OHS 12c as Proxy for Web Service Fails With NZ Handshake Error: TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN: unsupported Extension
Last updated on JANUARY 24, 2017
Applies to: Oracle HTTP Server - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
On: Oracle HTTP Server 18.104.22.168.0, OSSL Module
When an application (deployed to WebLogic, going out through OHS as an outbound proxy) invokes a remote web service, the SSL handshake cannot be completed because of a TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN:unsupported extension error.
This connection is an SSL connection to the remote host using mod_ossl and the SSLProxyEngine directive. The web service application is deployed on Oracle WebLogic Server and makes its request to an external vendor through Oracle HTTP Server. The SSL certificates for all connected remote hosts are installed in the wallet referenced by SSLProxyWallet. Other remote hosts can be connected to successfully.
The issue persists with TLS 1.0, TLS 1.1, and TLS 1.2.
On the external vendor side, the error presents itself as a "502 Proxy Error: Error reading from remote server."
Errors seen in OHS logs:
OHS:2183 NZ Trace Handshake Error
OHS:2183 NZ Trace message: Handshake error(1,738779252)- error:2C08E074:TLS EXT routines:TLS_EXT_F_EXT_LIST_NEGOTIATE_EXTN:unsupported extension
ossl_engine_io.c(471): [remote :443] nzos_Handshake() -> 28750
TCPDUMP capture shows fatal alert (21) with unsupported extension:
No.  Time             Source / Destination               Protocol  Length  Info
648  13:00:26.742132  <the two involved IP addresses>    TLSv1.2   73      Alert (Level: Fatal, Description: Unsupported Extension)
Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unsupported Extension)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Level: Fatal (2)
        Description: Unsupported Extension (110)
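The fatal alert in the capture is TLS alert code 110, unsupported_extension. RFC 5246 section 7.4.1.4 requires a client to abort with exactly this alert when the ServerHello carries an extension the ClientHello never offered, so when comparing the two Hello messages from a capture like the one above it is useful to decode both sides. The following is an added example and not part of the Oracle note; it assumes raw TLS record bytes taken from the capture, and the Hello records it builds are constructed sample data, not traffic from the affected hosts.

```python
import struct

ALERT_LEVELS = {1: "warning", 2: "fatal"}                       # RFC 5246 section 7.2
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 110: "unsupported_extension"}

def decode_alert(record: bytes):
    """Decode a TLS Alert record (content type 21) into (level, description) names."""
    if record[0] != 21 or record[3:5] != b"\x00\x02":
        raise ValueError("not a TLS alert record")
    return ALERT_LEVELS.get(record[5], str(record[5])), ALERT_DESCRIPTIONS.get(record[6], str(record[6]))

def hello_extensions(record: bytes):
    """List the extension type IDs in a ClientHello (type 1) or ServerHello (type 2) record."""
    body = record[5:]                      # drop the 5-byte record header
    hs_type, body = body[0], body[4:]      # handshake type, then skip its 3-byte length
    pos = 2 + 32                           # protocol version + random
    pos += 1 + body[pos]                   # session_id
    if hs_type == 1:                       # ClientHello: cipher_suites list, compression_methods list
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 1 + body[pos]
    elif hs_type == 2:                     # ServerHello: one cipher suite, one compression method
        pos += 2 + 1
    else:
        raise ValueError("not a ClientHello/ServerHello")
    if pos >= len(body):                   # no extensions block present
        return []
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, types = pos + 2, []
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        types.append(ext_type)
        pos += 4 + ext_len
    return types

def unoffered_server_extensions(client_hello: bytes, server_hello: bytes):
    """ServerHello extensions the ClientHello never offered; RFC 5246 7.4.1.4 makes the client abort with unsupported_extension."""
    offered = set(hello_extensions(client_hello))
    return [t for t in hello_extensions(server_hello) if t not in offered]

def _hello(hs_type: int, ext_types):
    """Build a minimal ClientHello/ServerHello record carrying empty extensions (constructed sample data)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = b"\x03\x03" + bytes(32) + b"\x00"                                  # TLS 1.2, zero random, empty session_id
    body += b"\x00\x02\xc0\x2f\x01\x00" if hs_type == 1 else b"\xc0\x2f\x00"  # cipher suite(s) and compression
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x6e"   # fatal (2) Unsupported Extension (110), as in the capture above
CLIENT_HELLO = _hello(1, [0x0000, 0x000d])        # constructed: offers server_name and signature_algorithms
SERVER_HELLO = _hello(2, [0x0000, 0xff01])        # constructed: echoes server_name, adds renegotiation_info never offered
```

Feeding the real ClientHello and ServerHello records from the capture into unoffered_server_extensions shows whether the vendor's reply carries an extension OHS did not offer, which is the condition this alert signals.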
The issue can be reproduced at will with the following steps:
1. Deploy the web services application to WLS.
2. Install OHS and configure mod_ossl and mod_rewrite, using SSLProxyEngine with SSLProxyWallet.
3. The inbound connection to OHS completes its handshake successfully.
4. The outbound connection to the external vendor cannot be made.
- The initial inbound request to OHS and the application works (step 3):
  browser --> ohs/mod_ossl,mod_wl_ohs --> weblogic
- The outbound connection from WLS through OHS to the external vendor fails (step 4):
  vendor <-- OHS/mod_proxy <-- WLS
(Note the reverse direction: this connection is not to the initial browser. Once the application has obtained data from the vendor it responds to the browser, which would otherwise work if the connection to the external vendor succeeded.)