"Fail to unwrap network record" exception when using Jmeter's Keystore configuration with bzm-http2 plugin

[syampol13]

Jmeter: 5.6.2
bzm-http2: 2.0.5

I have a target endpoint that require client certificate for communicating.
Certificate added to the JKS

keystore entry:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

crossperf.eu, Jun 15, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 96:A5:A9:5C:02:04:CA:26:88:5E:22:D2:98:F1:36:4E:A9:12:F9:2E:39:AC:FB:F1:E0:78:55:48:BA:B3:CE:8A
rgs cross-site cpppgstress, Mar 21, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 68:34:BD:86:C5:C1:92:00:14:35:23:64:0F:C7:03:A1:34:47:C3:FF:03:FE:57:B2:C8:AB:F2:E3:BE:25:29:9E

Jmeter test plan contains keystore configuration:

and certAlias is set to "rgs cross-site cpppgstress"

javax.net.ssl.* parameters pointed to the keystore and specify the password

However, when running test plan, I'm getting an " javax.net.ssl.SSLException: Fail to unwrap network record" exception trying to establish a connection.

java.util.concurrent.ExecutionException: javax.net.ssl.SSLException: Fail to unwrap network record
at com.blazemeter.jmeter.http2.core.HTTP2FutureResponseListener.getResult(HTTP2FutureResponseListener.java:121)
at com.blazemeter.jmeter.http2.core.HTTP2FutureResponseListener.get(HTTP2FutureResponseListener.java:93)
at com.blazemeter.jmeter.http2.core.HTTP2JettyClient.getContent(HTTP2JettyClient.java:413)
at com.blazemeter.jmeter.http2.core.HTTP2JettyClient.send(HTTP2JettyClient.java:402)
at com.blazemeter.jmeter.http2.core.HTTP2JettyClient.sample(HTTP2JettyClient.java:356)
at com.blazemeter.jmeter.http2.sampler.HTTP2Sampler.sample(HTTP2Sampler.java:182)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1311)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1300)
at org.apache.jmeter.threads.JMeterThread.doSampling(JMeterThread.java:651)
at org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:570)
at org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:501)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:268)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLException: Fail to unwrap network record
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:470)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
at org.eclipse.jetty.io.ssl.SslConnection.unwrap(SslConnection.java:398)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:721)
at org.eclipse.jetty.io.NegotiatingClientConnection.fill(NegotiatingClientConnection.java:102)
at org.eclipse.jetty.io.NegotiatingClientConnection.onFillable(NegotiatingClientConnection.java:84)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
... 1 more
Suppressed: java.io.IOException: Broken pipe
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:1138)
at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:422)
at org.eclipse.jetty.io.WriteFlusher.write(WriteFlusher.java:275)
at org.eclipse.jetty.io.WriteFlusher.write(WriteFlusher.java:254)
at org.eclipse.jetty.io.AbstractEndPoint.write(AbstractEndPoint.java:386)
at org.eclipse.jetty.client.http.HttpSenderOverHTTP$HeadersCallback.process(HttpSenderOverHTTP.java:205)
at org.eclipse.jetty.util.IteratingCallback.processing(IteratingCallback.java:243)
at org.eclipse.jetty.util.IteratingCallback.iterate(IteratingCallback.java:224)
at org.eclipse.jetty.client.http.HttpSenderOverHTTP.sendHeaders(HttpSenderOverHTTP.java:79)
at org.eclipse.jetty.client.HttpSender$ContentConsumer.onContent(HttpSender.java:496)
at org.eclipse.jetty.client.util.AbstractRequestContent$AbstractSubscription.notifyContent(AbstractRequestContent.java:207)
at org.eclipse.jetty.client.util.AbstractRequestContent$AbstractSubscription.processContent(AbstractRequestContent.java:181)
at org.eclipse.jetty.client.util.BytesRequestContent$SubscriptionImpl.produceContent(BytesRequestContent.java:83)
at org.eclipse.jetty.client.util.AbstractRequestContent$AbstractSubscription.produce(AbstractRequestContent.java:117)
at org.eclipse.jetty.client.util.AbstractRequestContent$AbstractSubscription.demand(AbstractRequestContent.java:93)
at org.eclipse.jetty.client.HttpSender.demand(HttpSender.java:237)
at org.eclipse.jetty.client.HttpSender.send(HttpSender.java:83)
at org.eclipse.jetty.client.http.HttpChannelOverHTTP.send(HttpChannelOverHTTP.java:79)
at org.eclipse.jetty.client.HttpChannel.send(HttpChannel.java:122)
at org.eclipse.jetty.client.HttpConnection.send(HttpConnection.java:111)
at org.eclipse.jetty.client.http.HttpConnectionOverHTTP$Delegate.send(HttpConnectionOverHTTP.java:301)
at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.send(HttpConnectionOverHTTP.java:146)
at org.eclipse.jetty.client.HttpDestination.send(HttpDestination.java:440)
at org.eclipse.jetty.client.HttpDestination.process(HttpDestination.java:416)
at org.eclipse.jetty.client.HttpDestination.process(HttpDestination.java:371)
at org.eclipse.jetty.client.HttpDestination.send(HttpDestination.java:354)
at org.eclipse.jetty.client.HttpDestination.succeeded(HttpDestination.java:288)
at org.eclipse.jetty.client.AbstractConnectionPool.proceed(AbstractConnectionPool.java:309)
at org.eclipse.jetty.client.AbstractConnectionPool$FutureConnection.succeeded(AbstractConnectionPool.java:556)
at org.eclipse.jetty.client.AbstractConnectionPool$FutureConnection.succeeded(AbstractConnectionPool.java:534)
at org.eclipse.jetty.util.Promise$Wrapper.succeeded(Promise.java:163)
at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onOpen(HttpConnectionOverHTTP.java:154)
at org.eclipse.jetty.io.AbstractEndPoint.upgrade(AbstractEndPoint.java:451)
at org.eclipse.jetty.io.NegotiatingClientConnection.replaceConnection(NegotiatingClientConnection.java:117)
at org.eclipse.jetty.io.NegotiatingClientConnection.onFillable(NegotiatingClientConnection.java:87)
... 11 more
Caused by: java.lang.NullPointerException
at org.apache.jmeter.util.keystore.JmeterKeyStore.getAlias(JmeterKeyStore.java:308)
at com.blazemeter.jmeter.http2.core.JMeterJettySslContextFactory$WrappedX509KeyManager.chooseEngineClientAlias(JMeterJettySslContextFactory.java:137)
at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createClientPossession(X509Authentication.java:237)
at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createPossession(X509Authentication.java:206)
at java.base/sun.security.ssl.X509Authentication.createPossession(X509Authentication.java:90)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.choosePossession(CertificateMessage.java:1081)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:1102)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:958)
at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(Finished.java:1011)
at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume(Finished.java:874)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:418)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
... 17 more

java.net.ssl log attached
java.net.ssl.log

Note that when I remove/disable the keystore configuration element; clear SSL cache and run TP again - it works fine (javax.net.ssl.* parameters remain set).
The problem is that I need to have more than one certificate to work with. That's why I need keystore configuration to be a part of the TP where I can select needed certificate via the 'Variable name holding certificate alias'