Mutual TLS support in InfluxDB3 Java Client

AnshJ · September 29, 2025, 10:40am

Hi InfluxDB Community,

I’m currently integrating the InfluxDB3 Java client (v1.2.0) into Kafka Connect environments and have encountered some SSL/TLS limitations compared to the Influxdb v2 Java client and other standard HTTP clients

Current InfluxDB3 SSL Support:

Server certificate validation (enable/disable)
Custom CA certificates (PEM format only)
Basic TLS protocol selection (v1.2/v1.3)

Missing Enterprise Features:

Mutual TLS (mTLS) - No client certificate authentication support
Multiple certificate formats - Only PEM supported, no JKS/PKCS12
Keystore support - Cannot load client certificates from keystores
Advanced SSL configuration - No hostname verification control, trust strategies, etc.

These limitations prevent deployment in enterprise environments requiring client certificate authentication or existing PKI infrastructure using JKS/PKCS12 formats.

Questions:

Are there plans to enhance SSL/TLS capabilities in future releases?
Is there a roadmap for mTLS support?

suyash · September 30, 2025, 11:30am

Thanks for raising these @AnshJ, discussing these internally.

bednar · October 2, 2025, 11:35am

Hi @AnshJ, thanks for reaching out.

Can you please clarify how you configure extended SSL options in the v2 client? Am I correct in assuming that you’re using a custom OkHttpBuilder?

Thanks for your response—it will help us better understand your requirements.

Best

AnshJ · October 4, 2025, 3:10pm

Hi @bednar @suyash,

Yes, you’re absolutely correct.

The v2 client enables extended SSL options through custom OkHttpClient configuration:

OkHttpClient.Builder httpBuilder = new OkHttpClient.Builder()

.sslSocketFactory(sslContext.getSocketFactory(), 

                  (X509TrustManager) tmf.getTrustManagers()\[0\])

.hostnameVerifier(customHostnameVerifier);

Would it be feasible to add similar support for SSL/TLS in V3 either through HTTP client injection to v3, or extending ClientConfig with enterprise SSL options like:

keyStorePath / keyStorePassword
keyStoreType (JKS/PKCS12)
customTrust Store support

This would enable enterprise adoption without requiring infrastructure changes to accommodate PEM-only workflows.

AnshJ · October 23, 2025, 8:36am

Following up @bednar , @suyash
Did you guys checked this? It is required to have SSL enabled for Self hosted databases.

suyash · October 27, 2025, 1:24pm

Hi @AnshJ can you please open this as issue here, be easier to track and see updates: GitHub · Where software is built Thanks!

Topic		Replies	Views
Influxdb is not sending a client certificate during TLS handshake influxdb	7	1320	August 13, 2020
InfluxDB 3 tls-cert and tls-key influxdb	1	54	April 7, 2025
Telegraf TLS Client Authentication in Influxdb output Telegraf influxdb , telegraf	4	3859	November 7, 2017
Issue when enable https with influxDB influxdb , telegraf	4	4502	July 23, 2018
Setting up password less auth to connect to influxdb	7	3129	May 9, 2018

Mutual TLS support in InfluxDB3 Java Client

Related topics