
Certificate Authentication does not work #24792

dumischbaenger opened this issue Feb 6, 2024 · 5 comments

@dumischbaenger

Environment Details

  • GlassFish Version (and build number): Eclipse GlassFish 7.0.11 (commit: ad98c44)
  • JDK version: openjdk version "11.0.21" 2023-10-17
  • OS: Fedora 39
  • Database: none

Problem Description

I have an application with certificate authentication:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>

I spent days but couldn't deploy it on GlassFish. The client always ran into a timeout. I had no idea until I found this post: https://stackoverflow.com/questions/74915517/payara-ssl-certificate-realm . The problem sounded familiar, so I made the settings according to the post. In GlassFish I had to do it on the command line because I could not find it in the web console.

glassfish/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls13-enabled=false
glassfish/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.http.http2-enabled=false

And suddenly it worked!

Two things come to my mind:

a) Is this a bug or a feature? Is there a reason why certificate realm authentication should not work along with TLS 1.3 and HTTP/2?
b) If somebody is interested in investigating this behaviour, I look forward to assisting.

Steps to reproduce

I have a minimal JSF application to reproduce it. It is an adaptation of the cert realm example in David Heffelfinger's GlassFish book. I can upload it if needed.

Impact of Issue

No certificate authentication with the default configuration possible.

@OndroMih
Contributor

OndroMih commented Feb 7, 2024

It's a known issue that client certificate authentication doesn't work on HTTP/2, not only in GlassFish but on any server. This is because of an inherent incompatibility between the authentication mechanism and the HTTP/2 protocol.

We can only improve the user experience in GlassFish to either provide a warning that instructs to disable HTTP/2, or automatically disable HTTP/2 if the app uses CLIENT-CERT method.

For example, IIS also doesn't support certificate auth on HTTP2, and falls back to HTTP1: https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported

More details of why HTTP2 and client certs don't work: https://datatracker.ietf.org/doc/html/draft-thomson-http2-client-certs-01
In short: "(For client cert authentication) HTTP/1.1 servers rely on TLS renegotiation that is triggered by a request to a protected resource. HTTP/2 made this pattern impossible by forbidding the use of TLS renegotiation."

There were several attempts to standardize a new mechanism for client cert authentication on HTTP/2, but they are all dead now. The most recent one, https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-secondary-certs/ , is in status "Expired Internet-Draft", with a dead working group.

@OndroMih
Contributor

OndroMih commented Feb 7, 2024

So, if we want to improve this area in GlassFish, we need to implement a mechanism, that detects that the CLIENT-CERT mechanism is used in the app and that the listener uses HTTP/2. And then either issue a warning at some point in time (at deployment? - but it's possible that a listener is added/updated after deployment), or fail deployment, or implement a mechanism that automatically disables HTTP2 when an app with cert client auth is running on an HTTP2 listener.
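The detection step proposed above, as an added example that is not part of this issue or of the GlassFish code base: an offline pre-deployment check that reads an application's web.xml and a GlassFish domain.xml, finds a CLIENT-CERT login-config, and lists every TLS-enabled listener whose protocol still has HTTP/2 or TLS 1.3 enabled, together with the asadmin commands from the first post that would disable them. The web.xml and domain.xml contents are constructed samples; the domain.xml attribute names `http2-enabled` and `tls13-enabled` are assumed to mirror the dotted asadmin names quoted in the issue, and an absent attribute is treated as enabled, matching the report that the default configuration is affected.

```python
"""Pre-deployment check: flag CLIENT-CERT apps deployed behind HTTP/2 or TLS 1.3 listeners.

Constructed example, not GlassFish code. The attribute names below are assumed
to mirror the asadmin dotted names from the issue:
  ...protocol.<name>.http.http2-enabled  ->  <http http2-enabled="..."/>
  ...protocol.<name>.ssl.tls13-enabled   ->  <ssl tls13-enabled="..."/>
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: the login-config from the issue, wrapped in a web-app element.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
  </login-config>
</web-app>
"""

# Constructed domain.xml fragment: one plain listener, one TLS listener with
# HTTP/2 and TLS 1.3 on (the reported failing default), one already fixed.
DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <network-config>
        <protocols>
          <protocol name="http-listener-1">
            <http default-virtual-server="server" http2-enabled="true"/>
          </protocol>
          <protocol name="http-listener-2" security-enabled="true">
            <http default-virtual-server="server" http2-enabled="true"/>
            <ssl tls13-enabled="true" ssl3-enabled="false"/>
          </protocol>
          <protocol name="http-listener-3" security-enabled="true">
            <http default-virtual-server="server" http2-enabled="false"/>
            <ssl tls13-enabled="false"/>
          </protocol>
        </protocols>
      </network-config>
    </config>
  </configs>
</domain>
"""


def _local_name(tag):
    """Strip the XML namespace so the web.xml check works with any Jakarta EE schema."""
    return tag.rsplit("}", 1)[-1]


def uses_client_cert(web_xml):
    """True if web.xml declares <login-config><auth-method>CLIENT-CERT</auth-method>."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if _local_name(el.tag) == "auth-method" and (el.text or "").strip().upper() == "CLIENT-CERT":
            return True
    return False


def _enabled(el, attr, default):
    """Read a boolean attribute; missing attributes fall back to the assumed default."""
    value = el.get(attr)
    return default if value is None else value.strip().lower() == "true"


def incompatible_listeners(domain_xml):
    """Map each TLS listener name to the settings that break client-cert auth."""
    root = ET.fromstring(domain_xml)
    problems = {}
    for proto in root.iter("protocol"):
        # Plain HTTP listeners never see a client certificate, so only TLS ones matter.
        if not _enabled(proto, "security-enabled", False):
            continue
        issues = []
        http = proto.find("http")
        ssl = proto.find("ssl")
        # Absent attribute counts as enabled: the issue reports the defaults fail.
        if http is not None and _enabled(http, "http2-enabled", True):
            issues.append("http2-enabled")
        if ssl is not None and _enabled(ssl, "tls13-enabled", True):
            issues.append("tls13-enabled")
        if issues:
            problems[proto.get("name")] = issues
    return problems


def remediation_commands(web_xml, domain_xml):
    """Return the asadmin commands (as in the issue) needed before this app can be deployed."""
    if not uses_client_cert(web_xml):
        return []  # nothing to do for FORM/BASIC apps
    commands = []
    for name, issues in incompatible_listeners(domain_xml).items():
        for attr in issues:
            element = "http" if attr == "http2-enabled" else "ssl"
            commands.append(
                f"asadmin set server.network-config.protocols.protocol.{name}.{element}.{attr}=false"
            )
    return commands


if __name__ == "__main__":
    for cmd in remediation_commands(WEB_XML, DOMAIN_XML):
        print(cmd)
```

Run against the constructed inputs it reports only http-listener-2, since http-listener-1 is not TLS-enabled and http-listener-3 already has both settings off; a fail-deployment policy, as preferred later in the thread, would simply abort when the returned list is non-empty.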

@dumischbaenger
Author

If this was a question addressed to me I would prefer a hard error at start/deployment time saying clearly you can't use client cert authentication along with HTTP/2.

By the way, is there another way of tracing SSL/TLS problems on GlassFish apart from starting it with -Djavax.net.debug=ssl,handshake? The only message I got from GlassFish was "Unable to write GOAWAY. Terminating session." On the other hand, the output of javax.net.debug was way too verbose and, for people like me who don't know the SSL protocol by heart, useless, because there was no real error message: the client stopped at one point and was stuck until the timeout.

In regard to TLS 1.3 I would like to ask if client cert authentication should work with 1.3 enabled? If yes I will test it this evening.

@arjantijms
Contributor

arjantijms commented Feb 7, 2024

> In regard to TLS 1.3 I would like to ask if client cert authentication should work with 1.3 enabled? If yes I will test it this evening.

Nope, the TLS 1.3 implementation for Java was done via JEP 332, which explicitly states it doesn't support that. The feature on which certificate authentication depends is "Post-handshake authentication", which for unknown reasons is just not supported.

See https://mail.openjdk.org/pipermail/security-dev/2021-March/024780.html

I think @XueleiFan would be the one to ask to start supporting "Post-handshake authentication" in Java.

Additionally see:

@dumischbaenger
Author

OK, I understand.

I can do without HTTP/2 and TLS 1.3, but for guys like me and the one on Stack Overflow it would be nice if GlassFish would throw an error saying you can't use a listener configured to use HTTP/2 or TLS 1.3 along with cert authentication.

I think everything is said now; nothing left to do but to thank you for your kind support and enlightening reading.
