Apache HTTP's client auth support passes along any failure reasons in the SSL_CLIENT_VERIFY environment variable.  I'd like to be able to reproduce the same values of this variable with undertow, but any exceptions raised while validating the client cert chain aren't placed anywhere I can access after the fact.  

There are probably multiple places this info could be stored, but the SSLSessionInfo class comes to mind as a place that would make sense to get information regarding the success of the client cert negotiation later on in the request.