1 Reply Latest reply on Aug 28, 2017 11:47 AM by RENO4

    Enabling SSL on Oracle HTTP Server - nzos handshake error, nzos_Handshake returned 28858


      Hello everybody!


      There is the error

      [info] Connection to child 1 established (server yy.yy.yy:443, client xx.xx.xx.xx)

      [error] nzos handshake error, nzos_Handshake returned 28858(server yy.yy.yy:443, client xx.xx.xx.xx)

      [error] NZ Library Error: SSL protocol error [Hint: the client probably speaks HTTPS over HTTP protocol]

      [info] Connection to child 1 closed with standard shutdown(server yy.yy.yy:443, client xx.xx.xx.xx)

      which I got when trying to open the URL (https://yy.yy.yy:443/) in my browser (Chromium, Firefox or Opera).


      What does it mean?


      I have currently set up SSL (wallet with trusted & user certs, opmn.xml, ssl.conf) for Oracle HTTP Server (on port 443).


      # nmap --script ssl-enum-ciphers -p 443 yy.yy.yy

      Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-24 14:09 MSK

      Nmap scan report for yy.yy.yy (zz.zz.zz.zz)

      Host is up (0.0010s latency).


      443/tcp open  https

      | ssl-enum-ciphers:

      |   SSLv3:

      |     ciphers:

      |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

      |     compressors:

      |       NULL

      |_  least strength: strong



      Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds


      When I tested my Oracle HTTPS connection with OpenSSL using the command


      # openssl s_client -ssl3 -state -connect yy.yy.yy:443 -CAfile /home/master/MyCACert.pem


      SSL_connect:before/connect initialization

      SSL_connect:SSLv3 write client hello A

      SSL_connect:SSLv3 read server hello A

      depth=1 C = RU, ST = Moscow, O = XXCA, OU = CAD, CN = XXCA, emailAddress = support@sometelecom.ru

      verify return:1

      depth=0 CN = yy.yy.yy, O = XXCA, C = RU

      verify return:1

      SSL_connect:SSLv3 read server certificate A

      SSL_connect:SSLv3 read server key exchange A

      SSL_connect:SSLv3 read server done A

      SSL_connect:SSLv3 write client key exchange A

      SSL_connect:SSLv3 write change cipher spec A

      SSL_connect:SSLv3 write finished A

      SSL_connect:SSLv3 flush data

      SSL_connect:SSLv3 read finished A


      Certificate chain

      0 s:/CN=yy.yy.yy/O=XXCA/C=RU


      1 s:/C=RU/ST=Moscow/O=XXCA/OU=CAD/CN=XXCA/emailAddress=support@sometelecom.ru



      Server certificate

      -----BEGIN CERTIFICATE-----


      -----END CERTIFICATE-----




      No client certificate CA names sent

      Server Temp Key: DH, 1024 bits


      SSL handshake has read 2333 bytes and written 338 bytes


      New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA

      Server public key is 1024 bit

      Secure Renegotiation IS NOT supported

      Compression: NONE

      Expansion: NONE


          Protocol  : SSLv3

          Cipher    : EDH-RSA-DES-CBC3-SHA




          Key-Arg   : None

          Krb5 Principal: None

          PSK identity: None

          PSK identity hint: None

          Start Time: 1503579764

          Timeout   : 7200 (sec)

          Verify return code: 0 (ok)






      then I got the following log:


      [Thu Aug 24 16:12:39 2017] [info] Connection to child 1 established (server yy.yy.yy:443, client xx.xx.xx.xx)

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(684): inside shmcb_store_session

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(690): session_id[0]=239, masked index=15

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1073): entering shmcb_insert_encoded_session, *queue->pos_count = 0

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(997): entering shmcb_expire_division

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1129): we have 14386 bytes and 133 indexes free - enough

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1158): storing in index 0, at offset 0

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1173): session_id[0]=239, idx->s_id2=55

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1184): leaving now with 145 bytes in the cache and 1 indexes

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(1188): leaving shmcb_insert_encoded_session

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(718): leaving shmcb_store successfully

      [Thu Aug 24 16:12:39 2017] [debug] ssl_scache_shmcb.c(413): shmcb_store successful

      [Thu Aug 24 16:12:39 2017] [info] Inter-Process Session Cache: request=SET status=OK id=EF37A1E4BD8DE1337508A0F83364AB6E timeout=300s (session caching)

      [Thu Aug 24 16:12:42 2017] [info] Connection to child 1 closed with standard shutdown(server yy.yy.yy:443, client xx.xx.xx.xx)


      So what else do I have to do? Do I have to enable SSL for mod_oc4j & OC4J or not?





      P.S. Oracle Database, Oracle HTTP Server (AS
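
Added example, not part of the original post: the nmap output quoted above lists SSLv3 as the only protocol the listener offers, and this Python sketch parses that `ssl-enum-ciphers` section and reports which protocol versions and legacy suites are enabled. The function names, the `LEGACY_MARKERS` list and the embedded sample are assumptions made for the illustration.

```python
import re

# Constructed sample: the ssl-enum-ciphers section of the nmap run quoted in the post.
SAMPLE = """\
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d(?:\.\d)?):$")
SUITE_RE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)\b")
LEGACY_MARKERS = ("3DES", "RC4", "_DES_", "EXPORT", "_NULL_")  # hypothetical review list

def parse_enum_ciphers(text):
    """Map each protocol version nmap reports to the cipher suites listed under it."""
    offered, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # forum copies indent the output and add blank lines
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered[current] = []
            continue
        suite = SUITE_RE.match(line)
        if suite and current:
            offered[current].append(suite.group(1))
    return offered

def review(offered):
    """Return human-readable findings for a parsed listener."""
    notes = []
    if offered and not any(p.startswith("TLSv") for p in offered):
        notes.append("no TLS version offered, only " + ", ".join(sorted(offered)))
    for proto, suites in sorted(offered.items()):
        if proto.startswith("SSLv"):
            notes.append(proto + " enabled (SSL 2.0/3.0 are prohibited by RFC 6176/RFC 7568)")
        notes.extend(f"{proto}: legacy cipher {s}" for s in suites
                     if any(m in s for m in LEGACY_MARKERS))
    return notes

if __name__ == "__main__":
    for note in review(parse_enum_ciphers(SAMPLE)):
        print(note)
```

Run against the sample it reports three findings: no TLS version offered, SSLv3 enabled, and a 3DES suite under SSLv3.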