New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 647241 link

Starred by 13 users
Status: Fixed
Owner:
mattm@chromium.org
Closed: Sep 2016
Cc:
svaldez@chromium.org
sdy@chromium.org
davidben@chromium.org
rsesek@chromium.org
nhar...@chromium.org
erikc...@chromium.org
cbentzel@chromium.org
smut@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

Error (This site can’t be reached) for every site

Reported by j...@externl.com, Sep 15 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Example URL:
https://www.google.com/

Steps to reproduce the problem:
1. Open new tab
2. Enter adresss
3. Press enter

What is the expected behavior?
Page will load

What went wrong?
Always getting:

This site can’t be reached

The webpage at https://www.google.com/ might be temporarily down or it may have moved permanently to a new web address.
ERR_FAILED

Did this work before? N/A 

Chrome version: 55.0.2861.0  Channel: canary
OS Version: OS X 10.12.0
Flash Version: Shockwave Flash 23.0 r0

Stable channel works, as did Canary prior to updating to this version.
net-internals-log.json
745 KB View Download

Comment 1 by j...@externl.com, Sep 15 2016 

Looks like this applies only to HTTPS pages.

Comment 2 Deleted

Comment 4 by mmenke@chromium.org, Sep 15 2016

Components: -Internals>Network Internals>Network>SSL
SSL_CONNECT is failing after a SSL_CERTIFICATES_RECEIVED event with ERR_FAILED.  I guess this means we don't like the cert for some reason or something.  Only see connections to google domains in the log.

Comment 5 by j...@externl.com, Sep 16 2016 

Https://google.com was the domain I was testing. It happens with all https:// websites I've tried so far. Http is fine.

Comment 6 by rsa...@gmail.com, Sep 16 2016 

Seeing the same issue as well on 55.0.2861.0 

This site can’t be reached

The webpage at https://www.google.com/ might be temporarily down or it may have moved permanently to a new web address.
ERR_FAILED

Comment 7 by rsleevi@chromium.org, Sep 16 2016 

 Issue 647524  has been merged into this issue.

Comment 8 by rsleevi@chromium.org, Sep 16 2016

Cc: rsesek@chromium.org sdy@chromium.org
Labels: Needs-Feedback
rsesek: Are you aware of any sandbox changes with Sierra?
sdy: FYI, since you filed that other Sierra bug :)

For folks seeing this, are you using Parental Controls at all? That's routinely caused network issues for Chrome.

Comment 9 by j...@externl.com, Sep 16 2016 

No parental controls here.

Comment 10 by rsa...@gmail.com, Sep 16 2016 

rsleevi: In previous Sierra builds this has worked just fine. On 16A319 for the last week or so this was not an issue until the build bumped up to 55.0.2861.0

Comment 11 by sdy@chromium.org, Sep 16 2016 

Thanks for the cc. I see the same issue (this Sierra machine is in a pretty clean state, no parental controls or similar).

Happy to test patches.

Comment 12 by rsleevi@chromium.org, Sep 16 2016

Cc: cbentzel@chromium.org nhar...@chromium.org
re comment #4: In the past, we've seen Safari's parental controls killing the connection right at that point. I don't know why - some sort of networking filtering at the TLS layer?

Since I'm still super suspicious of the OS X Security layer & interceptions, few more quick things:
1) Does changing "Token Binding" to disabled on chrome://flags/ help?
2) sdy@ - If you launch Chrome w/ a terminal attached (or if you can get the console logs), are there any useful messages like "Unknown error mapped to ERR_FAILED" ?

Comment 13 by jrad...@gmail.com, Sep 16 2016 

re #12:
1) Problem is still reproducible with "Token Binding" both enabled and disabled.
2) The only relevant error is:
[23865:29187:0916/100959:ERROR:cert_verify_proc_mac.cc(67)] Unknown error mapped to ERR_FAILED: Error Domain=NSOSStatusErrorDomain Code=-50 "r: r" (-50)

Canary worked just fine in build 55.0.2860.0

Comment 15 by vladimir...@gmail.com, Sep 16 2016 

Same issue – please fix !

