[undertow-dev] Undertow with Proxy Protocol enabled doesn't send Certificate Request header (for mutual TLS)

Ulrich Herberg ulrich.herberg at verizonmedia.com
Thu May 9 16:57:45 EDT 2019


Hi,

I noticed that when using the Proxy Protocol (using Undertow 2.0.20.Final
behind an AWS Network Load Balancer), mutual TLS doesn't work: the server
doesn't send the Certificate Request as part of the Server Hello.
I compared it with disabling Proxy Protocol on the load balancer, and then
it works correctly: Undertow includes the Certificate Request, and
therefore the client sends its certs. I am trying to understand what the
cause is; there are some differences in Undertow.java when using the Proxy
Protocol (which in itself shouldn't modify the TCP contents, and therefore
shouldn't cause this change of behavior):

if (listener.useProxyProtocol) {
    // Proxy Protocol path: a plain stream server is created on the worker, and the
    // ProxyProtocolOpenListener wraps the SSL layer itself after reading the PROXY header.
    ChannelListener<AcceptingChannel<StreamConnection>> acceptListener =
            ChannelListeners.openListenerAdapter(
                    new ProxyProtocolOpenListener(openListener, xnioSsl, buffers, socketOptionsWithOverrides));
    sslServer = worker.createStreamConnectionServer(
            new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
            (ChannelListener) acceptListener, socketOptionsWithOverrides);
} else {
    // Non-proxy path: xnioSsl creates the SSL server directly with the socket options.
    ChannelListener<AcceptingChannel<StreamConnection>> acceptListener =
            ChannelListeners.openListenerAdapter(openListener);
    sslServer = xnioSsl.createSslConnectionServer(worker,
            new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
            (ChannelListener) acceptListener, socketOptionsWithOverrides);
}

Not sure if this xnioSsl vs. worker difference has anything to do with it. Thoughts?

Best regards
Ulrich
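The check described above (does the server's first flight contain a Certificate Request or not) can be made reproducible from a packet capture rather than by eye. The script below is an added example, not part of the original post and not Undertow code: it walks the TLS records of a captured server flight and lists the handshake message types, flagging whether CertificateRequest (handshake type 13) is present. It applies to TLS 1.2, where the server's CertificateRequest is sent in cleartext; in TLS 1.3 it is encrypted and this check would need the session keys. The sample byte strings are constructed here (message bodies are placeholders, only the record and handshake framing matters), not real captures.

```python
"""List the handshake messages in a captured TLS 1.2 server flight and report
whether the server asked for a client certificate (CertificateRequest, type 13).
Example code; sample flights are constructed, not captured from a real server."""
import struct

CONTENT_HANDSHAKE = 22
HANDSHAKE_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    16: "ClientKeyExchange", 20: "Finished",
}


def handshake_types(stream: bytes) -> list:
    """Return the handshake message types found in the TLS records of `stream`.

    One record may carry several handshake messages and one message may be split
    across records, so all handshake-record payloads are concatenated before the
    4-byte handshake headers (type + 24-bit length) are walked."""
    payload = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % pos)
        if ctype == CONTENT_HANDSHAKE:   # alerts, CCS etc. are skipped
            payload += body
        pos += 5 + length

    types = []
    hpos = 0
    while hpos + 4 <= len(payload):
        htype = payload[hpos]
        hlen = int.from_bytes(payload[hpos + 1:hpos + 4], "big")
        if hpos + 4 + hlen > len(payload):
            raise ValueError("truncated handshake message of type %d" % htype)
        types.append(htype)
        hpos += 4 + hlen
    return types


def handshake_names(stream: bytes) -> list:
    return [HANDSHAKE_NAMES.get(t, "type-%d" % t) for t in handshake_types(stream)]


def requests_client_cert(stream: bytes) -> bool:
    """True if the server flight contains a CertificateRequest message."""
    return 13 in handshake_types(stream)


# --- constructed sample data (framing only; bodies are placeholders) ---------
def _record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def _hs(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


_server_hello = _hs(2, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
_certificate = _hs(11, b"\x00\x00\x10" + b"\x00" * 16)
_cert_request = _hs(13, b"\x01\x40" + b"\x00\x00" + b"\x00\x00")
_hello_done = _hs(14, b"")

# Mutual-TLS flight: Certificate and CertificateRequest coalesced into one record.
FLIGHT_WITH_CERT_REQUEST = (
    _record(22, _server_hello)
    + _record(22, _certificate + _cert_request)
    + _record(22, _hello_done)
)
# Flight without a CertificateRequest, and with the Certificate message split
# across two records (the case seen with proxy-protocol listeners in the post).
FLIGHT_WITHOUT_CERT_REQUEST = (
    _record(22, _server_hello)
    + _record(22, _certificate[:10])
    + _record(22, _certificate[10:] + _hello_done)
)

if __name__ == "__main__":
    for name, flight in (("with", FLIGHT_WITH_CERT_REQUEST),
                         ("without", FLIGHT_WITHOUT_CERT_REQUEST)):
        print(name, handshake_names(flight), "client cert requested:",
              requests_client_cert(flight))
```

To use it on a real capture, feed `handshake_names` the raw server-to-client bytes of the connection (for example exported from Wireshark as a TCP stream) and compare the result for a listener with and without the Proxy Protocol enabled.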