
OHS 12c as Proxy for Web Service Fails With NZ Handshake Error: TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN: unsupported Extension (Doc ID 2225987.1)

Last updated on MARCH 09, 2020

Applies to:

Oracle HTTP Server - Version and later
Information in this document applies to any platform.


On : Oracle HTTP Server version, OSSL Module

When invoking a remote web service from an application (deployed to WebLogic and going through OHS as an outbound proxy), the SSL handshake cannot be completed due to a TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN: unsupported extension error.

This is an SSL connection to the remote host using mod_ossl and the SSLProxyEngine directive. The web service application is deployed on Oracle WebLogic Server and makes a request to an external vendor through Oracle HTTP Server. SSL certificates for all connected remote hosts are installed in the wallet used by SSLProxyWallet. Other remote hosts can connect successfully.

The issue persists when using TLS 1.0, TLS 1.1, or TLS 1.2.

On the external vendor side, the error presents itself as a "502 Proxy Error: Error reading from remote server."

Errors seen in OHS logs:

OHS:2077, 28750
OHS:2183 NZ Trace Handshake Error
OHS:2183 NZ Trace message: Handshake error(1,738779252)- error:2C08E074:TLS EXT routines:TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN:unsupported extension
ossl_engine_io.c(471): [remote :443] nzos_Handshake() -> 28750

A tcpdump capture shows a fatal alert (content type 21) with the description Unsupported Extension:

No.  Time             Source  Destination  Protocol  Length  Info
648  13:00:26.742132  <the two involved IP addresses>  TLSv1.2  73  Alert (Level: Fatal, Description: Unsupported Extension)

Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unsupported Extension)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Unsupported Extension (110)
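
The record dissected above can be decoded straight from a reassembled TCP payload when only raw bytes are available. The following is an added example, not part of the original note or Oracle code: the names parse_alerts and SAMPLE are assumptions, and the sample bytes are constructed from the field values shown in the capture.

```python
import struct

# Subset of alert descriptions from RFC 5246 section 7.2 and RFC 6066.
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
          47: "illegal_parameter", 48: "unknown_ca", 50: "decode_error",
          70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
          # RFC 5246: sent by a client whose ServerHello carried an
          # extension it did not offer in its ClientHello; always fatal.
          110: "unsupported_extension", 112: "unrecognized_name"}
LEVELS = {1: "warning", 2: "fatal"}
CONTENT_ALERT = 21  # TLS record content type for alerts

# Constructed sample: one handshake record (ServerHelloDone, empty body)
# followed by the alert record with the field values from the capture.
SAMPLE = bytes.fromhex("1603030004" "0e000000" "1503030002" "026e")


def parse_alerts(stream: bytes):
    """Walk the TLS records in a byte stream and return the alerts found."""
    alerts, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5: off + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {off}")
        if ctype == CONTENT_ALERT:
            entry = {"version": f"0x{version:04x}", "encrypted": length != 2}
            if length == 2:  # plaintext alert: level byte + description byte
                level, desc = body
                entry["level"] = LEVELS.get(level, f"unknown({level})")
                entry["description"] = ALERTS.get(desc, f"unknown({desc})")
            # A longer body means the alert was sent after ChangeCipherSpec
            # and is encrypted, so level and description are not readable.
            alerts.append(entry)
        off += 5 + length
    if off != len(stream):
        raise ValueError(f"{len(stream) - off} trailing bytes, incomplete header")
    return alerts


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert)
```

An alert that is still plaintext, as in this capture, means the handshake failed before the cipher change, which is why the description is visible on the wire at all.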


The issue can be reproduced with the following steps:

1. Deploy the web services application to WLS.
2. Install OHS and configure mod_ossl and mod_rewrite using SSLProxyEngine with SSLProxyWallet.
3. The connection to OHS completes a successful handshake.
4. The connection to the external vendor cannot be made.

For example:

