Calling getUserPrincipal() will perform a renegotiation requesting that the client provide a certificate chain. In this case, the ssl layer is raising an exception that the cert chain is null, however, Grizzly isn't throwing the exception (and it probably should). Because it doesn't throw it, the SSLEngine is left an in incorrect state leading to the exception you have described above.
I've logged an issue to better handle this case.