[cross-posted from https://community.oracle.com/thread/3919426?sr=stream&ru=232867, no reply there]
For an Oracle grown Application (it's actually beehive collab server) that is based on Oracle HTTP Server 10.1.3 (and, being on extended support, cannot be updated to more recent versions of OHS), we have the issue that a fronted NGINX reverse proxy has an issue with one service (it's actually the server counterpart of the OBEO connector) that is run by a process ombd on Linux, so it appears to be the Oracle Message Broker Daemon:
This one service (only!) appears to be unwilling to accept NGINX proxied connections, and will report "nzos_Handshake failed" in its log files, e.g.
...
xsi:type="nsio-ssl-log"
timestamp="2016-04-05T12:57:54.412Z"
severity="severe"
message="nzssl(context 084163E4): nzos_Handshake failed, error: 28860" />
</log>
xsi:type="nsio-ssl-log"
timestamp="2016-04-05T12:57:54.412Z"
severity="severe"
message="nzssl(context 084163E4): nzos_Handshake failed, error: 28860" />
</log>
The various documents on MOS regarding nzos_Handshake failed, error: 28860 did not help.
The NGINX-Proxy, run with debug logging, will report "SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" at the same moment:
...
2016/04/05 14:51:08 [debug] 13091#0: *19 http upstream request: "/beehive/redirect/secure-mx?"
2016/04/05 14:51:08 [debug] 13091#0: *19 http upstream process upstream
2016/04/05 14:51:08 [debug] 13091#0: *19 pipe read upstream: 1
2016/04/05 14:51:08 [debug] 13091#0: *19 SSL_read: -1
2016/04/05 14:51:08 [debug] 13091#0: *19 SSL_get_error: 1
2016/04/05 14:51:08 [error] 13091#0: *19 SSL_read() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while reading upstream, client: 172.31.23.5, server: beehive.site.com, request: "GET /beehive/redirect/secure-mx HTTP/1.0", upstream: "https://myip:myport/beehive/redirect/secure-mx"
2016/04/05 14:51:08 [debug] 13091#0: *19 pipe recv chain: -1
2016/04/05 14:51:08 [debug] 13091#0: *19 event timer del: 34: 1459861268505
2016/04/05 14:51:08 [debug] 13091#0: *19 http upstream exit: 0000000000000000
2016/04/05 14:51:08 [debug] 13091#0: *19 finalize http upstream request: 502
2016/04/05 14:51:08 [debug] 13091#0: *19 finalize http proxy request
2016/04/05 14:51:08 [debug] 13091#0: *19 free rr peer 1 0
2016/04/05 14:51:08 [debug] 13091#0: *19 SSL_shutdown: 1
...
Wireshark reports "Alert (Level: Fatal, Description: Protocol Version)".
We do not want to front BigIP.
I believe we are seeing some incompatibility between Application Server using SSL-libraries from Certicom and the OpenSSL Libraries used in Linux.
Can somebody offer an idea on how to get this running? As a matter of fact, Oracle HTTP Server 10.1.3 will not accept SHA-1 certificates, and the current certificate will terminate in a few months.
Kind regards, Tom
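
Added example, not part of the original post: a small Python parser for the SSL/TLS record layer that shows where the version numbers and the alert reported by Wireshark sit on the wire, so the bytes each side sends can be compared in a capture. The byte string is constructed for illustration, and the names parse_records and SAMPLE are hypothetical.

```python
import struct

# Record-layer constants from the SSL 3.0 / TLS 1.0-1.2 specifications.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}
HELLO_TYPES = {1: "client_hello", 2: "server_hello"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor))


def parse_records(data):
    """Walk a raw byte stream and describe each SSL/TLS record in it."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record body at offset %d" % offset)
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "record_version": version_name(major, minor)}
        if ctype == 22 and len(body) >= 6 and body[0] in HELLO_TYPES:
            # Handshake header is type(1) + length(3); the hello's own
            # protocol version follows and may differ from the record's.
            rec["hello"] = HELLO_TYPES[body[0]]
            rec["hello_version"] = version_name(body[4], body[5])
        elif ctype == 21 and length == 2:
            # Plaintext alerts are exactly two bytes: level, description.
            rec["alert"] = (ALERT_LEVELS.get(body[0], "unknown"),
                            ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1]))
        records.append(rec)
        offset += 5 + length
    return records


# Constructed sample, not captured from the poster's system: an abbreviated
# ClientHello offering TLSv1.2 inside a TLSv1.0 record, answered by a fatal
# protocol_version alert.
SAMPLE = bytes.fromhex("1603010006" "010000020303" "1503010002" "0246")

if __name__ == "__main__":
    for record in parse_records(SAMPLE):
        print(record)
```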