New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 758344 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



Sign in to add a comment

ERR_SSL_VERSION_INTERFERENCE when VPN using FortiClient

Reported by systemid...@gmail.com, Aug 23 2017

Issue description

Chrome Version       : 61.0.3163.59
OS Version: 10.0
URLs (if applicable) : https://mail.google.com/
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5:
  Firefox 4.x:
     IE 7/8/9:

What steps will reproduce the problem?
1. VPN to my work.
2. Go to https://mail.google.com/
3.

What is the expected result?
See my GMail

What happens instead of that?
Message:
This site can’t be reached

mail.google.com is currently unreachable.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_SSL_VERSION_INTERFERENCE

Please provide any additional information below. Attach a screenshot if
possible.
I am using FortiClient 5.4.2.0860 to VPN to work.  Only happens when VPN'd.  Read that this could be due to a new TLS 1.3 implementation.

UserAgentString: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.59 Safari/537.36



 
Disabled chrome://flags/#tls13-variant and is working over VPN.
Cc: pbomm...@chromium.org rch@chromium.org
Components: Internals>Network
Labels: Needs-Triage-M61
 systemidleprocess@ can you please provide "Chrome://net-internals" trace, Please follow the instructions from here : https://dev.chromium.org/for-testers/providing-network-details
Trace attached
chrome-net-export-log.json
810 KB View Download
Labels: M-61

Comment 5 by rch@chromium.org, Aug 23 2017

Components: -Internals>Network Internals>Network>SSL
Summary: ERR_SSL_VERSION_INTERFERENCE when VPN using FortiClient (was: ERR_SSL_VERSION_INTERFACE when VPN using FortiClient)
Cc: davidben@chromium.org
Owner: svaldez@chromium.org
Status: Untriaged (was: Unconfirmed)
Can you set chrome://flags/#tls13-variant to "Enabled (Experiment)" and see whether your VPN still functions, that should work around the issues with the Fortinet software, while still allowing more secure forms of TLS to be negotiated.
svaldez: The attached net-internals log is using TLS13Variant:NoSessionIDExperiment, which is interesting. This suggests that Fortinet can't handle that one.
Labels: Needs-Feedback
TLS1.3 Enabled (Experiment) works over Forticlient VPN.
Status: Assigned (was: Untriaged)
That's good to know, thank you.

We're doing experiments to figure out which variant is most compatible with broken middleboxes/VPNs/firewalls, so additional data that Experiment is working it is useful. If you have a chance, can you test whether the other ones (RecordType and Draft) work, but otherwise you can leave it on "Enabled (Experiment)" and I'll close out the bug in a couple days.
Results:
Enabled (Draft)				Didn't Work
Enabled (Record Type Experiment)	Worked
Enabled (No Session ID Experimetn)	Didn't Work
Labels: -Needs-Feedback
Status: Verified (was: Assigned)
Thanks for the additional results.

Leaving it at Enabled (Experiment) should work.

Sign in to add a comment