[undertow-dev] Undertow with Proxy Protocol enabled doesn't send Certificate Request header (for mutual TLS)

Ulrich Herberg ulrich.herberg at verizonmedia.com
Fri May 10 15:20:52 EDT 2019 

I fixed this in https://github.com/undertow-io/undertow/pull/756

Please consider reviewing and merging it.

Regards
Ulrich

On Fri, May 10, 2019 at 10:25 AM Ulrich Herberg <
ulrich.herberg at verizonmedia.com> wrote:

> I verified this using a local HAProxy (i.e., this is not related to
> running this in AWS). It's independent of using Proxy Protocol v1 or v2. I
> filed a bug: https://issues.jboss.org/browse/UNDERTOW-1536
>
> On Thu, May 9, 2019 at 1:57 PM Ulrich Herberg <
> ulrich.herberg at verizonmedia.com> wrote:
>
>> Hi,
>>
>> I noticed that when using the Proxy Protocol (using Undertow 2.0.20.Final
>> behind an AWS Network Load Balancer), mutual TLS doesn't work: The server
>> doesn't send the Certificate Request as part of the Server Hello.
>> I compared it with disabling Proxy Protocol on the load balancer, and
>> then it works correctly, Undertow includes the Certificate Request, and
>> therefore the client sends its certs. I am trying to understand what the
>> cause is; there are some differences in Undertow.java when using the Proxy
>> Protocol (which in itself shouldn't modify the TCP contents, and therefore
>> not cause this change of behavior):
>>
>> if (listener.useProxyProtocol) {
>>        ChannelListener<AcceptingChannel<StreamConnection>> acceptListener
>> = ChannelListeners.openListenerAdapter(new
>> ProxyProtocolOpenListener(openListener, xnioSsl, buffers,
>> socketOptionsWithOverrides));
>>        sslServer = worker.createStreamConnectionServer(new
>> InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
>> (ChannelListener) acceptListener, socketOptionsWithOverrides);
>> } else {
>>       ChannelListener<AcceptingChannel<StreamConnection>> acceptListener
>> = ChannelListeners.openListenerAdapter(openListener);
>>       sslServer = xnioSsl.createSslConnectionServer(worker, new
>> InetSocketAddress(Inet4Address.getByName(listener.host), listener.port),
>> (ChannelListener) acceptListener, socketOptionsWithOverrides);
>> }
>>
>> Not sure if this xnioSSL vs worker has anything to do with it. Thoughts?
>>
>> Best regards
>> Ulrich
>>
>
>
> --
> <http://www.verizonmedia.com/>
>
> Ulrich Herberg, Ph.D.
>
> Principal Software Engineer
> ePay
>
> M 408 663 8091
> 701 1st Ave
> Sunnyvale, CA 94089
>


-- 
<http://www.verizonmedia.com/>

Ulrich Herberg, Ph.D.

Principal Software Engineer
ePay

M 408 663 8091
701 1st Ave
Sunnyvale, CA 94089
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20190510/6a5bca5d/attachment.html

More information about the undertow-dev mailing list