Comment 16 by ellyjo...@chromium.org, Sep 16 2016

Labels: -Pri-2 Pri-0
Status: Untriaged (was: Unconfirmed)
This reproduces reliably on my desktop. Since all SSL is broken on canary I think this is P0. Marking for net triage.

Comment 17 by mmenke@chromium.org, Sep 16 2016

Labels: ReleaseBlock-Dev

Comment 18 by mmenke@chromium.org, Sep 16 2016

Labels: M-55

Comment 19 by cbentzel@chromium.org, Sep 16 2016

Cc: svaldez@chromium.org
Owner: davidben@chromium.org
Status: Assigned (was: Untriaged)

Comment 20 by ellyjo...@chromium.org, Sep 16 2016 

Here is a cert chain from one of the ERR_FAILED SSL requests:
                             -----BEGIN CERTIFICATE-----
                             MIIFcTCCBFmgAwIBAgIUJT3a+Y4lK4b+yc3FlMZXAc2UIZEwDQYJKoZIhvcNAQEL
                             BQAwgY0xCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJkYW0xJTAjBgNVBAoT
                             HFZlcml6b24gRW50ZXJwcmlzZSBTb2x1dGlvbnMxEzARBgNVBAsTCkN5YmVydHJ1
                             c3QxLjAsBgNVBAMTJVZlcml6b24gQWthbWFpIFN1cmVTZXJ2ZXIgQ0EgRzE0LVNI
                             QTIwHhcNMTUxMjE3MTYwNDA2WhcNMTYxMjE3MTYwNDAzWjBgMQswCQYDVQQGEwJV
                             UzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMRswGQYDVQQKExJUaGUg
                             TmV3IFlvcmsgVGltZXMxFDASBgNVBAMTC255dGltZXMuY29tMIIBIjANBgkqhkiG
                             9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5d/IMvwFrxSsFvo6Ps/2L3tRmEE4RU5esex8
                             gXDcgFAxRvTTmWQfmlPDaFoLHJThWq4A+IVk2+x7Q1gWng/D0I4kQXULIbBOmzhN
                             lEKQyGSFcbMzEQmVZZ5S2yMDmdIEoHxKgcYR1qZvdUJdTlu/U96Q+jrrSIxyRxcP
                             7wh1HHCklS3OO7KCIuSk0crH+0SatyPSv5D7bjTxvCcS6wIydryafcPayCvkFCku
                             y+QCXRyQmii3fa25ZLh/IxvZeA2Rv3PeRJbzVXxy/rZta0zVVJY6CmT2YudPEqs1
                             khdK8efetxEcVgEm+OvtK3l3IbHBwNNdFJev0HnqgxmR6gOwjQIDAQABo4IB8zCC
                             Ae8wDAYDVR0TAQH/BAIwADBMBgNVHSAERTBDMEEGCSsGAQQBsT4BMjA0MDIGCCsG
                             AQUFBwIBFiZodHRwczovL3NlY3VyZS5vbW5pcm9vdC5jb20vcmVwb3NpdG9yeTCB
                             rwYIKwYBBQUHAQEEgaIwgZ8wLQYIKwYBBQUHMAGGIWh0dHA6Ly92YXNzZzE0Mi5v
                             Y3NwLm9tbmlyb290LmNvbTA2BggrBgEFBQcwAoYqaHR0cHM6Ly9jYWNlcnQuYS5v
                             bW5pcm9vdC5jb20vdmFzc2cxNDIuY3J0MDYGCCsGAQUFBzAChipodHRwczovL2Nh
                             Y2VydC5hLm9tbmlyb290LmNvbS92YXNzZzE0Mi5kZXIwMAYDVR0RBCkwJ4ILbnl0
                             aW1lcy5jb22CCSoubnl0LmNvbYINKi5ueXRpbWVzLmNvbTAOBgNVHQ8BAf8EBAMC
                             BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFPi9
                             +q9zd8bHG/lLTRGn0TOvr3IRMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92YXNz
                             ZzE0Mi5jcmwub21uaXJvb3QuY29tL3Zhc3NnMTQyLmNybDAdBgNVHQ4EFgQUeOec
                             5NSBV7lp9Crs65+wJlintpYwDQYJKoZIhvcNAQELBQADggEBACO7fPx3n66NexgW
                             fs9qiYsRkzVBfIgGrBnE8V5mtFXvNFzYe5E80lL9a5u5x0Iqs5nGcjPUXM+JUEGU
                             5E8FGeHFjwNJuOOUMttnQ2i+yc8dwYCCvKgkK9yteIS+cpoExHtb/str/rNl/MHz
                             +aek64zV2g3pTVTFLEdl4DzgZPxzWHCVL6hpw0LHQhip/uX9mmV3nRxeBHOlh03L
                             DW42XB5bu7/U8mJf1sMrzN3Nxc88qfAYSJ4pGVFp0n2u69VY0K+nTAh5Xndm3OOj
                             I7j/dFc8WqspDNPBI6CZ+DQd2DeNRhYshe6K0OgAsAWuX09chmzwro+KxwJ9Gqbn
                             CpVLjJo=
                             -----END CERTIFICATE-----
                             
                             -----BEGIN CERTIFICATE-----
                             MIIFHzCCBAegAwIBAgIEByekazANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
                             RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
                             VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDQwMjE0MzYxMFoX
                             DTIxMDQwMjE0MzU1MlowgY0xCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJk
                             YW0xJTAjBgNVBAoTHFZlcml6b24gRW50ZXJwcmlzZSBTb2x1dGlvbnMxEzARBgNV
                             BAsTCkN5YmVydHJ1c3QxLjAsBgNVBAMTJVZlcml6b24gQWthbWFpIFN1cmVTZXJ2
                             ZXIgQ0EgRzE0LVNIQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDd
                             bp4CaQK1o5kuCGQyalnzxp6mIAfSSNGok8fqR4+DOUDXIF2Nmrqr2HDsnYjRvWL2
                             2+ydXjUBdgMj5W/Sr0Y1WVpc0agjwevpINRJ1j8A2Kgi3kN5gazppJL1d3AFHly2
                             oPeQpM2rKCyQwucPw68cR1nVhC7fJgdFI1rG6JDIhUuMFh5g+QET8RQf5ugU7cXS
                             b2MobnKMSa4IcseTlbQLDK6PmmeE9Vcb24HXF51BEUMZvW1Khe2PcCWrZqv2+m0c
                             PKvtF71WhOHbdTOyKEuZjvlLgjNQn5JT7fqtD5Wco/LLYPB3HckBi18thr6/Nrgk
                             lhN8wYZabMFIKn8+k2DFAgMBAAGjggG3MIIBszASBgNVHRMBAf8ECDAGAQH/AgEC
                             MEwGA1UdIARFMEMwQQYJKwYBBAGxPgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v
                             c2VjdXJlLm9tbmlyb290LmNvbS9yZXBvc2l0b3J5MIG6BggrBgEFBQcBAQSBrTCB
                             qjAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2JhbHRpbW9y
                             ZXJvb3QwOQYIKwYBBQUHMAKGLWh0dHBzOi8vY2FjZXJ0Lm9tbmlyb290LmNvbS9i
                             YWx0aW1vcmVyb290LmNydDA5BggrBgEFBQcwAoYtaHR0cHM6Ly9jYWNlcnQub21u
                             aXJvb3QuY29tL2JhbHRpbW9yZXJvb3QuZGVyMA4GA1UdDwEB/wQEAwIBxjAfBgNV
                             HSMEGDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DBCBgNVHR8EOzA5MDegNaAzhjFo
                             dHRwOi8vY2RwMS5wdWJsaWMtdHJ1c3QuY29tL0NSTC9PbW5pcm9vdDIwMjUuY3Js
                             MB0GA1UdDgQWBBT4vfqvc3fGxxv5S00Rp9Ezr69yETANBgkqhkiG9w0BAQsFAAOC
                             AQEAgNl67XIFN49hqnN8mmr8/gHiGYFwByUysPBvO8dqKD3kUYfmfoLsrkinsXc4
                             wtZWr4/yAfxlZRAJ93QptQ6S7pCY0YiiZbfNnA6nhpgovK4Vg7Ya1x3sGdp6jkD5
                             mRXVfaW6q/0mmG6cQTu2gRjscEjXbn+m4Xcl1t1i6FLzjBY5Z+IiDXcu+xFs5N04
                             tCdfA6g9ROLyhEuE/Vamnk17ohZPB/U0JHKlovoWZiqkSg7IDSdEnHfUEhCH0gAs
                             eruOiCKRFb6iWco04BxhlIYgM83nTF07kj7L1i3qVPr7r1T1qMULyouHAOaf5pW/
                             t8SjWfUWbF8+aVWAOfZ1UBQ+Mg==
                             -----END CERTIFICATE-----
                             
                             -----BEGIN CERTIFICATE-----
                             MIIEFTCCA36gAwIBAgIEByeO7TANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
                             UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
                             cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
                             b2JhbCBSb290MB4XDTEyMDQxODE2MzYxOFoXDTE4MDgxMzE2MzUxN1owWjELMAkG
                             A1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9yZTETMBEGA1UECxMKQ3liZXJUcnVz
                             dDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVyVHJ1c3QgUm9vdDCCASIwDQYJKoZI
                             hvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKrmD1X6CZymrV51Cni4eiVgLGw41uO
                             KymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjrIZ3AQSsBUnuId9Mcj8e6uYi1agnn
                             c+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeKmpYcqWe4PwzV9/lSEy/CG9VwcPCP
                             wBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSuXmD+tqYF/LTdB1kC1FkYmGP1pWPg
                             kAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZydc93Uk3zyZAsuT3lySNTPx8kmCFc
                             B5kpvcY67Oduhjprl3RjM71oGDHweI12v/yejl0qhqdNkNwnGjkCAwEAAaOCAUcw
                             ggFDMBIGA1UdEwEB/wQIMAYBAf8CAQMwSgYDVR0gBEMwQTA/BgRVHSAAMDcwNQYI
                             KwYBBQUHAgEWKWh0dHA6Ly9jeWJlcnRydXN0Lm9tbmlyb290LmNvbS9yZXBvc2l0
                             b3J5MA4GA1UdDwEB/wQEAwIBBjCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYT
                             AlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJl
                             clRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3Qg
                             R2xvYmFsIFJvb3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVi
                             bGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwDQYJKoZIhvcN
                             AQEFBQADgYEAkx3+i65G7MupD6vl78qyaBZo2I/6E6mvs8st50tujmkqwisQCo32
                             rnO2ufsU/V9tuFC2xIrWQH7Xw8tz3MldW6+wQbU36+rcIJHENGr0ofOWnTeGl+Fx
                             pN19+kSElK7XCQQidg9kUTWpJA/5C9sy2sL+wbkqXHonE8qxSDpx0EM=
                             -----END CERTIFICATE-----

Comment 21 by davidben@chromium.org, Sep 16 2016

Cc: davidben@chromium.org
Components: -Internals>Network>SSL Internals>Network>Certificate
Owner: mattm@chromium.org
If it's in CertVerifyProcMac and comment #14's guess is correct (seems very plausible), this probably should go to mattm.

ellyjones: Since you can repro, I don't suppose you have time to do a bisect to confirm if it's https://chromium.googlesource.com/chromium/src/+/9cedf75377d817c6b32a01f1d30fbe10663b8bb8 ?

