From f46dca47936166d4ad5546d3a0c5fa8c6b80e832 Mon Sep 17 00:00:00 2001
From: Eugene Galkin <eungenue@gmail.com>
Date: Tue, 11 Jan 2022 17:07:30 +0300
Subject: [PATCH 01/10] support x509 ssl certificate authentication

---
 src/Access/Authentication.cpp                 | 54 +++++++++++++++++
 src/Access/Authentication.h                   |  2 +
 src/Access/Common/AuthenticationData.cpp      | 23 ++++++-
 src/Access/Common/AuthenticationData.h        | 10 ++++
 src/Access/Credentials.cpp                    | 14 +++++
 src/Access/Credentials.h                      | 12 ++++
 src/Access/UsersConfigAccessStorage.cpp       | 27 ++++++++-
 .../ClickHouseDictionarySource.cpp            |  2 +-
 src/Interpreters/Session.cpp                  | 25 ++++++++
 src/Interpreters/Session.h                    |  2 +
 src/Parsers/Access/ASTCreateUserQuery.cpp     |  1 +
 src/Server/HTTP/HTTPServerRequest.cpp         |  7 +++
 src/Server/HTTP/HTTPServerRequest.h           |  2 +
 src/Server/HTTPHandler.cpp                    | 60 ++++++++++++++-----
 src/Server/TCPHandler.cpp                     |  2 +-
 15 files changed, 221 insertions(+), 22 deletions(-)

diff --git a/src/Access/Authentication.cpp b/src/Access/Authentication.cpp
index 6bc9aeec4c2..7bbf8ec5efa 100644
--- a/src/Access/Authentication.cpp
+++ b/src/Access/Authentication.cpp
@@ -5,6 +5,7 @@
 #include <Access/LDAPClient.h>
 #include <Access/GSSAcceptor.h>
 #include <Common/Exception.h>
+#include <Poco/Net/SecureStreamSocketImpl.h>
 #include <Poco/SHA1Engine.h>
 #include <Common/typeid_cast.h>
 
@@ -14,6 +15,7 @@ namespace DB
 namespace ErrorCodes
 {
     extern const int NOT_IMPLEMENTED;
+    extern const int WRONG_PASSWORD;
 }
 
 namespace
@@ -67,6 +69,23 @@ namespace
     }
 }
 
+std::string getPeerCertificateCommonName(const Poco::Net::SocketImpl * socketImpl)
+{
+    std::string cn;
+
+    if (socketImpl->secure())
+    {
+        // expect socket is an instance of SecureStreamSocket
+        const Poco::Net::SecureStreamSocketImpl * secureSocketImpl = dynamic_cast<const Poco::Net::SecureStreamSocketImpl *>(socketImpl);
+        if (secureSocketImpl && secureSocketImpl->havePeerCertificate())
+        {
+            Poco::Crypto::X509Certificate cert = secureSocketImpl->peerCertificate();
+            cn = cert.commonName();
+        }
+    }
+
+    return cn;
+}
 
 bool Authentication::areCredentialsValid(const Credentials & credentials, const AuthenticationData & auth_data, const ExternalAuthenticators & external_authenticators)
 {
@@ -87,6 +106,9 @@ bool Authentication::areCredentialsValid(const Credentials & credentials, const
             case AuthenticationType::KERBEROS:
                 return external_authenticators.checkKerberosCredentials(auth_data.getKerberosRealm(), *gss_acceptor_context);
 
+            case AuthenticationType::SSL_CERTIFICATE:
+                throw Authentication::Require<BasicCredentials>("ClickHouse X.509 Authentication");
+
             case AuthenticationType::MAX:
                 break;
         }
@@ -110,6 +132,9 @@ bool Authentication::areCredentialsValid(const Credentials & credentials, const
             case AuthenticationType::KERBEROS:
                 throw Authentication::Require<BasicCredentials>("ClickHouse Basic Authentication");
 
+            case AuthenticationType::SSL_CERTIFICATE:
+                throw Authentication::Require<BasicCredentials>("ClickHouse X.509 Authentication");
+
             case AuthenticationType::MAX:
                 break;
         }
@@ -137,6 +162,35 @@ bool Authentication::areCredentialsValid(const Credentials & credentials, const
             case AuthenticationType::KERBEROS:
                 throw Authentication::Require<GSSAcceptorContext>(auth_data.getKerberosRealm());
 
+            case AuthenticationType::SSL_CERTIFICATE:
+                throw Authentication::Require<BasicCredentials>("ClickHouse X.509 Authentication");
+
+            case AuthenticationType::MAX:
+                break;
+        }
+    }
+
+    if (const auto * certificate_credentials = typeid_cast<const CertificateCredentials *>(&credentials))
+    {
+        switch (auth_data.getType())
+        {
+            case AuthenticationType::NO_PASSWORD:
+            case AuthenticationType::PLAINTEXT_PASSWORD:
+            case AuthenticationType::SHA256_PASSWORD:
+            case AuthenticationType::DOUBLE_SHA1_PASSWORD:
+            case AuthenticationType::LDAP:
+                throw Authentication::Require<BasicCredentials>("ClickHouse Basic Authentication");
+
+            case AuthenticationType::KERBEROS:
+                throw Authentication::Require<GSSAcceptorContext>(auth_data.getKerberosRealm());
+
+            case AuthenticationType::SSL_CERTIFICATE:
+                // N.B. the certificate should only be trusted when 'strict' SSL mode is enabled
+                if (!auth_data.containsSSLCertificateCommonName(certificate_credentials->getX509CommonName()))
+                    throw Exception("X.509 certificate is not on allowed list", ErrorCodes::WRONG_PASSWORD);
+
+                return true;
+
             case AuthenticationType::MAX:
                 break;
         }
diff --git a/src/Access/Authentication.h b/src/Access/Authentication.h
index 000ba8ca324..e081f8211f6 100644
--- a/src/Access/Authentication.h
+++ b/src/Access/Authentication.h
@@ -2,6 +2,7 @@
 
 #include <Access/Common/AuthenticationData.h>
 #include <Common/Exception.h>
+#include <Poco/Net/SocketImpl.h>
 #include <base/types.h>
 
 
@@ -15,6 +16,7 @@ namespace ErrorCodes
 class Credentials;
 class ExternalAuthenticators;
 
+std::string getPeerCertificateCommonName(const Poco::Net::SocketImpl * socketImpl);
 
 /// TODO: Try to move this checking to Credentials.
 struct Authentication
diff --git a/src/Access/Common/AuthenticationData.cpp b/src/Access/Common/AuthenticationData.cpp
index 7412d7336e3..6fee41c3dd3 100644
--- a/src/Access/Common/AuthenticationData.cpp
+++ b/src/Access/Common/AuthenticationData.cpp
@@ -59,6 +59,11 @@ const AuthenticationTypeInfo & AuthenticationTypeInfo::get(AuthenticationType ty
             static const auto info = make_info("KERBEROS");
             return info;
         }
+        case AuthenticationType::SSL_CERTIFICATE:
+        {
+            static const auto info = make_info("SSL_CERTIFICATE");
+            return info;
+        }
         case AuthenticationType::MAX:
             break;
     }
@@ -112,6 +117,7 @@ void AuthenticationData::setPassword(const String & password_)
         case AuthenticationType::NO_PASSWORD:
         case AuthenticationType::LDAP:
         case AuthenticationType::KERBEROS:
+        case AuthenticationType::SSL_CERTIFICATE:
             throw Exception("Cannot specify password for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
 
         case AuthenticationType::MAX:
@@ -149,7 +155,7 @@ void AuthenticationData::setPasswordHashHex(const String & hash)
 
 String AuthenticationData::getPasswordHashHex() const
 {
-    if (type == AuthenticationType::LDAP || type == AuthenticationType::KERBEROS)
+    if (type == AuthenticationType::LDAP || type == AuthenticationType::KERBEROS || type == AuthenticationType::SSL_CERTIFICATE)
         throw Exception("Cannot get password hex hash for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
 
     String hex;
@@ -194,6 +200,7 @@ void AuthenticationData::setPasswordHashBinary(const Digest & hash)
         case AuthenticationType::NO_PASSWORD:
         case AuthenticationType::LDAP:
         case AuthenticationType::KERBEROS:
+        case AuthenticationType::SSL_CERTIFICATE:
             throw Exception("Cannot specify password binary hash for authentication type " + toString(type), ErrorCodes::LOGICAL_ERROR);
 
         case AuthenticationType::MAX:
@@ -202,4 +209,18 @@ void AuthenticationData::setPasswordHashBinary(const Digest & hash)
     throw Exception("setPasswordHashBinary(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
 }
 
+void AuthenticationData::clearAllowedCertificates()
+{
+    allowed_certificates.clear();
+}
+
+void AuthenticationData::addSSLCertificateCommonName(const String & x509CommonName)
+{
+    allowed_certificates.insert(x509CommonName);
+}
+
+bool AuthenticationData::containsSSLCertificateCommonName(const String & x509CommonName) const
+{
+    return allowed_certificates.find(x509CommonName) != allowed_certificates.end();
+}
 }
diff --git a/src/Access/Common/AuthenticationData.h b/src/Access/Common/AuthenticationData.h
index 8b390fd0900..152ba55b73d 100644
--- a/src/Access/Common/AuthenticationData.h
+++ b/src/Access/Common/AuthenticationData.h
@@ -1,6 +1,7 @@
 #pragma once
 
 #include <base/types.h>
+#include <set>
 #include <vector>
 
 namespace DB
@@ -27,6 +28,10 @@ enum class AuthenticationType
     /// Kerberos authentication performed through GSS-API negotiation loop.
     KERBEROS,
 
+    /// Authentication is done in SSL by checking user certificate.
+    /// Certificates may only be trusted if 'strict' SSL mode is enabled.
+    SSL_CERTIFICATE,
+
     MAX,
 };
 
@@ -79,6 +84,10 @@ public:
     const String & getKerberosRealm() const { return kerberos_realm; }
     void setKerberosRealm(const String & realm) { kerberos_realm = realm; }
 
+    void clearAllowedCertificates();
+    void addSSLCertificateCommonName(const String & x509CommonName);
+    bool containsSSLCertificateCommonName(const String & x509CommonName) const;
+
     friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);
     friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs) { return !(lhs == rhs); }
 
@@ -97,6 +106,7 @@ private:
     Digest password_hash;
     String ldap_server_name;
     String kerberos_realm;
+    std::set<String> allowed_certificates;
 };
 
 }
diff --git a/src/Access/Credentials.cpp b/src/Access/Credentials.cpp
index c2850ad4d4f..79876cddcfe 100644
--- a/src/Access/Credentials.cpp
+++ b/src/Access/Credentials.cpp
@@ -48,6 +48,20 @@ void AlwaysAllowCredentials::setUserName(const String & user_name_)
     user_name = user_name_;
 }
 
+CertificateCredentials::CertificateCredentials(const String & user_name_, const String & x509CommonName_)
+    : Credentials(user_name_)
+    , x509CommonName(x509CommonName_)
+{
+    is_ready = true;
+}
+
+const String & CertificateCredentials::getX509CommonName() const
+{
+    if (!isReady())
+        throwNotReady();
+    return x509CommonName;
+}
+
 BasicCredentials::BasicCredentials()
 {
     is_ready = true;
diff --git a/src/Access/Credentials.h b/src/Access/Credentials.h
index 4992199f64c..f667d60bde3 100644
--- a/src/Access/Credentials.h
+++ b/src/Access/Credentials.h
@@ -38,6 +38,18 @@ public:
     void setUserName(const String & user_name_);
 };
 
+class CertificateCredentials
+    : public Credentials
+{
+public:
+    explicit CertificateCredentials(const String & user_name_, const String & x509CommonName_);
+
+    const String & getX509CommonName() const;
+
+private:
+    String x509CommonName;
+};
+
 class BasicCredentials
     : public Credentials
 {
diff --git a/src/Access/UsersConfigAccessStorage.cpp b/src/Access/UsersConfigAccessStorage.cpp
index 5bd2da97445..5d7933190d5 100644
--- a/src/Access/UsersConfigAccessStorage.cpp
+++ b/src/Access/UsersConfigAccessStorage.cpp
@@ -62,13 +62,16 @@ namespace
         bool has_ldap = config.has(user_config + ".ldap");
         bool has_kerberos = config.has(user_config + ".kerberos");
 
-        size_t num_password_fields = has_no_password + has_password_plaintext + has_password_sha256_hex + has_password_double_sha1_hex + has_ldap + has_kerberos;
+        const auto certificates_config = user_config + ".certificates";
+        bool has_certificates = config.has(certificates_config);
+
+        size_t num_password_fields = has_no_password + has_password_plaintext + has_password_sha256_hex + has_password_double_sha1_hex + has_ldap + has_kerberos + has_certificates;
         if (num_password_fields > 1)
-            throw Exception("More than one field of 'password', 'password_sha256_hex', 'password_double_sha1_hex', 'no_password', 'ldap', 'kerberos' are used to specify password for user " + user_name + ". Must be only one of them.",
+            throw Exception("More than one field of 'password', 'password_sha256_hex', 'password_double_sha1_hex', 'no_password', 'ldap', 'kerberos', 'certificates' are used to specify authentication info for user " + user_name + ". Must be only one of them.",
                 ErrorCodes::BAD_ARGUMENTS);
 
         if (num_password_fields < 1)
-            throw Exception("Either 'password' or 'password_sha256_hex' or 'password_double_sha1_hex' or 'no_password' or 'ldap' or 'kerberos' must be specified for user " + user_name + ".", ErrorCodes::BAD_ARGUMENTS);
+            throw Exception("Either 'password' or 'password_sha256_hex' or 'password_double_sha1_hex' or 'no_password' or 'ldap' or 'kerberos' or 'certificates' must be specified for user " + user_name + ".", ErrorCodes::BAD_ARGUMENTS);
 
         if (has_password_plaintext)
         {
@@ -105,6 +108,24 @@ namespace
             user->auth_data = AuthenticationData{AuthenticationType::KERBEROS};
             user->auth_data.setKerberosRealm(realm);
         }
+        else if (has_certificates)
+        {
+            user->auth_data = AuthenticationData{AuthenticationType::SSL_CERTIFICATE};
+
+            /// Fill list of allowed certificates.
+            Poco::Util::AbstractConfiguration::Keys keys;
+            config.keys(certificates_config, keys);
+            user->auth_data.clearAllowedCertificates();
+            for (const String & key : keys)
+            {
+                if (key.starts_with("common_name"))
+                {
+                    String value = config.getString(certificates_config + "." + key);
+                    user->auth_data.addSSLCertificateCommonName(value);
+                }
+                else
+                    throw Exception("Unknown certificate pattern type: " + key, ErrorCodes::BAD_ARGUMENTS);            }
+        }
 
         const auto profile_name_config = user_config + ".profile";
         if (config.has(profile_name_config))
diff --git a/src/Dictionaries/ClickHouseDictionarySource.cpp b/src/Dictionaries/ClickHouseDictionarySource.cpp
index bd9a1f7776e..deecc3c983e 100644
--- a/src/Dictionaries/ClickHouseDictionarySource.cpp
+++ b/src/Dictionaries/ClickHouseDictionarySource.cpp
@@ -277,7 +277,7 @@ void registerDictionarySourceClickHouse(DictionarySourceFactory & factory)
         {
             /// We should set user info even for the case when the dictionary is loaded in-process (without TCP communication).
             Session session(global_context, ClientInfo::Interface::LOCAL);
-            session.authenticate(configuration.user, configuration.password, {});
+            session.authenticate(configuration.user, configuration.password, Poco::Net::SocketAddress{});
             context = session.makeQueryContext();
         }
         else
diff --git a/src/Interpreters/Session.cpp b/src/Interpreters/Session.cpp
index 2af9a2b6bbc..d05f438bb80 100644
--- a/src/Interpreters/Session.cpp
+++ b/src/Interpreters/Session.cpp
@@ -1,6 +1,7 @@
 #include <Interpreters/Session.h>
 
 #include <Access/AccessControl.h>
+#include <Access/Authentication.h>
 #include <Access/Credentials.h>
 #include <Access/ContextAccess.h>
 #include <Access/User.h>
@@ -297,6 +298,30 @@ void Session::authenticate(const String & user_name, const String & password, co
     authenticate(BasicCredentials{user_name, password}, address);
 }
 
+void Session::authenticate(const String & user_name, const String & password, const Poco::Net::StreamSocket & socket)
+{
+    switch (getAuthenticationType(user_name))
+    {
+        case AuthenticationType::NO_PASSWORD:
+        case AuthenticationType::PLAINTEXT_PASSWORD:
+        case AuthenticationType::DOUBLE_SHA1_PASSWORD:
+        case AuthenticationType::SHA256_PASSWORD:
+        case AuthenticationType::LDAP:
+            authenticate(BasicCredentials{user_name, password}, socket.peerAddress());
+            break;
+
+        case AuthenticationType::KERBEROS:
+            throw Authentication::Require<BasicCredentials>("ClickHouse Basic Authentication");
+
+        case AuthenticationType::SSL_CERTIFICATE:
+            authenticate(CertificateCredentials{user_name, getPeerCertificateCommonName(socket.impl())}, socket.peerAddress());
+            break;
+
+        case AuthenticationType::MAX:
+            break;
+    }
+}
+
 void Session::authenticate(const Credentials & credentials_, const Poco::Net::SocketAddress & address_)
 {
     if (session_context)
diff --git a/src/Interpreters/Session.h b/src/Interpreters/Session.h
index 71964130412..b65de2f3533 100644
--- a/src/Interpreters/Session.h
+++ b/src/Interpreters/Session.h
@@ -4,6 +4,7 @@
 #include <Access/Common/AuthenticationData.h>
 #include <Interpreters/ClientInfo.h>
 #include <Interpreters/Context_fwd.h>
+#include <Poco/Net/StreamSocket.h>
 
 #include <chrono>
 #include <memory>
@@ -49,6 +50,7 @@ public:
     /// Sets the current user, checks the credentials and that the specified address is allowed to connect from.
     /// The function throws an exception if there is no such user or password is wrong.
     void authenticate(const String & user_name, const String & password, const Poco::Net::SocketAddress & address);
+    void authenticate(const String & user_name, const String & password, const Poco::Net::StreamSocket & socket);
     void authenticate(const Credentials & credentials_, const Poco::Net::SocketAddress & address_);
 
     /// Returns a reference to session ClientInfo.
diff --git a/src/Parsers/Access/ASTCreateUserQuery.cpp b/src/Parsers/Access/ASTCreateUserQuery.cpp
index 18030a5ed80..70f29a02d85 100644
--- a/src/Parsers/Access/ASTCreateUserQuery.cpp
+++ b/src/Parsers/Access/ASTCreateUserQuery.cpp
@@ -78,6 +78,7 @@ namespace
                 }
 
                 case AuthenticationType::NO_PASSWORD: [[fallthrough]];
+                case AuthenticationType::SSL_CERTIFICATE: [[fallthrough]];
                 case AuthenticationType::MAX:
                     throw Exception("AST: Unexpected authentication type " + toString(auth_type), ErrorCodes::LOGICAL_ERROR);
             }
diff --git a/src/Server/HTTP/HTTPServerRequest.cpp b/src/Server/HTTP/HTTPServerRequest.cpp
index f9ef14765c9..db0ccecf46f 100644
--- a/src/Server/HTTP/HTTPServerRequest.cpp
+++ b/src/Server/HTTP/HTTPServerRequest.cpp
@@ -9,9 +9,11 @@
 #include <Server/HTTP/HTTPServerResponse.h>
 #include <Server/HTTP/ReadHeaders.h>
 
+#include <Poco/Crypto/X509Certificate.h>
 #include <Poco/Net/HTTPHeaderStream.h>
 #include <Poco/Net/HTTPStream.h>
 #include <Poco/Net/NetException.h>
+#include <Poco/Net/SecureStreamSocketImpl.h>
 
 namespace DB
 {
@@ -69,6 +71,11 @@ bool HTTPServerRequest::checkPeerConnected() const
     return true;
 }
 
+Poco::Net::SocketImpl * HTTPServerRequest::getSocket() const
+{
+    return socket;
+}
+
 void HTTPServerRequest::readRequest(ReadBuffer & in)
 {
     char ch;
diff --git a/src/Server/HTTP/HTTPServerRequest.h b/src/Server/HTTP/HTTPServerRequest.h
index 33463177743..85fe3a6f80a 100644
--- a/src/Server/HTTP/HTTPServerRequest.h
+++ b/src/Server/HTTP/HTTPServerRequest.h
@@ -38,6 +38,8 @@ public:
     /// Returns the server's address.
     const Poco::Net::SocketAddress & serverAddress() const { return server_address; }
 
+    Poco::Net::SocketImpl * getSocket() const;
+
 private:
     /// Limits for basic sanity checks when reading a header
     enum Limits
diff --git a/src/Server/HTTPHandler.cpp b/src/Server/HTTPHandler.cpp
index 673edfb6719..118a929323d 100644
--- a/src/Server/HTTPHandler.cpp
+++ b/src/Server/HTTPHandler.cpp
@@ -322,10 +322,35 @@ bool HTTPHandler::authenticateUser(
     std::string user = request.get("X-ClickHouse-User", "");
     std::string password = request.get("X-ClickHouse-Key", "");
     std::string quota_key = request.get("X-ClickHouse-Quota", "");
+    std::string x509_auth = request.get("X-ClickHouse-X509Authentication", "");
 
     std::string spnego_challenge;
+    std::string certificate_common_name;
 
-    if (user.empty() && password.empty() && quota_key.empty())
+    LOG_DEBUG(log, "X-ClickHouse-X509Authentication=\"{}\"", x509_auth);
+
+    bool has_basic_auth = request.hasCredentials() || params.has("user") || params.has("password") || params.has("quota_key");
+    bool has_header_auth = !(user.empty() && password.empty() && quota_key.empty());
+    bool has_x509_auth = !user.empty() && (x509_auth == "yes"); // header values are case sensitive
+
+    if (has_x509_auth)
+    {
+        if (has_header_auth || has_basic_auth)
+            throw Exception("Invalid authentication: it is not allowed to use SSL X.509 certificate authentication and other authentication methods simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
+
+        certificate_common_name = getPeerCertificateCommonName(request.getSocket());
+        if (certificate_common_name.empty())
+            throw Exception("Invalid authentication: empty X.509 certificate Common Name", ErrorCodes::AUTHENTICATION_FAILED);
+
+        LOG_DEBUG(log, "certificate_common_name=\"{}\"", certificate_common_name);
+    }
+    else if (has_header_auth)
+    {
+        /// It is prohibited to mix different authorization schemes.
+        if (has_basic_auth)
+            throw Exception("Invalid authentication: it is not allowed to use X-ClickHouse HTTP headers and other authentication methods simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
+    }
+    else
     {
         /// User name and password can be passed using query parameters
         /// or using HTTP Basic auth (both methods are insecure).
@@ -365,26 +390,17 @@ bool HTTPHandler::authenticateUser(
 
         quota_key = params.get("quota_key", "");
     }
-    else
-    {
-        /// It is prohibited to mix different authorization schemes.
-        if (request.hasCredentials() || params.has("user") || params.has("password") || params.has("quota_key"))
-            throw Exception("Invalid authentication: it is not allowed to use X-ClickHouse HTTP headers and other authentication methods simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
-    }
 
