bug: mTLS stream data to external server, APISIX not sending client certificate

### Current Behavior

Issue: mTLS is enabled on the external server. APISIX is configured as a client to send the data  along with client certificate, But the external server is reporting client certificate is not part of the request

### Expected Behavior

APISIX sends the configured client certificate to external server which has mTLS enabled (TLS Verify ON)

### Error Logs

Error in TLS server,
```
ERROR
40A764BDA57F0000:error:0A0000C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:../ssl/statem/statem_srvr.c:3509:
shutting down SSL
CONNECTION CLOSED
```

Error in APISIX
```
2025/07/29 10:10:16 [crit] 51#51: *4363 SSL_read() failed (SSL: error:0A00045C:SSL routines::tlsv13 alert certificate required:SSL alert number 116) while proxying and reading from upstream, client: 100.64.64.1, server: 0.0.0.0:9100, upstream: "10.12.135.120:4433", bytes from/to client:10/0, bytes from/to upstream:0/10
```

### Steps to Reproduce


- Enabled stream on port 9100

```
  stream:
    enabled: true
    tcp:
    - addr: 9100 # Port for TCP proxy to tcp-server
```
- Configure stream route for mTLS using below API

```
curl http://127.0.0.1:9180/apisix/admin/stream_routes/1   -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1"   -X PUT   -d '{
    "server_port": 9100,
    "upstream": {
      "scheme": "tls",
      "type": "roundrobin",
      "nodes": {
        "10.12.135.120:4433": 1
      },
      "tls": {
        "client_cert": "'"$(cat client.cer)"'",
        "client_key": "'"$(cat client.key)"'",
        "ca_cert": "'"$(cat ca.cer)"'",
        "verify": true
      }
    }
  }'
```

Start the TLS server,

```
openssl s_server -accept 4433 -cert server.cer -key server.key -CAfile ca.cer -Verify 1
```

Send data,
```
echo "mTLS test" | nc 10.177.193.251 9100
```

APISIX version - 3.11

### Environment

- APISIX version (run `apisix version`):  3.11
- Operating system (run `uname -a`): Helm Charts deployed in K3S
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx version: openresty/1.25.3.2
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): 10.1.0
- APISIX Dashboard version, if relevant: NA
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bug: mTLS stream data to external server, APISIX not sending client certificate #12472

Current Behavior

Expected Behavior

Error Logs

Steps to Reproduce

Environment

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

bug: mTLS stream data to external server, APISIX not sending client certificate #12472

Description

Current Behavior

Expected Behavior

Error Logs

Steps to Reproduce

Environment

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions