//UQijqbajQP5t6dvVZNn9gODQrS9oB/URurNzCcPWYPJZfEJlTkV8mlmgq4dBjw +ghpy5ALOGiERk55JPIN4cy01hQ6j7YSPFvMvBjqZvm5dpGDNTr7GY7THegMM1wpk +9EaUOm7tBOHtf6ZnANjSMcQM74RCSBt0Koqw06CKVDCbgJ5NNE1LgwYeVQAwtQAh +Y8rqqQKJvCorFbq7OiisFBnz5pRBT6N4kMo19LZo3Oe2F2w9eH9vacQ0NjSOCNXq +al9Xl/Pwy9JgKKppwZ/3nCgRc+yfjrnkRz0fb+llb2NpR5Ge+tNMakqelE8bDSw/ +5BPjRPftAgMBAAECggEBAJm2JsgMUo1ihn/dbnIdFCKoCgRUs7FtYCVADOJlVKN7 +AXGpFi4/JV4Qn4cLnQNcXfovE2iF9VzJy4NYLgH60YvJUVtxC8Yv0lukUVkEiDST +p9A3MTa9YVUG7xVzZwPcPVTQpzYV6lSKjpTXUTm5EKk/RvJ7itKv5plmt9x7eYFb +/JwqXo1Z6C4gfIFR85LWmrCsNUK5T9oooLz88D6+ZH3+fWlr75RDff2kqdLshMTs +N0Ov7NXcRFeruFs/IPrgTxjBMeNa2LFdYVPeeQ41L4uOI49uVBAmSn1be+THvDoj +Do+6wTEF/h6/VLoOaIFZZdHlqd4is+xcEg8gwVkCn2ECgYEAxqVvGKc9qaqEVwBx +U5Ru9OFx0NqEBvkYZRbCg1REcMFd3lqFTHvHiF3pmCp0XgLJKYuy42618IJXhj6D +Y15/p9jX0025MpnH/AdwpO6x5pv6gb/JOMnHOnq8sI3R+V6TVsv1WZj0sOj94mF0 ++Od++bQkUnSlfE4X7v+cJfo/Q8UCgYEA+Uz1yOyI9Dv1dEdBMdBA8MTriYU0uJCV +dVKzL/uC9XyguVBWu1HX0MvEKyjPRycvLB7TuQqAFLgCtC8EEuPGBpWtyXOm9Jxw +ToCfUZFuBQeMuf4vZcFgJjiEKTdKBxrvjkhyIhPR6JAy0WUr8Ry+ZtqvmG5NOEz5 +ptm1tznYngkCgYEAlckeyV8p/uqF2biKu3QcamgoU0zB6yQfAfK0fySmasNTzZtC +EhbvsOLnhgbVMiI1ny8ol5fedtlBuAchOWeDKIQ40as0r3QHuQG/LY6S9Im+zeFY +kIqNwInWB+cYYkmvHe6zNXlBYLh+4BmOgzTDqPPtw4MTWXTlVSDGlFhrJeUCgYBX +7rlS4Xt9ChkNpoRsWZROWGbr3rw1zWmqND1X01Lh28+lDZ1J/RguYXET+BUEd+G/ +oi/zuKxsomrxuxOoxgZ3FBx0TgK5jORgDCYl0zIHPB57DBkTvx123cBf+Ux3LR0K +BqubMXp8mUATc6gIJ6dRCBmfnmhGT4BPRcM+mXy6YQKBgGEGH37VABus+Oi3g1bk +qEAaUI1asRLJIfbY2ImxEroLIQAbTFuIQUsZTKpT7jJZubjYvy1Fev0LU/n7Kv2w +7ym41z70ro5uxwUBfJjnF3RtgncNcftn4b3siNzvBfKEBuhegMeS5YAbBIwABUpR +4mVpm9BLOiX4yENIT6JdUQFc +-----END PRIVATE KEY----- diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java index 0231251e3f79c..a29158f39026c 100644 
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java +++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java @@ -410,7 +410,9 @@ public class ProxyConfiguration implements PulsarConfiguration { @FieldContext( category = CATEGORY_KEYSTORE_TLS, - doc = "TLS Provider" + doc = "Specify the TLS provider for the broker service: \n" + + "When using TLS authentication with CACert, the valid value is either OPENSSL or JDK.\n" + + "When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc." ) private String tlsProvider = null; diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java index a033a87912d87..12abf871b5078 100644 --- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java +++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java @@ -21,6 +21,7 @@ import static org.apache.commons.lang3.StringUtils.isEmpty; import io.netty.handler.ssl.SslHandler; +import io.netty.handler.ssl.SslProvider; import io.netty.handler.timeout.ReadTimeoutHandler; import java.util.concurrent.TimeUnit; import java.util.function.Supplier; 
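Review bot: The new doc string on `tlsProvider` says "for the broker service", but this is ProxyConfiguration and the ServiceChannelInitializer hunk feeds `getTlsProvider()` into the proxy's own listener context, so the text reads as copied from the broker config; `doc = "Specify the TLS provider for the proxy service: \n"` would describe the field. The same string lists SunJSSE and Conscrypt as valid values, yet the CA-cert path parses this field with `SslProvider.valueOf`, which accepts only the exact enum names, so the doc should state that on that path the value is case-sensitive and must be exactly `OPENSSL` or `JDK`. "Conscrypt and etc." should read "Conscrypt, etc.".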
@@ -79,7 +80,13 @@ public ServiceChannelInitializer(ProxyService proxyService, ProxyConfiguration s serviceConfig.getTlsProtocols(), serviceConfig.getTlsCertRefreshCheckDurationSec()); } else { - serverSslCtxRefresher = new NettyServerSslContextBuilder(serviceConfig.isTlsAllowInsecureConnection(), + SslProvider sslProvider = null; + if (serviceConfig.getTlsProvider() != null) { + sslProvider = SslProvider.valueOf(serviceConfig.getTlsProvider()); + } + serverSslCtxRefresher = new NettyServerSslContextBuilder( + sslProvider, + serviceConfig.isTlsAllowInsecureConnection(), serviceConfig.getTlsTrustCertsFilePath(), serviceConfig.getTlsCertificateFilePath(), serviceConfig.getTlsKeyFilePath(), serviceConfig.getTlsCiphers(), serviceConfig.getTlsProtocols(), serviceConfig.isTlsRequireTrustedClientCertOnConnect(), @@ -109,11 +116,19 @@ public ServiceChannelInitializer(ProxyService proxyService, ProxyConfiguration s serviceConfig.getTlsCertRefreshCheckDurationSec(), authData); } else { + SslProvider sslProvider = null; + if (serviceConfig.getBrokerClientSslProvider() != null) { + sslProvider = SslProvider.valueOf(serviceConfig.getBrokerClientSslProvider()); + } clientSslCtxRefresher = new NettyClientSslContextRefresher( + sslProvider, serviceConfig.isTlsAllowInsecureConnection(), serviceConfig.getBrokerClientTrustCertsFilePath(), authData, - serviceConfig.getTlsCertRefreshCheckDurationSec()); + serviceConfig.getBrokerClientTlsCiphers(), + serviceConfig.getBrokerClientTlsProtocols(), + serviceConfig.getTlsCertRefreshCheckDurationSec() + ); } } else { this.clientSslCtxRefresher = null;
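Review bot: `SslProvider.valueOf(serviceConfig.getTlsProvider())` in the first hunk, and `SslProvider.valueOf(serviceConfig.getBrokerClientSslProvider())` in the second, throw a bare IllegalArgumentException for any value that is not exactly `OPENSSL` or `JDK`, including lowercase spellings and the SunJSSE/Conscrypt values the ProxyConfiguration doc advertises for the keystore path of the same setting, so a configuration that is valid in one TLS mode aborts proxy startup in the other with no hint about which setting is wrong. Both hunks also duplicate the null check, so a small helper that names the setting and the accepted values, shown below, would make the failure actionable and keep one copy of the parsing logic. The enclosing constructor starts before the first hunk and its remaining arguments continue outside the lines shown.
```java
// … unchanged: keystore branch …
SslProvider sslProvider = parseSslProvider("tlsProvider", serviceConfig.getTlsProvider());
serverSslCtxRefresher = new NettyServerSslContextBuilder(
        sslProvider,
// … unchanged: remaining constructor arguments, client branch uses
//     parseSslProvider("brokerClientSslProvider", serviceConfig.getBrokerClientSslProvider()) …

private static SslProvider parseSslProvider(String setting, String value) {
    if (value == null) {
        return null;
    }
    try {
        return SslProvider.valueOf(value);
    } catch (IllegalArgumentException e) {
        throw new IllegalArgumentException(setting + " must be one of "
                + java.util.Arrays.toString(SslProvider.values()) + " but was '" + value + "'", e);
    }
}
```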