1 Reply Latest reply on Aug 28, 2017 11:47 AM by RENO4

    Enabling SSL on Oracle HTTP Server - nzos handshake error, nzos_Handshake returned 28858

    RENO4

      Hello everybody!

       

      Here is the error

      [info] Connection to child 1 established (server yy.yy.yy:443, client xx.xx.xx.xx)

      [error] nzos handshake error, nzos_Handshake returned 28858(server yy.yy.yy:443, client xx.xx.xx.xx)

      [error] NZ Library Error: SSL protocol error [Hint: the client probably speaks HTTPS over HTTP protocol]

      [info] Connection to child 1 closed with standard shutdown(server yy.yy.yy:443, client xx.xx.xx.xx)

      which I got when trying to open the URL (https://yy.yy.yy:443/) in my browser (Chromium, Firefox or Opera).

       

      What does it mean?

       

      I have currently set up SSL (wallet with trusted & user certs, opmn.xml, ssl.conf) for Oracle HTTP Server (on port 443).

       

      # nmap --script ssl-enum-ciphers -p 443 yy.yy.yy

      Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-24 14:09 MSK

      Nmap scan report for yy.yy.yy (zz.zz.zz.zz)

      Host is up (0.0010s latency).

      PORT    STATE SERVICE

      443/tcp open  https

      | ssl-enum-ciphers:

      |   SSLv3:

      |     ciphers:

      |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

      |     compressors:

      |       NULL

      |_  least strength: strong

       

       

      Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

       

      When I test my Oracle HTTPS connection with OpenSSL using the command

       

      # openssl s_client -ssl3 -state -connect yy.yy.yy:443 -CAfile /home/master/MyCACert.pem

      CONNECTED(00000003)

      SSL_connect:before/connect initialization

      SSL_connect:SSLv3 write client hello A

      SSL_connect:SSLv3 read server hello A

      depth=1 C = RU, ST = Moscow, O = XXCA, OU = CAD, CN = XXCA, emailAddress = support@sometelecom.ru

      verify return:1

      depth=0 CN = yy.yy.yy, O = XXCA, C = RU

      verify return:1

      SSL_connect:SSLv3 read server certificate A

      SSL_connect:SSLv3 read server key exchange A

      SSL_connect:SSLv3 read server done A

      SSL_connect:SSLv3 write client key exchange A

      SSL_connect:SSLv3 write change cipher spec A

      SSL_connect:SSLv3 write finished A

      SSL_connect:SSLv3 flush data

      SSL_connect:SSLv3 read finished A

      ---

      Certificate chain

      0 s:/CN=yy.yy.yy/O=XXCA/C=RU

         i:/C=RU/ST=Moscow/O=XXCA/OU=CAD/CN=XXCA/emailAddress=support@sometelecom.ru

      1 s:/C=RU/ST=Moscow/O=XXCA/OU=CAD/CN=XXCA/emailAddress=support@sometelecom.ru

         i:/C=RU/ST=Moscow/O=XXCA/OU=CAD/CN=XXCA/emailAddress=support@sometelecom.ru

      ---

      Server certificate

      -----BEGIN CERTIFICATE-----

      ....

      -----END CERTIFICATE-----

      subject=/CN=yy.yy.yy/O=XXCA/C=RU

      issuer=/C=RU/ST=Moscow/O=XXCA/OU=CAD/CN=XXCA/emailAddress=support@sometelecom.ru

      ---

      No client certificate CA names sent

      Server Temp Key: DH, 1024 bits

      ---

      SSL handshake has read 2333 bytes and written 338 bytes

      ---

      New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA

      Server public key is 1024 bit

      Secure Renegotiation IS NOT supported

      Compression: NONE

      Expansion: NONE

      SSL-Session:

          Protocol  : SSLv3

          Cipher    : EDH-RSA-DES-CBC3-SHA

          Session-ID: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

          Session-ID-ctx:

          Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

          Key-Arg   : None

          Krb5 Principal: None

          PSK identity: None

          PSK identity hint: None

          Start Time: 1503579764

          Timeout   : 7200 (sec)

          Verify return code: 0 (ok)

      ---

      Q

      DONE

      ----

       

      then I get the following log:

       

      [Thu Aug 24 16:12:39 2017] [info] Connection to child 1 established (server yy.yy.yy:443, client xx.xx.xx.xx)

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(684): inside shmcb_store_session

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(690): session_id[0]=239, masked index=15

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1073): entering shmcb_insert_encoded_session, *queue->pos_count = 0

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(997): entering shmcb_expire_division

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1129): we have 14386 bytes and 133 indexes free - enough

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1158): storing in index 0, at offset 0

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1173): session_id[0]=239, idx->s_id2=55

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1184): leaving now with 145 bytes in the cache and 1 indexes

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1188): leaving shmcb_insert_encoded_session

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(718): leaving shmcb_store successfully

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(413): shmcb_store successful

      [Thu Aug 24 16:12:39 2017] [info] Inter-Process Session Cache: request=SET status=OK id=EF37A1E4BD8DE1337508A0F83364AB6E timeout=300s (session caching)

      [Thu Aug 24 16:12:42 2017] [info] Connection to child 1 closed with standard shutdown(server yy.yy.yy:443, client xx.xx.xx.xx)

       

      So what else do I have to do? Do I have to enable SSL for mod_oc4j & OC4J or not?

       

      Regards,

      Oleg

       

      P.S. Oracle Database 10.2.0.5, Oracle HTTP Server (AS 10.1.3.3)
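
An added example, not part of the original post: a Python check that parses the `ssl-enum-ciphers` text output shown above and lists what a reviewer would flag about the listener (which protocol versions it offers and which cipher suites). The function names and the weak-cipher substrings are choices made for this example.

```python
import re

# nmap 6.40 ssl-enum-ciphers text output, copied from the post above.
SAMPLE = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

PROTO_RE = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+((?:TLS|SSL)_\w+)")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings chosen for this example to mark suites a reviewer would flag.
WEAK_MARKERS = ("3DES", "RC4", "_DES_", "EXPORT", "NULL", "anon")

def parse_enum_ciphers(text):
    """Return {protocol: [cipher suite, ...]} from ssl-enum-ciphers output."""
    offered, current = {}, None
    for raw in text.splitlines():
        proto = PROTO_RE.match(raw.strip())
        cipher = CIPHER_RE.match(raw.strip())
        if proto:
            current = proto.group(1)
            offered[current] = []
        elif cipher and current:
            offered[current].append(cipher.group(1))
    return offered

def assess(offered):
    """List findings: legacy protocols, missing TLS, flagged cipher suites."""
    findings = []
    for proto in sorted(set(offered) & LEGACY_PROTOCOLS):
        findings.append(f"{proto} is offered (legacy protocol)")
    if not any(p.startswith("TLSv") for p in offered):
        findings.append("no TLS version offered; clients that refuse "
                        "SSLv2/SSLv3 cannot complete a handshake")
    for proto, ciphers in sorted(offered.items()):
        for name in ciphers:
            if any(marker in name for marker in WEAK_MARKERS):
                findings.append(f"{proto}: {name} uses a flagged cipher")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_enum_ciphers(SAMPLE)):
        print(finding)
```

Run against the scan in the post, it reports that SSLv3 is the only protocol offered and that the single suite uses 3DES, even though nmap 6.40 labels that suite "strong".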