New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 758344 link

Starred by 1 user
Status: Verified
Owner:
svaldez@chromium.org
Last visit > 30 days ago
Closed: Aug 2017
Cc:
davidben@chromium.org
rch@chromium.org
pbomm...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



Sign in to add a comment

ERR_SSL_VERSION_INTERFERENCE when VPN using FortiClient

Reported by systemid...@gmail.com, Aug 23 2017 
Chrome Version       : 61.0.3163.59
OS Version: 10.0
URLs (if applicable) : https://mail.google.com/
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5:
  Firefox 4.x:
     IE 7/8/9:

What steps will reproduce the problem?
1. VPN to my work.
2. Go to https://mail.google.com/
3.

What is the expected result?
See my GMail

What happens instead of that?
Message:
This site can’t be reached

mail.google.com is currently unreachable.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_SSL_VERSION_INTERFERENCE

Please provide any additional information below. Attach a screenshot if
possible.
I am using FortiClient 5.4.2.0860 to VPN to work.  Only happens when VPN'd.  Read that this could be due to a new TLS 1.3 implementation.

UserAgentString: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.59 Safari/537.36

Comment 1 by systemid...@gmail.com, Aug 23 2017 

Disabled chrome://flags/#tls13-variant and is working over VPN.

Comment 2 by pbomm...@chromium.org, Aug 23 2017

Cc: pbomm...@chromium.org rch@chromium.org
Components: Internals>Network
Labels: Needs-Triage-M61
 systemidleprocess@ can you please provide "Chrome://net-internals" trace, Please follow the instructions from here : https://dev.chromium.org/for-testers/providing-network-details

Comment 3 by systemid...@gmail.com, Aug 23 2017 

Trace attached
chrome-net-export-log.json
810 KB View Download

Comment 4 by pbomm...@chromium.org, Aug 23 2017

Labels: M-61

Comment 5 by rch@chromium.org, Aug 23 2017

Components: -Internals>Network Internals>Network>SSL
Summary: ERR_SSL_VERSION_INTERFERENCE when VPN using FortiClient (was: ERR_SSL_VERSION_INTERFACE when VPN using FortiClient)

Comment 6 by svaldez@chromium.org, Aug 23 2017

Cc: davidben@chromium.org
Owner: svaldez@chromium.org
Status: Untriaged (was: Unconfirmed)
Can you set chrome://flags/#tls13-variant to "Enabled (Experiment)" and see whether your VPN still functions, that should work around the issues with the Fortinet software, while still allowing more secure forms of TLS to be negotiated.

Comment 7 by davidben@chromium.org, Aug 23 2017 

svaldez: The attached net-internals log is using TLS13Variant:NoSessionIDExperiment, which is interesting. This suggests that Fortinet can't handle that one.

Comment 8 by davidben@chromium.org, Aug 23 2017

Labels: Needs-Feedback

Comment 9 by systemid...@gmail.com, Aug 26 2017 

TLS1.3 Enabled (Experiment) works over Forticlient VPN.

Comment 10 by svaldez@chromium.org, Aug 28 2017

Status: Assigned (was: Untriaged)
That's good to know, thank you.

We're doing experiments to figure out which variant is most compatible with broken middleboxes/VPNs/firewalls, so additional data that Experiment is working it is useful. If you have a chance, can you test whether the other ones (RecordType and Draft) work, but otherwise you can leave it on "Enabled (Experiment)" and I'll close out the bug in a couple days.

Comment 11 by systemid...@gmail.com, Aug 28 2017 

Results:
Enabled (Draft)				Didn't Work
Enabled (Record Type Experiment)	Worked
Enabled (No Session ID Experimetn)	Didn't Work

Comment 12 by svaldez@chromium.org, Aug 29 2017

Labels: -Needs-Feedback
Status: Verified (was: Assigned)
Thanks for the additional results.

Leaving it at Enabled (Experiment) should work.

Sign in to add a comment