Wrong SSL Session is Used in the ClientHello Message To the Origin Server When There are Two Or More Origin Servers in a Pool
(Doc ID 2421471.1)
Last updated on MARCH 28, 2024
Applies to:
Oracle Traffic Director - Version 12.2.1.0.0 and laterInformation in this document applies to any platform.
Symptoms
OTD is configured to load balance requests to two origin servers that have SSL enabled. Occasionally request fails with error like "A connection to the server has failed. (status=504)" in the browser window.
The OTD logs has the following corresponding to the event:
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 write client hello A (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 5/5 bytes
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030300 51------ -------- -------- |....Q |
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 81/81 bytes
....
....
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 read server hello A (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 process tls extension (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSL3 post/by-pass tls extension processing (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 5/5 bytes
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030307 3a------ ---
...
....
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzosp_bio_write : processed=7, ret=0
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbiowrite: write 7/7 bytes
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 15030300 02022a-- -------- -------- |......* |
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Alert : write - fatal - bad certificate
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Alert : write - fatal - bad certificate
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : error in SSLv3 read server certificate B
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzos_Handshake : Handshake error(cb=0,rc=-1,rer=1,ser=336134367) - error:140900DF:SSL routines:SSL3_GET_SERVER_CERTIFICATE:sslv3 alert peer error certificate
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzos_Handshake : exit
...
...
[2018-06-28T12:29:26-07:00] [otd_instance] [NOTIFICATION:1] [OTD-11007] [] [ecid: <ECID>] [rid: 0] [pid: 14637] for host <IP> trying to POST /em/j_security_check, log-headers reports: response headers sent to client :[[
HTTP/1.1 504 Gateway Timeout
Server: Oracle-Traffic-Director/12.2.1.3.0
Date: Thu, 28 Jun 2018 19:29:26 GMT
Content-length: 232
Content-type: text/html
As you can see the 504 status code is thrown because the SSL handshake fails between the OTD and the origin server due to the "bad certificate" error initiated by the OTD.
Changes
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| References |