Darran Lofthouse updated ELY-1191:
----------------------------------
Fix Version/s: 1.1.0.Beta48 (was: 1.1.0.Beta47)
Undertow CLIENT_CERT via Elytron and HTTP/2 does not work
---------------------------------------------------------
Key: ELY-1191
URL: https://issues.jboss.org/browse/ELY-1191
Project: WildFly Elytron
Issue Type: Bug
Reporter: Stuart Douglas
Assignee: Stuart Douglas
Priority: Blocker
Fix For: 1.1.0.Beta48
When I set up CLIENT_CERT authentication for an application (see Steps to Reproduce) and use the HTTP/2 protocol, I always get 403 Forbidden, even when I use a correct client certificate that should allow me access to the secured content.
I can see the following TRACE messages in server.log:
{code}
2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Principal assigning: [CN=client], pre-realm rewritten: [client], realm name: [ksRealm], post-realm rewritten: [client], realm rewritten: [client]
2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [gooduser]
2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Authorizing principal client.
2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Authorizing against the following attributes: [] => []
2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Permission mapping: identity [client] with roles [gooduser] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authorization succeed
2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authentication succeed for principal [CN=client]
2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost' protocol='https'
2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) CLIENT-CERT no SSL session
{code}
Authentication seems to succeed just fine. But notice the last line: {{CLIENT-CERT no SSL session}}.
When I disable 'http2' on the https-listener:
{code}
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enable-http2,value=false)
reload
{code}
I can now access the secured content as expected. The trace log also contains different (healthier) messages now.
This happens both when I use HTTP/2 with the EAP 'alpn-hack' mechanism and when ALPN is provided by the OpenSSL library.
As described in JBEAP-9803, Undertow needs to write into the ssl-context when HTTP/2 with ALPN is used. Maybe this is the source of the problem?
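The report above infers "no SSL session" from the Elytron TRACE log. A quicker way to confirm what the servlet layer actually sees on each protocol is a small probe servlet that reports the negotiated protocol and whether the client certificate chain is exposed. The code below is an added example, not part of the original issue or of the Undertow/Elytron code bases; it uses only the standard Servlet API (the {{javax.servlet.request.X509Certificate}} and {{javax.servlet.request.cipher_suite}} request attributes), and the deployment name {{app}} and path {{/probe}} are assumptions.

```java
package example.probe;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Diagnostic servlet (added example, not project code). Deploy it in the
 * same application that uses CLIENT_CERT, but leave /probe outside the
 * security constraint so the request reaches the servlet even when the
 * mechanism would otherwise answer 403. It prints what the container
 * exposes to the servlet layer for the current connection.
 */
@WebServlet(urlPatterns = "/probe")            // path is an assumption
public class TlsSessionProbeServlet extends HttpServlet {

    // Servlet-spec attribute names (not Undertow-specific)
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // "HTTP/2.0" vs "HTTP/1.1": tells you which listener path was taken
        out.println("protocol: " + req.getProtocol());
        out.println("secure:   " + req.isSecure());

        // Null cipher suite means the container did not attach TLS session
        // information to this request at all.
        Object cipher = req.getAttribute(CIPHER_ATTR);
        out.println("cipher:   " + (cipher == null ? "<none>" : cipher));

        // Null or empty chain means the client certificate is not visible
        // here, which is what a CLIENT_CERT mechanism needs to succeed.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            out.println("client-cert: <not available to servlet layer>");
        } else {
            out.println("client-cert: " + chain[0].getSubjectX500Principal().getName());
            out.println("issuer:      " + chain[0].getIssuerX500Principal().getName());
        }
    }
}
```

Hit the probe twice with the same client certificate, once per protocol, and compare the output: {{curl --http2 --cert client.pem --key client.key --cacert ca.pem https://localhost:8443/app/probe}} and the same command with {{--http1.1}}. If the HTTP/1.1 response lists the certificate subject and the HTTP/2 response shows {{<none>}} / {{<not available>}}, the TLS session is being lost on the HTTP/2 path before the servlet and security layers see it, which matches the {{CLIENT-CERT no SSL session}} trace line. Remove the probe before shipping; it deliberately sits outside the security constraint.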