-    if (spnego_challenge.empty()) // I.e., now using user name and password strings ("Basic").
+    if (!certificate_common_name.empty())
     {
         if (!request_credentials)
-            request_credentials = std::make_unique<BasicCredentials>();
+            request_credentials = std::make_unique<CertificateCredentials>(user, certificate_common_name);
 
-        auto * basic_credentials = dynamic_cast<BasicCredentials *>(request_credentials.get());
-        if (!basic_credentials)
-            throw Exception("Invalid authentication: unexpected 'Basic' HTTP Authorization scheme", ErrorCodes::AUTHENTICATION_FAILED);
-
-        basic_credentials->setUserName(user);
-        basic_credentials->setPassword(password);
+        auto * certificate_credentials = dynamic_cast<CertificateCredentials *>(request_credentials.get());
+        if (!certificate_credentials)
+            throw Exception("Invalid authentication: expected SSL certificate authorization scheme", ErrorCodes::AUTHENTICATION_FAILED);
     }
-    else
+    else if (!spnego_challenge.empty())
     {
         if (!request_credentials)
             request_credentials = server.context()->makeGSSAcceptorContext();
@@ -411,6 +427,18 @@ bool HTTPHandler::authenticateUser(
             return false;
         }
     }
+    else // I.e., now using user name and password strings ("Basic").
+    {
+        if (!request_credentials)
+            request_credentials = std::make_unique<BasicCredentials>();
+
+        auto * basic_credentials = dynamic_cast<BasicCredentials *>(request_credentials.get());
+        if (!basic_credentials)
+            throw Exception("Invalid authentication: expected 'Basic' HTTP Authorization scheme", ErrorCodes::AUTHENTICATION_FAILED);
+
+        basic_credentials->setUserName(user);
+        basic_credentials->setPassword(password);
+    }
 
     /// Set client info. It will be used for quota accounting parameters in 'setUser' method.
     ClientInfo & client_info = session->getClientInfo();
diff --git a/src/Server/TCPHandler.cpp b/src/Server/TCPHandler.cpp
index 6fa2b25d181..d4112dd8bc7 100644
--- a/src/Server/TCPHandler.cpp
+++ b/src/Server/TCPHandler.cpp
@@ -1177,7 +1177,7 @@ void TCPHandler::receiveHello()
         return;
     }
 
-    session->authenticate(user, password, socket().peerAddress());
+    session->authenticate(user, password, socket());
 }
 
 

From f2612d42dcf994dd1f0340e27881ac1bf3d0d173 Mon Sep 17 00:00:00 2001
From: Eugene Galkin <eungenue@gmail.com>
Date: Wed, 17 Nov 2021 20:48:57 +0300
Subject: [PATCH 02/10] Implement SSL X.509 certificate authentication

---
 src/Server/HTTP/HTTPServerRequest.cpp | 1 +
 src/Server/HTTP/HTTPServerRequest.h   | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/src/Server/HTTP/HTTPServerRequest.cpp b/src/Server/HTTP/HTTPServerRequest.cpp
index db0ccecf46f..1deecbf550d 100644
--- a/src/Server/HTTP/HTTPServerRequest.cpp
+++ b/src/Server/HTTP/HTTPServerRequest.cpp
@@ -22,6 +22,7 @@ HTTPServerRequest::HTTPServerRequest(ContextPtr context, HTTPServerResponse & re
     , max_fields_number(context->getSettingsRef().http_max_fields)
     , max_field_name_size(context->getSettingsRef().http_max_field_name_size)
     , max_field_value_size(context->getSettingsRef().http_max_field_value_size)
+    , stream_socket(session.socket())
 {
     response.attachRequest(this);
 
diff --git a/src/Server/HTTP/HTTPServerRequest.h b/src/Server/HTTP/HTTPServerRequest.h
index 85fe3a6f80a..fbf7e0890ea 100644
--- a/src/Server/HTTP/HTTPServerRequest.h
+++ b/src/Server/HTTP/HTTPServerRequest.h
@@ -32,6 +32,8 @@ public:
 
     bool isSecure() const { return secure; }
 
+    std::string getPeerCertificateCommonName() const;
+
     /// Returns the client's address.
     const Poco::Net::SocketAddress & clientAddress() const { return client_address; }
 
@@ -55,6 +57,7 @@ private:
 
     std::unique_ptr<ReadBuffer> stream;
     Poco::Net::SocketImpl * socket;
+    Poco::Net::StreamSocket & stream_socket;
     Poco::Net::SocketAddress client_address;
     Poco::Net::SocketAddress server_address;
 

From 30a741a19f2eb3a71a000709d892c2e8da3bfcf9 Mon Sep 17 00:00:00 2001
From: Eugene Galkin <eungenue@gmail.com>
Date: Mon, 17 Jan 2022 15:47:25 +0300
Subject: [PATCH 03/10] fix header authentication check condition

---
 src/Server/HTTPHandler.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Server/HTTPHandler.cpp b/src/Server/HTTPHandler.cpp
index 118a929323d..d29d113ad8e 100644
--- a/src/Server/HTTPHandler.cpp
+++ b/src/Server/HTTPHandler.cpp
@@ -330,7 +330,7 @@ bool HTTPHandler::authenticateUser(
     LOG_DEBUG(log, "X-ClickHouse-X509Authentication=\"{}\"", x509_auth);
 
     bool has_basic_auth = request.hasCredentials() || params.has("user") || params.has("password") || params.has("quota_key");
-    bool has_header_auth = !(user.empty() && password.empty() && quota_key.empty());
+    bool has_header_auth = !user.empty() && !password.empty() && !quota_key.empty();
     bool has_x509_auth = !user.empty() && (x509_auth == "yes"); // header values are case sensitive
 
     if (has_x509_auth)

From 0681bb4bede2877bf0fa63508a1937e97809f8a5 Mon Sep 17 00:00:00 2001
From: Eugene Galkin <eungenue@gmail.com>
Date: Mon, 17 Jan 2022 18:48:04 +0300
Subject: [PATCH 04/10] remove unused var and function declaration

---
 src/Server/HTTP/HTTPServerRequest.cpp | 1 -
 src/Server/HTTP/HTTPServerRequest.h   | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/src/Server/HTTP/HTTPServerRequest.cpp b/src/Server/HTTP/HTTPServerRequest.cpp
index 1deecbf550d..db0ccecf46f 100644
--- a/src/Server/HTTP/HTTPServerRequest.cpp
+++ b/src/Server/HTTP/HTTPServerRequest.cpp
@@ -22,7 +22,6 @@ HTTPServerRequest::HTTPServerRequest(ContextPtr context, HTTPServerResponse & re
     , max_fields_number(context->getSettingsRef().http_max_fields)
     , max_field_name_size(context->getSettingsRef().http_max_field_name_size)
     , max_field_value_size(context->getSettingsRef().http_max_field_value_size)
-    , stream_socket(session.socket())
 {
     response.attachRequest(this);
 
diff --git a/src/Server/HTTP/HTTPServerRequest.h b/src/Server/HTTP/HTTPServerRequest.h
index fbf7e0890ea..85fe3a6f80a 100644
--- a/src/Server/HTTP/HTTPServerRequest.h
+++ b/src/Server/HTTP/HTTPServerRequest.h
@@ -32,8 +32,6 @@ public:
 
     bool isSecure() const { return secure; }
 
-    std::string getPeerCertificateCommonName() const;
-
     /// Returns the client's address.
     const Poco::Net::SocketAddress & clientAddress() const { return client_address; }
 
@@ -57,7 +55,6 @@ private:
 
     std::unique_ptr<ReadBuffer> stream;
     Poco::Net::SocketImpl * socket;
-    Poco::Net::StreamSocket & stream_socket;
     Poco::Net::SocketAddress client_address;
     Poco::Net::SocketAddress server_address;
 

From 513060c1811988768eeccb0772dcd4ef53e6b396 Mon Sep 17 00:00:00 2001
From: Eugene Galkin <eungenue@gmail.com>
Date: Wed, 19 Jan 2022 12:27:40 +0300
Subject: [PATCH 05/10] add SSL x.509 authentication docs draft

---
 .../external-authenticators/index.md          |  1 +
 .../external-authenticators/ssl-x509.md       | 24 +++++++++++++++++++
 .../external-authenticators/index.md          |  1 +
 .../external-authenticators/ssl-x509.md       | 24 +++++++++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 docs/en/operations/external-authenticators/ssl-x509.md
 create mode 100644 docs/ru/operations/external-authenticators/ssl-x509.md

diff --git a/docs/en/operations/external-authenticators/index.md b/docs/en/operations/external-authenticators/index.md
index 13b07b8e51e..850b6594b71 100644
--- a/docs/en/operations/external-authenticators/index.md
+++ b/docs/en/operations/external-authenticators/index.md
@@ -12,5 +12,6 @@ The following external authenticators and directories are supported:
 
 - [LDAP](./ldap.md#external-authenticators-ldap) [Authenticator](./ldap.md#ldap-external-authenticator) and [Directory](./ldap.md#ldap-external-user-directory)
 - Kerberos [Authenticator](./kerberos.md#external-authenticators-kerberos)
+- [SSL X.509 authentication](./ssl-x509.md#ssl-external-authentication)
 
 [Original article](https://clickhouse.com/docs/en/operations/external-authenticators/index/) <!--hide-->
diff --git a/docs/en/operations/external-authenticators/ssl-x509.md b/docs/en/operations/external-authenticators/ssl-x509.md
new file mode 100644
index 00000000000..deea837fb27
--- /dev/null
+++ b/docs/en/operations/external-authenticators/ssl-x509.md
@@ -0,0 +1,24 @@
+# SSL X.509 certificate authentication {#ssl-external-authentication}
+
+[SSL 'strict' option](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl) enables mandatory certificate validation for the incoming connections. In this case, only connections with trusted certificates can be established. Connections with untrusted certificates will be rejected. Thus, certificate verification allows to uniquely authenticate an incoming connection. `Common Name` field of the certificate is used to identify connected user. This allows to associate multiple certificates with the same user. Additionally, reissuing and revoking of the certificates does not affect the ClickHouse configuration.
+
+To enable SSL certificate authentication, a list of `Common Name`'s for each ClickHouse user must be sspecified in the settings file `config.xml `:
+
+**Example**
+```xml
+<clickhouse>
+    <!- ... -->
+    <users>
+        <user_name>
+            <certificates>
+                <common_name>host.domain.com:example_user</common_name>
+                <common_name>host.domain.com:example_user_dev</common_name>
+                <!-- More names -->
+            </certificates>
+            <!-- Other settings -->
+        </user_name>
+    </users>
+</clickhouse>
+```
+
+For the SSL [`chain of trust`](https://en.wikipedia.org/wiki/Chain_of_trust) to work correctly, it is also important to make sure that the [`caConfig`](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl) parameter is configured properly.
\ No newline at end of file
diff --git a/docs/ru/operations/external-authenticators/index.md b/docs/ru/operations/external-authenticators/index.md
index 8465e57d792..9fb07450d7c 100644
--- a/docs/ru/operations/external-authenticators/index.md
+++ b/docs/ru/operations/external-authenticators/index.md
@@ -12,5 +12,6 @@ ClickHouse поддерживает аутентификацию и управл
 
 - [LDAP](./ldap.md#external-authenticators-ldap) [аутентификатор](./ldap.md#ldap-external-authenticator) и [каталог](./ldap.md#ldap-external-user-directory)
 - Kerberos [аутентификатор](./kerberos.md#external-authenticators-kerberos)
+- [SSL X.509 аутентификация](./ssl-x509.md#ssl-external-authentication)
 
 [Оригинальная статья](https://clickhouse.com/docs/ru/operations/external-authenticators/index/) <!--hide-->
diff --git a/docs/ru/operations/external-authenticators/ssl-x509.md b/docs/ru/operations/external-authenticators/ssl-x509.md
new file mode 100644
index 00000000000..bba1874086e
--- /dev/null
+++ b/docs/ru/operations/external-authenticators/ssl-x509.md
@@ -0,0 +1,24 @@
+# Аутентификация по сертификату SSL X.509  {#ssl-external-authentication}
+
+[Опция 'strict'](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl) включает обязательную проверку сертификатов входящих соединений в библиотеке `SSL`. В этом случае могут быть установлены только соединения, представившие действительный сертификат. Соединения с недоверенными сертификатами будут отвергнуты. Таким образом, проверка сертификата позволяет однозначно аутентифицировать входящее соединение. Идентификация пользователя осуществляется по полю `Common Name` сертификата. Это позволяет ассоциировать несколько сертификатов с одним и тем же пользователем. Дополнительно, перевыпуск и отзыв сертификата не требуют изменения конфигурации ClickHouse.
+
+Для включения аутентификации по SSL сертификату, необходимо указать список `Common Name` для каждого пользователя ClickHouse в файле настройки `config.xml`:
+
+**Example**
+```xml
+<clickhouse>
+    <!- ... -->
+    <users>
+        <user_name>
+            <certificates>
+                <common_name>host.domain.com:example_user</common_name>
+                <common_name>host.domain.com:example_user_dev</common_name>
+                <!-- More names -->
+            </certificates>
+            <!-- Other settings -->
+        </user_name>
+    </users>
+</clickhouse>
+```
+
+Для правильной работы SSL `trust chain` важно также убедиться в правильной настройке параметра [`caConfig`](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl)

From cb03e7765f7ef7b158087180f61c2d93b2f52e20 Mon Sep 17 00:00:00 2001
From: Eugene Galkin <eungenue@gmail.com>
Date: Wed, 19 Jan 2022 13:04:40 +0300
Subject: [PATCH 06/10] minor fix SSL authentication docs

---
 docs/en/operations/external-authenticators/ssl-x509.md | 2 +-
 docs/ru/operations/external-authenticators/ssl-x509.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/en/operations/external-authenticators/ssl-x509.md b/docs/en/operations/external-authenticators/ssl-x509.md
index deea837fb27..dd4f35257bb 100644
--- a/docs/en/operations/external-authenticators/ssl-x509.md
+++ b/docs/en/operations/external-authenticators/ssl-x509.md
@@ -1,6 +1,6 @@
 # SSL X.509 certificate authentication {#ssl-external-authentication}
 
-[SSL 'strict' option](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl) enables mandatory certificate validation for the incoming connections. In this case, only connections with trusted certificates can be established. Connections with untrusted certificates will be rejected. Thus, certificate verification allows to uniquely authenticate an incoming connection. `Common Name` field of the certificate is used to identify connected user. This allows to associate multiple certificates with the same user. Additionally, reissuing and revoking of the certificates does not affect the ClickHouse configuration.
+[SSL 'strict' option](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl) enables mandatory certificate validation for the incoming connections. In this case, only connections with trusted certificates can be established. Connections with untrusted certificates will be rejected. Thus, certificate validation allows to uniquely authenticate an incoming connection. `Common Name` field of the certificate is used to identify connected user. This allows to associate multiple certificates with the same user. Additionally, reissuing and revoking of the certificates does not affect the ClickHouse configuration.
 
 To enable SSL certificate authentication, a list of `Common Name`'s for each ClickHouse user must be sspecified in the settings file `config.xml `:
 
