<div dir="ltr">I verified this using a local HAProxy (i.e., this is not related to running this in AWS). It's independent of using Proxy Protocol v1 or v2. I filed a bug: <a href="https://issues.jboss.org/browse/UNDERTOW-1536">https://issues.jboss.org/browse/UNDERTOW-1536</a></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 9, 2019 at 1:57 PM Ulrich Herberg <<a href="mailto:ulrich.herberg@verizonmedia.com">ulrich.herberg@verizonmedia.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<br><br>I noticed that when using the Proxy Protocol (using Undertow 2.0.20.Final behind an AWS Network Load Balancer), mutual TLS doesn't work: The server doesn't send the Certificate Request as part of the Server Hello.<br>I compared it with disabling Proxy Protocol on the load balancer, and then it works correctly, Undertow includes the Certificate Request, and therefore the client sends its certs. I am trying to understand what the cause is; there are some differences in Undertow.java when using the Proxy Protocol (which in itself shouldn't modify the TCP contents, and therefore not cause this change of behavior):<br><br>if (listener.useProxyProtocol) {<br> ChannelListener<AcceptingChannel<StreamConnection>> acceptListener = ChannelListeners.openListenerAdapter(new ProxyProtocolOpenListener(openListener, xnioSsl, buffers, socketOptionsWithOverrides));<br> sslServer = worker.createStreamConnectionServer(new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port), (ChannelListener) acceptListener, socketOptionsWithOverrides);<br>} else {<br> ChannelListener<AcceptingChannel<StreamConnection>> acceptListener = ChannelListeners.openListenerAdapter(openListener);<br> sslServer = xnioSsl.createSslConnectionServer(worker, new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port), (ChannelListener) acceptListener, socketOptionsWithOverrides);<br>}<br><br>Not sure if this xnioSSL vs worker has anything to do with it. Thoughts?<br><br>Best regards<br>Ulrich</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><a href="http://www.verizonmedia.com/" style="color:rgb(0,136,206);font-family:NeueFont,sans-serif;font-size:14px;padding-bottom:1em;display:inline-block" target="_blank"><img src="https://s.yimg.com/cv/apiv2/default/20190416/verizonmedia_emailsig_400x89.jpg" width="145" height="33" style="height: 33px; width: 145px;"></a><br style="color:rgb(0,0,0);font-family:NeueFont,sans-serif;font-size:14px"><p style="margin:0px;padding:0px;color:black;font-size:1em;font-family:"Verizon NHG DS",Arial,sans-serif;line-height:14px"><span style="font-weight:bold">Ulrich Herberg, Ph.D.</span><br><br>Principal Software Engineer<br>ePay<br><br>M 408 663 8091<br>701 1st Ave<br>Sunnyvale, CA 94089<br></p></div></div>