Wrong SSL Session is Used in the ClientHello Message To the Origin Server When There are Two Or More Origin Servers in a Pool (Doc ID 2421471.1)

Last updated on JUNE 20, 2024

Applies to:

Oracle Traffic Director - Version 12.2.1.0.0 and later
Information in this document applies to any platform.

Symptoms

OTD is configured to load balance requests to two origin servers that have SSL enabled. Occasionally a request fails with an error such as "A connection to the server has failed. (status=504)" in the browser window.

The OTD logs contain the following entries corresponding to the event:

[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 write client hello A (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 5/5 bytes
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030300 51------ -------- -------- |....Q |
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 81/81 bytes
....
....
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 read server hello A (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 process tls extension (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSL3 post/by-pass tls extension processing (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 5/5 bytes
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030307 3a------ ---
...
....
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzosp_bio_write : processed=7, ret=0
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbiowrite: write 7/7 bytes
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 15030300 02022a-- -------- -------- |......* |
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Alert : write - fatal - bad certificate
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Alert : write - fatal - bad certificate
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : error in SSLv3 read server certificate B
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzos_Handshake : Handshake error(cb=0,rc=-1,rer=1,ser=336134367) - error:140900DF:SSL routines:SSL3_GET_SERVER_CERTIFICATE:sslv3 alert peer error certificate
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : nzos_Handshake : exit
...
...

[2018-06-28T12:29:26-07:00] [otd_instance] [NOTIFICATION:1] [OTD-11007] [] [ecid: <ECID>] [rid: 0] [pid: 14637] for host <IP> trying to POST /em/j_security_check, log-headers reports: response headers sent to client :[[
HTTP/1.1 504 Gateway Timeout
Server: Oracle-Traffic-Director/12.2.1.3.0
Date: Thu, 28 Jun 2018 19:29:26 GMT
Content-length: 232
Content-type: text/html

As the trace shows, the 504 status code is returned because the SSL handshake between OTD and the origin server fails with a "bad certificate" alert initiated by OTD.
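Added example (not part of the Oracle note or of OTD's tooling): the hex-dump lines in the trace are raw TLS record headers, and decoding them confirms which side sent the alert and what it was. The function names are hypothetical, and the sample is constructed from the three offset-0 dump lines shown in the trace above.

```python
import re

# Constructed sample: the three offset-0 hex-dump lines from the trace above.
SAMPLE = """\
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030300 51------ -------- -------- |....Q |
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030307 3a------ ---
[2018-06-28T12:29:26-07:00] [otd_instance] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 15030300 02022a-- -------- -------- |......* |
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 alert descriptions, mainly the certificate-related ones.
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 44: "certificate_revoked",
                      45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

# Hex dump at offset 0 of a read/write; '-' pads unused columns, '|' starts the ASCII pane.
DUMP_LINE = re.compile(r"NZ trace : 0: ([0-9a-fA-F -]+)")


def decode_record(data):
    """Decode a 5-byte TLS record header, plus the alert body when it is plaintext."""
    if len(data) < 5:
        return None
    record = {
        "type": CONTENT_TYPES.get(data[0], f"unknown({data[0]})"),
        "version": VERSIONS.get((data[1], data[2]), f"unknown({data[1]}.{data[2]})"),
        "length": int.from_bytes(data[3:5], "big"),
    }
    # A 2-byte alert body is unencrypted (level, description); that is the case
    # before the handshake completes, as in the trace above.
    if data[0] == 21 and record["length"] == 2 and len(data) >= 7:
        record["alert"] = (ALERT_LEVELS.get(data[5], f"unknown({data[5]})"),
                           ALERT_DESCRIPTIONS.get(data[6], f"unknown({data[6]})"))
    return record


def decode_trace(text):
    """Return one decoded record per offset-0 hex-dump line in an NZ trace."""
    records = []
    for line in text.splitlines():
        match = DUMP_LINE.search(line)
        if match:
            digits = re.sub(r"[^0-9a-fA-F]", "", match.group(1))
            # Drop a dangling nibble if the dump line was truncated mid-byte.
            record = decode_record(bytes.fromhex(digits[: len(digits) // 2 * 2]))
            if record:
                records.append(record)
    return records
```

The first record's length of 81 matches the following `nzbioread: read 81/81 bytes` line, and the last record decodes to the fatal `bad_certificate` alert that the `nzbiowrite` line shows OTD writing to the origin server.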



Changes

 

Cause