diff --git a/docs/ru/operations/external-authenticators/ssl-x509.md b/docs/ru/operations/external-authenticators/ssl-x509.md
index bba1874086e..12ae7e4eec3 100644
--- a/docs/ru/operations/external-authenticators/ssl-x509.md
+++ b/docs/ru/operations/external-authenticators/ssl-x509.md
@@ -21,4 +21,4 @@
 </clickhouse>
 ```
 
-Для правильной работы SSL `trust chain` важно также убедиться в правильной настройке параметра [`caConfig`](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl)
+Для правильной работы SSL [`chain of trust`](https://en.wikipedia.org/wiki/Chain_of_trust) важно также убедиться в правильной настройке параметра [`caConfig`](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl)

From 12291d95ddc9a79357cc9be7dd210870628f5803 Mon Sep 17 00:00:00 2001
From: Vitaly Baranov <vitbar@yandex-team.ru>
Date: Fri, 18 Feb 2022 21:12:03 +0700
Subject: [PATCH 07/10] Add test for SSL certificate authentication.

---
 .../test_ssl_cert_authentication/__init__.py  |  0
 .../certs/ca-cert.pem                         | 32 ++++++
 .../certs/ca-cert.srl                         |  1 +
 .../certs/ca-key.pem                          | 52 ++++++++++
 .../certs/client1-cert.pem                    | 30 ++++++
 .../certs/client1-key.pem                     | 52 ++++++++++
 .../certs/client1-req.pem                     | 27 ++++++
 .../certs/client2-cert.pem                    | 30 ++++++
 .../certs/client2-key.pem                     | 52 ++++++++++
 .../certs/client2-req.pem                     | 27 ++++++
 .../certs/client3-cert.pem                    | 30 ++++++
 .../certs/client3-key.pem                     | 52 ++++++++++
 .../certs/client3-req.pem                     | 27 ++++++
 .../certs/generate_certs.sh                   | 23 +++++
 .../certs/server-cert.pem                     | 31 ++++++
 .../certs/server-ext.cnf                      |  1 +
 .../certs/server-key.pem                      | 52 ++++++++++
 .../certs/server-req.pem                      | 27 ++++++
 .../certs/wrong-cert.pem                      | 32 ++++++
 .../certs/wrong-key.pem                       | 52 ++++++++++
 .../configs/ssl_config.xml                    | 36 +++++++
 .../configs/users_with_ssl_auth.xml           | 22 +++++
 .../test_ssl_cert_authentication/test.py      | 97 +++++++++++++++++++
 23 files changed, 785 insertions(+)
 create mode 100644 tests/integration/test_ssl_cert_authentication/__init__.py
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/ca-cert.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/ca-cert.srl
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/ca-key.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client1-cert.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client1-key.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client1-req.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client2-cert.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client2-key.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client2-req.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client3-cert.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client3-key.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/client3-req.pem
 create mode 100755 tests/integration/test_ssl_cert_authentication/certs/generate_certs.sh
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/server-cert.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/server-ext.cnf
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/server-key.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/server-req.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/wrong-cert.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/certs/wrong-key.pem
 create mode 100644 tests/integration/test_ssl_cert_authentication/configs/ssl_config.xml
 create mode 100644 tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml
 create mode 100644 tests/integration/test_ssl_cert_authentication/test.py

diff --git a/tests/integration/test_ssl_cert_authentication/__init__.py b/tests/integration/test_ssl_cert_authentication/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/tests/integration/test_ssl_cert_authentication/certs/ca-cert.pem b/tests/integration/test_ssl_cert_authentication/certs/ca-cert.pem
new file mode 100644
index 00000000000..293e1c7f564
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/ca-cert.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFhTCCA22gAwIBAgIUVRNcr0jCH3vSTxg8QYQH6CCtyF4wDQYJKoZIhvcNAQEL
+BQAwUjELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAwwCY2EwHhcNMjIwMjE4
+MDk0MzA2WhcNMzIwMjE2MDk0MzA2WjBSMQswCQYDVQQGEwJSVTETMBEGA1UECAwK
+U29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQsw
+CQYDVQQDDAJjYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALwojNvu
+fXQYQ4tucqNOEDHf2sNgxwxqY6QdtJ+zNfVjsK4I3Vqo8TtzxfDYGolkYem/bYJM
+xQar9ehUm9ok/0kJgIo8vDXxxDJtvjz5Fd5oFWJLMxojLE9NSa0A4m18jGfbFNsF
+XoU0njiInyzNaU9d4bMpaweseCZdt9Y4LR93FkuhSU/v18lWQPob8SSIij059IZP
+sEUxpDOTxclAmG/Knd/6v3ecVFiQgexZM0gCtf7kcw41mxsAaP/mOexodIZDR70Y
+LYjL7R2ZGhpClfQc8SO5NSpfEqsfreDX7XoaCTsy7/rqr3Nfiby6sc//awG0Ww/f
+FRf2+2BU2xEwOVa3i5wU5raYY6eqFLK9q9c2IWPSqYzAmvhK2pqWQ/iaCU/Q89ow
+SbKudJTLK8Y6v9LW4Q8ZLZF+CzS5cI+QEfIYqTLFdInH1BLoxx7cymEv07CDkcTo
+2WtV8GdMph2P3U/9NoXQDonjCSj0lQUjgUdcrBPaIIVbIn6/5vfw8LQa8PoGDhIx
+AYQkqPR+LHxCqIMzdqKZ+OXD/HPhiigpxLhF7mVRLvvoyrOZVJbcu1qmgCcQw0IE
+fWzvWne+9cYC9lgt8+/k6d6B1uhYsIwwhgoj0dffFjc0sF6zfceGK+H1K2JCE0aY
+zT1HlvSoZdA7lEs5xbGJnkBHqlOvQ63ynXCzAgMBAAGjUzBRMB0GA1UdDgQWBBTn
+AtgFU20JF7kTZCKlY7/hi0kYRzAfBgNVHSMEGDAWgBTnAtgFU20JF7kTZCKlY7/h
+i0kYRzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCpiWgJ1XUw
+a8Bdeznsa57oy+5mqQZWpRVkzTQRHEGV850OGh7WQ6u9kVAHefaHH9hsVxyggton
+6/MDsu4KL5jqKmJaIAepPIOw6DTc2zs044I7W/rxRp+w1hL2TS+EahMrSPwdzCcl
+NNAM0dXocGylf6qwwMqiYAR1K3UIrlyq4QTr1oEPIqJBkDg1JDYrt4T2DroPjW20
+5hlCQ/tft5ddGL0EFEaKWwAcPFm7jAwJiz2eUqmT6PcmaZ24qPn5RXVkaBAkrSga
+1WgM8r3LGu2EKhdiDc5hRJKjS8RZyLvZNNzlL3+N42nGmGZkND5bV6u82OD+qn17
+LRZOt0Cr70HqszSYk/67ijjaa4n/fuuAqorV+yYB8accRXtoi00nxykT+H+yI1rD
+swvcrfDvhUgY5zmunWyQUYh0q/2Hj75GbLup3Cd0B4MrBwqyCqcEugM4OSf6aRMr
+e/vjeggTVPN08xE1LUkugalx0B0aoO6qFahJ2CmkAcYLLlS2N+F7TMuPavc0kVxD
+I3qA5G9zvNCliSLX2+kM+LzslI8+pP/A98bvh6nW4HtZkI0jq1ks7XR0GeOhCI8E
+0l/YuElxxgKhN4INKhhMoDKqPib4z8gbmkenR2CenQCpfLMIrhTXZgtw+gvEgpIE
+/QK97G8XPqga6zn471wrYJnuyJli+sP7aw==
+-----END CERTIFICATE-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/ca-cert.srl b/tests/integration/test_ssl_cert_authentication/certs/ca-cert.srl
new file mode 100644
index 00000000000..c02cd0a4526
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/ca-cert.srl
@@ -0,0 +1 @@
+05F10C67567FE30795D77AF2540F6AC8D4CF2461
diff --git a/tests/integration/test_ssl_cert_authentication/certs/ca-key.pem b/tests/integration/test_ssl_cert_authentication/certs/ca-key.pem
new file mode 100644
index 00000000000..e85dca8553e
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/ca-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC8KIzb7n10GEOL
+bnKjThAx39rDYMcMamOkHbSfszX1Y7CuCN1aqPE7c8Xw2BqJZGHpv22CTMUGq/Xo
+VJvaJP9JCYCKPLw18cQybb48+RXeaBViSzMaIyxPTUmtAOJtfIxn2xTbBV6FNJ44
+iJ8szWlPXeGzKWsHrHgmXbfWOC0fdxZLoUlP79fJVkD6G/EkiIo9OfSGT7BFMaQz
+k8XJQJhvyp3f+r93nFRYkIHsWTNIArX+5HMONZsbAGj/5jnsaHSGQ0e9GC2Iy+0d
+mRoaQpX0HPEjuTUqXxKrH63g1+16Ggk7Mu/66q9zX4m8urHP/2sBtFsP3xUX9vtg
+VNsRMDlWt4ucFOa2mGOnqhSyvavXNiFj0qmMwJr4StqalkP4mglP0PPaMEmyrnSU
+yyvGOr/S1uEPGS2Rfgs0uXCPkBHyGKkyxXSJx9QS6Mce3MphL9Owg5HE6NlrVfBn
+TKYdj91P/TaF0A6J4wko9JUFI4FHXKwT2iCFWyJ+v+b38PC0GvD6Bg4SMQGEJKj0
+fix8QqiDM3aimfjlw/xz4YooKcS4Re5lUS776MqzmVSW3LtapoAnEMNCBH1s71p3
+vvXGAvZYLfPv5OnegdboWLCMMIYKI9HX3xY3NLBes33Hhivh9StiQhNGmM09R5b0
+qGXQO5RLOcWxiZ5AR6pTr0Ot8p1wswIDAQABAoICAQCO/c4Wccb7TFlAhD4wpumd
+zX5GDq0WXV+94CldWGdARnOFvwzhkhRJ1zDtWH3KPfQ/HJBPfqIY8OQfnPUYMhej
+3MnHxGJQKJyuqkHxumYJMFZX7cg3K9XHqne8NzjcddOKNa9Cx3DOkG9RjVpSRQSs
+IS+d5XMGUOa6WWyVKvn3uJvD/B1n12DJDHiy2jtHRVCxOPMAg1z1KMWdwMaFrEZs
+ZrHV/ow1jSN4btGd2SgkqJLA08IwYUKvoX8qQj9wzu0G/+hr5wzrsfZQEQMKQ+IL
+s1b6jAzAV6IrVBbjEZXSviiXyZ0gteuCJW/acpMg+/3JPNQbWrCAFt1wluwowto/
+JAFIvlh29hfE5c+HEMpQNa0tdj7jepBn/0YEbgwpayMikKiLZXEpgheWCGypAQWp
+Hm+N0Ym7HSGe82obxi8EjKRnNwFUtotWzUBKeo9aFwPZHLFlspljd+5ynDvKqXnk
+txYZj6K3TtMs30HAG6fqxSPyiZ5W+5yF7nt6qLODs6m4Os+lrk1GnoqC0/uLMzIU
+CRJKulrJOK4/Z2tPn9IAhcREbS4oROUeNqqo0Cfs3ssvkV7JTHF4IsKhCmElMmGa
+bevOI+pvdjfECShy0Jnbtni6ece/II4/edfUp9kWN45xZLpzDjfqCVD66JS9g6ZU
+i/EVll+d5zaI2TzzwZgHUQKCAQEA3d8siwXbq7x0cAB013+tvkvGMJ2EuS1TWdLk
+a2P6CAnlZMWvv2cPSd2WpimHjqKxrbn6VE79mOc2l9Y1NOUUWWZATrhN7V8xMapQ
+0YiYCHeaMERUAUKdzCgRN2/mRbZCBzpPBbWbb6NtKfRFJsD9zAe2JBwDVh9hvAL8
+YVBoczrEfj1ILnmtPhAJVI6s6rDsA4MgKjLs0Tt7Cc7rQxqNSpHEvwv1yLQmjp0N
+L5b1TEt7fqVJ9dirykJquBYEKf55Z1qZhQzmnbu9OPnzeqGDakl5F/UsXDB5Bokp
+ilcV+nFbh175Q+gTEhaSacGW8gzRw6j18PuciBjeWVEM5hhxOwKCAQEA2RnRMjv9
+46jQarJTFbIHg1SqrR87GSLnt6672M5TX9frzxMCuVDjKgdecstvLjm6X+/cPQKT
+Q3javJnJXT4cx//1J7RLO6ZBVSCZf3//XntdHdFVJf5ySQtK+MJyfxjpzP6KBPfb
+WPrva8p29ejbBdtsOT0M6gY5tPfadU2XEaf+BoyX9NUmu1U46Iqi+eCOjR+GVvhP
+pJzGgLeOsaRVCfc9I7XPoVu3AEx5Kt55yRYm4fyGPsAd+mRDbIXMXdL0k8CfWWDr
+8TT5rqKI+gFPFQCwToBW3DwHIGY+3RmoXFfQ0IJaKwOk4AB7m6HC3mv1crtjTFSM
+9p74oQzNX7UG6QKCAQBEs2cygRTdH5SaXbnQRKvC4emzggLn5/4IMUIjcqioNpA+
+XOwngzz7rU6JkxBzfTMxTQYTdwYVg3qnF2AQSeK8L+o3teADYVd1PnyZ9QbGkGpB
+CddNMJh17+4s0UxnR6E4Zbi0VuCTd/JEbGvBLT8pHzYqBjaOQ1dbBT2q0GAXVhoj
+0Mv6ABlBv2t0MF2gqjnaeI7MIkqsGxPlHJpChAU+EtbuJUDs7cOGo2DC3KaGAlVy
+CLJXGslO7rPm3oJZkn97HlWtGiqKquhTrSnUThDIJ4oEfhlHTocbG/ut53tZuiIS
+T7k1arYFAtJBRv17Y7bMNBQ7k12L0s9+rpck5GqjAoIBAQCVBPSkj6tZbpII+viu
+5rHjguVYyhwtx9jYK1eDnTR7kGGrlPgErjIPslkxYNSjHTsCCUnakv70jGtQlBs1
+JqJo4hesNkSB4D/uJ99VNk3a08D566uP1dUqsFa44/flp/ssG/gvKtbkf/KBwcrg
+RwK4RYJG09IefUF1J8BLToQIuZBTfIP9qaXZZskWTbtK28ndsqrq3a0FaBuVVOnc
+o9k/avcLoQuxTZwS12tAcs+TqOHtswGO5x5stg/V2Q2LxXbeSJTYq/+oZN2R8r0l
+JmrbFsruR4fXylh189jouWjoYdrSlPdBmVG99HbkQCfbtq0XIOsrBMpxqnMtUPVT
+4ZWpAoIBAQCrao4XHpRM3KsfPqdkg0vqFDBA+LzKlWu1fl8w5TGpFK8H1tv5kHNv
+h0XmeU5cXwiweri3KjQz7h+qVBHZeAvyrEoxJQdImax+5OUy7lysDs+SL02gLZb3
+Z7g+u4Buwx+cv4O7hwUEDDk/5X3NBFk7/iwztKUtM+Fl8jt9K3K24s87xXp9YevI
+UEawden9jVcuXQjEUrwz8cjoz/y25vK5pQ6k82PVImkMZK99/PmgmGyOl7hdRA3F
+ff0Kb8pRGmV/cWRKzHaC8QchW8jdU2EGxMkrFl1DvoVKLbyDf1glRncKP9iozHAR
++s184IJCUvyMxH83uKKAiBGaDRC+Lbm7
+-----END PRIVATE KEY-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client1-cert.pem b/tests/integration/test_ssl_cert_authentication/certs/client1-cert.pem
new file mode 100644
index 00000000000..bd6eea62094
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client1-cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFMDCCAxgCFAXxDGdWf+MHldd68lQPasjUzyRfMA0GCSqGSIb3DQEBCwUAMFIx
+CzAJBgNVBAYTAlJVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAmNhMB4XDTIyMDIxODA5NDMw
+OVoXDTMyMDIxNjA5NDMwOVowVzELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUt
+U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UE
+AwwHY2xpZW50MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMBU0fao
+RrITeF4kpN81p7qirX/Gc56+Cux6u7RF1O6WU9v+V5jLw8chQZ87z4QSrFiT1ZnT
+pwWYPwJ+pDk6AWEoiKuOaceOh0bjZCuxADHs+qQrye5D8GXvyFvWE2cT1pD5JNEZ
+DSl2YHqNs4uTGRP9BP817iRDcuvdxpanaWxfXGfehJRMiEVgKDs+RUpoW4aVNivI
+InrUWc4RXXkzaJKqhpCU3jAJBV4jSD5ZnA8PUfcoAj6z6T3I6phuDfRP5ldA3br8
+yg0hCB7Y5QrO5lRAgEoIuNnC+U6/AIwWPI36Rjiwg3EUwI/BIiL4AWjzkjSdr0mn
+zyHPRk4pcn01T0GTpQi6tfZZpumDD3LkPuEy9svMpJ8ntqDnAsIJVjbg1S60hHes
+yYHoQw1HxU0vrncxwcQkVaPLx0uGlioaLlvu83AVnWXbylZXsV/pLy6dE3H51GBF
+DX3Zj6nkuJitk8/hNp440/Lve7SaKFPo5NdH+8ACWGdFdz3zxgPuhBDoxEeqj4c1
+FQA1ABXx2akW3lQ5VxTAg5AYORvVhJTozosr+Kn3MlRdZjl94tnVByD8MGLLE0C4
+L/qXR/IlbkOCz5LHapdC5j62ZEBwiElmMO/tMGl4ORV9tdTBrRZ9DMmKek2E8Qwz
+y770PGkhp1cTzZt6UfZEympowmfjtiZfHIq1AgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggIBAHwRpqnpcD3EW588GSDZhZrVf3nS9M06ljQGtDUqNSI4XJp1cVT1sMaa4LjM
+cWgHtayFw+jbDLwioXHjMlV+8tERH+0x+qsADG349caDYT/OF13v/jyuboUZ9AqE
+KpfOQH7jCLU7rEbEl6kvT3F3xaHJg8mE7msyRFfguB2JrqZkKIj4HANxJUJo4PwB
+5bq9nE3AVNAgUeQEwfu0r5SjroNpcHfm7xWqMK2mDMCsy/DvI7n97Q7vZajcTT0x
+UXfgx+3CLEvLMpa2myE5OIMOeLzfZwxrxyNH7BdZsROnkGv1cX+9HZpYcue/UDxp
+P2OApbTuZKaTJOyMADc17s0seE0DTAHnHAWrJwVhf8wYKKtEs+i+Sw5LNSkh5fgS
+hTzGF93yClDYzWEqMSKhKPeimtpz4ZBNuGf471KbpVbUKJJvJmOxqoZ5S0kpFILL
+YMALf652uf5or5d0cDNvcJTwvMi6evchIV17d/jH+MxyJQs9VCkMpJxFbMrXb3YB
+b57K3Z25P6w3Qfj4zuKQFANari7Gs6qSiaUBiEhEdTQlGspkq+FLndtX818sbMk5
+LAK6JaUH0ywV2jn5XSW0irQLDXqb6Q0bSyw6pdpDjk0o4UW67JCE4kGagRDnfSqL
+ZODvO/dEtVLyAsjmOx8MkqLyseI7VESVd8eiJAyL0sifh+/E
+-----END CERTIFICATE-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client1-key.pem b/tests/integration/test_ssl_cert_authentication/certs/client1-key.pem
new file mode 100644
index 00000000000..8bc1e656566
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client1-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDAVNH2qEayE3he
+JKTfNae6oq1/xnOevgrseru0RdTullPb/leYy8PHIUGfO8+EEqxYk9WZ06cFmD8C
+fqQ5OgFhKIirjmnHjodG42QrsQAx7PqkK8nuQ/Bl78hb1hNnE9aQ+STRGQ0pdmB6
+jbOLkxkT/QT/Ne4kQ3Lr3caWp2lsX1xn3oSUTIhFYCg7PkVKaFuGlTYryCJ61FnO
+EV15M2iSqoaQlN4wCQVeI0g+WZwPD1H3KAI+s+k9yOqYbg30T+ZXQN26/MoNIQge
+2OUKzuZUQIBKCLjZwvlOvwCMFjyN+kY4sINxFMCPwSIi+AFo85I0na9Jp88hz0ZO
+KXJ9NU9Bk6UIurX2Wabpgw9y5D7hMvbLzKSfJ7ag5wLCCVY24NUutIR3rMmB6EMN
+R8VNL653McHEJFWjy8dLhpYqGi5b7vNwFZ1l28pWV7Ff6S8unRNx+dRgRQ192Y+p
+5LiYrZPP4TaeONPy73u0mihT6OTXR/vAAlhnRXc988YD7oQQ6MRHqo+HNRUANQAV
+8dmpFt5UOVcUwIOQGDkb1YSU6M6LK/ip9zJUXWY5feLZ1Qcg/DBiyxNAuC/6l0fy
+JW5Dgs+Sx2qXQuY+tmRAcIhJZjDv7TBpeDkVfbXUwa0WfQzJinpNhPEMM8u+9Dxp
+IadXE82belH2RMpqaMJn47YmXxyKtQIDAQABAoICAAEBsKOg19XgwjWD7ZT5e+o/
+JbdQe5RuHDKGperYnres871oBF9ZWan2I5jIwFpJmrtP8sM+V1ZxKItDzGo8QnuW
+sbhsI2OW/GBDmmecIosgWWN4kzL7CgwOiDbq1OkqMmpJ04aAohAAfZrGmRT27R+s
+qFUJnDh2XeicHYj2UVfu29XzVTBNgj0StsMwnT45c5ktuL3b60pHSD0K3DlhKn/y
+AohJLyyDL5MBjkQ9RdLSWrR3ciOP332iSpAHq20G6ga04TQ0VH5jGN7IddJrqMry
+F3nLt+Pz4EgoOcGB8Ekx8SIk0ltKJ4PZF+uk7qT0+WPrG1rAVRYxNoX8M4wyNjr4
+TcAZsV2DnGdnp+2u0SSzMczeop5hPTJKxaLaPw1JOoIk5fqW94MbEHqGnEXEIN+D
+OWeUKWZ/B1YubavOeR+c3STZrh2SgmhKk6g5NMFlfnyvolPu47H8NOrewOhVG+TZ
+gsQoGxSyOXwZTQ/Jd6Yg9lek8nKJBc4Res7ia/x3H+gjjRoNFI+L2HQnWztx5YMZ
+H9M6hcpclZubO/w4iLq9OB2QUHn7aIT3lWRV/xS0Yh2zGCufasaMA1KSKC5zq0Fk
+gCzAkYDq/ymrJs3LQQ0wegKd1akL4z5fxmXTn2v2BGoEd52uuxhL0mM/9zzRxdR2
+IsOgAym+siLXMCHTDbdVAoIBAQDuMcea66WKidS+A9frCEsabYccKzrdMEhs6Mle
+orFieMC+3ZpzFIBkXPZ522I+M4nIdBKuRw9PnYTE5t30euOj60Oq905j2a+Ho4ki
+kW6dC+tNDF49Hqxn9e99xbvTUi97dREcERlHA+AnRektEciyD17bi88aUy9w83Mw
+G5Z+ej+9o40w8+TDopE2SIJhUAHR6LOAMq1v5y1lmTn0sbTuxZFLA0qWX9aGLi+T
+4RD0MzJAtKJDbr3yPTLHAXmaMSKHhWYYgWTH9iwEhGQAm5VJy3oNJUkM7ej7Yfs7
+aTDOk61egCKhEHdWavP68MqmNOPHgnq4/edmvQnhfKtI8SMnAoIBAQDOtWDi/OnU
+ZjZPnmJwwoPuXe6IjYg47bFRGv94xEpSesCAYdXNaNLPl0f/Ut9y3nXr+j+XqJWo
+UqtRGFu2i9lUK3cu90GLXEaLbYWGcgL8YnJu0senLxkqxPWcGxoKmbo3xMjqk/pF
+EVZ5e1qqVTlrB4q7QWmLKrS8YlcaTnChPeSBRFfryg/xvQ11Hxtq89SKkTH4ps16
+0KtiCxvfQHVASyRLIKLdyabPInB+yP3Fsn4BIx8jGtOQ/OCY01TXq9OyaRu2hJTk
+qsjOLnqf6huM2so3X0Tw8AdgNoF96JJvfhwiPI5CSo9UKjhuvus1Ip5ZFFNo4Ngy
+n3Zlgp1HxZzDAoIBAQC9ffqmo3sxqI8Hj3UxdIqS/rlyzm1o0+V6RwMT92gYx6nG
+7fLWRGQT8+TdcotIoqWlQ7oszTlABDdAkc3XlgANQre1hkLlqqM6y/3n8zzFUVsj
+E4jRJNrRZdTeAPV4mzRNCgfPhUbPuSSU+cgT48b+6L10+VeMQMtIF1T226uw+L5G
+tps3a3/9pxHQ1oRquESKYo6SmT5i/M2fuvNhWBJxtdjtjTPER4AZhRqykWV0cFo1
+Ib7I2Ivh74+6w9Ciux4WJCjhq+aqMYw5F72awitU5rw1QwlHcOldO0irrfZ3EQLm
+YBesfLYDmNh6NR9ydDcVXBcXnl593DvFF/IH+FYXAoIBAQCQZydLCzHy3oC8eEH+
+0fRGljooDO+IDYzcwwaLgF0HZ5eJWE97EuqKeP2kAWn2HjC07Hp2YSBDmZTyrxiK
+2wG1CjRVjAeu6oShrJ4mAQnS9JdKkldFlOJ4/WUza79yflgX05IkRcIFdAo8DY+W
+BLl66qbhD95CiU//dpew2fFWwx0ZrPvazar7zn1TP6rwuWvWbX5CXYyYaqP/dxE+
+khIXGyc8kI0WcWPlugJqn9CgxoO+GaIL7Ra1Z+MjACd6DyBxt3nTtKUrZZ+oYdHq
+Wypp6QJxUk2gH56XeRxXMBz0ZF4VEMa0ys98FY6c1yULVqbWRhvK3aBLJRkZ6vgj
+BorvAoIBAASy89mnP7d9jY7pSg/8znsUF8fQwKpRJZKS+8xgbzsZP+zT7CjxCbPL
+xcNK0fl6pRBv+gyIM013R7J1uvZJ3W6rspVxlXOvofvwYSuLOjwsZA26RM8s7Do5
+e62Bg7PUHbbaD+C8HzbJlyXeQ++oddWPbIkxJMwhP1Uvy3wA6c7E7w/UACZvv20J
+KriU33QmW/o0YpOX8xBVwgsCld+IfUIYm1S1mpU6k3oUfGIA5iyKx1XLTMhlaYUG
+dTdExwxQp73Jk585qWSpaiQ05OrgYyzZ8OHA2kRTPK+54HSwRfn6senf3TakZHBi
+zjy/DZmOU/a/EiR7MCGg+jS1x9GBxOE=
+-----END PRIVATE KEY-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client1-req.pem b/tests/integration/test_ssl_cert_authentication/certs/client1-req.pem
new file mode 100644
index 00000000000..b821609068b
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client1-req.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEnDCCAoQCAQAwVzELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHY2xp
+ZW50MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMBU0faoRrITeF4k
+pN81p7qirX/Gc56+Cux6u7RF1O6WU9v+V5jLw8chQZ87z4QSrFiT1ZnTpwWYPwJ+
+pDk6AWEoiKuOaceOh0bjZCuxADHs+qQrye5D8GXvyFvWE2cT1pD5JNEZDSl2YHqN
+s4uTGRP9BP817iRDcuvdxpanaWxfXGfehJRMiEVgKDs+RUpoW4aVNivIInrUWc4R
+XXkzaJKqhpCU3jAJBV4jSD5ZnA8PUfcoAj6z6T3I6phuDfRP5ldA3br8yg0hCB7Y
+5QrO5lRAgEoIuNnC+U6/AIwWPI36Rjiwg3EUwI/BIiL4AWjzkjSdr0mnzyHPRk4p
+cn01T0GTpQi6tfZZpumDD3LkPuEy9svMpJ8ntqDnAsIJVjbg1S60hHesyYHoQw1H
+xU0vrncxwcQkVaPLx0uGlioaLlvu83AVnWXbylZXsV/pLy6dE3H51GBFDX3Zj6nk
+uJitk8/hNp440/Lve7SaKFPo5NdH+8ACWGdFdz3zxgPuhBDoxEeqj4c1FQA1ABXx
+2akW3lQ5VxTAg5AYORvVhJTozosr+Kn3MlRdZjl94tnVByD8MGLLE0C4L/qXR/Il
+bkOCz5LHapdC5j62ZEBwiElmMO/tMGl4ORV9tdTBrRZ9DMmKek2E8Qwzy770PGkh
+p1cTzZt6UfZEympowmfjtiZfHIq1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEA
+fGx/D6rNeaVO/vSUGX5q1iJKd8Gnw+/8NRgbuvCDuDOSy8LyqnLmVntj8q9FHpJM
+SRH3LnylMVFZdybso2ZbhR1UDReGvHCtKICG3LLP1uWwy5nS3mkGBHFm9COyFP21