Comment 22 by svaldez@chromium.org, Sep 16 2016 

Is anyone able to reliably reproduce on 55.0.2862.0? Can't repro it locally.

Comment 23 by j...@externl.com, Sep 16 2016 

I can still reproduce on 55.0.2862.0 every time.

Comment 24 by j...@externl.com, Sep 16 2016 

Maybe limited to macOS Sierra?

Comment 25 by sdy@chromium.org, Sep 16 2016 

svaldez@: Are you testing on 10.12?

Comment 26 by ellyjo...@chromium.org, Sep 16 2016 

I can confirm that it is 9cedf75377d817c6b32a01f1d30fbe10663b8bb8. If I revert that change, HTTPS connections in my ToT build work again.

Comment 27 by davidben@chromium.org, Sep 16 2016 

Thanks! Let's just revert that for now and we can sort out what's up with it asynchronously.

Comment 29 by svaldez@chromium.org, Sep 16 2016 

Ah no, I hadn't updated to Sierra yet. I suspect some of the Sierra SecKey changes broke the CL. Are any of the Mac trybots getting updated to Sierra?

Comment 30 by shrike@chromium.org, Sep 16 2016

Cc: erikc...@chromium.org
erikchen@ - what do we need to do to get a 10.12 trybot running, once 10.12 is publically released?

Comment 31 by erikc...@chromium.org, Sep 16 2016

Cc: smut@chromium.org
you probably want 10.12 on the CQ, rather than just a single trybot? I imagine that since we're pretty much always over capacity, we'd need to coordinate with infra to get some of the 10.9, or 10.10 machines upgraded to 10.12. Historically, smut@ has taken point on a lot of this.

Comment 32 by davidben@chromium.org, Sep 16 2016 

Given that most generic teams do not readily have stateless Macs on hand we can switch versions at will, I think we would actually need a try bot and not just CQ. If capacity is an issue, perhaps it should be not in the default set.

Comment 33 by asanka@chromium.org, Sep 16 2016 

 Issue 647577  has been merged into this issue.

Comment 34 by davidben@chromium.org, Sep 16 2016 

 Issue 647565  has been merged into this issue.
Project Member

Comment 35 by bugdroid1@chromium.org, Sep 16 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/03a7397bd4ed8c059a7f5977a7672769fb783626

commit 03a7397bd4ed8c059a7f5977a7672769fb783626
Author: davidben <davidben@chromium.org>
Date: Fri Sep 16 19:21:15 2016

Revert of CertVerifyProcMac: Add Keychain re-ordering hack, check CRLsets in path pruning loop. (patchset #11 id:300001 of https://codereview.chromium.org/2101303005/ )

Reason for revert:
This breaks verification on OS X 10.12 and probably needs some further investigation.

Original issue's description:
> CertVerifyProcMac: Add Keychain re-ordering hack, check CRLsets in path pruning loop.
>
> This also removes the native hostname checking workarounds.
>
> BUG= 570909 ,588789, 621684 
>
> Committed: https://crrev.com/9cedf75377d817c6b32a01f1d30fbe10663b8bb8
> Cr-Commit-Position: refs/heads/master@{#418732}

TBR=rsleevi@chromium.org,mattm@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG= 570909 ,588789, 621684 , 647241 

Review-Url: https://codereview.chromium.org/2347893002
Cr-Commit-Position: refs/heads/master@{#419245}

