Wrong SSL Session is Used in the ClientHello Message To the Origin Server When There are Two Or More Origin Servers in a Pool

(Doc ID 2421471.1)

Last updated on JULY 10, 2018

Applies to:

Oracle Traffic Director - Version 12.2.1.0.0 and later
Information in this document applies to any platform.

Symptoms

OTD is configured to load balance requests to two origin servers that have SSL enabled. Occasionally a request fails with an error such as "A connection to the server has failed. (status=504)" in the browser window.

The OTD logs show the following entries corresponding to the event:

[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 write client hello A (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 5/5 bytes
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030300 51------ -------- -------- |....Q |
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 81/81 bytes
....
....
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 read server hello A (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSLv3 process tls extension (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : SSL3 post/by-pass tls extension processing (TLSv12 protocol)
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbioread: read 5/5 bytes
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 16030307 3a------ ---
...
....
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : nzosp_bio_write : processed=7, ret=0
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : nzbiowrite: write 7/7 bytes
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : 0: 15030300 02022a-- -------- -------- |......* |
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Alert : write - fatal - bad certificate
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Alert : write - fatal - bad certificate
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : SSL_Info : error in SSLv3 read server certificate B
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : nzos_Handshake : Handshake error(cb=0,rc=-1,rer=1,ser=336134367) - error:140900DF:SSL routines:SSL3_GET_SERVER_CERTIFICATE:sslv3 alert peer error certificate
[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [TRACE:32] [] [] [pid: 14637] NZ trace : nzos_Handshake : exit
...
...

[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] [NOTIFICATION:1] [OTD-11007] [] [ecid: TU4an050000000000] [rid: 0] [pid: 14637] for host 10.10.3.125 trying to POST /em/j_security_check, log-headers reports: response headers sent to client :[[
HTTP/1.1 504 Gateway Timeout
Server: Oracle-Traffic-Director/12.2.1.3.0
Date: Thu, 28 Jun 2018 19:29:26 GMT
Content-length: 232
Content-type: text/html

As the log shows, the 504 status code is returned because the SSL handshake between OTD and the origin server fails with a "bad certificate" alert initiated by OTD.
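The hex dump lines in the trace can be decoded to confirm which side sent the alert and what it was. The following is an added example, not Oracle code or part of the original note; it assumes that an "NZ trace : 0:" dump line carries the first bytes of the TLS record for the nzbioread/nzbiowrite line preceding it (as the excerpt suggests), and the function names are hypothetical.

```python
import re

# TLS record content types and alert codes from RFC 5246 (subset).
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {42: "bad_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca"}

IO_RE = re.compile(r"NZ trace : nzbio(read|write): ")
DUMP_RE = re.compile(r"NZ trace : 0: ([0-9a-fA-F -]+)")

def decode_records(lines):
    """Decode TLS record headers from 'NZ trace : 0: <hex>' dump lines."""
    records, direction = [], None
    for line in lines:
        io = IO_RE.search(line)
        if io:
            direction = io.group(1)  # read = received from peer, write = sent by OTD
            continue
        dump = DUMP_RE.search(line)
        if not dump:
            continue
        hexstr = re.sub(r"[^0-9a-fA-F]", "", dump.group(1))  # drop '-' padding
        data = bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])
        if len(data) < 5 or data[0] not in CONTENT_TYPES:
            continue  # not the start of a TLS record
        rec = {"direction": direction, "type": CONTENT_TYPES[data[0]],
               "version": (data[1], data[2]),  # (3, 3) is TLS 1.2
               "length": int.from_bytes(data[3:5], "big")}
        # A 2-byte alert body is plaintext (sent before ChangeCipherSpec).
        if rec["type"] == "alert" and rec["length"] == 2 and len(data) >= 7:
            rec["level"] = ALERT_LEVELS.get(data[5], data[5])
            rec["alert"] = ALERT_DESCRIPTIONS.get(data[6], data[6])
        records.append(rec)
    return records

def fatal_alerts_sent(lines):
    """Fatal alerts written by the local side (OTD) in the trace."""
    return [r for r in decode_records(lines)
            if r["direction"] == "write" and r.get("level") == "fatal"]

# Lines copied from the trace above, with the common prefix factored out.
P = ("[2018-06-28T12:29:26-07:00] [otd_OEM-13c-Secure-Console_hms13app] "
     "[TRACE:32] [] [] [pid: 14637] NZ trace : ")
SAMPLE = [P + "nzbioread: read 5/5 bytes",
          P + "0: 16030300 51------ -------- -------- |....Q |",
          P + "nzbiowrite: write 7/7 bytes",
          P + "0: 15030300 02022a-- -------- -------- |......* |"]
```

Running fatal_alerts_sent over a full TRACE:32 log lists every handshake that OTD itself aborted, which can then be matched by timestamp and pid against the OTD-11007 entries that report the 504.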



Changes

 

Cause