+kWOit1+106gEhg2f/NXh31HFmh+myepLjPEj5KxvnQhQfaQESsDYDZAs6/qT1mqp
+A7GixOXh7hIFBJ97cU7fKby0Wtv7GqKAYQkaf26ImoGijtMPIlzvwJboJWmOYzIH
+zrOHqspFkJD8YvYOwLIKdahViqXU7POL9uRn0vFyaXVcyXRq83Pz+bPSW9AFYsYG
+ukSZiJs1yCINZI/Mk1vlfaZWYPIbBkJZ0Ny0vw112dIEilWAkVdsmJyV95aBddQI
+Md64CYWZbV5P7/0QOX+v2ZQpWVnaV0m07K6VVuTL3bw6BQ9fcj7vaql6wl8jl/9l
+nEotaZiY1f1pUUko3XzXpZEFB1lGBHupuS/Plz8pfFefN/7sOZoWn1VhD9I1A8uh
+b2mg6hyQ7pe2NrHOTY1+L1xxxKKHt01kvDhws09qxRXtNsLrL8tl94i1ndLjHIwD
+/VRnVU04E/VoTKaEXuETLZwOZu8pLwdiejrWEAmtsbmmcKq/Bk42wa+Wrmge2Chs
+V8EOAtq91AjUcQeh7s2fV6yWweMGm1J6pdkNWckCsUs=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client2-cert.pem b/tests/integration/test_ssl_cert_authentication/certs/client2-cert.pem
new file mode 100644
index 00000000000..886cc533fcc
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client2-cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFMDCCAxgCFAXxDGdWf+MHldd68lQPasjUzyRgMA0GCSqGSIb3DQEBCwUAMFIx
+CzAJBgNVBAYTAlJVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAmNhMB4XDTIyMDIxODA5NDMw
+OVoXDTMyMDIxNjA5NDMwOVowVzELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUt
+U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UE
+AwwHY2xpZW50MjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOGIanwq
+rZCqMT+ePwRkiQnD0gyVt5+kwkb8X+fdBJRF0kr70YfzMpKdZP4l4W6C0Jv/ysIH
+usrI5pQxcFAIe/7DLW0JPkMLKgXsOtPNZPIkc7WYkq3cbzB0ZTsK8O3IYhwn0dAY
+O49T//YqM3TLTFsG89B6uCEg7dQiP9hh6boic8M/WyAseOkJNfw+wYcTWhl1toKc
+dLbo8ehESUtVhCOPVT602zBUYFkleqKPeHJ/gzl3/mTnqfeUBljGI2aXwOl7r6rI
+D/or7wew2HZ81dTGDqB+yqUhBIVNseJPHOuKbke2E2qWVzAkRnX4b2ehsSaSknpC
+KGWyLibaQyR0/Gt8Duu1XIsZKeFjCw27yogSTQ6xTUhLDF1anQyoJX9btSQZsTbD
+3vtHbD1O07KSfiG0Z1p8LaR10RAFA7f3HLwwy6c9ExpGu5ED+co8aO5Xp5wysg8X
+fYZYx4CaY3moQPJPDS6eOpUXd/6h27Fm34h9VdSj2p6j9JYsmTeEgb0x+JjAQyRS
++Koj/tbSbBqjbvO+FUaldRlHCHYCQTnjsSNBf7SxqE9lfgFitcgiHKSdD7QIfwNB
+EK1o7L8OugC/SQtHGe3ngUGuNmHI9w6ItGuVqoJYP3Hwa6ClGmYlTRLoAj8NkBib
+toxwGIspTlTzmmLXpqeZTPaA2K5eiq8O5DKvAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggIBALp4L1aky2jfgk18tney56sUL2Us2aHqyOz9LlowWFdNMtCKo0WKpZ1qXGfQ
+92QE+zc/MEdmv3V/H1MmSr7trTq1u7E5vVVI9Lq2lNbRLDQLi1+qd9E7Kdl6Oxw/
+Ecc8oxIbg86p83HhzPfJG64m3x6S6m2c4sNrHRAO/gxxJex6ZSFfQwYJZFlcvvBX
+CH70RBtBG/ggasVtwqBuuIRNJ2gAtiWG2RtyGlOjPiAg7nUQiYlXLHVOjvrKDvrI
+KTjzRdEUMqKtIrNUBHSbWZlxKZ2Ddavshg/0T0reAN/u5KTDxiGaQxlVEA7xfm+j
+etqjzTz7LnKuRsA+Z8UUYaV6mKYfKObDoUs/12IomRCUTQi1K8MP3fGmmk+4Xiyu
++t15EqWJzhjuT2RjCAL47X6ksdOtonX9t29l6ykCvYpK1mlzG+EhqDyMIn62TNfx
+OFjWwhIFgyEUWtwkihIKtv3ZVtrJVO/j+HCUfq+6IpjYHdlpdb4OaHgBtpokOtM8
+PmTHJbP2bxmNIMAU1WTfV+e/JkdTKHJclC5DTGF48yRgdKSOTq0G1eJYh4DhlEIM
+vOw2rXeWR6VSkvA5vF7HANEptl1tkT3dsKR4BXkSIO16ldWBEHMM4UeXx85GGM0k
+TRON4FWBMi6PXX6mrmPXcUW7AyKG2JL9gNlxRgWHVK7xmZyp
+-----END CERTIFICATE-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client2-key.pem b/tests/integration/test_ssl_cert_authentication/certs/client2-key.pem
new file mode 100644
index 00000000000..462916c0670
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client2-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDhiGp8Kq2QqjE/
+nj8EZIkJw9IMlbefpMJG/F/n3QSURdJK+9GH8zKSnWT+JeFugtCb/8rCB7rKyOaU
+MXBQCHv+wy1tCT5DCyoF7DrTzWTyJHO1mJKt3G8wdGU7CvDtyGIcJ9HQGDuPU//2
+KjN0y0xbBvPQerghIO3UIj/YYem6InPDP1sgLHjpCTX8PsGHE1oZdbaCnHS26PHo
+RElLVYQjj1U+tNswVGBZJXqij3hyf4M5d/5k56n3lAZYxiNml8Dpe6+qyA/6K+8H
+sNh2fNXUxg6gfsqlIQSFTbHiTxzrim5HthNqllcwJEZ1+G9nobEmkpJ6Qihlsi4m
+2kMkdPxrfA7rtVyLGSnhYwsNu8qIEk0OsU1ISwxdWp0MqCV/W7UkGbE2w977R2w9
+TtOykn4htGdafC2kddEQBQO39xy8MMunPRMaRruRA/nKPGjuV6ecMrIPF32GWMeA
+mmN5qEDyTw0unjqVF3f+oduxZt+IfVXUo9qeo/SWLJk3hIG9MfiYwEMkUviqI/7W
+0mwao27zvhVGpXUZRwh2AkE547EjQX+0sahPZX4BYrXIIhyknQ+0CH8DQRCtaOy/
+DroAv0kLRxnt54FBrjZhyPcOiLRrlaqCWD9x8GugpRpmJU0S6AI/DZAYm7aMcBiL
+KU5U85pi16anmUz2gNiuXoqvDuQyrwIDAQABAoICAHZuu3RuuOxB41DEGdWFsczV
+7wS6zk1gKME8IGTS1GfEbpT/vd1FYaZKTtGDNOlieoehAGl5w6Zfb24ctBzjB7IV
+7lHWy8JLJ4sqrQ2ySzM43yZac5QnMKBiTxJ9QV2sn5CnfG9pekVe2Af9yz2m0Hbw
+pLIy72Q+NYXzYlGPwTwEgYPjTkgL8oZ1VssabWgwSl0aSng2DrhKhVXyHgcYZiaC
+S0J9mKi9dkb5/ndFHfwKZ++Syp1UZhXjvp15lvd181DoqavmGTXHQmNog5NdJLDy
+PJYdXu7t8sDJtwLfhpFOBXFU9MdBIZHfSr0CdAYYi710tMTM3wfgVIoEjcOkRzRx
+36O66ehHfcyNsK52Z+DZ6uR4c+MOG0kzTiHQhyxjiu+3nYMGw1XdyE+k+eZDMPd3
+vTaR7kYOQvVvdOVAUuFZG9mK2p0mpofb9cFxFD0vJUqTYXxSdKUNIexR4mWQJw/h
+rWOg/42GK4iLY2X6/CsDh6pTsM+HCzwmTGGkL54FvDsB2AhAhXPz/kGiBRTrh9/p
+QBxacSPoqN+kF3u2qZRPEmjuimiW2AaXARbTABNSBQJIEmWzWOVdgUBVetGoN/ML
+8mcYDmXhAc6F96eqPj0dX8cHfqYPguPhtzLj5V6XGym7hYQyOLBcE7tr2BcdjUfM
+V6OFHsPNmsYWZ9F6zCv5AoIBAQD3M6gziCA0G0cG05ef0C3D9OVGWpHqr0yiR3MO
+ZKsYbJJn4WOtWWvo8N5oqZBQ8VIoyGd1eiSIDuxXEWniFWjn57QN2nrDNTsEQPgk
+HzomgFzuDZ7V4JsjJ9F2nAG5i2HoEwKNHdzfni6mhwGaapd+4GlET0jlC71p+h0X
+CPsD6Jwabp6OUyT+xm8XW3mTWskBzKfq0OPbsdv8UB1dPt6jVrkjoe76TlTsWXWi
+U9p9/h6kI984R9T10J61c21dokuL/KlHqb6TIQY3RcCgm2bfucmuawIq6vs1PBrK
+VCvMX1BuTva9CYg/+hxm9Ky08jFWSCEEtzaORyN+4mmf4maFAoIBAQDpj1NoI7RP
+mYqG9vHyXSDUUNbchpLOFKIaeh2DGk0sFmLi/obglsxOKu8K3r/EobNt+vpDTBxI
+1EjPWdKuaXNYYjNjrVmPHdHPoHD8JmXzJDbZnXSylV9MVYSMNF+7BWUiPg3/QC7b
+1a+ljJH/KEWFb0xrIfNPxVzyq8dyFOxcmLfRVLYlEW+fRYeaZ3QApxGi/BoYK8KN
+vG8f/a8jpPwYCVa3JJ7/donEtsbxTkm66aacn8Vo2Y/tdo0nxyqC9PyBU+tV0u4w
+aYtEZ28kpC9QheRx8D7WzhvsFc/KsshiB6jddjOVR6VgiUFCo+b/5PqpyZVTVrcs
+tj8062A3KvyjAoIBAGRPn/eZS4gZcY8BmcuODKQx4j/UTNXw4KYRXE0A6LT2icqB
+mZMkcDeMVpQeCqPt6SsHd4QiVmSnuZvzQwYtLe69BUGB4MMJ/LLTMl5mFZC+Efe/
+qy6bABkZ9VOuJr0GJGqqHCTrc0+CvudwbWQd0O/5XH4NtkTLqMcyaU+Jo2KIp5/K
+N6kFcEO6fiX6RrFW665BP/p3XZ8u41fVorTN6EZb0LD26yTDWI64FpYSdN0fm4t7
+yv7ply9QwrZa6oxOaV2a345nASBvDDito2cI6IvstjyCy9RimiGWDEECOuup2deJ
+T3KSRanAcnoM23Bpvz+F8XAacJb3ox2//qCUnIkCggEBAJHl2XllTF6pEFLs8giv
+SjG26fFKE2yukPCvNb5O8MRIm68mxkSHjsqJoVeN/Act57MdI7ZkVgrcqTr15ljT
+QJ2GgomSoS54tzbXB51Ls0XmamkYJezkyGobxbf7g42Fej6guwenJV5oJtfobs8Q
+bhVDiF4oECDVrhFdYzKNhXT2ZWVbYIjZUnwQ5/t5Aorh0m+Ywgg1VcxKWLSIOR6w
+ElZFhyjStIvqlXcPokjc2cvr5wtR9vRfa7wv4U9m59R0i0OSk6DCKc6OL9QkNNaT
+xYasjR7rr6VpjSG2Il6BvhEWrdLh4qku30zlkKG7VzKk7Dyh0ykDM1u34NYC7tCn
+hrcCggEBAO+Rnkk5eYYqGk/64+Qy5qA7djvvZ8AgihwJL3+ZUDSOxh0W+Er4NB6n
+j0kI22N//D2j6hg93TNj9jI6lISfmY+TSikr/P+bQPGXl8wvekQxpjT5JhCYI93M
+LXnSULuy7J1ujkMGdxEvfOTjvmD0ejtnuaGd+jM7hx4QNBbJj4VdV+r5BQOJAlfY
+gk6n3RgAnu86szquWM6dObIz9BWtIcMVGlxA7yDmxjVDDHLwGpcwG+MTQRcHoeT6
+2+b7FtVN1NFLazfgPS3bxKs5jaUB+Ibm9BD8B7THviNikqRYqwoJMWpJgdWo/lOQ
+X0ueOR40kfa077G7jNfb03qOPUR1mFw=
+-----END PRIVATE KEY-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client2-req.pem b/tests/integration/test_ssl_cert_authentication/certs/client2-req.pem
new file mode 100644
index 00000000000..846f6db84dc
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client2-req.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEnDCCAoQCAQAwVzELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHY2xp
+ZW50MjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOGIanwqrZCqMT+e
+PwRkiQnD0gyVt5+kwkb8X+fdBJRF0kr70YfzMpKdZP4l4W6C0Jv/ysIHusrI5pQx
+cFAIe/7DLW0JPkMLKgXsOtPNZPIkc7WYkq3cbzB0ZTsK8O3IYhwn0dAYO49T//Yq
+M3TLTFsG89B6uCEg7dQiP9hh6boic8M/WyAseOkJNfw+wYcTWhl1toKcdLbo8ehE
+SUtVhCOPVT602zBUYFkleqKPeHJ/gzl3/mTnqfeUBljGI2aXwOl7r6rID/or7wew
+2HZ81dTGDqB+yqUhBIVNseJPHOuKbke2E2qWVzAkRnX4b2ehsSaSknpCKGWyLiba
+QyR0/Gt8Duu1XIsZKeFjCw27yogSTQ6xTUhLDF1anQyoJX9btSQZsTbD3vtHbD1O
+07KSfiG0Z1p8LaR10RAFA7f3HLwwy6c9ExpGu5ED+co8aO5Xp5wysg8XfYZYx4Ca
+Y3moQPJPDS6eOpUXd/6h27Fm34h9VdSj2p6j9JYsmTeEgb0x+JjAQyRS+Koj/tbS
+bBqjbvO+FUaldRlHCHYCQTnjsSNBf7SxqE9lfgFitcgiHKSdD7QIfwNBEK1o7L8O
+ugC/SQtHGe3ngUGuNmHI9w6ItGuVqoJYP3Hwa6ClGmYlTRLoAj8NkBibtoxwGIsp
+TlTzmmLXpqeZTPaA2K5eiq8O5DKvAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEA
+3DJlf7AkZklzzswgm487f+y2bB7IYr55JwENASDxQEOdVcdgLC3IWu3hLiFwdqac
+0Sw2OHZuETwJiIX3fD+qUT6TgbsP21W7wEQ4jfKg/bsXFMbrvw/ILkOW2JLTH4Cc
+9ylCN+46dQ9heATkiF/Co+uASz9IoSDdtoycA3BuKGBZI8VGa56QmJOOsMM5NgxT
+RTh2r23tV4E8AGYj3HC+b1rzK1RTlsj/m5nM9Jv0/NqoV1cprS1ONr8CBhN0ttuA
+WLrG+DUZTMJYFabqTptlgejQFhiFp5HT5A+eXgZ8uEUX1I3q5jq1BEWtLdmJNZ45
+QViSJOokH/+1kfRSWiAH7pdBz4URLBcsDhAag4J7kV38t7fgdaIizY8R2Ss82iEP
+xqa4A0PA065wB44zng/VrPrHoH1YnGRugXEnrqgcipC0FxUl3oQjvwOSR/E7yFU0
+GIr1MpRcyrd0z4p16783qnMpE1Aa0msED2SBKIK13WcNY+CtDF/wO47ZNywl1hBo
+VkM+ohPpmonaVXNGdpdoZpeGjkBUbqkn+so4aYkX/WuZ6vY2vwdV0prD1vdAFfD2
+AeJx5ypu5aeKn6nK0eMy6W/VEJx6RLCiYVOCIcssgy31rmk4iLQJP2StYVK2mZKp
+5aSR4eTv1/XlMujq+ZqcuUqA1id9wP7908Xr0DzdNdA=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client3-cert.pem b/tests/integration/test_ssl_cert_authentication/certs/client3-cert.pem
new file mode 100644
index 00000000000..ce9a472cb9a
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client3-cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFMDCCAxgCFAXxDGdWf+MHldd68lQPasjUzyRhMA0GCSqGSIb3DQEBCwUAMFIx
+CzAJBgNVBAYTAlJVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAmNhMB4XDTIyMDIxODA5NDMw
+OVoXDTMyMDIxNjA5NDMwOVowVzELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUt
+U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UE
+AwwHY2xpZW50MzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN8Bt8gv
+50J66lQ+l/NUW+lqW4DesmSLv1BnjDd5SSA8tfczt999/l1epAGeEN/Pl4dAxXP/
+cxpx+J+xF6SKNxQ0RP+PHQMiDzCUgBq4OKs09kDQ/uvycUZlQuWPtR610TWjZR5r
+VrNSwJQp3VGDdNyEbKj/yd6Yi5NC1iLuqPC20fw5/9BVTm1P2wWX7nv1AWs235s2
+yAG7pLNcgPiTfSmXyyT31YBjb9Onun7gv7exI/3K9mS+aWq6ci1xAXtykVCs551T
+OQmDAUxda041YghEThO4MrZa6uSZqVwnoUcXTla+8biLYb3+9CnIjM5whAOTR+9r
+jpsuuXEUOsrX9Mgb1HTS+ksmrA+Eka7MdVi60Hoon09uNvcTM8CSKNgnTzcPCM6t
+J4NHDiimJM5WA/eY8i3NNCTa1HUGEeIK51UOdjIFKsvzG0TCI2FM7jQLJK5S38tI
+deZ98iQbguVGhoCvRotLEAwW1M2rSOu7bxAZU4QJ93IuUfkLn2BipOuyuR55Z/6F
+z5Jij/1lK2/pKWhntUHTIpG+bBHDF++0LN0aB29uIwYRkoz9JUgnNz4FDVbLvJ+z
+5Ywr61t8AujZdfMZDpRYlzfWPGej8pm7/Eux5jgx/3jcLtqfqkfZLSuFjBKfkUU1
+eGsC80RupMJKIeppv541W6nQJlmJYKv7DCvrAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggIBAD+YMVntBdeq7xJEL7xU4QEHzUGhDWodGMJfmswcxe7gf5Nztcq5YIug+akL
+ewg0wzgCA5YGz00J92sKDF16RmYyPfkxmrCYdNGwISjNJyEEcPEVkdAzwILjv2Lq
+0shFlSsf+Zp/M4XhHeirmzz/jJ9KHlzEYoCz1WOn+UGF12KgV2oQOamJSWOMCoMh
+81oy90V5IlCBqnYfZCYj7cbYLBd5jZMZ+7lsVnxttzPTg1gIoP6vrLT32Ubnzx9N
+IoAeiUg7az/fbnuOkJtu0cjz9aSdpjm2h2giyVAFJ8DkQ9C92tdr9DWZKn7rDO16
+TMdv0q8NFjRGhqdmqWUG6o2cUmQsJ/ZiIcHx5X1b7j7PYSS+ae9zi1tcpHAN6kCw
+WHguIf5I8MIZxE741ZMBokFSIqd6Bh1EP/TUx1+g2a/nH3ZaNd4/KKADxfUU2Y58
+UwdKeX9YpcRz+NNO+1h3NoE1a/i0dhwiBf4OzBiV0WpAjQHT95IlQxTxfHFp42IH
+GrbqIS3qK5DKlNFkBBk1beKxBGKmTH+Pw6fhjkuPYQzjmGo4xluivfeT8SiBT2iO
+uIGLd+sitIooom0KEjHuHS9cdZ5XEPIUDAFhmIt7Y5K8J2fs+xtYzhibg3n0Q6qh
+xTx7GzhTA1HSUE/467af5J3CSfpGAjZQZo/t2/A6tCumzk9F
+-----END CERTIFICATE-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client3-key.pem b/tests/integration/test_ssl_cert_authentication/certs/client3-key.pem
new file mode 100644
index 00000000000..b7464eb2866
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client3-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDfAbfIL+dCeupU
+PpfzVFvpaluA3rJki79QZ4w3eUkgPLX3M7ffff5dXqQBnhDfz5eHQMVz/3Macfif
+sRekijcUNET/jx0DIg8wlIAauDirNPZA0P7r8nFGZULlj7UetdE1o2Uea1azUsCU
+Kd1Rg3TchGyo/8nemIuTQtYi7qjwttH8Of/QVU5tT9sFl+579QFrNt+bNsgBu6Sz
+XID4k30pl8sk99WAY2/Tp7p+4L+3sSP9yvZkvmlqunItcQF7cpFQrOedUzkJgwFM
+XWtONWIIRE4TuDK2WurkmalcJ6FHF05WvvG4i2G9/vQpyIzOcIQDk0fva46bLrlx
+FDrK1/TIG9R00vpLJqwPhJGuzHVYutB6KJ9Pbjb3EzPAkijYJ083DwjOrSeDRw4o
+piTOVgP3mPItzTQk2tR1BhHiCudVDnYyBSrL8xtEwiNhTO40CySuUt/LSHXmffIk
+G4LlRoaAr0aLSxAMFtTNq0jru28QGVOECfdyLlH5C59gYqTrsrkeeWf+hc+SYo/9
+ZStv6SloZ7VB0yKRvmwRwxfvtCzdGgdvbiMGEZKM/SVIJzc+BQ1Wy7yfs+WMK+tb
+fALo2XXzGQ6UWJc31jxno/KZu/xLseY4Mf943C7an6pH2S0rhYwSn5FFNXhrAvNE
+bqTCSiHqab+eNVup0CZZiWCr+wwr6wIDAQABAoIB/0I0QFst3XnfA7H+4x1Z7e9d
+o8yeUFeJJUK5eub9Grh3TY4VzICM5vbRId9ZDalj95gvom7NZ15yd1zxNhOi9LcK
+zXERC4vikJ/bdix4hFpPXsvfP87MKtS7OyDriNmVIIbL+zkMpLCX4JQb2ZhZblgI
++DkztrpejxEoxmmYcI8Ft1Ep5sfyi1XoXx1J/YLPOZyarcdme/oHut2EmMUzA/VV
+GvnemYOEAa7UHImOL1xZOlYd6wf9f04wC7Vx1v7PBFTu/9O04TnxqnEBStns/y11
+GbjA9k0ssI8tDxpMqZRxVtBp31jqCBpflhzRbPvca1SkZLavN6baODNZzhpqAkDX
+3R4lU5C7wu4jtzydUyEsCFNdtkGKlxpZRbRZk+keUC+HeCmXPED7p9egwF6Zi8VI
+oaXl1KvHZO2W5x/BV9I1taEPhmOuRR49KxkU4e+IjqaWYN1qsqYqCs/od22Rah72
+KT+thr0mdxC4lb+pvteafricUQuq/dSbEY/lva7PhPQRKVX/VxOaAxBnhA1LHVgZ
+imsW8W3eOQYJbxniTrz9EblWAg4dCcupsjMDUDUyACB/E6isDtYU1J2im6p4gbqw
+tXg3bRh7KruIHbPSJyrFm1uqe+v97TLhpwPHKCsxE4HiJgRzaQDRckLJQebqNp3Y
+e7kLLjg6uGsjAl6OwKECggEBAP5bLGVrmBmAz8RYPnG1MQWlsFg/eIhMFCqMjT3P
+swPUU2VJKC3TC3OwFLxlAr0lkXol+8L8aEvxGjHksleA+1z0lav43b1/2jKgLgI6
+Ym5BxMJa+sUJpI6K7CedJ6wf2ozbpVXazvNBZ3o2l0QbC/KpX886CZH9YJgn7N0M
+TfPe9er5zmETdHGTWtA0sDI8fZ8XndKmnWG9KTQCGur6gemF8SKuzGv/BnL+BZnv
+bDqSvyN8Wjk35KPNeKVW78ROxRuEdB5brryGk955hX50PRRoofW8GSmLJNKNYvIj
+VRkKrDKpz8gW1C2/xa9j5tQkGRFMDAptmk+yvtmDxfZz38UCggEBAOByrXLMTcwR
+bz4MYcSmEdLv2VA/bZ+y0kW0frUU5il2fyQseoFbunVbTDiXYf40uueMbOONZktM
+w04CXKRaTbnS/s6SGU5VW19jv+xzwrzpB2Shm08APwgFnSw40bKCpN4ZWQbOyFVq
+QIMXfA0+Go3zJz37MsSgY+mzhHp4WITobVFpdlhaLvrLPCB78uInZrFsvNN6NP+K
+OIbOoTA9u+BP73THHkpQdrRJaJWowpqejz8kzQ/Xu0Xe6AG1EGVp39phKpWH9TPF
+8xoxjbdIGPkzCzYO3hgz6PlnWVj8iyTxklnaUblqKkY2mOlMA00ujcdF3d3IHvaM
+Xolej+XeZ+8CggEBAKeZDdzaE4Oic8RtXN/xwxZ0gYj0cYhlkNgkeqCi7dL1IepY
+VQg0ypP1DwTADhjx2zTAOG7XgCWh/V+o0LaFv5sVclW5iuplhzHah9ZiAB+kaHCk
+IB6a5vohoc/MZqqs5oXv6LZ0ke6JRxSpSezPYYUIg5/5Hvs6GF7J1/IjPG4XmLS2
+23zto8l+jdUpEnxXjXK5zf1SWdtgF/kz9ealH9rurd/ri7kRdn9oz+oJb6f8r8ND
+GfQf1yDzr65KZXxVZt1l3llukemZR2/NZN/Y2bJL64QO6AmOrLmr/emMzHLOrH5J
+lCbEnBR1C14xFpTsIDRchoaMh6RCJC0Q/e0Rlv0CggEAAOIysJsBS2ZeK75cvCtz
+MoNjNZ+qTNClZ0TYotncNhmTUo8iRFQaHdAoMqjV5+xJOBQjcZni5zT8J9h2iOca
+GzsraaDFnLtVSsDXxpSGFbxNHSZNuDfmB6AOCFiI6sz83Sr4YMB7pWpvqpRzFpJC
+BIEKjIHqpz+CZS8hvGGw54UKuSFTJ/Hi8XXPXMlgIWfKTbSB4cs/XiorIsy5cbks
+fiuSY8FM6zn53afUU5KAgZ9SLQt2CzPsNtAz1Z3i3KNYEEIFquUIIBYNaPL8/dW4
+03JR/vp8AVhi+Ghhv6nu2kxhKR1k6Pf0Bqa8X16/PJSMVlZ+Extwk8Pls2C97Ee9
+3QKCAQEAgjcbHKBjd7AeyNpPSzNpv81Rry5qqOc+Cxx8LtOHBl1wc5VB5FPxfbuX
+MX2skvWPnokDoXcI1a1WQwdjaZUsSoqdeyPtw8pFWiNLJZkYImiP3zMCZXYUEkzk
+3EXQZryWEqBYBqxlEvTyjbBmnrAwOPOUKARFi1l9JKJ4QpdELXo9Yl+w2IQEQ5N9
+jrSY7LwS/cb25rhEc6oh/89aY83HPyABh4lC9bsciXki54YIeS+y9ijN8yCRxikr
+mVGfQ0Y/qcY9spAj05yr/vnlENBB5ohxwKKsemOnH93E2GFxc1dzmWCGvISjUduB
+I68TOg71OfCKgfeixNgcOvQoN+xngA==
+-----END PRIVATE KEY-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/client3-req.pem b/tests/integration/test_ssl_cert_authentication/certs/client3-req.pem
new file mode 100644
index 00000000000..7b4445b3609
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/client3-req.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEnDCCAoQCAQAwVzELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHY2xp
+ZW50MzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN8Bt8gv50J66lQ+
+l/NUW+lqW4DesmSLv1BnjDd5SSA8tfczt999/l1epAGeEN/Pl4dAxXP/cxpx+J+x
+F6SKNxQ0RP+PHQMiDzCUgBq4OKs09kDQ/uvycUZlQuWPtR610TWjZR5rVrNSwJQp
+3VGDdNyEbKj/yd6Yi5NC1iLuqPC20fw5/9BVTm1P2wWX7nv1AWs235s2yAG7pLNc
+gPiTfSmXyyT31YBjb9Onun7gv7exI/3K9mS+aWq6ci1xAXtykVCs551TOQmDAUxd
+a041YghEThO4MrZa6uSZqVwnoUcXTla+8biLYb3+9CnIjM5whAOTR+9rjpsuuXEU
+OsrX9Mgb1HTS+ksmrA+Eka7MdVi60Hoon09uNvcTM8CSKNgnTzcPCM6tJ4NHDiim
+JM5WA/eY8i3NNCTa1HUGEeIK51UOdjIFKsvzG0TCI2FM7jQLJK5S38tIdeZ98iQb
+guVGhoCvRotLEAwW1M2rSOu7bxAZU4QJ93IuUfkLn2BipOuyuR55Z/6Fz5Jij/1l
+K2/pKWhntUHTIpG+bBHDF++0LN0aB29uIwYRkoz9JUgnNz4FDVbLvJ+z5Ywr61t8
+AujZdfMZDpRYlzfWPGej8pm7/Eux5jgx/3jcLtqfqkfZLSuFjBKfkUU1eGsC80Ru
+pMJKIeppv541W6nQJlmJYKv7DCvrAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEA
+Rggrols8hXGEcWeIEGn66kY9IVTzaTUf3oMfEbdf/2Q1QzHzmqp53yamHl5ioMgX
+o5UBVxthgh1VOxkvCxIzlKDJprzVFkfwwc7h9c0HGt3No/ERobHDT6YRaGukAL5g
+muIGBUseyBAOIfyqc5kbCRWfPrAOttAH4gd8XMBgO8XdfHAvyXBC8Ha55O6oriX9
+IAKL5+3nVJkBle+62OmROnstbcdKyK4UtOeki/6ptYVE0d9I+NfKjuk3eKtICW8Q
+Pn3IEcNEZoFG2UQ19ENWwYEZyMZJt0aunqnm7L4RYiZT5w4meeendzXSKLKR6+Ye
+ULt1sDRskgKoNRzmeCVzci05BG48jv/E7Az6aV/qhGiU2qIAPMdVXncWUhR3fj+E
+CL/uLifOvfC6SnKw/7qQmgjUvEe4Duvi670a5QuImpm/mAIN22cXPc+QquSdR5xy
+loz/o3JJQZemPAOM0CMIHZ+cGESxH30QCBNn5HfcOf5fRZVCss4Hl6JxHR2G4yN3
+RKEIUXR03qgSK91WHl3WvqwXgmIAiUuvPjo2i7kSuaUUHilZiXK1ngIqYfUTB5SQ
+O8pG0fx3fbhVDA3RQfXeJE6FA2AyLvqOcsseRzvcQjQm4MU7p+RVaY17rI6/EkS8
+ac3E7BPwnXqSAkPSEgoiezv/Z0Hkmrcu6fIsUuf4ETU=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/generate_certs.sh b/tests/integration/test_ssl_cert_authentication/certs/generate_certs.sh
new file mode 100755
index 00000000000..d6126d361f5
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/generate_certs.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# 1. Generate CA's private key and self-signed certificate
+openssl req -newkey rsa:4096 -x509 -days 3650 -nodes -batch -keyout ca-key.pem -out ca-cert.pem -subj "/C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ca"
+
+# 2. Generate server's private key and certificate signing request (CSR)
+openssl req -newkey rsa:4096 -nodes -batch -keyout server-key.pem -out server-req.pem -subj "/C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server"
+
+# 3. Use CA's private key to sign server's CSR and get back the signed certificate
+openssl x509 -req -days 3650 -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -extfile server-ext.cnf -out server-cert.pem
+
+# 4. Generate client's private key and certificate signing request (CSR)
+openssl req -newkey rsa:4096 -nodes -batch -keyout client1-key.pem -out client1-req.pem -subj "/C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=client1"
+openssl req -newkey rsa:4096 -nodes -batch -keyout client2-key.pem -out client2-req.pem -subj "/C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=client2"
