cannot connect to Google properties
Reported by
con...@superhuman.com,
Mar 14 2017
|
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36 Example URL: Steps to reproduce the problem: 1. Go to the "CapitalOne café" in San Francsico 2. Restart Google Chrome (to flush any connection caches) 3. Visit https://mail.google.com/ What is the expected behavior? It should load mail.google.com. (Also observed with securetoken.googleapis.com, calendar.google.com, www.google.com, bugs.chromium.org) What went wrong? It gets connection refused errors. Did this work before? N/A Chrome version: 57.0.2987.98 Channel: stable OS Version: OS X 10.12.3 Flash Version: Shockwave Flash 24.0 r0 This works fine from curl, and Safari. It does not work in chrome (or chrome canary). This was observed on multiple laptops (all running Mac OS 10.12.3) The IP address that it's trying to connect to is: $ host www.google.com www.google.com has address 216.58.195.68 www.google.com has IPv6 address 2607:f8b0:4005:807::2004 I'm assuming there's a badly behaved middle-box on the network (if it would be helpful I can reach out to capital one cafe and see what they're using), but I also think this is something specific to how chrome is establishing the https:// connection. I tried both disabling and enabling the QUIC protocol flag, but it didn't make a difference. The next step I would like to try is disabling HTTP/2 (though I don't see how that would make a difference), and then try removing SSL algorithms (on the assumption that it's bad ssl-handshake parsing code that's causing the middle-box to reset the connection). The traceroute was: traceroute: Warning: securetoken.googleapis.com has multiple addresses; using 216.58.195.74 traceroute to googleapis.l.google.com (216.58.195.74), 64 hops max, 52 byte packets 1 10.0.4.11 (10.0.4.11) 2.022 ms 1.802 ms 1.333 ms 2 192.168.2.1 (192.168.2.1) 2.100 ms 2.122 ms 1.956 ms 3 serial5-1-0.ar1.sfo1.gblx.net (159.63.21.185) 2.604 ms 2.375 ms 2.623 ms 4 ae-3-18.edge1.sanjose3.level3.net (4.69.209.173) 8.851 ms ae-4-22.edge1.sanjose3.level3.net (4.69.209.177) 7.895 ms 3.890 ms 5 72.14.223.91 (72.14.223.91) 5.203 ms 4.697 ms 4.728 ms 6 108.170.242.241 (108.170.242.241) 5.439 ms 6.561 ms 6.058 ms 7 108.170.235.237 (108.170.235.237) 7.212 ms 4.705 ms 108.170.235.239 (108.170.235.239) 4.726 ms 8 sfo07s16-in-f74.1e100.net (216.58.195.74) 4.987 ms 5.382 ms 4.813 ms /0/superhuman/backend staging … curl https://securetoken.googleapis.com/ The cafe is only a few blocks away, so happy to grab more information if you need it (but it's also only about 10 blocks from Google SF, so you can probably visit too :).
,
Mar 14 2017
Could you please provide a net-internals log of this happening? Instructions: https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details
,
Mar 16 2017
,
Mar 16 2017
Looks like an SSL handshake error. Over to the SSL component.
,
Mar 20 2017
Looks like our ClientHello is getting rejected about 300-400ms later for some reason. That's long enough that I'm guessing the middlebox is unhappy at the server response, rather than the ClientHello. Does this happen with non-Google HTTPS sites, or just Google ones? Since this is a cafe and I gather doesn't happen at home, that suggests this is not an SSL-terminating MITM. Supposing it is just Google sites, that suggests the middlebox is unhappy about something non-Google servers, Safari, and cURL don't implement. That could be: - TLS 1.3 (We had to back that out temporarily, so probably not. Also that ClientHello is a bit on the small side for TLS 1.3.) - Channel ID extension - CHACHA20_POLY1305 ciphers - Extended Master Secret - X25519 - RSA-PSS signature algorithms Does it work in Firefox? Some of these options also exist in Firefox, so that would help narrow things down a bit. I'm actually on the east coast, so +nharper, do you feel like taking a field trip? :-) (Though I see CapitalOne Cafe also has a Cambridge location and they're even open late. I suppose I could also take a field trip, supposing they have a similar network in all their locations...)
,
Mar 20 2017
Okay, I'm in one of their Cambridge locations and it seems fine. Perhaps their SFO location has a different network setup?
,
Mar 22 2017
Could you provide a hexdump or pcap of the ClientHello sent by Chrome? (Or a net-internals dump with a byte-level capture enabled.) Which SSID were you connected to - CapitalOneCafe or 360-Cafe?
,
Mar 23 2017
When connected to the 360-Cafe wifi network, I was able to reproduce issues with Chrome 57.0.2987.110 (on macOS 10.12.3). When connecting (from Chrome or boringssl) to google from another network, the cipher suite negotiated is ECDHE-ECDSA-AES128-GCM-SHA256. From the 360-Cafe network, if I disable that cipher suite before connecting to google, the server chooses a chacha20 cipher suite, and the connection works fine. With that cipher suite enabled (which it is by default), my client never receives a ServerHello. I discovered some interesting behavior when I spun up another server to test against (running "./bssl server -accept 443 -max-version tls1.2" as the server command): when I connect to it on the 360-Cafe network (using "bssl client -connect tls13.nharper.org:443 -server-name localhost -grease -ocsp-stapling -max-version tls1.2 -alpn-protos h2,http/1.1") I get a self-signed cert that did not come from my test server. The subject/issuer is C = " ", ST = Some-State, O = Blue Coat SG300 Series, OU = 1911162020. (If I run the same thing, but on port 3000 instead of 443, the client connects to my test server directly with the expected cipher suite of ECDHE-ECDSA-AES128-GCM-SHA256.) I don't know if this is a bug in the particular Blue Coat SG300 appliance that is in use, or if it is an issue with the configuration of said device.
,
Apr 3 2017
This isn't an issue with Chrome - it is either an issue with the software on that Blue Coat device or with the configuration of said device. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by ajha@chromium.org
, Mar 14 2017