[modify] https://crrev.com/03a7397bd4ed8c059a7f5977a7672769fb783626/net/BUILD.gn
[modify] https://crrev.com/03a7397bd4ed8c059a7f5977a7672769fb783626/net/cert/cert_verify_proc_mac.cc
[modify] https://crrev.com/03a7397bd4ed8c059a7f5977a7672769fb783626/net/cert/cert_verify_proc_unittest.cc
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/cert/test_keychain_search_list_mac.cc
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/cert/test_keychain_search_list_mac.h
[modify] https://crrev.com/03a7397bd4ed8c059a7f5977a7672769fb783626/net/data/ssl/certificates/README
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/data/ssl/certificates/multi-root-BFE.keychain
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/data/ssl/certificates/tripadvisor-verisign-chain.pem
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/data/ssl/certificates/verisign_class3_g5_crosssigned-trusted.keychain
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/data/ssl/certificates/verisign_class3_g5_crosssigned.pem
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/data/ssl/scripts/generate-keychain.sh
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/data/ssl/scripts/generate-multi-root-BFE-keychain.sh
[delete] https://crrev.com/afc2a8c12033ede8c9cedb501299e47270f75cb8/net/data/ssl/scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh
[modify] https://crrev.com/03a7397bd4ed8c059a7f5977a7672769fb783626/net/net.gypi
[modify] https://crrev.com/03a7397bd4ed8c059a7f5977a7672769fb783626/net/url_request/url_request_unittest.cc

Comment 36 by mmenke@chromium.org, Sep 16 2016 

This is a bit tangential, but when whatever was failed here fails, could we get a more useful error code than ERR_FAILED?

Comment 37 by davidben@chromium.org, Sep 16 2016 

Well, it failed in the codepath where we don't know why it failed, so there's not much in the way of a net error code to route up here. :-P

https://cs.chromium.org/chromium/src/net/cert/cert_verify_proc_mac.cc?rcl=0&l=56

Comment 38 by mmenke@chromium.org, Sep 16 2016 

Hrm....I suppose ERR_UNKNOWN_ERROR wouldn't be much clearer than ERR_FAILED.  :)

Comment 39 by davidben@chromium.org, Sep 16 2016 

From [23865:29187:0916/100959:ERROR:cert_verify_proc_mac.cc(67)] Unknown error mapped to ERR_FAILED: Error Domain=NSOSStatusErrorDomain Code=-50 "r: r" (-50), it looks like the error is errSecParam.

It appears errSecParam is Apple's generic "you passed in a parameter you won't supposed to, go away" error code.

Could one of the Mac folks with easy access to a Sierra machine print a stack trace at that ERR_FAILED line (before the revert went in) so we know what call failed?

Comment 40 by mattm@chromium.org, Sep 17 2016

Labels: -Pri-0 -Needs-Feedback -ReleaseBlock-Dev Pri-2
Status: Started (was: Assigned)
Borrowed a sierra mac so I could debug it. Looks like Sierra doesn't like the CreateSSLServerPolicy with no hostname.

(Lowering priority and removing releaseblock since the CL was already reverted.)

Comment 41 by j...@externl.com, Sep 17 2016 

Everytying is working again in 55.0.2863.0 since that commit was reverted.

Comment 42 by mmenke@chromium.org, Sep 19 2016 

 Issue 647841  has been merged into this issue.

Comment 43 by shrike@chromium.org, Sep 19 2016 

Re: c#39, here is a stack trace from the point you requested:

