Hi,
I noticed that when using the Proxy Protocol (using Undertow 2.0.20.Final behind an AWS Network Load Balancer), mutual TLS doesn't work: The server doesn't send the Certificate Request as part of the Server Hello.
I compared it with disabling Proxy Protocol on the load balancer, and then it works correctly: Undertow includes the Certificate Request, and therefore the client sends its certs. I am trying to understand what the cause is; there are some differences in Undertow.java when using the Proxy Protocol (which in itself shouldn't modify the TCP contents, and therefore shouldn't cause this change of behavior):
if (listener.useProxyProtocol) {
    ChannelListener<AcceptingChannel<StreamConnection>> acceptListener = ChannelListeners.openListenerAdapter(new ProxyProtocolOpenListener(openListener, xnioSsl, buffers, socketOptionsWithOverrides));
    sslServer = worker.createStreamConnectionServer(new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port), (ChannelListener) acceptListener, socketOptionsWithOverrides);
} else {
    ChannelListener<AcceptingChannel<StreamConnection>> acceptListener = ChannelListeners.openListenerAdapter(openListener);
    sslServer = xnioSsl.createSslConnectionServer(worker, new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port), (ChannelListener) acceptListener, socketOptionsWithOverrides);
}
Not sure if this xnioSsl vs. worker difference has anything to do with it. Thoughts?
Best regards
Ulrich
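Added example, not from the post above and not Undertow's own code: a fail-closed guard for the failure mode Ulrich describes. If the listener ends up completing the handshake without a CertificateRequest, the application would otherwise serve anonymous clients silently; wrapping the root handler so that every request must carry a verified peer certificate turns that into a visible 403 plus a server-side log line, whether or not the proxy-protocol listener path behaves. Assumed here: the Undertow 2.x `ListenerBuilder` API (`setUseProxyProtocol`, `setSslContext`), XNIO's `Options.SSL_CLIENT_AUTH_MODE` for requiring a client certificate at handshake time (the post does not say how client auth was configured), and placeholder keystore paths and password.

```java
// Added example (not from the original post or from Undertow itself).
// Assumptions: Undertow 2.x builder API as named below; PKCS12 keystores at
// placeholder paths; password "changeit" is a constructed placeholder.
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.RenegotiationRequiredException;
import io.undertow.server.SSLSessionInfo;
import io.undertow.util.StatusCodes;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class MtlsGuardExample {

    /** Wraps the application handler so a request only reaches it with a verified client cert. */
    static HttpHandler requireClientCert(HttpHandler next) {
        return exchange -> {
            SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
            if (ssl == null) {                       // plain TCP connection: never acceptable here
                reject(exchange, "no TLS session on connection");
                return;
            }
            try {
                Certificate[] chain = ssl.getPeerCertificates();
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    reject(exchange, "handshake completed without a client certificate");
                    return;
                }
                String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
                System.out.println("mTLS client accepted: " + subject);
                next.handleRequest(exchange);
            } catch (SSLPeerUnverifiedException | RenegotiationRequiredException e) {
                // This is the symptom from the post: no CertificateRequest was sent,
                // so the peer is unverified. Fail closed instead of serving anonymously.
                reject(exchange, "peer not verified: " + e);
            }
        };
    }

    /** Log the reason server-side; the client only sees a bare 403. */
    private static void reject(HttpServerExchange exchange, String reason) {
        System.err.println("rejected " + exchange.getSourceAddress() + ": " + reason);
        exchange.setStatusCode(StatusCodes.FORBIDDEN);
        exchange.endExchange();
    }

    /** Server identity from one PKCS12 keystore, client-CA trust from another (placeholder paths). */
    static SSLContext sslContext(String keyStorePath, String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) { ts.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Toggle the proxy-protocol listener path with "--proxy-protocol" to compare both behaviours.
        boolean behindProxyProtocol = args.length > 0 && "--proxy-protocol".equals(args[0]);
        SSLContext ctx = sslContext("/path/to/server.p12", "/path/to/client-ca.p12", "changeit".toCharArray());

        HttpHandler app = exchange -> exchange.getResponseSender().send("hello, authenticated client\n");

        Undertow server = Undertow.builder()
                .addListener(new Undertow.ListenerBuilder()
                        .setType(Undertow.ListenerType.HTTPS)
                        .setHost("0.0.0.0")
                        .setPort(8443)
                        .setSslContext(ctx)
                        .setUseProxyProtocol(behindProxyProtocol))
                // Ask XNIO to demand a client certificate during the handshake.
                .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)
                .setHandler(requireClientCert(app))
                .build();
        server.start();
    }
}
```

Run it once with and once without `--proxy-protocol` against the same client: with a working listener every request logs `mTLS client accepted`; if the proxy-protocol path skips the CertificateRequest, the same client is met with 403s and `peer not verified` lines in the server log, which is a simple way to detect the regression before it reaches production.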