+openssl req -newkey rsa:4096 -nodes -batch -keyout client3-key.pem -out client3-req.pem -subj "/C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=client3"
+
+# 5. Use CA's private key to sign client's CSR and get back the signed certificate
+openssl x509 -req -days 3650 -in client1-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client1-cert.pem
+openssl x509 -req -days 3650 -in client2-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client2-cert.pem
+openssl x509 -req -days 3650 -in client3-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client3-cert.pem
+
+# 6. Generate one more self-signed certificate and private key for using as wrong certificate (because it's not signed by CA)
+openssl req -newkey rsa:4096 -x509 -days 3650 -nodes -batch -keyout wrong-key.pem -out wrong-cert.pem -subj "/C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=client"
diff --git a/tests/integration/test_ssl_cert_authentication/certs/server-cert.pem b/tests/integration/test_ssl_cert_authentication/certs/server-cert.pem
new file mode 100644
index 00000000000..6f8e5a3c6b1
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/server-cert.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSTCCAzGgAwIBAgIUBfEMZ1Z/4weV13ryVA9qyNTPJF4wDQYJKoZIhvcNAQEL
+BQAwUjELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAwwCY2EwHhcNMjIwMjE4
+MDk0MzA2WhcNMzIwMjE2MDk0MzA2WjBWMQswCQYDVQQGEwJSVTETMBEGA1UECAwK
+U29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ8w
+DQYDVQQDDAZzZXJ2ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8
+jV8igQGgCvu/7BJDI5VQl43VGAFjH2Na/E9P4E5uwkSlJVED1WKvIlxRWhOaQOfC
+587nZVhQtHpdbCvBdKrHml4SVbTchs5SN2kZsHeqaQzcGnejnczE0SYo4xNyniSv
+GiQ1M8G3fiZNflEIPM/+Ob2oI3YnVWFGy0a5rQcHZWS45KuGILMP0aRHyzyh/31c
+K3i2xA7A3V2jBNuD4kHG8TLgfDeoCecTI0iU/LJnDOolX5XdpyeoJ6YyYOGg3F9e
+bRmbNlJN3Iky3Vzyc4jYG7y6f5DqfebYMW6hCvLpf9lN6/gPNOb2KjL3hvJ+hbj+
+b9EkVAzpw7mW1VHEy+WbtYMPoKy08JTc7zr1tv/vQGr3XExwlC9iixZXMaVt1kP1
+TEVHv2FiUOiZsVaqtoFpS/wBvKeQdkzNy+66pRpG9bLuOnL4hlz+rwHkdBmHGk+q
+cXdwglqIDqXKlCpIMSkFPH1364KLdJ2qBgWWoWCJjUmgbrA8/LU6DX+GBbEiw45T
+PQKP//RMkOrHOYRD33WTU0iKP61zn5+9RD5OLxEUOtCvL7AfB+jt4vYrMTT2U3Kl
+OckWxNx55bYLdLfGKtepGV2r5xzce0UMbWQrXQRuka3a/j5VJUTuUgcwgd6FoP4N
+4ObW2H1YEtE5M30xpa1kcqJ1RGEWagakISgn2Z3TywIDAQABoxMwETAPBgNVHREE
+CDAGhwQKBaxNMA0GCSqGSIb3DQEBCwUAA4ICAQCE2eJVcvsMmJu6xAfoE6/u6BrD
+opMicCtlC2qt0BgSIzzDQ/iWjnWKGM1C+pO+2G0WTczj7ugsxjPzhkyBpuEZaWt0
+9/tJTKIrgaRZvEe0ifsJxyqL5LJgfxK7TbDPcUBKr1v+TOxPVRq0FuG16x+yka4C
+rwxfBHU43FmtEFfgu13r515F3ggXcdlojkce8ZKtTAGEcN0MpbJ6XS90BHU0sy5A
+APTm0fR0vM3kg1nuBLbSGF5KfASdw13gb6QsDbll0IqK8LvXYiX5CaVfkAe/pFkO
+/2iIxYW74yC2gV+DcFdRPVfFxSKrdg0tDER35OYg1/vXRjV5BWr1EjE3qjrCcUZy
+rlF3fms7Arr20ka2nSa8avn4ALpyJZmKasoxNAAsxivingNVZkql48OqsJ3n0qGk
+LI6Yu+UM/pc78a3NHsdsCbnf8qvae4oJa1kyiochJu+gUOzHvs4Ydti9iTQn2Byo
+2A2LzyVPBmSOhzdQ7SwpvHA4A2ftao+dZoA/+o4rmBtbmgxjpBPyPJTN0ZfKlpKl
+Oyi57ov+cJmZctSUbP3M11gBva7aYu1Rd7/eXeCEl1FHhmKL/Ee+UrNZLiwspb2E
+Sa+pOHdJX8VgsIYXku2UKaGT2QFITxO7fnxghioxgsyCKrQ+m1gL9vgXj/gJu+48
+c+5CZ9SobLdMkVOtQQ==
+-----END CERTIFICATE-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/server-ext.cnf b/tests/integration/test_ssl_cert_authentication/certs/server-ext.cnf
new file mode 100644
index 00000000000..83d9b03ccb7
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/server-ext.cnf
@@ -0,0 +1 @@
+subjectAltName=IP:10.5.172.77
diff --git a/tests/integration/test_ssl_cert_authentication/certs/server-key.pem b/tests/integration/test_ssl_cert_authentication/certs/server-key.pem
new file mode 100644
index 00000000000..065a2290749
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/server-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC8jV8igQGgCvu/
+7BJDI5VQl43VGAFjH2Na/E9P4E5uwkSlJVED1WKvIlxRWhOaQOfC587nZVhQtHpd
+bCvBdKrHml4SVbTchs5SN2kZsHeqaQzcGnejnczE0SYo4xNyniSvGiQ1M8G3fiZN
+flEIPM/+Ob2oI3YnVWFGy0a5rQcHZWS45KuGILMP0aRHyzyh/31cK3i2xA7A3V2j
+BNuD4kHG8TLgfDeoCecTI0iU/LJnDOolX5XdpyeoJ6YyYOGg3F9ebRmbNlJN3Iky
+3Vzyc4jYG7y6f5DqfebYMW6hCvLpf9lN6/gPNOb2KjL3hvJ+hbj+b9EkVAzpw7mW
+1VHEy+WbtYMPoKy08JTc7zr1tv/vQGr3XExwlC9iixZXMaVt1kP1TEVHv2FiUOiZ
+sVaqtoFpS/wBvKeQdkzNy+66pRpG9bLuOnL4hlz+rwHkdBmHGk+qcXdwglqIDqXK
+lCpIMSkFPH1364KLdJ2qBgWWoWCJjUmgbrA8/LU6DX+GBbEiw45TPQKP//RMkOrH
+OYRD33WTU0iKP61zn5+9RD5OLxEUOtCvL7AfB+jt4vYrMTT2U3KlOckWxNx55bYL
+dLfGKtepGV2r5xzce0UMbWQrXQRuka3a/j5VJUTuUgcwgd6FoP4N4ObW2H1YEtE5
+M30xpa1kcqJ1RGEWagakISgn2Z3TywIDAQABAoICAQC11lTwLp/Fm7IL9fvquc9P
+CMmkv2DfGi80WO2YJ8ccM8gFyEYoP0rLgYSshAUxlvSr1+iG6grQ0izMGfzctcnZ
+c3rTjco9fthNG9kFCFVvh536SqAkr5MCIH3/onZn7DGOmNRgZoikkEkaJP66xgME
+tuS72W8iIcoNfw63FDIaJOONGCJ+2Nw3HkOjZVIVHRLlp5rkD5H218Vs6MtWlgY/
+eO9K5SC7sskhgL6HyGe40BCjeFpMh97L4Wj7XslZ3A0xQGAYervHES9TWX5A58EK
+QT2yUkIMktzklE+PicKYA08rQa1Z5Pf0YOAELSWBdS7iWi3FLjXB35sE5rbT5puH
+9hZXSDWLggbefuaUJyowDEZy2aHP5pvXKBDhEANRbU8VaDyHhlNLqVNquE5Cn4HO
+zPeH+KLFbbABUok7yYZmIC9Bfn+rXvNzTX6A13AdJI/HcKA5RBGtpAY/168Pt/Aq
+dzuqepu42rFAvS45RNevp72IIavx/QdAA1OTgKxh3c2Mf85pIXJ51aWWLnn+EZ5/
+EsE0crfwkuKJvjubNC4oOwMTFMIBI2WsjvaAw8pQw0Kb0ksExKd0wz9mKcqR/v0I
+K9oYsaHkx5je0NOZds385+zCoQHYaw1aKUd7ZLqr5G/Nf/2TEYpMWco4ETA8lzu3
+Ty/8XkNw8jd4p+7bUuz1mQKCAQEA4MNU7GWDPwUKNNSz335nGH2oBvSGbYiwLcRM
+D+x2+RTfOAFSSJ+Q5tQ+327ZkAB5dK2mxmDYKB+Ln1UBIneViUflkMyh4fuutIXI
+wYo+BL71r89MqhRvvMK9hWnCGtJTJedf2iQENJzVn4J76BvTPRYywBv9pofPOlj1
+MtwwMA4CZAmQpCUaF5NQr4nliYx+slkcKwlm+cOxeZGa8mkNgQdmCcTZkRz6qsiR
+vQDEDiS1+5lCJ6nWW4L2tOPejNN//hVlbPGMaA0oiu7I7w4aSxnTlLhDgJzJwmN8
+NFYl+u5AcPq9iRtBnzfPmd87S9bg10zcIiMKxw898sU24Pa0jQKCAQEA1sG5hO3c
+4API//k7NEWXsx5Ns2JE/AV1LtmBgqXkn1DAJ+b6V1nIUppTs0zspEWrae9KrsAk
+z47qIbPaTLHuptLrvEXk2LVfzcK32a7fXXDOB5KkBhzlJM1J3PTRQFR9lr7qX6vr
+EDc4p7p55IDEGnJdXa7x+z56QjpAZaHlzexQxvoWWoLBkDuoT389sdU7CbgTa4A+
+CR6D6qKd6H6tfmv5sPlvp+aje+ObacP9I4WyVjscWkzBHxS3n/fTLjY6OFv+o8PM
+TdytN4+HZnu4MDJlF3vx9P6CbnnVCaScXDxPGcoSJPcoEQqoyxuvUQLDUQkzWF14
+02EvXW0dbgiPtwKCAQA0EUwFD2ceHD7HClc4+QFNDR71rYPOsBGQKJ8uOSs+fHVR
+dgznwf9BWf3OqNFBqLp6KxgtcJXihZxEpt6Ca416pesqZh1CSpmoPC3LmAjR9KLZ
+vX4XEHDqG3roAx3yNLMKXtU3pYxL2+Eo+INXu8ptpkzPcCyMfX2mGKGEzLllCHnJ
+TuXxAJ9QwtG4OIuyF5fqHPaHicAPMCRW80If0fJM57fdn3p/QWVYVupcDGdel2aJ
+CHHo2lFMFcStFvShTwWhiLdcS4CpQhMYTETEDFJO/4aiNyV8D9Y1b/J/9U0LGlJX
+Wd66elPzXGx9StdjtD2V4rpENjXy8zb4nHMgHkapAoIBACvvtmTbxTSPka/M7a/k
+DQU4Te1FTZfCBhdvqG9yQTPW8Xk4aD82vyUnLbihJEj3d/pUWpMl/GH6eywp/59x
+R8IZpOD/67HqaY9PJw4CGPClA4HJHoWho7/DwDjUXXsrzgXpSUoJgi3vHkgyfn2h
+Wn2OqEtiX19niNvDzyj71mgq0Nvkjm42EiPQEL8y6QxY85spbc+wjQCQnayDWIsY
+X6ZdsNfkMFPJe+j8x+77ie6ai8HYlhRjX59cPbUcnrf1oDOnnpEincnQPCAB3VG6
+PhSeOtBzKy1UZJr1kgBHDTZRoF1GWi/14NybsazcHSIVzp/lofuSJAYa+/XBPSQl
+3EECggEBALSLZPdg13906LEyznYnjgq+nMh88usegvU9qsBAFExClLLfr6Ak77og
+boNoOwbaFn+xiz5M8BTJIPizJcm5GjYaqg58zotTtG51h6VgMri+fb/BUpVr7p7n
+aSq3kXDZlrwZnmooCT+KcGx++w2N2SYSyZX1TELt/dpfuWJvph+E37PkONEEiHPF
+ZtSA/f9lpfP5/nx1pLmv4ksKdXqpz3/kNqaf9zbhQLgOm/VoBHL4NVPYRylGpCJb
+R68/7yvHBd2EskZoJB53TlJmwu+fC6ee1UiG6aqTULfEsiGidi6jIt56Gz52ox66
+BHL/JsJ0Be5xM3V4x4PtihQ3Dw546FY=
+-----END PRIVATE KEY-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/server-req.pem b/tests/integration/test_ssl_cert_authentication/certs/server-req.pem
new file mode 100644
index 00000000000..be2f756cc7b
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/server-req.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEmzCCAoMCAQAwVjELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGc2Vy
+dmVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvI1fIoEBoAr7v+wS
+QyOVUJeN1RgBYx9jWvxPT+BObsJEpSVRA9ViryJcUVoTmkDnwufO52VYULR6XWwr
+wXSqx5peElW03IbOUjdpGbB3qmkM3Bp3o53MxNEmKOMTcp4krxokNTPBt34mTX5R
+CDzP/jm9qCN2J1VhRstGua0HB2VkuOSrhiCzD9GkR8s8of99XCt4tsQOwN1dowTb
+g+JBxvEy4Hw3qAnnEyNIlPyyZwzqJV+V3acnqCemMmDhoNxfXm0ZmzZSTdyJMt1c
+8nOI2Bu8un+Q6n3m2DFuoQry6X/ZTev4DzTm9ioy94byfoW4/m/RJFQM6cO5ltVR
+xMvlm7WDD6CstPCU3O869bb/70Bq91xMcJQvYosWVzGlbdZD9UxFR79hYlDombFW
+qraBaUv8AbynkHZMzcvuuqUaRvWy7jpy+IZc/q8B5HQZhxpPqnF3cIJaiA6lypQq
+SDEpBTx9d+uCi3SdqgYFlqFgiY1JoG6wPPy1Og1/hgWxIsOOUz0Cj//0TJDqxzmE
+Q991k1NIij+tc5+fvUQ+Ti8RFDrQry+wHwfo7eL2KzE09lNypTnJFsTceeW2C3S3
+xirXqRldq+cc3HtFDG1kK10EbpGt2v4+VSVE7lIHMIHehaD+DeDm1th9WBLROTN9
+MaWtZHKidURhFmoGpCEoJ9md08sCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQAb
+FDegAoUBz9O4JR1u68IMnGkO5nINGAPQOqf9a2BxGujnSB7Lw6SHukjkUqqgnfQ0
+x/aWOI8JVAi/ptscojgMQUDsVNsij5v+jbJE+ZAobxnTmKP0wTc2ktpf4d8UMVc8
+gyM85jLHZ8caCcuy0D97W81vgIv33dNHWtP+sfbQhX9wJ2YQTahIC8NpuQfLAOUH
+EFxWil0mfN+9vRQ1C5naKtvrOPqyM0RPrWiudIJ5QjI4aSXxUCupxxnaQMoI0Y50
+MvVVT3VwWgP+hL4b+yEJFHRpE7BwCZijsLIXkXmVZoveHhiSMYen1HWIP1VMDEHP
+CUtG5UQcA78CBS8qg4nyFbDU4hWClAkAt96O8Y2epJYepIoYuBBSEfrgupESMLjS
+E9Hfq/H6Ac/Q3zWa320udvA+ysfS8pagkoiH9+TarrsDjhxLjg2h2bGcXKlrsP1R
+mRVZwfNOl3/ZNq5HBPb9Z5WXKvcsTCQAlnHJdaSmzdyArB0guwUHg8ZZNZqCdVgL
+TPsfE84yI/HlwRfuQILfGxq99p/UYFwnee5CoM/PPvaAT+9z/lykMWZA7osuBcK6
+zP8XneGmZOkmez5+YJgSC0xeaDxr2R52eQXlQEJGDbFDtQap/X+cJDGyqmGnbhSu
+6XkGy0l8mAkpcurMcy3wWf6+joskZAN4Joi4ZjKsQA==
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/wrong-cert.pem b/tests/integration/test_ssl_cert_authentication/certs/wrong-cert.pem
new file mode 100644
index 00000000000..ef95a73deba
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/wrong-cert.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIUL2Y/QpwqqHyi43PwPeA6ygdPYK4wDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCUlUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGY2xpZW50MB4XDTIy
+MDIxODA5NDMxMFoXDTMyMDIxNjA5NDMxMFowVjELMAkGA1UEBhMCUlUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDEPMA0GA1UEAwwGY2xpZW50MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEAxO2PSeaiNFMRRiFXpnMw07u6EIdEc1Jx3cPvZjEUg/pdEmMYkrSxr2MeqRkl
+tWH8TcIIoiWDLIcM6IU0mF6a5ULu84hFb9b20qRG3wRNb5yO86HnoyzU99t98++a
+9iaY1QAt03k8wq4jRjU2k/eoVSoLT5uVP5KxiNzdS2BTHFSsxrt/xcwdgkfJouHN
+p+MYUekk6qaQy5fTqTpqdkgO2v/JoYCi0whBNj205d+WnS7xfeyVSJP1OJWHRZ7K
+Y+LU6hz6wHIng4s/ag7VdAk0PArWs50BmH5g2zJfvt7VeTQebaJWUtSEY05odOqt
+KZteUmmhxW/2M73wGVF3WAJCnaxypsjcmMZFCpMXpwyTFrqobvC3APl6SOP+Ev1M
+LxhhCIDuLFu46P55KKEKjUCsYigd1VsHjjvoajGcqlPlMsVHJc9VChsQDz6agzDP
+Fb/LyYbrDTTmsI57/s1jAZyemq2SEYPApJvcdZ/ucl741jI0671EZPlip9iUQgt3
+MHlc3t53/GtF2W6GF5Fogch7c+0c2BhMupAHAXwfLABvv5X8GDyjsNlwB6ea9jeC
+Hw+0rEotZzCXId3daFytGNm1jI216kXLSbvz6uz1wMGS6Hrhk87whgvQ58RMNs1K
+SGDFw1WFv+QZeTO7wqcn8Y/eqF7q9RBhOpPMJMX8Sx/UXuECAwEAAaNTMFEwHQYD
+VR0OBBYEFCI7Iy7tY0D4HPa9BZCZxYuJ51mZMB8GA1UdIwQYMBaAFCI7Iy7tY0D4
+HPa9BZCZxYuJ51mZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+AIKYtBwTp3yvUGSXorV32dnU0Hp0MOie/itgx/la6b3h2bZSoCigKmcmvMaAaNzA
+pxeYSsf5wPnONpWfo9hsGrUDMT4ETnXdzA1dbidIrhJbGsY8CN217Qt3YZWNWkrz
+xLwxEwAovQZqnGDvtx+tRE8i6YJO6/kca+GB7liHFvUx8zaQ6gCwfloduG8rOAeq
+noeCpW/zqYQSQGK35ntQ8MTTRbi7jMOTCikvRlldS73ODQcAR7jywgBYf/i8ANtz
+NoWa4KbWuqKsQKMIGOi1fMLMaNlDSzJyw6UJ2GVCcL1NxkCZi0yudfAAxWlRis9G
+zLjm7YdNBiC6RVZudGhvzjlsLZpE9DgiwXqcDv3Y1dpstD5ikrNhlQo6THH1YeFy
+B8vjVGZZZu4B2JEo+QWH+zFGJosD66YoaKMVuwRPwoGDQoO0Pfbpq41A4KUhB3cf
+X49/rbInqwsN5MuGp4l4+T7k7Wm0Y1Qo4FXDVbFxHvvniyHUsZk9Llzf5wBLl84m
+xheUGgCHSflfXuuWi76yoADHCv+Eqi4/aLJmkUewKXJlm+XYs9bdBHUI+Y10KmhA
+hgcHXF56L+N4mLRwUuLxa5qwQIqNX32+piQoO9opxnVKKCptpATLE30TOMLEXBlp
+J+6b1e4BIasAAEGUhTgPj/SLL0u59Bv0K5SlSn7VZ0gI
+-----END CERTIFICATE-----
diff --git a/tests/integration/test_ssl_cert_authentication/certs/wrong-key.pem b/tests/integration/test_ssl_cert_authentication/certs/wrong-key.pem
new file mode 100644
index 00000000000..b2213cd2675
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/certs/wrong-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDE7Y9J5qI0UxFG
+IVemczDTu7oQh0RzUnHdw+9mMRSD+l0SYxiStLGvYx6pGSW1YfxNwgiiJYMshwzo
+hTSYXprlQu7ziEVv1vbSpEbfBE1vnI7zoeejLNT3233z75r2JpjVAC3TeTzCriNG
+NTaT96hVKgtPm5U/krGI3N1LYFMcVKzGu3/FzB2CR8mi4c2n4xhR6STqppDLl9Op
+Omp2SA7a/8mhgKLTCEE2PbTl35adLvF97JVIk/U4lYdFnspj4tTqHPrAcieDiz9q
+DtV0CTQ8CtaznQGYfmDbMl++3tV5NB5tolZS1IRjTmh06q0pm15SaaHFb/YzvfAZ
+UXdYAkKdrHKmyNyYxkUKkxenDJMWuqhu8LcA+XpI4/4S/UwvGGEIgO4sW7jo/nko
+oQqNQKxiKB3VWweOO+hqMZyqU+UyxUclz1UKGxAPPpqDMM8Vv8vJhusNNOawjnv+
+zWMBnJ6arZIRg8Ckm9x1n+5yXvjWMjTrvURk+WKn2JRCC3cweVze3nf8a0XZboYX
+kWiByHtz7RzYGEy6kAcBfB8sAG+/lfwYPKOw2XAHp5r2N4IfD7SsSi1nMJch3d1o
+XK0Y2bWMjbXqRctJu/Pq7PXAwZLoeuGTzvCGC9DnxEw2zUpIYMXDVYW/5Bl5M7vC
+pyfxj96oXur1EGE6k8wkxfxLH9Re4QIDAQABAoICAQCjj/CAX/f/X7MsPYtQa8J1
+Sinbio42/pYmrJPNnBw/FhZxrC7/wucGFlyj9IgWZCEr8Go9SsztkeoNwn2RxJoA
+q5xOV7PclX4CLIHUv/0VI8Kz5pi/NgBZMUwm7K8Xna041OI7ECqARCR2LsJ7GasN
+uVMVttK6r7uXQmLnNUUydb3ffmI8xjEIQVnfWI74z60mc2+/GcOP5jXeC+/a+DSm
+fudYpcAXaXbId24ls5SkTxYzEepYEtQNQFzPXXkah49yN8mpR+c74c805scxjmd9
+Kz9yhYiKwQTvaqKNpQVHmxte0gPC3lJrLPejjDtxIGOyLZw4oaqrBSpDzR9D0PTE
+C+BR6VlXpVCTcAoiweuoDIxNTiJ5IbIJme3iMWxsAIJ4n10rSFFl9Cmmqbphp/6/
+XInB0X7Zyr1kBrwf+DH6DJhje5NXgGKVR9oe9jjW5v8V2tg1RrkzNU8iKBSxpvcI
+x4mKhhRLYgoq/iNeYBVQrwJYktIbweVCQ5Spj7/20IrMkn3FAmMsZxGMZmLisJ9t
+B0vvUkUgWxuJTsPJ2j+ytpGT0E2xIDYCpbG2EopDc8WvHcVNhagBvLC6xIjIKm7N
+2zpBU2W3fPNXoToCAmaLDPYeRRpG6XaGFQAfvKUQRLBDGTfQ177qr34UBnmgvxDq
+J2gA9rQm3XziLMuSlJexAQKCAQEA+yz49Ah7FFq0QffsoRb0qOJbfcmMGTRkaafb
+ztto4EFSnjH2EwoSShu4DfqWw+ws1KxHlItNHHko5pVNpS4lj1OpnobW3QD7kEIV
+mYKa3KowYUcCq1Gzq2RNDZqsC2BSXwx1MG0VVKYOahnu5bvzQq2Ft8W7CWBnbTbY
+0Jxjs4KaOza+bH7Vfb5Yre0tlW7U5vI/YO8+YKxpxfOU9kVo8ZLQ/9r/YH8nnLa+
+Fd91+WjcUW8CTKU+Oz3lb/Vwcs6YOoAraq/wtOCqWURunBXkQtzOIn0bgBh3WEk1
+EQ+MVDHshlVVjv/rfnL571ZTT1amCJuEIwQRzLSvbso883srMQKCAQEAyLXaG3Pp
+LYiRKu7Bqr5PPuqdT72UFabPpfgd5EtcFOL0xUpfRya6HyFdM25FWI8haXeg4e8N
+0cIs3gMG+RRgm1xISJIZi92L0Cwj+kLFu2U5SkvAKMqZFh5q350FRi4Bp7ae4YrL
+aguWLZCxhznh4D5xQGM6c8ObRfUUEMT+dnLPcj4zn9KHhoUudXjLKjPNw5v6nkbw
+xtRdwANlHx/LX/d4+iwt2plDWmT+d2OLvqZcPyyghTMqV45L0p9XAXBsLnz4Zipx
+7VJ8iH3jL5oaQ6YAFY+cXIrWBN0q3UYbXdkaA2ve6voioeF3KQNRmU10k7GKNRWl
+pRNn62+rAR8isQKCAQAZnPVqFS9P3QwCqiCEMM4UJrkDs7jInTIcIBTnHDKuo5qk
+LR4VxPImgnsbWdFj+0J7EXJfMHFVlPlZwiHf1TvZSMPEOaXRdZcxl7uSIuJd3DEA
+ynf4NmWm9Zxx5bLjmhfsP1336TfCoQhZQ3m8DZV52C4Jlm1DQIRre6tSYpA8LvZB
+UYzLjYeBwhZS7hu24E1vm4ZhASSQQSSsHfGzx1IzSDBt1swx7+V/MpdhrZ7fJxVI
+bJSEcllNOzuZViL4Yh7d4FINGBHor/xPDA5ndkgHlXKjy7QxNM1+wEBcFATQVSL0
+c+E8qtY918Wq5VergH9/4zPvSivyfv5gwtjCT24RAoIBABP6HbJb0BqrHB/U0cvn
+00Vk3rGAIgwhpUtUrcz6PzkI+enlJCSV0zKkBH3I/Pf6jw3LTWUPgSWemQ6j6H7E
+K3VrMvqeKBLGw1K+Afq3yKyFP7WIYqDswV31Oxf0rgC1NY7220uBoAt3CcSRQUo/
+VZ8XN/h7p+a70mmdIhklMlqhxMoPLN48eybFfMFOe5JAw7szfDdiwjZYDti8vcTi
+SkDMBeuImCvI025c3QMPEmqwbkAPdg6r8Av06tEU8PkAspPR9ntcwCgp7KE9Pm6P
+fQu8qwd6WsrPOswTI2AQyUqHAFLU2sQyj13jbhPT87w5fF/y7NmpxOnwS4igfbnH
+2pECggEBALO0FiJClb0GSqMXYJ+nbtRObD4AynYNVMEqYdZu5DBb6vb4T7uumTD5
+I1fKOa5SSELngUj23p2G6sVBsDyDHotGJYJwDGejHOFnEpY+J0Das0pGS40FsFC7
+qABIUaMoLKcIR9Ofcm9uu2n+koNULV2aaXj7A4OYhRCQi2PqiEx1wimdrLfGqTXn
+O4rSf826ODch87vuPbfFPCaIFG28R3nByp/ZBH5QNiB3NBmc3A0tiHFnZW3cpOfW
+Jm/Vu0PcNVVw32SroS2FCroR7qSWsvt61UzJtliLUiFHoUAxrXXiAxcZW1D2Hmpq
+neUhT/t9hHdcMJgoxm2IITf6ip8nTnY=
+-----END PRIVATE KEY-----
diff --git a/tests/integration/test_ssl_cert_authentication/configs/ssl_config.xml b/tests/integration/test_ssl_cert_authentication/configs/ssl_config.xml
new file mode 100644
index 00000000000..163449872be
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/configs/ssl_config.xml
@@ -0,0 +1,36 @@
+<clickhouse>
+    <!-- HTTP API with TLS (HTTPS).
+         You have to configure certificate to enable this interface.
+         See the openSSL section below.
+    -->
+    <https_port>8443</https_port>
+
+    <!-- Native interface with TLS.
+         You have to configure certificate to enable this interface.
+         See the openSSL section below.
+    -->
+    <!-- <tcp_port_secure>9440</tcp_port_secure> -->
+
+    <!-- Used with https_port and tcp_port_secure. Full ssl options list: https://github.com/ClickHouse-Extras/poco/blob/master/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h#L71 -->
+    <openSSL replace="replace">
+        <server> <!-- Used for https server AND secure tcp port -->
+            <certificateFile>/etc/clickhouse-server/config.d/server-cert.pem</certificateFile>
+            <privateKeyFile>/etc/clickhouse-server/config.d/server-key.pem</privateKeyFile>
+            <caConfig>/etc/clickhouse-server/config.d/ca-cert.pem</caConfig>
+            <verificationMode>relaxed</verificationMode>
+        </server>
+
+        <client> <!-- Used for connecting to https dictionary source and secured Zookeeper communication -->
+            <loadDefaultCAFile>true</loadDefaultCAFile>
+            <cacheSessions>true</cacheSessions>
+            <disableProtocols>sslv2,sslv3</disableProtocols>
+            <preferServerCiphers>true</preferServerCiphers>
+            <!-- Use for self-signed: <verificationMode>none</verificationMode> -->
+            <invalidCertificateHandler>
+                <!-- Use for self-signed: <name>AcceptCertificateHandler</name> -->
+                <name>RejectCertificateHandler</name>
+            </invalidCertificateHandler>
+        </client>
+    </openSSL>
+</clickhouse>
+  
\ No newline at end of file
diff --git a/tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml b/tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml
new file mode 100644
index 00000000000..700759dcd34
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <users>
+        <john>
+            <certificates>
+                <common_name>client1</common_name>
+            </certificates>
+        </john>
+        <lucy>
+            <certificates>
+                <common_name>client2</common_name>
+                <common_name>client3</common_name>
+            </certificates>
+        </lucy>
+        <peter>
