chromium/chrome 53.something+ fails to connect to tomcat server configured for http2 protocol upgrade
Reported by fordf...@gmail.com, Oct 18 2016
Issue description

Chromium Version: 55.0.2873.0
OS Version: Gentoo Linux
URLs (if applicable): https://pz.one2one.cz/
Other browsers tested: Chrome 55.0.2883.11 (FAIL), Chrome 54.0.2840.59 (FAIL), Chrome 54.0.2840.59 (FAIL), Firefox 49.0 (OK)

What steps will reproduce the problem?
1. Try to load the page https://pz.one2one.cz/

What is the expected result?
The page should load without issues, using the http2 protocol.

What happens instead of that?
The browser says the website is not accessible.

More info: the other side is a Tomcat server configured to allow browsers to upgrade to the http2 protocol.

UserAgentString: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2873.0 Safari/537.36
,
Oct 18 2016
Firefox 49.0 says "Insecure Connection" when I try to access the site. Are you sure the site works fine on other browsers? I see ERR_CONNECTION_CLOSED and an error from CERT_CT_COMPLIANCE_CHECKED in the logs.
,
Oct 18 2016
Removing SSL. Event 1008 suggests it's an HTTP2 layer receiving an explicit close.
,
Oct 18 2016
I just started Firefox with a new profile and you are right, it says SEC_ERROR_UNKNOWN_ISSUER, which means that Let's Encrypt Authority X3 is not a built-in known authority, and I can see in the Firefox profile I use that I have added the certificate to Firefox (some time ago). I should have tested that with a clean Firefox. Anyway, the server certificate is cross-signed by the IdenTrust authority, so it should be accepted imo.

Anyway, if I add an exception to Firefox, the page loads without issues, which is what I expect with Chromium/Chrome and what was the main reason I mentioned Firefox as working. Chromium/Chrome simply fails to load the page without giving me the real reason why. As I mentioned before, Chromium/Chrome loaded the page without issues in early versions of 53, but it stopped working later.

Also, in the Chromium dev tools, in the Security tab, I can see this when loading the page:

    This page is not secure.
    Valid Certificate
    The connection to this site is using a valid, trusted server certificate.
    Secure Resources
    All resources on this page are served securely.

So I'd expect that Chromium trusts the certificate, but something else goes wrong.

I'm attaching a screenshot from Firefox after loading the page (with the added security exception) to show that Firefox really works and how the page looks after loading. I'm also attaching the server public certificate just in case. Here is a link describing the signing chain of Let's Encrypt: https://letsencrypt.org/certificates/
,
Oct 18 2016
You need to update your Tomcat - it was severely buggy with the recent HPACK changes both Firefox and Chrome made to allow 64KB in the dynamic table. They've fixed the bug up to at least 64KB. https://bz.apache.org/bugzilla/show_bug.cgi?id=60173#c5

As an aside, your certificate issues are probably because that site doesn't bundle its intermediates correctly - https://www.ssllabs.com/ssltest/analyze.html?d=pz.one2one.cz&s=138.201.140.137
,
Oct 18 2016
You are completely right. I just updated Tomcat to version 8.5.6 and since then I am able to connect to the website from Chromium/Chrome. To avoid the Firefox issue with the certificate, I had to add a certificate chain file to the Tomcat configuration. So it was not a Chromium/Chrome issue but a Tomcat issue, and Firefox just accidentally happened to work (http2). So this bug can be closed as invalid. Thank you Patrick for helping me to resolve it!
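The certificate part of the fix described in the comment above, sketched as a Tomcat 8.5 `server.xml` connector. This is an added example, not the reporter's actual configuration: the port, the file paths and the choice of the APR/OpenSSL connector are assumptions.

```xml
<!-- Before (constructed): only the leaf certificate is served, so a client
     that does not already know the intermediate cannot build a path to a
     trusted root and reports an unknown issuer.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateKeyFile="conf/PLACEHOLDER-privkey.pem"
                 certificateFile="conf/PLACEHOLDER-cert.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
-->

<!-- After: certificateChainFile points at the PEM file holding the
     intermediate certificate(s), so Tomcat sends leaf plus intermediates
     in the TLS handshake. Paths are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true">
  <!-- Enables the HTTP/2 upgrade discussed in this issue -->
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateKeyFile="conf/PLACEHOLDER-privkey.pem"
                 certificateFile="conf/PLACEHOLDER-cert.pem"
                 certificateChainFile="conf/PLACEHOLDER-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

To check what the server actually sends, `openssl s_client -connect <host>:443 -showcerts` prints every certificate in the handshake; with the chain file in place the intermediate appears after the leaf.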
,
Oct 18 2016
Thanks patric.ducksong@!
Comment 1 by ellyjo...@chromium.org, Oct 18 2016
Status: Untriaged (was: Unconfirmed)