One thing that was lost in the switch to separate SSL context configuration was the ability to perform client SSL authentication using certificates or other credentials configured in the authentication client configuration.

There should be a configuration option to replace the key manager for the client SSL context with one which uses the authentication configuration to retrieve, at minimum, certificate credentials. Plus whatever is necessary to forward or set a GSSCredential for Kerberos-based mechanisms.