+            <no_password/>
+        </peter>
+        <jane>
+            <password>qwe123</password>
+        </jane>
+    </users>
+</clickhouse>
diff --git a/tests/integration/test_ssl_cert_authentication/test.py b/tests/integration/test_ssl_cert_authentication/test.py
new file mode 100644
index 00000000000..4ac76f3dea6
--- /dev/null
+++ b/tests/integration/test_ssl_cert_authentication/test.py
@@ -0,0 +1,97 @@
+import pytest
+from helpers.cluster import ClickHouseCluster
+import urllib.request, urllib.parse
+import ssl
+import os.path
+
+HTTPS_PORT = 8443
+NODE_IP = '10.5.172.77' # It's important for the node to work at this IP because 'server-cert.pem' requires that (see server-ext.cnf).
+NODE_IP_WITH_HTTPS_PORT = NODE_IP + ':' + str(HTTPS_PORT)
+SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
+
+cluster = ClickHouseCluster(__file__)
+instance = cluster.add_instance('node', ipv4_address=NODE_IP,
+                                main_configs=['configs/ssl_config.xml', 'certs/server-key.pem', 'certs/server-cert.pem', 'certs/ca-cert.pem'],
+                                user_configs=["configs/users_with_ssl_auth.xml"])
+
+
+@pytest.fixture(scope="module", autouse=True)
+def started_cluster():
+    try:
+        cluster.start()
+        yield cluster
+
+    finally:
+        cluster.shutdown()
+
+
+def get_ssl_context(cert_name):
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    context.load_verify_locations(cafile=f'{SCRIPT_DIR}/certs/ca-cert.pem')
+    if cert_name:
+        context.load_cert_chain(f'{SCRIPT_DIR}/certs/{cert_name}-cert.pem', f'{SCRIPT_DIR}/certs/{cert_name}-key.pem')
+        context.verify_mode = ssl.CERT_REQUIRED
+    context.check_hostname = True
+    return context
+
+
+def execute_query_https(query, user, enable_ssl_auth=True, cert_name=None, password=None):
+    url = f'https://{NODE_IP_WITH_HTTPS_PORT}/?query={urllib.parse.quote(query)}'
+    request = urllib.request.Request(url)
+    request.add_header('X-ClickHouse-User', user)
+    if enable_ssl_auth:
+        request.add_header('X-ClickHouse-X509Authentication', 'yes')
+    if password:
+        request.add_header('X-ClickHouse-Key', password)
+    response = urllib.request.urlopen(request, context=get_ssl_context(cert_name)).read()
+    return response.decode('utf-8')
+
+
+def test_https():
+    assert execute_query_https("SELECT currentUser()", user="john", cert_name='client1') == "john\n"
+    assert execute_query_https("SELECT currentUser()", user="lucy", cert_name='client2') == "lucy\n"
+    assert execute_query_https("SELECT currentUser()", user="lucy", cert_name='client3') == "lucy\n"
+
+
+def test_https_wrong_cert():
+    # Wrong certificate: different user's certificate
+    with pytest.raises(Exception) as err:
+        execute_query_https("SELECT currentUser()", user="john", cert_name='client2')
+    assert "HTTP Error 403" in str(err.value)
+
+    # Wrong certificate: self-signed certificate.
+    with pytest.raises(Exception) as err:
+        execute_query_https("SELECT currentUser()", user="john", cert_name='wrong')
+    assert "unknown ca" in str(err.value)
+
+    # No certificate.
+    with pytest.raises(Exception) as err:
+        execute_query_https("SELECT currentUser()", user="john")
+    assert "HTTP Error 403" in str(err.value)
+
+    # No header enabling SSL authentication.
+    with pytest.raises(Exception) as err:
+        execute_query_https("SELECT currentUser()", user="john", enable_ssl_auth=False, cert_name='client1')
+
+
+def test_https_non_ssl_auth():
+    # Users with non-SSL authentication are allowed, in this case we can skip sending a client certificate at all (because "verificationMode" is set to "relaxed").
+    #assert execute_query_https("SELECT currentUser()", user="peter", enable_ssl_auth=False) == "peter\n"
+    assert execute_query_https("SELECT currentUser()", user="jane", enable_ssl_auth=False, password='qwe123') == "jane\n"
+
+    # But we still can send a certificate if we want.
+    assert execute_query_https("SELECT currentUser()", user="peter", enable_ssl_auth=False, cert_name='client1') == "peter\n"
+    assert execute_query_https("SELECT currentUser()", user="peter", enable_ssl_auth=False, cert_name='client2') == "peter\n"
+    assert execute_query_https("SELECT currentUser()", user="peter", enable_ssl_auth=False, cert_name='client3') == "peter\n"
+    
+    assert execute_query_https("SELECT currentUser()", user="jane", enable_ssl_auth=False, password='qwe123', cert_name='client1') == "jane\n"
+    assert execute_query_https("SELECT currentUser()", user="jane", enable_ssl_auth=False, password='qwe123', cert_name='client2') == "jane\n"
+    assert execute_query_https("SELECT currentUser()", user="jane", enable_ssl_auth=False, password='qwe123', cert_name='client3') == "jane\n"
+
+    # However if we send a certificate it must not be wrong.
+    with pytest.raises(Exception) as err:
+        execute_query_https("SELECT currentUser()", user="peter", enable_ssl_auth=False, cert_name='wrong')
+    assert "unknown ca" in str(err.value)
+    with pytest.raises(Exception) as err:
+        execute_query_https("SELECT currentUser()", user="jane", enable_ssl_auth=False, password='qwe123', cert_name='wrong')
+    assert "unknown ca" in str(err.value)

From 0d377de5f0dcfd0c76035d3e348dfddc7bde7d2d Mon Sep 17 00:00:00 2001
From: Vitaly Baranov <vitbar@yandex-team.ru>
Date: Sat, 19 Feb 2022 01:01:30 +0700
Subject: [PATCH 08/10] Support syntax CREATE USER IDENTIFIED WITH
 ssl_certificate CN ...

---
 src/Access/Authentication.cpp                 |  2 +-
 src/Access/Common/AuthenticationData.cpp      | 17 +-----
 src/Access/Common/AuthenticationData.h        |  9 ++-
 src/Access/UsersConfigAccessStorage.cpp       |  8 ++-
 src/Parsers/Access/ASTCreateUserQuery.cpp     | 61 +++++++++++++------
 src/Parsers/Access/ParserCreateUserQuery.cpp  | 18 ++++++
 src/Storages/System/StorageSystemUsers.cpp    | 18 ++++--
 .../test_ssl_cert_authentication/test.py      | 20 ++++++
 .../01316_create_user_syntax_hilite.reference |  2 +-
 .../02117_show_create_table_system.reference  |  2 +-
 10 files changed, 110 insertions(+), 47 deletions(-)

diff --git a/src/Access/Authentication.cpp b/src/Access/Authentication.cpp
index 7bbf8ec5efa..30a2f25d497 100644
--- a/src/Access/Authentication.cpp
+++ b/src/Access/Authentication.cpp
@@ -186,7 +186,7 @@ bool Authentication::areCredentialsValid(const Credentials & credentials, const
 
             case AuthenticationType::SSL_CERTIFICATE:
                 // N.B. the certificate should only be trusted when 'strict' SSL mode is enabled
-                if (!auth_data.containsSSLCertificateCommonName(certificate_credentials->getX509CommonName()))
+                if (!auth_data.getSSLCertificateCommonNames().contains(certificate_credentials->getX509CommonName()))
                     throw Exception("X.509 certificate is not on allowed list", ErrorCodes::WRONG_PASSWORD);
 
                 return true;
diff --git a/src/Access/Common/AuthenticationData.cpp b/src/Access/Common/AuthenticationData.cpp
index 6fee41c3dd3..711b91b4098 100644
--- a/src/Access/Common/AuthenticationData.cpp
+++ b/src/Access/Common/AuthenticationData.cpp
@@ -97,7 +97,8 @@ AuthenticationData::Digest AuthenticationData::Util::encodeSHA1(const std::strin
 bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs)
 {
     return (lhs.type == rhs.type) && (lhs.password_hash == rhs.password_hash)
-        && (lhs.ldap_server_name == rhs.ldap_server_name) && (lhs.kerberos_realm == rhs.kerberos_realm);
+        && (lhs.ldap_server_name == rhs.ldap_server_name) && (lhs.kerberos_realm == rhs.kerberos_realm)
+        && (lhs.ssl_certificate_common_names == rhs.ssl_certificate_common_names);
 }
 
 
@@ -209,18 +210,4 @@ void AuthenticationData::setPasswordHashBinary(const Digest & hash)
     throw Exception("setPasswordHashBinary(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
 }
 
-void AuthenticationData::clearAllowedCertificates()
-{
-    allowed_certificates.clear();
-}
-
-void AuthenticationData::addSSLCertificateCommonName(const String & x509CommonName)
-{
-    allowed_certificates.insert(x509CommonName);
-}
-
-bool AuthenticationData::containsSSLCertificateCommonName(const String & x509CommonName) const
-{
-    return allowed_certificates.find(x509CommonName) != allowed_certificates.end();
-}
 }
diff --git a/src/Access/Common/AuthenticationData.h b/src/Access/Common/AuthenticationData.h
index 152ba55b73d..4d771ce3de3 100644
--- a/src/Access/Common/AuthenticationData.h
+++ b/src/Access/Common/AuthenticationData.h
@@ -1,7 +1,7 @@
 #pragma once
 
 #include <base/types.h>
-#include <set>
+#include <boost/container/flat_set.hpp>
 #include <vector>
 
 namespace DB
@@ -84,9 +84,8 @@ public:
     const String & getKerberosRealm() const { return kerberos_realm; }
     void setKerberosRealm(const String & realm) { kerberos_realm = realm; }
 
-    void clearAllowedCertificates();
-    void addSSLCertificateCommonName(const String & x509CommonName);
-    bool containsSSLCertificateCommonName(const String & x509CommonName) const;
+    const boost::container::flat_set<String> & getSSLCertificateCommonNames() const { return ssl_certificate_common_names; }
+    void setSSLCertificateCommonNames(boost::container::flat_set<String> common_names_) { ssl_certificate_common_names = std::move(common_names_); }
 
     friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);
     friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs) { return !(lhs == rhs); }
@@ -106,7 +105,7 @@ private:
     Digest password_hash;
     String ldap_server_name;
     String kerberos_realm;
-    std::set<String> allowed_certificates;
+    boost::container::flat_set<String> ssl_certificate_common_names;
 };
 
 }
diff --git a/src/Access/UsersConfigAccessStorage.cpp b/src/Access/UsersConfigAccessStorage.cpp
index 5d7933190d5..fd10150623b 100644
--- a/src/Access/UsersConfigAccessStorage.cpp
+++ b/src/Access/UsersConfigAccessStorage.cpp
@@ -115,16 +115,18 @@ namespace
             /// Fill list of allowed certificates.
             Poco::Util::AbstractConfiguration::Keys keys;
             config.keys(certificates_config, keys);
-            user->auth_data.clearAllowedCertificates();
+            boost::container::flat_set<String> common_names;
             for (const String & key : keys)
             {
                 if (key.starts_with("common_name"))
                 {
                     String value = config.getString(certificates_config + "." + key);
-                    user->auth_data.addSSLCertificateCommonName(value);
+                    common_names.insert(std::move(value));
                 }
                 else
-                    throw Exception("Unknown certificate pattern type: " + key, ErrorCodes::BAD_ARGUMENTS);            }
+                    throw Exception("Unknown certificate pattern type: " + key, ErrorCodes::BAD_ARGUMENTS);
+            }
+            user->auth_data.setSSLCertificateCommonNames(std::move(common_names));
         }
 
         const auto profile_name_config = user_config + ".profile";
diff --git a/src/Parsers/Access/ASTCreateUserQuery.cpp b/src/Parsers/Access/ASTCreateUserQuery.cpp
index 70f29a02d85..f8e1109886e 100644
--- a/src/Parsers/Access/ASTCreateUserQuery.cpp
+++ b/src/Parsers/Access/ASTCreateUserQuery.cpp
@@ -34,51 +34,62 @@ namespace
         }
 
         String auth_type_name = AuthenticationTypeInfo::get(auth_type).name;
-        String by_keyword = "BY";
-        std::optional<String> by_value;
+        String value_prefix;
+        std::optional<String> value;
+        const boost::container::flat_set<String> * values = nullptr;
 
-        if (
-            show_password ||
+        if (show_password ||
             auth_type == AuthenticationType::LDAP ||
-            auth_type == AuthenticationType::KERBEROS
-        )
+            auth_type == AuthenticationType::KERBEROS ||
+            auth_type == AuthenticationType::SSL_CERTIFICATE)
         {
             switch (auth_type)
             {
                 case AuthenticationType::PLAINTEXT_PASSWORD:
                 {
-                    by_value = auth_data.getPassword();
+                    value_prefix = "BY";
+                    value = auth_data.getPassword();
                     break;
                 }
                 case AuthenticationType::SHA256_PASSWORD:
                 {
                     auth_type_name = "sha256_hash";
-                    by_value = auth_data.getPasswordHashHex();
+                    value_prefix = "BY";
+                    value = auth_data.getPasswordHashHex();
                     break;
                 }
                 case AuthenticationType::DOUBLE_SHA1_PASSWORD:
                 {
                     auth_type_name = "double_sha1_hash";
-                    by_value = auth_data.getPasswordHashHex();
+                    value_prefix = "BY";
+                    value = auth_data.getPasswordHashHex();
                     break;
                 }
                 case AuthenticationType::LDAP:
                 {
-                    by_keyword = "SERVER";
-                    by_value = auth_data.getLDAPServerName();
+                    value_prefix = "SERVER";
+                    value = auth_data.getLDAPServerName();
                     break;
                 }
                 case AuthenticationType::KERBEROS:
                 {
-                    by_keyword = "REALM";
                     const auto & realm = auth_data.getKerberosRealm();
                     if (!realm.empty())
-                        by_value = realm;
+                    {
+                        value_prefix = "REALM";
+                        value = realm;
+                    }
+                    break;
+                }
+
+                case AuthenticationType::SSL_CERTIFICATE:
+                {
+                    value_prefix = "CN";
+                    values = &auth_data.getSSLCertificateCommonNames();
                     break;
                 }
 
                 case AuthenticationType::NO_PASSWORD: [[fallthrough]];
-                case AuthenticationType::SSL_CERTIFICATE: [[fallthrough]];
                 case AuthenticationType::MAX:
                     throw Exception("AST: Unexpected authentication type " + toString(auth_type), ErrorCodes::LOGICAL_ERROR);
             }
@@ -87,10 +98,26 @@ namespace
         settings.ostr << (settings.hilite ? IAST::hilite_keyword : "") << " IDENTIFIED WITH " << auth_type_name
                       << (settings.hilite ? IAST::hilite_none : "");
 
-        if (by_value)
+        if (!value_prefix.empty())
         {
-            settings.ostr << (settings.hilite ? IAST::hilite_keyword : "") << " " << by_keyword << " "
-                          << (settings.hilite ? IAST::hilite_none : "") << quoteString(*by_value);
+            settings.ostr << (settings.hilite ? IAST::hilite_keyword : "") << " " << value_prefix
+                          << (settings.hilite ? IAST::hilite_none : "");
+        }
+
+        if (value)
+        {
+            settings.ostr << " " << quoteString(*value);
+        }
+        else if (values)
+        {
+            settings.ostr << " ";
+            bool need_comma = false;
+            for (const auto & item : *values)
+            {
+                if (std::exchange(need_comma, true))
+                    settings.ostr << ", ";
+                settings.ostr << quoteString(item);
+            }
         }
     }
 
diff --git a/src/Parsers/Access/ParserCreateUserQuery.cpp b/src/Parsers/Access/ParserCreateUserQuery.cpp
index c5b8c9e37b3..cde14e632dd 100644
--- a/src/Parsers/Access/ParserCreateUserQuery.cpp
+++ b/src/Parsers/Access/ParserCreateUserQuery.cpp
@@ -52,6 +52,7 @@ namespace
             bool expect_hash = false;
             bool expect_ldap_server_name = false;
             bool expect_kerberos_realm = false;
+            bool expect_common_names = false;
 
             if (ParserKeyword{"WITH"}.ignore(pos, expected))
             {
@@ -65,6 +66,8 @@ namespace
                             expect_ldap_server_name = true;
                         else if (check_type == AuthenticationType::KERBEROS)
                             expect_kerberos_realm = true;
+                        else if (check_type == AuthenticationType::SSL_CERTIFICATE)
+                            expect_common_names = true;
                         else if (check_type != AuthenticationType::NO_PASSWORD)
                             expect_password = true;
 
@@ -96,6 +99,7 @@ namespace
             }
 
             String value;
+            boost::container::flat_set<String> common_names;
             if (expect_password || expect_hash)
             {
                 ASTPtr ast;
@@ -123,6 +127,18 @@ namespace
                     value = ast->as<const ASTLiteral &>().value.safeGet<String>();
                 }
             }
+            else if (expect_common_names)
+            {
+                if (!ParserKeyword{"CN"}.ignore(pos, expected))
+                    return false;
+
+                ASTPtr ast;
+                if (!ParserList{std::make_unique<ParserStringLiteral>(), std::make_unique<ParserToken>(TokenType::Comma), false}.parse(pos, ast, expected))
