KAFKA-9771: Port patch for inter-worker Connect SSL from Jetty 9.4.25

connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java

@@ -22,6 +22,7 @@
 import org.apache.kafka.connect.runtime.WorkerConfig;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
+import javax.net.ssl.X509ExtendedKeyManager;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
@@ -64,7 +65,20 @@ public static SslContextFactory createServerSideSslContextFactory(WorkerConfig c
     public static SslContextFactory createClientSideSslContextFactory(WorkerConfig config) {
         Map<String, Object> sslConfigValues = config.valuesWithPrefixAllOrNothing("listeners.https.");
 
-        final SslContextFactory.Client ssl = new SslContextFactory.Client();
+        // Override this method in order to avoid running into
+        // https://github.com/eclipse/jetty.project/issues/4385, which would otherwise cause this to
+        // break when the keystore contains multiple certificates.
+        // The override here matches the bug fix in Jetty for that issue:
+        // https://github.com/eclipse/jetty.project/pull/4404/files#diff-58640db0f8f2cd84b7e653d1c1540913R2188-R2193
+        // TODO: Remove this override when the version of Jetty for the framework is bumped to
+        //       9.4.25 or later
+        final SslContextFactory.Client ssl = new SslContextFactory.Client() {
+            @Override
+            @SuppressWarnings("deprecation")
+            protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager) {
+                return keyManager;
+            }
+        };
 
         configureSslContextFactoryKeyStore(ssl, sslConfigValues);
         configureSslContextFactoryTrustStore(ssl, sslConfigValues);