I verified this using a local HAProxy (i.e., this is not related to running
this in AWS). It's independent of using Proxy Protocol v1 or v2. I filed a
bug:
https://issues.jboss.org/browse/UNDERTOW-1536
On Thu, May 9, 2019 at 1:57 PM Ulrich Herberg <ulrich.herberg(a)verizonmedia.com> wrote:
Hi,
I noticed that when using the Proxy Protocol (using Undertow 2.0.20.Final
behind an AWS Network Load Balancer), mutual TLS doesn't work: The server
doesn't send the Certificate Request as part of the Server Hello.
I compared it with disabling Proxy Protocol on the load balancer, and then
it works correctly, Undertow includes the Certificate Request, and
therefore the client sends its certs. I am trying to understand what the
cause is; there are some differences in Undertow.java when using the Proxy
Protocol (which in itself shouldn't modify the TCP contents, and therefore
not cause this change of behavior):
    if (listener.useProxyProtocol) {
        // PROXY protocol: a plain stream server is created and xnioSsl is handed to
        // ProxyProtocolOpenListener, which sets up TLS after consuming the PROXY header
        ChannelListener<AcceptingChannel<StreamConnection>> acceptListener =
                ChannelListeners.openListenerAdapter(
                        new ProxyProtocolOpenListener(openListener, xnioSsl, buffers, socketOptionsWithOverrides));
        sslServer = worker.createStreamConnectionServer(
                new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
                (ChannelListener) acceptListener, socketOptionsWithOverrides);
    } else {
        // No PROXY protocol: the SSL server is created directly by xnioSsl
        ChannelListener<AcceptingChannel<StreamConnection>> acceptListener =
                ChannelListeners.openListenerAdapter(openListener);
        sslServer = xnioSsl.createSslConnectionServer(worker,
                new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
                (ChannelListener) acceptListener, socketOptionsWithOverrides);
    }
Not sure if this xnioSSL vs worker has anything to do with it. Thoughts?
Best regards
Ulrich
--
Ulrich Herberg, Ph.D.
Principal Software Engineer
ePay
M 408 663 8091
701 1st Ave
Sunnyvale, CA 94089
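As an added check (not part of this thread or of Undertow), the probe below reproduces what the report describes: it sends a PROXY protocol v1 line followed by a TLS 1.2 ClientHello generated by Python's ssl module, then parses the server's cleartext handshake flight for a CertificateRequest. The source address 192.0.2.10 and source port 40000 are assumed values; the check only applies to TLS 1.2 and earlier, since TLS 1.3 encrypts the CertificateRequest.

```python
import socket
import ssl
import struct
import sys

HANDSHAKE, CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 22, 13, 14

def proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """PROXY protocol v1 line, as a load balancer sends it before any TLS byte."""
    fam = "TCP6" if ":" in src_ip else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()

def handshake_types(data):
    """Handshake message types in a stream of TLS records; a handshake message
    may be split across records, so record payloads are joined before parsing."""
    body, off = b"", 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if ctype == HANDSHAKE:
            body += data[off:off + length]
        off += length
    types, pos = [], 0
    while pos + 4 <= len(body):
        types.append(body[pos])
        pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    return types

def server_requests_client_cert(host, port, src_ip="192.0.2.10", timeout=5.0):
    """Send PROXY v1 + ClientHello; True if the server's flight has CertificateRequest."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # in TLS 1.3 the request is encrypted
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()  # only writes the ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass
    with socket.create_connection((host, port), timeout=timeout) as sock:
        dst_ip = sock.getpeername()[0]  # PROXY v1 needs literal addresses
        sock.sendall(proxy_v1_header(src_ip, dst_ip, 40000, port) + outgoing.read())
        data = b""
        while SERVER_HELLO_DONE not in handshake_types(data) and (chunk := sock.recv(65536)):
            data += chunk
    return CERTIFICATE_REQUEST in handshake_types(data)

if __name__ == "__main__":  # usage: python probe.py <host> <port>
    print(server_requests_client_cert(sys.argv[1], int(sys.argv[2])))
```

Run it once with PROXY protocol enabled on the listener and once without; a listener configured for mutual TLS should report True both times.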