Issue metadata
Sign in to add a comment
|
Can’t connect to https://invest.ameritrade.com/: ERR_SSL_PROTOCOL_ERROR |
||||||||||||||||||||||
Issue descriptionChrome 61.0.3157.3 canary (e9ee32ca5aa5) on macOS 10.12.5 16F73. When I try to visit https://invest.ameritrade.com/, I see: -- [sad page icon] This site can’t provide a secure connection invest.ameritrade.com sent an invalid response. Try running Network Diagnostics. ERR_SSL_PROTOCOL_ERROR [Reload] -- This is reliably reproducible 100% of the time. The Security tab in Developer Tools has: -- This page is not secure. Valid certificate The connection to this site is using a valid, trusted server certificate issued by unknown name. Secure resources All resources on this page are served securely. -- This unfortunately leaves me wondering what about the site Chrome isn’t happy with. I bisected this down to this range: https://chromium.googlesource.com/chromium/src/+log/32f99d7e474d48ae4b80918e453e80991388a450..3d931394f6ac24c64c200d3f8f98914316a0d195 which contains this BoringSSL roll: https://boringssl.googlesource.com/boringssl/+log/3120950b1e27635ee9b9d167052ce11ce9c96fd4..52586f952ecb624f823eb9ee5ef2eb41e644e7f5
,
Jul 14 2017
I captured a net-export if you’d like to see it, but since you responded so quickly and sound like you’re able to reproduce it too, I’ll chuck it unless you really want it.
,
Jul 14 2017
Yup, reproduced and fix ready. Putting together a test since we apparently never had test coverage here, which is embarrassing. :-(
,
Jul 14 2017
This should fix it: https://boringssl-review.googlesource.com/c/17904
,
Jul 14 2017
The following revision refers to this bug: https://boringssl.googlesource.com/boringssl/+/b853f315dd5b3682bf9d90b2efd007c0c559e142 commit b853f315dd5b3682bf9d90b2efd007c0c559e142 Author: David Benjamin <davidben@google.com> Date: Fri Jul 14 23:17:40 2017 Fix handling of ServerHellos with omitted extensions. Due to SSL 3.0 legacy, TLS 1.0 through 1.2 allow ClientHello and ServerHello messages to omit the extensions field altogether, rather than write an empty field. We broke this in https://boringssl-review.googlesource.com/c/17704/ when we needed to a second ServerHello parsing path. Fix this and add some regression tests to explicitly test both the omitted and empty extensions ClientHello and ServerHello cases. Bug: chromium:743218 Change-Id: I8297ba608570238e19f12ea44a9fe2fe9d881d28 Reviewed-on: https://boringssl-review.googlesource.com/17904 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> [modify] https://crrev.com/b853f315dd5b3682bf9d90b2efd007c0c559e142/ssl/handshake_client.cc [modify] https://crrev.com/b853f315dd5b3682bf9d90b2efd007c0c559e142/ssl/test/runner/handshake_client.go [modify] https://crrev.com/b853f315dd5b3682bf9d90b2efd007c0c559e142/ssl/test/runner/handshake_messages.go [modify] https://crrev.com/b853f315dd5b3682bf9d90b2efd007c0c559e142/ssl/test/runner/runner.go [modify] https://crrev.com/b853f315dd5b3682bf9d90b2efd007c0c559e142/ssl/test/runner/common.go [modify] https://crrev.com/b853f315dd5b3682bf9d90b2efd007c0c559e142/ssl/test/runner/handshake_server.go
,
Jul 15 2017
CQ willing, https://chromium-review.googlesource.com/c/572621/ should pull the change into Chromium.
,
Jul 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4686061bdb21e7a828c297a818c87708121a798d commit 4686061bdb21e7a828c297a818c87708121a798d Author: David Benjamin <davidben@chromium.org> Date: Sat Jul 15 02:38:32 2017 Roll src/third_party/boringssl/src 52586f952..14308731e https://boringssl.googlesource.com/boringssl/+log/52586f952ecb624f823eb9ee5ef2eb41e644e7f5..14308731e5446a73ac2258688a9688b524483cb6 This picks up, among other things, the fix to some ServerHello parsing. Bug: 743218 Change-Id: I45316af58f675f59ae141f9f1379690010bf04c7 Reviewed-on: https://chromium-review.googlesource.com/572621 Reviewed-by: Adam Langley <agl@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#486971} [modify] https://crrev.com/4686061bdb21e7a828c297a818c87708121a798d/DEPS [modify] https://crrev.com/4686061bdb21e7a828c297a818c87708121a798d/third_party/boringssl/BUILD.generated.gni [modify] https://crrev.com/4686061bdb21e7a828c297a818c87708121a798d/third_party/boringssl/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S [modify] https://crrev.com/4686061bdb21e7a828c297a818c87708121a798d/third_party/boringssl/mac-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S
,
Jul 15 2017
Awesome. Thanks, David!
,
Jul 15 2017
,
Jul 18 2017
Verified this issue on Windows 10, Ubuntu 14.04 and Mac 10.12.5 with chrome #61.0.3159.5, able to connect to https://invest.ameritrade.com/, without observing any SSL errors.Hence adding TE-Verified labels. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by davidben@chromium.org
, Jul 14 2017