Details
-
Sub-task
-
Resolution: Withdrawn
-
P3
-
None
-
8u261, 11.0.1
Description
Prior to JDK 8u261, when an application used client authentication, the JSSE framework passed an array of Strings containing all key types in a single call to the (delegate) `javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)` implementation. Since JDK 8u261, the internal JDK libraries may call the delegate `javax.net.ssl.X509KeyManager.chooseClientAlias` method in multiple iterations while performing client authentication, with one key type per call.
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-
If application code implements `javax.net.ssl.X509KeyManager`, ensure that the logic in that implementation does not assume that all key types are passed in the `keyType` String array in the first call to `chooseClientAlias`: `String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)`
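One way to write such an implementation, as an added example (not code from the JDK or from this issue): a wrapper that prefers one client alias and evaluates every call on its own, whether it carries one key type or several. The class name `PreferredAliasKeyManager` and the `preferredAlias` value are hypothetical.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.X509KeyManager;

/** Added example: selects a preferred client alias without assuming all key types arrive in one call. */
public final class PreferredAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;  // e.g. a key manager obtained from KeyManagerFactory
    private final String preferredAlias;    // hypothetical alias configured by the application

    public PreferredAliasKeyManager(X509KeyManager delegate, String preferredAlias) {
        this.delegate = delegate;
        this.preferredAlias = preferredAlias;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        if (keyType == null) return null;
        // Brittle pattern to avoid: reading only keyType[0], or throwing / returning a fixed
        // alias because an expected type such as "RSA" is missing from this particular call.
        for (String type : keyType) {
            String[] candidates = delegate.getClientAliases(type, issuers);
            if (candidates != null && Arrays.asList(candidates).contains(preferredAlias)) {
                return preferredAlias;  // alias holds a key of this type with an accepted issuer
            }
        }
        // No match for the type(s) in this call. Returning null reports "no match" for this
        // call only, so a later call with a different key type can still select the alias.
        return null;
    }

    // Remaining methods pass through to the delegate unchanged.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```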