
Client cert renegotiation is mutex with HTTP/2 and TLSv1.3


Brad Wood

Aug 9, 2022, 2:01:45 PM
to Undertow Dev
For once, I'm posting a question I already know the answer to :)  It took me days to figure this out and there is precious little information at all on the Internet or in the Undertow docs on this.  I was only able to solve it after lots of testing and reading the source code.

Basically, if you are using the client cert authentication mechanism with SSL renegotiation enabled (the default) or just attempting to manually ask for renegotiation during an SSL request in order to get the user's browser to prompt them for a client cert on pages of your choice, it likely won't work.  The reason it doesn't work isn't reflected anywhere in the docs, nor in any sort of log messages from Undertow.  But the hang-up is that HTTP/2 does not support SSL renegotiation AND TLSv1.3 also does not support SSL renegotiation.  So, for any server in which you want to have a user hit the home page without being asked for a cert (client auth mode: NOT_REQUESTED), and then ask for renegotiation on the requests where you want to collect a client cert, you will need to disable both HTTP/2 and TLSv1.3 or nothing will happen in the browser and Undertow's authentication will just fail without logging any errors.

I have found IIS appears to do the same thing when configuring the main site to "ignore" client certs and then configuring certain directories or locations to require client certs.

This has some alarming consequences with regard to the fact that I assume this workaround will only work for so long until such a point comes that TLSv1.3 or higher is required by most browsers.  Hopefully, the JDK will have support for TLS's new method of renegotiation, which is not currently supported, by then.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 

Flavia Rainone

Aug 10, 2022, 2:30:31 AM
to Undertow Dev
Hi Brad,

Can you walk me through the steps you are following to trigger the renegotiation?

I see we have an exception to indicate that renegotiation is not available for HTTP2 here: https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/protocol/http2/Http2SslSessionInfo.java#L91

Best regards,
Flavia

Brad Wood

Aug 10, 2022, 12:00:56 PM
to Flavia Rainone, Undertow Dev
Hi Flavia, I'm not clear if you're asking for the steps that don't work or the steps that do work.  Basically, SSL renegotiation will not work if HTTP/2 is in use OR TLS 1.3 is in use.  This, of course, is because the RFCs for those technologies explicitly forbid SSL renegotiation.

You already linked to the line of code that prevents an HTTP2 SSL session from renegotiating.  And here is the check that prevents it from working when the SSL protocol is TLSv1.3.

While I don't fault Undertow for clearly following the spec, I do fault it for needlessly discarding useful debugging messages, which made this rather hard to track down.  Both of the "Renegotiation not supported" exceptions are IOExceptions that get caught here and ignored.

I was testing with Undertow's loggers set to TRACE and couldn't figure this out until I inspected the code.  A trace-level log indicating the reason would have been helpful.  Which also means it would be quite helpful to not just throw the default error message, but a more descriptive one that says something like:
  • SSL renegotiation is not possible over HTTP/2.  HTTP/1 is required.
  • SSL renegotiation is not supported over TLSv1.3.  TLSv1.2 or lower is required.
Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 
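As an added illustration (not code from this thread or from the Undertow project), here is how a server following the workaround described above could be built, with a handler that names the two unsupported cases before attempting renegotiation rather than letting the IOException be swallowed. The Undertow and XNIO API names are used as I know them and should be checked against the Undertow version in use; the `/secure` path, the port and the response messages are assumptions.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.SSLSessionInfo;
import io.undertow.server.handlers.BlockingHandler;
import io.undertow.util.Protocols;
import org.xnio.Options;
import org.xnio.Sequence;
import org.xnio.SslClientAuthMode;
import javax.net.ssl.SSLContext;
import java.io.IOException;

public final class ClientCertRenegotiationExample {
    private static void deny(HttpServerExchange ex, String why) {
        ex.setStatusCode(403).getResponseSender().send(why);
    }

    // Handler for the paths that should prompt for a client cert (the path itself is assumed).
    static final HttpHandler SECURE = exchange -> {
        SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
        if (ssl == null) { deny(exchange, "TLS is required"); return; }   // plain HTTP listener
        // Name the two cases Undertow itself rejects silently, before attempting anything.
        if (Protocols.HTTP_2_0.equals(exchange.getProtocol())) {
            deny(exchange, "SSL renegotiation is not possible over HTTP/2. HTTP/1 is required."); return;
        }
        if (ssl.getSSLSession() != null && "TLSv1.3".equals(ssl.getSSLSession().getProtocol())) {
            deny(exchange, "SSL renegotiation is not supported over TLSv1.3. TLSv1.2 or lower is required."); return;
        }
        try {
            ssl.renegotiate(exchange, SslClientAuthMode.REQUESTED); // browser prompts for a cert here
            ssl.getPeerCertificates();                              // throws if no cert was presented
            exchange.getResponseSender().send("client certificate accepted");
        } catch (IOException e) {   // surface the cause instead of discarding it
            deny(exchange, "client certificate failed: " + e);
        }
    };

    // Home page served with NOT_REQUESTED; HTTP/2 and TLSv1.3 disabled so renegotiation can occur.
    public static Undertow build(SSLContext sslContext) {
        return Undertow.builder()
                .addHttpsListener(8443, "127.0.0.1", sslContext)
                .setServerOption(UndertowOptions.ENABLE_HTTP2, false)
                .setSocketOption(Options.SSL_ENABLED_PROTOCOLS, Sequence.of("TLSv1.2"))
                .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.NOT_REQUESTED)
                .setHandler(Handlers.path()
                        .addExactPath("/", ex -> ex.getResponseSender().send("home: no cert requested"))
                        .addPrefixPath("/secure", new BlockingHandler(SECURE)))  // renegotiation blocks
                .build();
    }
}
```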


Flavia Rainone

Sep 5, 2022, 3:55:36 PM
to Undertow Dev
Brad,

Now I see what you mean. These are good points, I'm in favor of any suggestions that make errors easier to track.

I'll try to incorporate your suggestions to Undertow's next release.

Best regards,