+                    return false;
+
+                for (const auto & ast_child : ast->children)
+                    common_names.insert(ast_child->as<const ASTLiteral &>().value.safeGet<String>());
+            }
 
             auth_data = AuthenticationData{*type};
             if (expect_password)
@@ -133,6 +149,8 @@ namespace
                 auth_data.setLDAPServerName(value);
             else if (expect_kerberos_realm)
                 auth_data.setKerberosRealm(value);
+            else if (expect_common_names)
+                auth_data.setSSLCertificateCommonNames(std::move(common_names));
 
             return true;
         });
diff --git a/src/Storages/System/StorageSystemUsers.cpp b/src/Storages/System/StorageSystemUsers.cpp
index ca88fa688a0..d9b94f21c61 100644
--- a/src/Storages/System/StorageSystemUsers.cpp
+++ b/src/Storages/System/StorageSystemUsers.cpp
@@ -102,17 +102,27 @@ void StorageSystemUsers::fillData(MutableColumns & res_columns, ContextPtr conte
         column_storage.insertData(storage_name.data(), storage_name.length());
         column_auth_type.push_back(static_cast<Int8>(auth_data.getType()));
 
-        if (
-            auth_data.getType() == AuthenticationType::LDAP ||
-            auth_data.getType() == AuthenticationType::KERBEROS
-        )
+        if (auth_data.getType() == AuthenticationType::LDAP ||
+            auth_data.getType() == AuthenticationType::KERBEROS ||
+            auth_data.getType() == AuthenticationType::SSL_CERTIFICATE)
         {
             Poco::JSON::Object auth_params_json;
 
             if (auth_data.getType() == AuthenticationType::LDAP)
+            {
                 auth_params_json.set("server", auth_data.getLDAPServerName());
+            }
             else if (auth_data.getType() == AuthenticationType::KERBEROS)
+            {
                 auth_params_json.set("realm", auth_data.getKerberosRealm());
+            }
+            else if (auth_data.getType() == AuthenticationType::SSL_CERTIFICATE)
+            {
+                Poco::JSON::Array::Ptr arr = new Poco::JSON::Array();
+                for (const auto & common_name : auth_data.getSSLCertificateCommonNames())
+                    arr->add(common_name);
+                auth_params_json.set("common_names", arr);
+            }
 
             std::ostringstream oss;         // STYLE_CHECK_ALLOW_STD_STRING_STREAM
             oss.exceptions(std::ios::failbit);
diff --git a/tests/integration/test_ssl_cert_authentication/test.py b/tests/integration/test_ssl_cert_authentication/test.py
index 4ac76f3dea6..bdc7310a6b0 100644
--- a/tests/integration/test_ssl_cert_authentication/test.py
+++ b/tests/integration/test_ssl_cert_authentication/test.py
@@ -95,3 +95,23 @@ def test_https_non_ssl_auth():
     with pytest.raises(Exception) as err:
         execute_query_https("SELECT currentUser()", user="jane", enable_ssl_auth=False, password='qwe123', cert_name='wrong')
     assert "unknown ca" in str(err.value)
+
+
+def test_create_user():
+    instance.query("CREATE USER emma IDENTIFIED WITH ssl_certificate CN 'client3'")
+    assert execute_query_https("SELECT currentUser()", user="emma", cert_name='client3') == "emma\n"
+    assert instance.query("SHOW CREATE USER emma") == "CREATE USER emma IDENTIFIED WITH ssl_certificate CN \\'client3\\'\n"
+
+    instance.query("ALTER USER emma IDENTIFIED WITH ssl_certificate CN 'client2'")
+    assert execute_query_https("SELECT currentUser()", user="emma", cert_name='client2') == "emma\n"
+    assert instance.query("SHOW CREATE USER emma") == "CREATE USER emma IDENTIFIED WITH ssl_certificate CN \\'client2\\'\n"
+
+    with pytest.raises(Exception) as err:
+        execute_query_https("SELECT currentUser()", user="emma", cert_name='client3')
+    assert "HTTP Error 403" in str(err.value)
+
+    assert instance.query("SHOW CREATE USER lucy") == "CREATE USER lucy IDENTIFIED WITH ssl_certificate CN \\'client2\\', \\'client3\\'\n"
+
+    assert instance.query("SELECT name, auth_type, auth_params FROM system.users WHERE name IN ['emma', 'lucy'] ORDER BY name") ==\
+        "emma\tssl_certificate\t{\"common_names\":[\"client2\"]}\n"\
+        "lucy\tssl_certificate\t{\"common_names\":[\"client2\",\"client3\"]}\n"
diff --git a/tests/queries/0_stateless/01316_create_user_syntax_hilite.reference b/tests/queries/0_stateless/01316_create_user_syntax_hilite.reference
index ed7daeb3609..d1e2cba5663 100644
--- a/tests/queries/0_stateless/01316_create_user_syntax_hilite.reference
+++ b/tests/queries/0_stateless/01316_create_user_syntax_hilite.reference
@@ -1 +1 @@
-CREATE USER user IDENTIFIED WITH plaintext_password BY 'hello'
+CREATE USER user IDENTIFIED WITH plaintext_password BY 'hello'
diff --git a/tests/queries/0_stateless/02117_show_create_table_system.reference b/tests/queries/0_stateless/02117_show_create_table_system.reference
index 234804f1078..44dbf86ee9c 100644
--- a/tests/queries/0_stateless/02117_show_create_table_system.reference
+++ b/tests/queries/0_stateless/02117_show_create_table_system.reference
@@ -60,7 +60,7 @@ CREATE TABLE system.table_functions\n(\n    `name` String\n)\nENGINE = SystemTab
 CREATE TABLE system.tables\n(\n    `database` String,\n    `name` String,\n    `uuid` UUID,\n    `engine` String,\n    `is_temporary` UInt8,\n    `data_paths` Array(String),\n    `metadata_path` String,\n    `metadata_modification_time` DateTime,\n    `dependencies_database` Array(String),\n    `dependencies_table` Array(String),\n    `create_table_query` String,\n    `engine_full` String,\n    `as_select` String,\n    `partition_key` String,\n    `sorting_key` String,\n    `primary_key` String,\n    `sampling_key` String,\n    `storage_policy` String,\n    `total_rows` Nullable(UInt64),\n    `total_bytes` Nullable(UInt64),\n    `lifetime_rows` Nullable(UInt64),\n    `lifetime_bytes` Nullable(UInt64),\n    `comment` String,\n    `has_own_data` UInt8,\n    `loading_dependencies_database` Array(String),\n    `loading_dependencies_table` Array(String),\n    `loading_dependent_database` Array(String),\n    `loading_dependent_table` Array(String),\n    `table` String\n)\nENGINE = SystemTables()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'
 CREATE TABLE system.time_zones\n(\n    `time_zone` String\n)\nENGINE = SystemTimeZones()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'
 CREATE TABLE system.user_directories\n(\n    `name` String,\n    `type` String,\n    `params` String,\n    `precedence` UInt64\n)\nENGINE = SystemUserDirectories()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'
-CREATE TABLE system.users\n(\n    `name` String,\n    `id` UUID,\n    `storage` String,\n    `auth_type` Enum8(\'no_password\' = 0, \'plaintext_password\' = 1, \'sha256_password\' = 2, \'double_sha1_password\' = 3, \'ldap\' = 4, \'kerberos\' = 5),\n    `auth_params` String,\n    `host_ip` Array(String),\n    `host_names` Array(String),\n    `host_names_regexp` Array(String),\n    `host_names_like` Array(String),\n    `default_roles_all` UInt8,\n    `default_roles_list` Array(String),\n    `default_roles_except` Array(String),\n    `grantees_any` UInt8,\n    `grantees_list` Array(String),\n    `grantees_except` Array(String),\n    `default_database` String\n)\nENGINE = SystemUsers()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'
+CREATE TABLE system.users\n(\n    `name` String,\n    `id` UUID,\n    `storage` String,\n    `auth_type` Enum8(\'no_password\' = 0, \'plaintext_password\' = 1, \'sha256_password\' = 2, \'double_sha1_password\' = 3, \'ldap\' = 4, \'kerberos\' = 5, \'ssl_certificate\' = 6),\n    `auth_params` String,\n    `host_ip` Array(String),\n    `host_names` Array(String),\n    `host_names_regexp` Array(String),\n    `host_names_like` Array(String),\n    `default_roles_all` UInt8,\n    `default_roles_list` Array(String),\n    `default_roles_except` Array(String),\n    `grantees_any` UInt8,\n    `grantees_list` Array(String),\n    `grantees_except` Array(String),\n    `default_database` String\n)\nENGINE = SystemUsers()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'
 CREATE TABLE system.warnings\n(\n    `message` String\n)\nENGINE = SystemWarnings()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'
 CREATE TABLE system.zeros\n(\n    `zero` UInt8\n)\nENGINE = SystemZeros()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'
 CREATE TABLE system.zeros_mt\n(\n    `zero` UInt8\n)\nENGINE = SystemZeros()\nCOMMENT \'SYSTEM TABLE is built on the fly.\'

From 765d136d2a4be1a07382c8bb6178b87acde904de Mon Sep 17 00:00:00 2001
From: Vitaly Baranov <vitbar@yandex-team.ru>
Date: Sat, 19 Feb 2022 03:26:49 +0700
Subject: [PATCH 09/10] A few improvements in the implementation of SSL
 certificate authentication.

---
 .../external-authenticators/ssl-x509.md       |   1 +
 .../external-authenticators/ssl-x509.md       |   1 +
 src/Access/Authentication.cpp                 |  27 +---
 src/Access/Authentication.h                   |   3 -
 src/Access/Common/AuthenticationData.cpp      |   8 ++
 src/Access/Common/AuthenticationData.h        |   2 +-
 src/Access/Credentials.cpp                    |   8 +-
 src/Access/Credentials.h                      |   9 +-
 src/Interpreters/Session.cpp                  |  25 ----
 src/Interpreters/Session.h                    |   2 -
 src/Server/HTTP/HTTPServerRequest.cpp         |  30 ++++-
 src/Server/HTTP/HTTPServerRequest.h           |   8 +-
 src/Server/HTTPHandler.cpp                    | 120 ++++++++++--------
 src/Server/TCPHandler.cpp                     |   2 +-
 14 files changed, 123 insertions(+), 123 deletions(-)
 create mode 120000 docs/ja/operations/external-authenticators/ssl-x509.md
 create mode 120000 docs/zh/operations/external-authenticators/ssl-x509.md

diff --git a/docs/ja/operations/external-authenticators/ssl-x509.md b/docs/ja/operations/external-authenticators/ssl-x509.md
new file mode 120000
index 00000000000..80b18e1b352
--- /dev/null
+++ b/docs/ja/operations/external-authenticators/ssl-x509.md
@@ -0,0 +1 @@
+../../../en/operations/external-authenticators/ssl-x509.md
\ No newline at end of file
diff --git a/docs/zh/operations/external-authenticators/ssl-x509.md b/docs/zh/operations/external-authenticators/ssl-x509.md
new file mode 120000
index 00000000000..80b18e1b352
--- /dev/null
+++ b/docs/zh/operations/external-authenticators/ssl-x509.md
@@ -0,0 +1 @@
+../../../en/operations/external-authenticators/ssl-x509.md
\ No newline at end of file
diff --git a/src/Access/Authentication.cpp b/src/Access/Authentication.cpp
index 30a2f25d497..f82cb564db5 100644
--- a/src/Access/Authentication.cpp
+++ b/src/Access/Authentication.cpp
@@ -5,7 +5,6 @@
 #include <Access/LDAPClient.h>
 #include <Access/GSSAcceptor.h>
 #include <Common/Exception.h>
-#include <Poco/Net/SecureStreamSocketImpl.h>
 #include <Poco/SHA1Engine.h>
 #include <Common/typeid_cast.h>
 
@@ -15,7 +14,6 @@ namespace DB
 namespace ErrorCodes
 {
     extern const int NOT_IMPLEMENTED;
-    extern const int WRONG_PASSWORD;
 }
 
 namespace
@@ -69,23 +67,6 @@ namespace
     }
 }
 
-std::string getPeerCertificateCommonName(const Poco::Net::SocketImpl * socketImpl)
-{
-    std::string cn;
-
-    if (socketImpl->secure())
-    {
-        // expect socket is an instance of SecureStreamSocket
-        const Poco::Net::SecureStreamSocketImpl * secureSocketImpl = dynamic_cast<const Poco::Net::SecureStreamSocketImpl *>(socketImpl);
-        if (secureSocketImpl && secureSocketImpl->havePeerCertificate())
-        {
-            Poco::Crypto::X509Certificate cert = secureSocketImpl->peerCertificate();
-            cn = cert.commonName();
-        }
-    }
-
-    return cn;
-}
 
 bool Authentication::areCredentialsValid(const Credentials & credentials, const AuthenticationData & auth_data, const ExternalAuthenticators & external_authenticators)
 {
@@ -170,7 +151,7 @@ bool Authentication::areCredentialsValid(const Credentials & credentials, const
         }
     }
 
-    if (const auto * certificate_credentials = typeid_cast<const CertificateCredentials *>(&credentials))
+    if (const auto * ssl_certificate_credentials = typeid_cast<const SSLCertificateCredentials *>(&credentials))
     {
         switch (auth_data.getType())
         {
@@ -185,11 +166,7 @@ bool Authentication::areCredentialsValid(const Credentials & credentials, const
                 throw Authentication::Require<GSSAcceptorContext>(auth_data.getKerberosRealm());
 
             case AuthenticationType::SSL_CERTIFICATE:
-                // N.B. the certificate should only be trusted when 'strict' SSL mode is enabled
-                if (!auth_data.getSSLCertificateCommonNames().contains(certificate_credentials->getX509CommonName()))
-                    throw Exception("X.509 certificate is not on allowed list", ErrorCodes::WRONG_PASSWORD);
-
-                return true;
+                return auth_data.getSSLCertificateCommonNames().contains(ssl_certificate_credentials->getCommonName());
 
             case AuthenticationType::MAX:
                 break;
diff --git a/src/Access/Authentication.h b/src/Access/Authentication.h
index e081f8211f6..ab787851cb2 100644
--- a/src/Access/Authentication.h
+++ b/src/Access/Authentication.h
@@ -2,7 +2,6 @@
 
 #include <Access/Common/AuthenticationData.h>
 #include <Common/Exception.h>
-#include <Poco/Net/SocketImpl.h>
 #include <base/types.h>
 
 
@@ -16,8 +15,6 @@ namespace ErrorCodes
 class Credentials;
 class ExternalAuthenticators;
 
-std::string getPeerCertificateCommonName(const Poco::Net::SocketImpl * socketImpl);
-
 /// TODO: Try to move this checking to Credentials.
 struct Authentication
 {
diff --git a/src/Access/Common/AuthenticationData.cpp b/src/Access/Common/AuthenticationData.cpp
index 711b91b4098..e945b5e435b 100644
--- a/src/Access/Common/AuthenticationData.cpp
+++ b/src/Access/Common/AuthenticationData.cpp
@@ -210,4 +210,12 @@ void AuthenticationData::setPasswordHashBinary(const Digest & hash)
     throw Exception("setPasswordHashBinary(): authentication type " + toString(type) + " not supported", ErrorCodes::NOT_IMPLEMENTED);
 }
 
+
+void AuthenticationData::setSSLCertificateCommonNames(boost::container::flat_set<String> common_names_)
+{
+    if (common_names_.empty())
+        throw Exception("The 'SSL CERTIFICATE' authentication type requires a non-empty list of common names.", ErrorCodes::BAD_ARGUMENTS);
+    ssl_certificate_common_names = std::move(common_names_);
+}
+
 }
diff --git a/src/Access/Common/AuthenticationData.h b/src/Access/Common/AuthenticationData.h
index 4d771ce3de3..3573d28d45e 100644
--- a/src/Access/Common/AuthenticationData.h
+++ b/src/Access/Common/AuthenticationData.h
@@ -85,7 +85,7 @@ public:
     void setKerberosRealm(const String & realm) { kerberos_realm = realm; }
 
     const boost::container::flat_set<String> & getSSLCertificateCommonNames() const { return ssl_certificate_common_names; }
-    void setSSLCertificateCommonNames(boost::container::flat_set<String> common_names_) { ssl_certificate_common_names = std::move(common_names_); }
+    void setSSLCertificateCommonNames(boost::container::flat_set<String> common_names_);
 
     friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);
     friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs) { return !(lhs == rhs); }
diff --git a/src/Access/Credentials.cpp b/src/Access/Credentials.cpp
index 79876cddcfe..9878cdb9df3 100644
--- a/src/Access/Credentials.cpp
+++ b/src/Access/Credentials.cpp
@@ -48,18 +48,18 @@ void AlwaysAllowCredentials::setUserName(const String & user_name_)
     user_name = user_name_;
 }
 
-CertificateCredentials::CertificateCredentials(const String & user_name_, const String & x509CommonName_)
+SSLCertificateCredentials::SSLCertificateCredentials(const String & user_name_, const String & common_name_)
     : Credentials(user_name_)
-    , x509CommonName(x509CommonName_)
+    , common_name(common_name_)
 {
     is_ready = true;
 }
 
-const String & CertificateCredentials::getX509CommonName() const
+const String & SSLCertificateCredentials::getCommonName() const
 {
     if (!isReady())
         throwNotReady();
-    return x509CommonName;
+    return common_name;
 }
 
 BasicCredentials::BasicCredentials()
diff --git a/src/Access/Credentials.h b/src/Access/Credentials.h
index f667d60bde3..d0c9efcfd8c 100644
--- a/src/Access/Credentials.h
+++ b/src/Access/Credentials.h
@@ -38,16 +38,15 @@ public:
     void setUserName(const String & user_name_);
 };
 
-class CertificateCredentials
+class SSLCertificateCredentials
     : public Credentials
 {
 public:
-    explicit CertificateCredentials(const String & user_name_, const String & x509CommonName_);
-
-    const String & getX509CommonName() const;
+    explicit SSLCertificateCredentials(const String & user_name_, const String & common_name_);
+    const String & getCommonName() const;
 
 private:
-    String x509CommonName;
+    String common_name;
 };
 
 class BasicCredentials
diff --git a/src/Interpreters/Session.cpp b/src/Interpreters/Session.cpp
index d05f438bb80..2af9a2b6bbc 100644
--- a/src/Interpreters/Session.cpp
+++ b/src/Interpreters/Session.cpp
@@ -1,7 +1,6 @@
 #include <Interpreters/Session.h>
 
 #include <Access/AccessControl.h>
