Certificate Authentication does not work #24792
Comments
It's a known issue that client certificate authentication doesn't work on HTTP/2, not only in GlassFish but on any server. This is because of an inherent incompatibility between the authentication mechanism and the HTTP/2 protocol. We can only improve the user experience in GlassFish to either provide a warning that instructs to disable HTTP/2, or automatically disable HTTP/2 if the app uses CLIENT-CERT method. For example, IIS also doesn't support certificate auth on HTTP2, and falls back to HTTP1: https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported More details of why HTTP2 and client certs don't work: https://datatracker.ietf.org/doc/html/draft-thomson-http2-client-certs-01 There were several attempts to standardize a new mechanism for client cert authentication on HTTP/2 but they are all dead now. The most recent one https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-secondary-certs/ is in status "Expired Internet-Draft", with a dead working group.
So, if we want to improve this area in GlassFish, we need to implement a mechanism that detects that the CLIENT-CERT mechanism is used in the app and that the listener uses HTTP/2. And then either issue a warning at some point in time (at deployment? - but it's possible that a listener is added/updated after deployment), or fail deployment, or implement a mechanism that automatically disables HTTP2 when an app with cert client auth is running on an HTTP2 listener.
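The detection step proposed in the comment above, as an added example that is not GlassFish project code: a small audit script that parses a web app's web.xml for a CLIENT-CERT login-config and a domain.xml for network listeners whose protocol has HTTP/2 or TLS 1.3 turned on, and reports the conflict before the app is deployed behind such a listener. The domain.xml attribute names `http2-enabled` (on `<http>`) and `tls13-enabled` (on `<ssl>`), the treatment of an absent `http2-enabled` as enabled by default, and both XML documents are assumptions constructed for the example.

```python
# Added audit helper (not GlassFish project code): flags a CLIENT-CERT web app
# deployed behind a listener whose protocol has HTTP/2 or TLS 1.3 turned on.
import xml.etree.ElementTree as ET

# Assumed domain.xml attribute names. An absent http2-enabled is treated as
# enabled (assumption: the server default), an absent tls13-enabled as disabled.
DEFAULTS = {"http2-enabled": "true", "tls13-enabled": "false"}

# Constructed sample web.xml with a CLIENT-CERT login-config.
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
  </login-config>
</web-app>"""

# Constructed sample domain.xml fragment: http-listener-1 has HTTP/2 explicitly
# off; http-listener-2 leaves http2-enabled at its default and enables TLS 1.3.
DOMAIN_XML = """<domain>
  <configs><config name="server-config"><network-config>
    <protocols>
      <protocol name="http-listener-1">
        <http default-virtual-server="server" http2-enabled="false"/>
      </protocol>
      <protocol name="http-listener-2" security-enabled="true">
        <http default-virtual-server="server"/>
        <ssl client-auth-enabled="true" cert-nickname="s1as" tls13-enabled="true"/>
      </protocol>
    </protocols>
    <network-listeners>
      <network-listener name="http-listener-1" port="8080" protocol="http-listener-1"/>
      <network-listener name="http-listener-2" port="8181" protocol="http-listener-2"/>
    </network-listeners>
  </network-config></config></configs>
</domain>"""


def _local(tag):
    """Strip a namespace prefix such as {https://jakarta.ee/...}auth-method."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All descendants (including root) whose local tag name is `name`."""
    return [el for el in root.iter() if _local(el.tag) == name]


def uses_client_cert(web_xml):
    """True if web.xml declares <auth-method>CLIENT-CERT</auth-method>."""
    root = ET.fromstring(web_xml)
    return any((el.text or "").strip().upper() == "CLIENT-CERT"
               for el in _find_all(root, "auth-method"))


def risky_listeners(domain_xml):
    """[(listener_name, [enabled flags])] for listeners whose protocol
    enables HTTP/2 or TLS 1.3; listeners with neither are omitted."""
    root = ET.fromstring(domain_xml)
    protocol_flags = {}
    for proto in _find_all(root, "protocol"):
        flags = []
        for child_name, attr in (("http", "http2-enabled"), ("ssl", "tls13-enabled")):
            for child in proto:
                if _local(child.tag) == child_name and \
                        child.get(attr, DEFAULTS[attr]).lower() == "true":
                    flags.append(attr)
        protocol_flags[proto.get("name")] = flags
    return [(nl.get("name"), protocol_flags[nl.get("protocol")])
            for nl in _find_all(root, "network-listener")
            if protocol_flags.get(nl.get("protocol"))]


def audit(web_xml, domain_xml):
    """Human-readable findings; an empty list means no conflict was found."""
    if not uses_client_cert(web_xml):
        return []
    return [f"listener '{name}' has {' and '.join(flags)}; "
            f"CLIENT-CERT authentication will not work on it"
            for name, flags in risky_listeners(domain_xml)]


if __name__ == "__main__":
    for finding in audit(WEB_XML, DOMAIN_XML):
        print("WARNING:", finding)
```

Run against a real domain, the script would point at the listener that needs `http2-enabled` (and, per the thread, TLS 1.3) switched off, or be wired into a deployment check that refuses the deployment outright, which is the hard-error option preferred later in the thread.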
If this was a question addressed to me, I would prefer a hard error at start/deployment time saying clearly you can't use client cert authentication along with HTTP/2. By the way, is there another way of tracing SSL/TLS problems on GlassFish apart from starting it with In regard to TLS 1.3 I would like to ask if client cert authentication should work with 1.3 enabled? If yes, I will test it this evening.
Nope, the TLS 1.3 implementation for Java was done via JEP 332, which explicitly states it doesn't support that. The feature on which certificate authentication depends is "Post-handshake authentication", which for unknown reasons is just not supported. See https://mail.openjdk.org/pipermail/security-dev/2021-March/024780.html I think @XueleiFan would be the one to ask to start supporting "Post-handshake authentication" in Java. Additionally see:
Ok, I understand. I can do without HTTP/2 and TLS 1.3, but for guys like me and the one on Stack Overflow it would be nice if GlassFish would throw an error saying you can't use a listener configured to use HTTP/2 or TLS 1.3 along with cert authentication. I think everything is said now; nothing is left to do but to thank you for your kind support and enlightening reading.
Environment Details
Problem Description
I have an application with certificate authentication:
I spent days but couldn't deploy it on GlassFish. The client always ran into a timeout. I had no idea till I found this post: https://stackoverflow.com/questions/74915517/payara-ssl-certificate-realm. The problem sounded familiar, so I made the settings according to the post. In GlassFish I had to do it on the command line because I could not find it in the web console.
And suddenly it worked!
Two things come to my mind:
a) Is this a bug or a feature? Is there a reason why certificate realm authentication should not work along with TLS 1.3 and HTTP/2?
b) If somebody is interested in investigating this behaviour, I look forward to assisting.
Steps to reproduce
I have a minimal JSF application to reproduce it. It is an adaptation of the cert realm example in David Heffelfinger's GlassFish book. I can upload it if needed.
Impact of Issue
No certificate authentication is possible with the default configuration.