[undertow-dev] Undertow with Proxy Protocol enabled doesn't send Certificate Request header (for mutual TLS)
Ulrich Herberg
ulrich.herberg at verizonmedia.com
Fri May 10 15:20:52 EDT 2019
I fixed this in https://github.com/undertow-io/undertow/pull/756
Please consider reviewing and merging it.
Regards
Ulrich
On Fri, May 10, 2019 at 10:25 AM Ulrich Herberg <ulrich.herberg at verizonmedia.com> wrote:
> I verified this using a local HAProxy (i.e., this is not related to
> running this in AWS). It's independent of using Proxy Protocol v1 or v2. I
> filed a bug: https://issues.jboss.org/browse/UNDERTOW-1536
>
> On Thu, May 9, 2019 at 1:57 PM Ulrich Herberg <ulrich.herberg at verizonmedia.com> wrote:
>
>> Hi,
>>
>> I noticed that when using the Proxy Protocol (using Undertow 2.0.20.Final
>> behind an AWS Network Load Balancer), mutual TLS doesn't work: The server
>> doesn't send the Certificate Request as part of the Server Hello.
>> I compared it with disabling Proxy Protocol on the load balancer, and
>> then it works correctly, Undertow includes the Certificate Request, and
>> therefore the client sends its certs. I am trying to understand what the
>> cause is; there are some differences in Undertow.java when using the Proxy
>> Protocol (which in itself shouldn't modify the TCP contents, and therefore
>> not cause this change of behavior):
>>
>> if (listener.useProxyProtocol) {
>>     ChannelListener<AcceptingChannel<StreamConnection>> acceptListener
>>             = ChannelListeners.openListenerAdapter(new ProxyProtocolOpenListener(
>>                     openListener, xnioSsl, buffers, socketOptionsWithOverrides));
>>     sslServer = worker.createStreamConnectionServer(
>>             new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
>>             (ChannelListener) acceptListener, socketOptionsWithOverrides);
>> } else {
>>     ChannelListener<AcceptingChannel<StreamConnection>> acceptListener
>>             = ChannelListeners.openListenerAdapter(openListener);
>>     sslServer = xnioSsl.createSslConnectionServer(worker,
>>             new InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
>>             (ChannelListener) acceptListener, socketOptionsWithOverrides);
>> }
>>
>> Not sure if this xnioSSL vs worker has anything to do with it. Thoughts?
>>
>> Best regards
>> Ulrich
>>
>
>
> --
> <http://www.verizonmedia.com/>
>
> Ulrich Herberg, Ph.D.
>
> Principal Software Engineer
> ePay
>
> M 408 663 8091
> 701 1st Ave
> Sunnyvale, CA 94089
>
--
<http://www.verizonmedia.com/>
Ulrich Herberg, Ph.D.
Principal Software Engineer
ePay
M 408 663 8091
701 1st Ave
Sunnyvale, CA 94089
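To make the layering discussed in this thread concrete (the PROXY protocol header travels ahead of the TLS stream and has to be stripped before the SSL engine ever sees the ClientHello), here is an added Python illustration written for this archive page. It is not Undertow's ProxyProtocolOpenListener and not code posted in the thread; it parses both v1 and v2 headers, rejects malformed ones, and returns the untouched remainder, which for an HTTPS listener should begin with the TLS ClientHello. The sample inputs at the bottom are constructed.

```python
"""Strip a HAProxy PROXY protocol header (v1 or v2) from the first bytes of a
connection and hand back the untouched payload. Added illustration for the
undertow-dev thread; NOT Undertow's ProxyProtocolOpenListener, which does the
same job in Java. Sample inputs below are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte v2 magic
V1_MAX_LINE = 107                         # longest legal v1 line incl. CRLF


class ProxyHeaderError(ValueError):
    """Raised for anything that is not a well-formed PROXY header."""


@dataclass
class ProxyInfo:
    version: int
    proto: str                 # "TCP4", "TCP6", "UNKNOWN" (v1) or "LOCAL" (v2)
    src: Optional[str]
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_header(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Return (connection info, remaining bytes). The remainder is exactly what
    the client sent, so on a TLS listener it starts with the ClientHello."""
    if data.startswith(V2_SIGNATURE):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    raise ProxyHeaderError("no PROXY protocol header at start of stream")


def _parse_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    end = data.find(b"\r\n", 0, V1_MAX_LINE)
    if end < 0:
        raise ProxyHeaderError("v1 line not CRLF-terminated within 107 bytes")
    rest = data[end + 2:]
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("v1 line is not ASCII") from exc
    if len(fields) >= 2 and fields[1] == "UNKNOWN":   # proxy could not determine the peer
        return ProxyInfo(1, "UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed v1 line: %r" % data[:end])
    want = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        sp, dp = int(fields[4]), int(fields[5])
    except ValueError as exc:
        raise ProxyHeaderError("bad v1 address/port: %s" % exc) from exc
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match %s" % fields[1])
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ProxyHeaderError("port out of range")
    return ProxyInfo(1, fields[1], str(src), str(dst), sp, dp), rest


def _parse_v2(data: bytes) -> Tuple[ProxyInfo, bytes]:
    if len(data) < 16:
        raise ProxyHeaderError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("bad v2 version nibble %d" % (ver_cmd >> 4))
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ProxyHeaderError("truncated v2 address block")
    cmd = ver_cmd & 0x0F
    if cmd == 0:   # LOCAL: the proxy itself connects (health check); no client behind it
        return ProxyInfo(2, "LOCAL", None, None, None, None), rest
    if cmd != 1:
        raise ProxyHeaderError("unknown v2 command %d" % cmd)
    if fam_proto == 0x11:                      # AF_INET, SOCK_STREAM
        if length < 12:
            raise ProxyHeaderError("v2 TCP4 block too short")
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return ProxyInfo(2, "TCP4", str(ipaddress.IPv4Address(s)),
                         str(ipaddress.IPv4Address(d)), sp, dp), rest
    if fam_proto == 0x21:                      # AF_INET6, SOCK_STREAM
        if length < 36:
            raise ProxyHeaderError("v2 TCP6 block too short")
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        return ProxyInfo(2, "TCP6", str(ipaddress.IPv6Address(s)),
                         str(ipaddress.IPv6Address(d)), sp, dp), rest
    raise ProxyHeaderError("unsupported v2 family/protocol 0x%02x" % fam_proto)


def has_valid_proxy_header(data: bytes) -> bool:
    """Convenience check: True only if a well-formed PROXY header is present."""
    try:
        parse_proxy_header(data)
        return True
    except ProxyHeaderError:
        return False


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes after the PROXY header begin a TLS handshake record
    carrying a ClientHello (record type 0x16, handshake type 0x01)."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[5] == 0x01


def build_v2_tcp4(src: str, dst: str, sp: int, dp: int) -> bytes:
    """Encode a v2 PROXY header for TCP over IPv4 (the form a v2-speaking proxy sends)."""
    addr = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sp, dp))
    return V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addr)) + addr


# Constructed samples: a fake, truncated TLS ClientHello record behind each header form.
FAKE_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 443\r\n" + FAKE_CLIENT_HELLO
SAMPLE_V2 = build_v2_tcp4("192.0.2.10", "198.51.100.5", 51234, 443) + FAKE_CLIENT_HELLO

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        info, payload = parse_proxy_header(sample)
        print(info, "TLS ClientHello follows:", looks_like_tls_client_hello(payload))
```

The point the example makes is the one the thread relies on: after the header is consumed, the bytes handed on are byte-for-byte what the client sent, so the header itself cannot change whether the server emits a CertificateRequest. That decision lives in how the SSL connection is set up on the listener path, which is exactly what the Undertow.java comparison in the thread is looking at.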