-#include <Access/Authentication.h>
 #include <Access/Credentials.h>
 #include <Access/ContextAccess.h>
 #include <Access/User.h>
@@ -298,30 +297,6 @@ void Session::authenticate(const String & user_name, const String & password, co
     authenticate(BasicCredentials{user_name, password}, address);
 }
 
-void Session::authenticate(const String & user_name, const String & password, const Poco::Net::StreamSocket & socket)
-{
-    switch (getAuthenticationType(user_name))
-    {
-        case AuthenticationType::NO_PASSWORD:
-        case AuthenticationType::PLAINTEXT_PASSWORD:
-        case AuthenticationType::DOUBLE_SHA1_PASSWORD:
-        case AuthenticationType::SHA256_PASSWORD:
-        case AuthenticationType::LDAP:
-            authenticate(BasicCredentials{user_name, password}, socket.peerAddress());
-            break;
-
-        case AuthenticationType::KERBEROS:
-            throw Authentication::Require<BasicCredentials>("ClickHouse Basic Authentication");
-
-        case AuthenticationType::SSL_CERTIFICATE:
-            authenticate(CertificateCredentials{user_name, getPeerCertificateCommonName(socket.impl())}, socket.peerAddress());
-            break;
-
-        case AuthenticationType::MAX:
-            break;
-    }
-}
-
 void Session::authenticate(const Credentials & credentials_, const Poco::Net::SocketAddress & address_)
 {
     if (session_context)
diff --git a/src/Interpreters/Session.h b/src/Interpreters/Session.h
index b65de2f3533..71964130412 100644
--- a/src/Interpreters/Session.h
+++ b/src/Interpreters/Session.h
@@ -4,7 +4,6 @@
 #include <Access/Common/AuthenticationData.h>
 #include <Interpreters/ClientInfo.h>
 #include <Interpreters/Context_fwd.h>
-#include <Poco/Net/StreamSocket.h>
 
 #include <chrono>
 #include <memory>
@@ -50,7 +49,6 @@ public:
     /// Sets the current user, checks the credentials and that the specified address is allowed to connect from.
     /// The function throws an exception if there is no such user or password is wrong.
     void authenticate(const String & user_name, const String & password, const Poco::Net::SocketAddress & address);
-    void authenticate(const String & user_name, const String & password, const Poco::Net::StreamSocket & socket);
     void authenticate(const Credentials & credentials_, const Poco::Net::SocketAddress & address_);
 
     /// Returns a reference to session ClientInfo.
diff --git a/src/Server/HTTP/HTTPServerRequest.cpp b/src/Server/HTTP/HTTPServerRequest.cpp
index db0ccecf46f..bb72c2a4010 100644
--- a/src/Server/HTTP/HTTPServerRequest.cpp
+++ b/src/Server/HTTP/HTTPServerRequest.cpp
@@ -9,11 +9,15 @@
 #include <Server/HTTP/HTTPServerResponse.h>
 #include <Server/HTTP/ReadHeaders.h>
 
-#include <Poco/Crypto/X509Certificate.h>
 #include <Poco/Net/HTTPHeaderStream.h>
 #include <Poco/Net/HTTPStream.h>
 #include <Poco/Net/NetException.h>
+
+#if USE_SSL
 #include <Poco/Net/SecureStreamSocketImpl.h>
+#include <Poco/Net/SSLException.h>
+#include <Poco/Net/X509Certificate.h>
+#endif
 
 namespace DB
 {
@@ -71,11 +75,31 @@ bool HTTPServerRequest::checkPeerConnected() const
     return true;
 }
 
-Poco::Net::SocketImpl * HTTPServerRequest::getSocket() const
+#if USE_SSL
+bool HTTPServerRequest::havePeerCertificate() const
 {
-    return socket;
+    if (!secure)
+        return false;
+
+    const Poco::Net::SecureStreamSocketImpl * secure_socket = dynamic_cast<const Poco::Net::SecureStreamSocketImpl *>(socket);
+    if (!secure_socket)
+        return false;
+
+    return secure_socket->havePeerCertificate();
 }
 
+Poco::Net::X509Certificate HTTPServerRequest::peerCertificate() const
+{
+    if (secure)
+    {
+        const Poco::Net::SecureStreamSocketImpl * secure_socket = dynamic_cast<const Poco::Net::SecureStreamSocketImpl *>(socket);
+        if (secure_socket)
+            return secure_socket->peerCertificate();
+    }
+    throw Poco::Net::SSLException("No certificate available");
+}
+#endif
+
 void HTTPServerRequest::readRequest(ReadBuffer & in)
 {
     char ch;
diff --git a/src/Server/HTTP/HTTPServerRequest.h b/src/Server/HTTP/HTTPServerRequest.h
index 85fe3a6f80a..cfaeb108095 100644
--- a/src/Server/HTTP/HTTPServerRequest.h
+++ b/src/Server/HTTP/HTTPServerRequest.h
@@ -3,9 +3,12 @@
 #include <Interpreters/Context_fwd.h>
 #include <IO/ReadBuffer.h>
 #include <Server/HTTP/HTTPRequest.h>
+#include <Common/config.h>
 
 #include <Poco/Net/HTTPServerSession.h>
 
+namespace Poco::Net { class X509Certificate; }
+
 namespace DB
 {
 
@@ -38,7 +41,10 @@ public:
     /// Returns the server's address.
     const Poco::Net::SocketAddress & serverAddress() const { return server_address; }
 
-    Poco::Net::SocketImpl * getSocket() const;
+#if USE_SSL
+    bool havePeerCertificate() const;
+    Poco::Net::X509Certificate peerCertificate() const;
+#endif
 
 private:
     /// Limits for basic sanity checks when reading a header
diff --git a/src/Server/HTTPHandler.cpp b/src/Server/HTTPHandler.cpp
index d29d113ad8e..1b8afd938ec 100644
--- a/src/Server/HTTPHandler.cpp
+++ b/src/Server/HTTPHandler.cpp
@@ -50,6 +50,10 @@
 #include <iomanip>
 #include <sstream>
 
+#if USE_SSL
+#include <Poco/Net/X509Certificate.h>
+#endif
+
 
 namespace DB
 {
@@ -106,6 +110,7 @@ namespace ErrorCodes
     extern const int BAD_REQUEST_PARAMETER;
     extern const int INVALID_SESSION_TIMEOUT;
     extern const int HTTP_LENGTH_REQUIRED;
+    extern const int SUPPORT_IS_DISABLED;
 }
 
 namespace
@@ -322,81 +327,90 @@ bool HTTPHandler::authenticateUser(
     std::string user = request.get("X-ClickHouse-User", "");
     std::string password = request.get("X-ClickHouse-Key", "");
     std::string quota_key = request.get("X-ClickHouse-Quota", "");
-    std::string x509_auth = request.get("X-ClickHouse-X509Authentication", "");
+
+    /// The header 'X-ClickHouse-SSL-Certificate-Auth: on' enables checking the common name
+    /// extracted from the SSL certificate used for this connection instead of checking password.
+    bool has_ssl_certificate_auth = (request.get("X-ClickHouse-X509Authentication", "") == "yes");
+    bool has_auth_headers = !user.empty() || !password.empty() || !quota_key.empty() || has_ssl_certificate_auth;
+
+    /// User name and password can be passed using HTTP Basic auth or query parameters
+    /// (both methods are insecure).
+    bool has_http_credentials = request.hasCredentials();
+    bool has_credentials_in_query_params = params.has("user") || params.has("password") || params.has("quota_key");
 
     std::string spnego_challenge;
     std::string certificate_common_name;
 
-    LOG_DEBUG(log, "X-ClickHouse-X509Authentication=\"{}\"", x509_auth);
-
-    bool has_basic_auth = request.hasCredentials() || params.has("user") || params.has("password") || params.has("quota_key");
-    bool has_header_auth = !user.empty() && !password.empty() && !quota_key.empty();
-    bool has_x509_auth = !user.empty() && (x509_auth == "yes"); // header values are case sensitive
-
-    if (has_x509_auth)
-    {
-        if (has_header_auth || has_basic_auth)
-            throw Exception("Invalid authentication: it is not allowed to use SSL X.509 certificate authentication and other authentication methods simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
-
-        certificate_common_name = getPeerCertificateCommonName(request.getSocket());
-        if (certificate_common_name.empty())
-            throw Exception("Invalid authentication: empty X.509 certificate Common Name", ErrorCodes::AUTHENTICATION_FAILED);
-
-        LOG_DEBUG(log, "certificate_common_name=\"{}\"", certificate_common_name);
-    }
-    else if (has_header_auth)
+    if (has_auth_headers)
     {
         /// It is prohibited to mix different authorization schemes.
-        if (has_basic_auth)
-            throw Exception("Invalid authentication: it is not allowed to use X-ClickHouse HTTP headers and other authentication methods simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
-    }
-    else
-    {
-        /// User name and password can be passed using query parameters
-        /// or using HTTP Basic auth (both methods are insecure).
-        if (request.hasCredentials())
+        if (has_http_credentials)
+            throw Exception("Invalid authentication: it is not allowed to use SSL certificate authentication and Authorization HTTP header simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
+        if (has_credentials_in_query_params)
+            throw Exception("Invalid authentication: it is not allowed to use SSL certificate authentication and authentication via parameters simultaneously simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
+
+        if (has_ssl_certificate_auth)
         {
-            /// It is prohibited to mix different authorization schemes.
-            if (params.has("user") || params.has("password"))
-                throw Exception("Invalid authentication: it is not allowed to use Authorization HTTP header and authentication via parameters simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
+#if USE_SSL
+            if (!password.empty())
+                throw Exception("Invalid authentication: it is not allowed to use SSL certificate authentication and authentication via password simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
 
-            std::string scheme;
-            std::string auth_info;
-            request.getCredentials(scheme, auth_info);
+            if (request.havePeerCertificate())
+                certificate_common_name = request.peerCertificate().commonName();
 
-            if (Poco::icompare(scheme, "Basic") == 0)
-            {
-                HTTPBasicCredentials credentials(auth_info);
-                user = credentials.getUsername();
-                password = credentials.getPassword();
-            }
-            else if (Poco::icompare(scheme, "Negotiate") == 0)
-            {
-                spnego_challenge = auth_info;
+            if (certificate_common_name.empty())
+                throw Exception("Invalid authentication: SSL certificate authentication requires nonempty certificate's Common Name", ErrorCodes::AUTHENTICATION_FAILED);
+#else
+            throw Exception(
+                "SSL certificate authentication disabled because ClickHouse was built without SSL library",
+                ErrorCodes::SUPPORT_IS_DISABLED);
+#endif
+        }
+    }
+    else if (has_http_credentials)
+    {
+        /// It is prohibited to mix different authorization schemes.
+        if (has_credentials_in_query_params)
+            throw Exception("Invalid authentication: it is not allowed to use Authorization HTTP header and authentication via parameters simultaneously", ErrorCodes::AUTHENTICATION_FAILED);
 
-                if (spnego_challenge.empty())
-                    throw Exception("Invalid authentication: SPNEGO challenge is empty", ErrorCodes::AUTHENTICATION_FAILED);
-            }
-            else
-            {
-                throw Exception("Invalid authentication: '" + scheme + "' HTTP Authorization scheme is not supported", ErrorCodes::AUTHENTICATION_FAILED);
-            }
+        std::string scheme;
+        std::string auth_info;
+        request.getCredentials(scheme, auth_info);
+
+        if (Poco::icompare(scheme, "Basic") == 0)
+        {
+            HTTPBasicCredentials credentials(auth_info);
+            user = credentials.getUsername();
+            password = credentials.getPassword();
+        }
+        else if (Poco::icompare(scheme, "Negotiate") == 0)
+        {
+            spnego_challenge = auth_info;
+
+            if (spnego_challenge.empty())
+                throw Exception("Invalid authentication: SPNEGO challenge is empty", ErrorCodes::AUTHENTICATION_FAILED);
         }
         else
         {
-            user = params.get("user", "default");
-            password = params.get("password", "");
+            throw Exception("Invalid authentication: '" + scheme + "' HTTP Authorization scheme is not supported", ErrorCodes::AUTHENTICATION_FAILED);
         }
 
         quota_key = params.get("quota_key", "");
     }
+    else
+    {
+        /// If the user name is not set we assume it's the 'default' user.
+        user = params.get("user", "default");
+        password = params.get("password", "");
+        quota_key = params.get("quota_key", "");
+    }
 
     if (!certificate_common_name.empty())
     {
         if (!request_credentials)
-            request_credentials = std::make_unique<CertificateCredentials>(user, certificate_common_name);
+            request_credentials = std::make_unique<SSLCertificateCredentials>(user, certificate_common_name);
 
-        auto * certificate_credentials = dynamic_cast<CertificateCredentials *>(request_credentials.get());
+        auto * certificate_credentials = dynamic_cast<SSLCertificateCredentials *>(request_credentials.get());
         if (!certificate_credentials)
             throw Exception("Invalid authentication: expected SSL certificate authorization scheme", ErrorCodes::AUTHENTICATION_FAILED);
     }
diff --git a/src/Server/TCPHandler.cpp b/src/Server/TCPHandler.cpp
index d4112dd8bc7..6fa2b25d181 100644
--- a/src/Server/TCPHandler.cpp
+++ b/src/Server/TCPHandler.cpp
@@ -1177,7 +1177,7 @@ void TCPHandler::receiveHello()
         return;
     }
 
-    session->authenticate(user, password, socket());
+    session->authenticate(user, password, socket().peerAddress());
 }
 
 

From cb66a63aa4a5b4b3a9d55b0d041b755330dc7a17 Mon Sep 17 00:00:00 2001
From: Vitaly Baranov <vitbar@yandex-team.ru>
Date: Sat, 19 Feb 2022 03:58:58 +0700
Subject: [PATCH 10/10] Rename header and config setting for consistency.

---
 src/Access/UsersConfigAccessStorage.cpp                   | 2 +-
 src/Server/HTTPHandler.cpp                                | 2 +-
 .../configs/users_with_ssl_auth.xml                       | 8 ++++----
 tests/integration/test_ssl_cert_authentication/test.py    | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/Access/UsersConfigAccessStorage.cpp b/src/Access/UsersConfigAccessStorage.cpp
index fd10150623b..a06ceabd808 100644
--- a/src/Access/UsersConfigAccessStorage.cpp
+++ b/src/Access/UsersConfigAccessStorage.cpp
@@ -62,7 +62,7 @@ namespace
         bool has_ldap = config.has(user_config + ".ldap");
         bool has_kerberos = config.has(user_config + ".kerberos");
 
-        const auto certificates_config = user_config + ".certificates";
+        const auto certificates_config = user_config + ".ssl_certificates";
         bool has_certificates = config.has(certificates_config);
 
         size_t num_password_fields = has_no_password + has_password_plaintext + has_password_sha256_hex + has_password_double_sha1_hex + has_ldap + has_kerberos + has_certificates;
diff --git a/src/Server/HTTPHandler.cpp b/src/Server/HTTPHandler.cpp
index 1b8afd938ec..bae879066ad 100644
--- a/src/Server/HTTPHandler.cpp
+++ b/src/Server/HTTPHandler.cpp
@@ -330,7 +330,7 @@ bool HTTPHandler::authenticateUser(
 
     /// The header 'X-ClickHouse-SSL-Certificate-Auth: on' enables checking the common name
     /// extracted from the SSL certificate used for this connection instead of checking password.
-    bool has_ssl_certificate_auth = (request.get("X-ClickHouse-X509Authentication", "") == "yes");
+    bool has_ssl_certificate_auth = (request.get("X-ClickHouse-SSL-Certificate-Auth", "") == "on");
     bool has_auth_headers = !user.empty() || !password.empty() || !quota_key.empty() || has_ssl_certificate_auth;
 
     /// User name and password can be passed using HTTP Basic auth or query parameters
diff --git a/tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml b/tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml
index 700759dcd34..c41776f9e78 100644
--- a/tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml
+++ b/tests/integration/test_ssl_cert_authentication/configs/users_with_ssl_auth.xml
@@ -2,15 +2,15 @@
 <clickhouse>
     <users>
         <john>
-            <certificates>
+            <ssl_certificates>
                 <common_name>client1</common_name>
-            </certificates>
+            </ssl_certificates>
         </john>
         <lucy>
-            <certificates>
+            <ssl_certificates>
                 <common_name>client2</common_name>
                 <common_name>client3</common_name>
-            </certificates>
+            </ssl_certificates>
         </lucy>
         <peter>
             <no_password/>
diff --git a/tests/integration/test_ssl_cert_authentication/test.py b/tests/integration/test_ssl_cert_authentication/test.py
index bdc7310a6b0..eceb4d10ae5 100644
--- a/tests/integration/test_ssl_cert_authentication/test.py
+++ b/tests/integration/test_ssl_cert_authentication/test.py
@@ -40,7 +40,7 @@ def execute_query_https(query, user, enable_ssl_auth=True, cert_name=None, passw
     request = urllib.request.Request(url)
     request.add_header('X-ClickHouse-User', user)
     if enable_ssl_auth:
-        request.add_header('X-ClickHouse-X509Authentication', 'yes')
+        request.add_header('X-ClickHouse-SSL-Certificate-Auth', 'on')
     if password:
         request.add_header('X-ClickHouse-Key', password)
     response = urllib.request.urlopen(request, context=get_ssl_context(cert_name)).read()