OHS 12c as Proxy for Web Service Fails With NZ Handshake Error: TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN: unsupported Extension (Doc ID 2225987.1)

Last updated on JANUARY 24, 2017

Applies to:

Oracle HTTP Server - Version 12.2.1.0.0 and later
Information in this document applies to any platform.

Symptoms

On Oracle HTTP Server version 12.2.1.0.0, OSSL module:

When a remote web service is invoked from an application (deployed to WebLogic and going through OHS as an outbound proxy), the SSL handshake cannot be completed because of a TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN: unsupported extension error.

This is an SSL connection to the remote host using mod_ossl and the SSLProxyEngine directive. The web service application is deployed on Oracle WebLogic Server and makes a request to an external vendor through Oracle HTTP Server. SSL certificates for all connected remote hosts are installed in the wallet used by SSLProxyWallet. Other remote hosts can be reached successfully.

The issue persists when using TLS 1.0, TLS 1.1, or TLS 1.2.

On the external vendor side, the error presents itself as a "502 Proxy Error: Error reading from remote server."

Errors seen in OHS logs:

OHS:2077, 28750
...
OHS:2183 NZ Trace Handshake Error
...
OHS:2183 NZ Trace message: Handshake error(1,738779252)- error:2C08E074:TLS EXT routines:TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN:unsupported extension
...
ossl_engine_io.c(471): [remote :443] nzos_Handshake() -> 28750

TCPDUMP capture shows fatal alert (21) with unsupported extension:

No.   Time              Source / Destination              Protocol   Length   Info
648   13:00:26.742132   <the two involved IP addresses>   TLSv1.2    73       Alert (Level: Fatal, Description: Unsupported Extension)

Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unsupported Extension)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Unsupported Extension (110)
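
The following triage helper is an added example, not Oracle code or part of the original note. It splits the NZ trace line into its fields and decodes a plaintext TLS alert record so the log entry and the capture can be tied to the same failure. The function names are hypothetical, the alert table is a subset of the IANA registry, and the sample inputs are constructed from the log line and capture fields shown above.

```python
import re
import struct

# Subset of the IANA TLS alert registry; extend as needed.
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          48: "unknown_ca", 110: "unsupported_extension", 112: "unrecognized_name"}
LEVELS = {1: "warning", 2: "fatal"}

# Matches "Handshake error(<n>,<decimal>)- error:<hex>:<library>:<function>:<reason>"
NZ_TRACE = re.compile(
    r"Handshake error\((?P<kind>\d+),(?P<dec>\d+)\)\s*-\s*"
    r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<library>[^:]+):"
    r"(?P<function>[^:]+):(?P<reason>.+)$")

def parse_nz_trace(line):
    """Split an 'NZ Trace message' line into fields, or return None.
    codes_match records whether the decimal and hex codes are the same number."""
    m = NZ_TRACE.search(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["codes_match"] = int(fields["dec"]) == int(fields["hex"], 16)
    return fields

def parse_tls_alert(record):
    """Decode one plaintext TLS alert record: 5-byte header, 2-byte body."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21:
        raise ValueError("not an alert record (content type %d)" % ctype)
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated alert body")
    if length != 2:
        # Alerts sent after encryption is enabled are not readable on the wire.
        raise ValueError("alert body is not 2 bytes, probably encrypted")
    return {"version": "0x%04x" % version,
            "level": LEVELS.get(body[0], "unknown(%d)" % body[0]),
            "description": ALERTS.get(body[1], "unknown(%d)" % body[1])}

def same_failure(trace, alert):
    """True when the log reason and the wire alert name the same condition."""
    return trace["reason"].strip().lower().replace(" ", "_") == alert["description"]

# Constructed inputs: the log line and the alert fields shown on this page.
SAMPLE_LINE = ("OHS:2183 NZ Trace message: Handshake error(1,738779252)- "
               "error:2C08E074:TLS EXT routines:TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN:"
               "unsupported extension")
SAMPLE_RECORD = bytes([21, 0x03, 0x03, 0x00, 0x02, 2, 110])
```

On the sample line, the decimal value in Handshake error(1,738779252) is the same number as the hex code 2C08E074, so either form can be used when searching logs.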

Changes

The issue can be reproduced at will with the following steps:

1. Deploy the web services application to WLS.
2. Install OHS and configure mod_ossl and mod_rewrite, using SSLProxyEngine with SSLProxyWallet.
3. The connection to OHS completes a successful handshake.
4. The connection to the external vendor cannot be made.

For example:

Cause
