[undertow-dev] Undertow with Proxy Protocol enabled doesn't send Certificate Request header (for mutual TLS)

Ulrich Herberg ulrich.herberg at verizonmedia.com
Fri May 10 13:25:00 EDT 2019


I verified this using a local HAProxy (i.e., this is not related to running
this in AWS). It's independent of using Proxy Protocol v1 or v2. I filed a
bug: https://issues.jboss.org/browse/UNDERTOW-1536

On Thu, May 9, 2019 at 1:57 PM Ulrich Herberg <ulrich.herberg at verizonmedia.com> wrote:

> Hi,
>
> I noticed that when using the Proxy Protocol (using Undertow 2.0.20.Final
> behind an AWS Network Load Balancer), mutual TLS doesn't work: The server
> doesn't send the Certificate Request as part of the Server Hello.
> I compared it with disabling Proxy Protocol on the load balancer, and then
> it works correctly, Undertow includes the Certificate Request, and
> therefore the client sends its certs. I am trying to understand what the
> cause is; there are some differences in Undertow.java when using the Proxy
> Protocol (which in itself shouldn't modify the TCP contents, and therefore
> not cause this change of behavior):
>
> if (listener.useProxyProtocol) {
>     // Proxy Protocol path
>     ChannelListener<AcceptingChannel<StreamConnection>> acceptListener =
>             ChannelListeners.openListenerAdapter(
>                     new ProxyProtocolOpenListener(openListener, xnioSsl, buffers, socketOptionsWithOverrides));
>     sslServer = worker.createStreamConnectionServer(
>             new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
>             (ChannelListener) acceptListener, socketOptionsWithOverrides);
> } else {
>     // Default TLS path
>     ChannelListener<AcceptingChannel<StreamConnection>> acceptListener =
>             ChannelListeners.openListenerAdapter(openListener);
>     sslServer = xnioSsl.createSslConnectionServer(worker,
>             new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
>             (ChannelListener) acceptListener, socketOptionsWithOverrides);
> }
>
> Not sure if this xnioSSL vs worker has anything to do with it. Thoughts?
>
> Best regards
> Ulrich
>


-- 

Ulrich Herberg, Ph.D.

Principal Software Engineer
ePay

M 408 663 8091
701 1st Ave
Sunnyvale, CA 94089
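Added example (not Undertow's code and not from the thread) for reproducing the check described above without HAProxy or an NLB in the path: the client prepends the PROXY v1 line itself, sends a TLS 1.2 ClientHello and parses the server's handshake flight for a CertificateRequest message. Assumptions: the server negotiates TLS 1.2 (in TLS 1.3 the CertificateRequest is encrypted and not visible this way), and the host, port and addresses are placeholders.

```python
import os
import socket
import struct

HANDSHAKE, CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 22, 13, 14  # TLS record / handshake type codes

def proxy_v1_header(src, dst, sport, dport):
    """PROXY protocol v1 line (TCP4) exactly as HAProxy or an NLB would prepend it."""
    return f"PROXY TCP4 {src} {dst} {sport} {dport}\r\n".encode()

def client_hello(sni):
    """Minimal TLS 1.2 ClientHello (no supported_versions, so TLS 1.3 is not offered)."""
    ext_sni = struct.pack("!HHHBH", 0, len(sni) + 5, len(sni) + 3, 0, len(sni)) + sni.encode()
    ext_groups = struct.pack("!HHH", 10, 6, 4) + b"\x00\x1d\x00\x17"  # x25519, secp256r1
    ext_sigalgs = struct.pack("!HHH", 13, 8, 6) + b"\x04\x01\x04\x03\x08\x04"
    exts, suites = ext_sni + ext_groups + ext_sigalgs, b"\xc0\x2f\xc0\x2b\x00\x9c\x00\x2f"
    body = (b"\x03\x03" + os.urandom(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22 = handshake

def handshake_types(records):
    """Handshake message types in a blob of TLS records, stopping at ServerHelloDone."""
    body, pos, types = b"", 0, []
    while pos + 5 <= len(records):                     # record: type(1) version(2) len(2)
        ctype, length = records[pos], int.from_bytes(records[pos + 3:pos + 5], "big")
        if ctype == HANDSHAKE:
            body += records[pos + 5:pos + 5 + length]  # one message may span records
        pos += 5 + length
    while len(body) >= 4:                              # message: type(1) len(3) body
        htype, hlen = body[0], int.from_bytes(body[1:4], "big")
        types.append(htype)
        body = body[4 + hlen:]
        if htype == SERVER_HELLO_DONE:
            break
    return types

def server_requests_client_cert(host, port, proxy_line=b"", timeout=5):
    """Send (optional PROXY line +) ClientHello; True if the flight has a CertificateRequest."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(proxy_line + client_hello(host))
        while SERVER_HELLO_DONE not in handshake_types(data):
            chunk = sock.recv(65536)
            if not chunk:                              # alert or close before ServerHelloDone
                break
            data += chunk
    return CERTIFICATE_REQUEST in handshake_types(data)
```

Run `server_requests_client_cert("localhost", 8443)` against a listener without Proxy Protocol and `server_requests_client_cert("localhost", 8443, proxy_v1_header("127.0.0.1", "127.0.0.1", 51000, 8443))` against one with it enabled; a server that returns True in the first case and False in the second shows the behaviour reported in this thread.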