[96989:26115:0919/140243:ERROR:cert_verify_proc_mac.cc(67)] Unknown error mapped to ERR_FAILED: Error Domain=NSOSStatusErrorDomain Code=-50 "r: r" (-50)
[96989:26115:0919/140243:FATAL:cert_verify_proc_mac.cc(68)] Check failed: false. 
0   libbase.dylib                       0x00000001078b31c3 _ZN4base5debug10StackTraceC1Ev + 19
1   libbase.dylib                       0x00000001078d1877 _ZN7logging10LogMessageD2Ev + 71
2   libnet.dylib                        0x00000001088e7950 _ZN3net12_GLOBAL__N_120NetErrorFromOSStatusEi + 208
3   libnet.dylib                        0x00000001088e6635 _ZN3net17CertVerifyProcMac14VerifyInternalEPNS_15X509CertificateERKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEESB_iPNS_6CRLSetERKNS3_6vectorI13scoped_refptrIS1_ENS7_ISG_EEEEPNS_16CertVerifyResultE + 261
4   libnet.dylib                        0x00000001088e5558 _ZN3net14CertVerifyProc6VerifyEPNS_15X509CertificateERKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEESB_iPNS_6CRLSetERKNS3_6vectorI13scoped_refptrIS1_ENS7_ISG_EEEEPNS_16CertVerifyResultE + 312
5   libnet.dylib                        0x00000001088f0a02 _ZN3net22DoVerifyOnWorkerThreadERK13scoped_refptrINS_14CertVerifyProcEERKS0_INS_15X509CertificateEERKNSt3__112basic_stringIcNS9_11char_traitsIcEENS9_9allocatorIcEEEESH_iRKS0_INS_6CRLSetEERKNS9_6vectorIS6_NSD_IS6_EEEEPiPNS_16CertVerifyResultE + 82
6   libnet.dylib                        0x00000001088f17a8 _ZN4base8internal7InvokerINS0_9BindStateIPFvRK13scoped_refptrIN3net14CertVerifyProcEERKS3_INS4_15X509CertificateEERKNSt3__112basic_stringIcNSD_11char_traitsIcEENSD_9allocatorIcEEEESL_iRKS3_INS4_6CRLSetEERKNSD_6vectorISA_NSH_ISA_EEEEPiPNS4_16CertVerifyResultEEJS6_SA_SJ_SJ_iSN_SS_SV_SX_EEEFvvEE3RunEPNS0_13BindStateBaseE + 56
7   libbase.dylib                       0x00000001079317e8 _ZN4base12_GLOBAL__N_121PostTaskAndReplyRelay19RunTaskAndPostReplyEv + 24
8   libbase.dylib                       0x000000010793b9e5 _ZN4base12_GLOBAL__N_112WorkerThread10ThreadMainEv + 645
9   libbase.dylib                       0x0000000107931697 _ZN4base12_GLOBAL__N_110ThreadFuncEPv + 87
10  libsystem_pthread.dylib             0x00007fff9afe3abb _pthread_body + 180
11  libsystem_pthread.dylib             0x00007fff9afe3a07 _pthread_body + 0
12  libsystem_pthread.dylib             0x00007fff9afe3231 thread_start + 13

Comment 44 by manoranj...@chromium.org, Sep 22 2016 

joe@, Thank you for confirming the revert.
Project Member

Comment 45 by bugdroid1@chromium.org, Sep 23 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af868e7814f899b9be9d2d3f8231d02b9b4d5f64

commit af868e7814f899b9be9d2d3f8231d02b9b4d5f64
Author: mattm <mattm@chromium.org>
Date: Fri Sep 23 23:25:20 2016

Try #2: CertVerifyProcMac: Add Keychain re-ordering hack, check CRLsets in path pruning loop.

This also removes the native hostname checking workarounds.

BUG= 570909 ,588789, 621684 , 647241 

Review-Url: https://codereview.chromium.org/2362533002
Cr-Commit-Position: refs/heads/master@{#420782}

[modify] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/BUILD.gn
[modify] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/cert/cert_verify_proc_mac.cc
[modify] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/cert/cert_verify_proc_unittest.cc
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/cert/test_keychain_search_list_mac.cc
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/cert/test_keychain_search_list_mac.h
[modify] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/cert/x509_util_mac.cc
[modify] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/certificates/README
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/certificates/multi-root-BFE.keychain
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/certificates/tripadvisor-verisign-chain.pem
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/certificates/verisign_class3_g5_crosssigned-trusted.keychain
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/certificates/verisign_class3_g5_crosssigned.pem
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/scripts/generate-keychain.sh
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/scripts/generate-multi-root-BFE-keychain.sh
[add] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/data/ssl/scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh
[modify] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/net.gypi
[modify] https://crrev.com/af868e7814f899b9be9d2d3f8231d02b9b4d5f64/net/url_request/url_request_unittest.cc

Comment 46 by mattm@chromium.org, Sep 27 2016

Status: Fixed (was: Started)

Sign in to add a comment