
Oracle HTTP Server Two Way SSL Session is Killed once Common Access Card is Removed (Doc ID 2481876.1)

Last updated on MARCH 05, 2019

Applies to:

Oracle HTTP Server - Version 12.2.1.2.0 to 12.2.1.3.0 [Release 12c]
Information in this document applies to any platform.

Symptoms

The Oracle HTTP Server (OHS) is configured for two-way SSL, using a Common Access Card (CAC) as the client certificate. Starting with version 12.2.1.2, the way SSL session cache reuse is handled changes, and the following behavior is seen. This does not occur in versions below 12.2.1.2.
a) User establishes session with OHS and authenticates with the CAC.
b) CAC is removed from the card reader.
c) Within the ssl session cache timeout, the user comes back to reuse the session.
d) The session reuse fails with authentication failure.

The following snippet of the SSL debug log shows where the issue occurs.
A new connection comes in with an existing session id, which is found in the cache (cache hit). At this point the CAC has been removed from the card reader.

    Inter-Process Session Cache: request=GET status=FOUND id=SessionValue (session reuse) session_ref=SessionRef
    OHS:2182 NZ Trace function: nzossc_Get
    OHS:2183 NZ Trace message: session data from cache: xxx bytes
    OHS:2182 NZ Trace function: nzossc_Get
    OHS:2183 NZ Trace message: Session data is valid
    OHS:2182 NZ Trace function: nzossc_Get

Validation of the peer (client) certificate fails, which leads to the session being killed.

    OHS:2183 NZ Trace message: Peer certificate verification failed. Error:0
    AH00837: socache_shmcb_remove (0xaa -> subcache 12)
    AH00852: possible match at idx=0, data=0
    AH00853: shmcb_subcache_remove removing matching entry
    AH00839: leaving socache_shmcb_remove successfully

The cached session is removed.

    Inter-Process Session Cache: request=REM status=OK id=SessionValue (session dead) session_ref=26fee0
    OHS:2182 NZ Trace function: nzossc_Get
    ...

A new handshake takes place for the new session but fails because the CAC is not in the card reader.

    OHS:2183 NZ Trace message:  certverify - CN=CAC Card
    ...
    OHS:2183 NZ Trace message: SSLv3 verify peer certificate (TLSv12 protocol)
    OHS:2182 NZ Trace function: SSL_Info
    OHS:2183 NZ Trace message: SSLv3 read client key exchange A (TLSv12 protocol)
    ...
    OHS:2182 NZ Trace function: SSL_Alert
    OHS:2183 NZ Trace message: read - fatal - handshake failure
    OHS:2182 NZ Trace function: SSL_Alert
    OHS:2183 NZ Trace message: read - fatal - handshake failure
    OHS:2182 NZ Trace function: SSL_Info
    OHS:2183 NZ Trace message: failed in SSLv3 read certificate verify A
    OHS:2182 NZ Trace function: nzos_Handshake
    OHS:2183 NZ Trace message: Handshake error(cb=x,rc=x,rer=x,ser=xxxx) - error:14095410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    OHS:2182 NZ Trace function: nzos_Handshake
    OHS:2183 NZ Trace message: exit
    nzos_Handshake() -> 28860
    OHS:2079 Client SSL handshake error, nzos_Handshake returned 28860(server host:port)
    OHS:2171 NZ Library Error: SSL fatal alert
    AUDIT EVENT scope C type 0 method ClientCert flags <authn> role (none) reason SSL handshake failure id 00001
    Audit not enabled
    OHS:2182 NZ Trace function: SSL_Alert
    OHS:2183 NZ Trace message: write - warning - close notify
    OHS:2182 NZ Trace function: SSL_Alert
    OHS:2183 NZ Trace message: write - warning - close notify
    AH02001: Connection closed to child 88 with standard shutdown (server host:port)
    OHS:2182 NZ Trace function: nzos_DestroyCtx
    OHS:2183 NZ Trace message: entry
    OHS:2182 NZ Trace function: nzos_DestroyCtx
    OHS:2183 NZ Trace message: exit
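To spot this sequence when triaging an OHS SSL debug log, here is an added example (not part of the Oracle note) that scans trace lines for the pattern shown above: a cache hit on session reuse, followed by peer certificate verification failure and removal of that same session, then the failing fresh handshake. The embedded log lines are constructed from the excerpts above; the session ids are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the OHS trace excerpts in the note above.
SAMPLE_LOG = """\
Inter-Process Session Cache: request=GET status=FOUND id=AB12 (session reuse) session_ref=26fee0
OHS:2183 NZ Trace message: Session data is valid
OHS:2183 NZ Trace message: Peer certificate verification failed. Error:0
AH00853: shmcb_subcache_remove removing matching entry
Inter-Process Session Cache: request=REM status=OK id=AB12 (session dead) session_ref=26fee0
OHS:2183 NZ Trace message: read - fatal - handshake failure
OHS:2079 Client SSL handshake error, nzos_Handshake returned 28860(server host:port)
Inter-Process Session Cache: request=GET status=FOUND id=CD34 (session reuse) session_ref=26fee1
OHS:2183 NZ Trace message: Session data is valid
"""

CACHE_RE = re.compile(r"Inter-Process Session Cache: request=(\w+) status=(\w+) id=(\S+)")
VERIFY_FAIL = "Peer certificate verification failed"
HANDSHAKE_FAIL = "Client SSL handshake error"


@dataclass
class ReuseKill:
    session_id: str
    handshake_failed: bool = False


def find_reuse_kills(log_text):
    """Return sessions that were found in the cache (reuse attempt), then failed
    peer certificate verification and were removed. handshake_failed is set when
    the fresh handshake that follows also fails, as it does with the CAC removed."""
    kills = []
    pending = None          # session id of the current cache hit, if any
    verify_failed = False   # verification failure seen for that cache hit
    last_kill = None        # kill awaiting the outcome of the new handshake
    for line in log_text.splitlines():
        m = CACHE_RE.search(line)
        if m:
            req, status, sid = m.groups()
            if req == "GET" and status == "FOUND":
                pending, verify_failed, last_kill = sid, False, None
            elif req == "REM" and sid == pending and verify_failed:
                last_kill = ReuseKill(sid)
                kills.append(last_kill)
                pending = None
        elif VERIFY_FAIL in line and pending is not None:
            verify_failed = True
        elif HANDSHAKE_FAIL in line and last_kill is not None:
            last_kill.handshake_failed = True
            last_kill = None
    return kills
```

A session that is found in the cache and stays valid (like the second id in the sample) is not reported, so the output lists only the reuse attempts that were killed.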

Cause
