I can’t get to gmail.com, I get an "ERR_SSL_VERSION_INTERFERENCE” error in Chrome.
Reported by
r...@winter.net.nz,
Aug 23 2017
|
|||||
Issue description
Chrome Version : 61.0.3163.49
OS Version: OS X 10.12.6
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5: OK
Firefox 54.0.1 (64 bit): OK
IE 7/8/9: N/A (on macOS)
What steps will reproduce the problem?
1. Visit gmail.com in Chrome
2. Get error in browser
3. Disable TLS1.3 in Chrome flags means I can now access gmail.com
What is the expected result?
Gmail.com loads
What happens instead of that?
ERR_SSL_VERSION_INTERFERENCE
Please provide any additional information below. Attach a screenshot if
possible.
UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.49 Safari/537.36
,
Aug 23 2017
Before you do that, could you also attach a NetLog per these instructions? Thanks! https://dev.chromium.org/for-testers/providing-network-details
,
Aug 23 2017
Okay, that's fascinating! You are already on the more compatible variant. Hrm. What kind of network is this (home? work?). Do you have any antivirus, firewall, proxy, or other networking middleware products configured? If so, do you know which they are?
,
Aug 24 2017
It's a work network, here's a description of the environment from one of our network engineers: Managed network, local subnets through a 4510+E core switch, access out through a cisco PIX then onsite bluecoat for browsing. Upstream is a second bluecoat virtualised appliance as part of our ISP/security provider's clean pipe environment. Does that help?
,
Aug 24 2017
That's good to know. Its possible that updating your Bluecoat boxes to the latest version will fix the issue (SSLV 4.0 or newer), but otherwise can you try the various 'Enabled' options in the chrome://flags#tls13-variant setting and see which of them fix your issues? We're trying to find a mitigation on our end to work around middlebox issues we've seen in other intermediary appliances.
,
Aug 24 2017
Only Enabled Draft gave me both Inbox and Gmail access so I'll leave it set there for now. Thanks for your help.
,
Aug 24 2017
That's good to know, thanks. If you can find out the version of Bluecoat, that would be useful to know so we can see about finding a way to reproduce this. Otherwise leaving it at Enabled Draft should be fine for now.
,
Aug 24 2017
,
Aug 29 2017
Hi there, we're on Bluecoat V6.6.4.2
,
Aug 29 2017
,
Sep 5 2017
ryan: we've set up some test servers which will hopefully narrow down the cause a little better. Could you do the following? 1. Set TLS 1.3 to "Experiment" and restart Chrome. 2. Go to chrome://net-export and start logging. 3. Load https://tls.ctf.network:9443/. This should fail to load, but the way in which it does will be helpful to us. 4. Load https://tls.ctf.network:7443/ and wait for it to finish its test. Copy what it shows to this bug. 5. Stop logging in chrome://net-export and attach the log. Thanks!
,
Sep 6 2017
Hi there, log attached. The URL in step 4 didn't load, this was the message: tls.ctf.network took too long to respond. If this isn't expected, I assume we don't have port 7443 open on our firewall. I could request it's opened for my static IP, let me know if that'd be helpful to try.
,
Sep 6 2017
Ugh, I guess that's what we get for hosting those on funny ports. :-/ I think both tests are just hitting your firewall, yeah. If you could get 7443, 8443, and 9443 open and try again, that'd be really helpful. Otherwise, I'll see about spinning those up somewhere else instead.
,
Sep 7 2017
Here's a set of steps that should work better with firewalls blocking unusual ports: 1. Set TLS 1.3 to "Experiment" and restart Chrome. 2. Go to chrome://net-export and start logging. 3. Load https://experiment1.ctf.network/. This should fail to load, but the way in which it does will be helpful to us. 4. Load https://experiment2.ctf.network/ and wait for it to finish its test. Copy what it shows to this bug. 5. Stop logging in chrome://net-export and attach the log.
,
Sep 10 2017
Thanks for spinning up without funky ports, makes things easier on this side! Here's the results: Running experiment... Fetching iteration 1 Result: 404 Fetching iteration 2 Result: Error: request failed Fetching iteration 3 Result: Error: request failed Fetching iteration 4 Result: 404 Fetching iteration 5 Result: Error: request failed Fetching iteration 6 Result: Error: request failed Fetching iteration 7 Result: Error: request failed Fetching iteration 8 Result: 404 Fetching iteration 9 Result: 404 Fetching iteration 10 Result: 404 Fetching iteration 11 Result: 404 Fetching iteration 12 Result: 404 Fetching iteration 13 Result: 404 Fetching iteration 14 Result: 404 Fetching iteration 15 Result: Error: request failed Fetching iteration 16 Result: Error: request failed Fetching iteration 17 Result: 404 Fetching iteration 18 Result: 404 Fetching iteration 19 Result: Error: request failed Fetching iteration 20 Result: 404 FAILED
,
Sep 13 2017
Thanks! Alas, that told us both our theories were wrong. Good news is we've since managed to reproduce the issue and we think we know what the problem was. Hopefully in a few weeks, we'll have Experiment2 and Experiment3 variants on canary (no relation to the hostnames of those test servers) that will work in your deployment and not break the folks who had troubles with Draft.
,
Sep 13 2017
Glad it was useful! I'm happy to run the tests again in Canary once they're ready.
,
Sep 14 2017
If you can grab the latest Chrome Canary (63.0.3215.0 or later) and can do the following steps, that would be incredibly helpful: 1) Set to TLS 1.3 to "Enabled (Experiment 2)" and restart Chrome. 2) Go to chrome://net-export and start logging. 3) Visit https://tls.ctf.network/version.php (It should succeed if we have the right fix). 4) Stop logging in chrome://net-export and attach the log. 5) Repeat the above steps for "Enabled (Experiment 3)".
,
Sep 14 2017
Currently Mac only allows side-by-side installation of Canary with a different version of Chrome, I think work is being done to allow side-by-side installation of all the branches (Dev/Beta/Canary/Stable), though that still hasn't finished. Cool, thanks, since Experiment 2 and 3 seem to be working for users with issues with other TLS 1.3 variants, we'll probably start a field trial as part of the next Chrome release to use that variant of TLS 1.3 to work around middlebox issues. Leaving TLS 1.3 set to Disabled or Draft should probably work for you until we cut a release with the new variants.
,
Sep 14 2017
Ah I see, I use Beta but would be nice to also have Stable to troubleshoot customer issues. Thanks, will you update this thread when the new release is launched so I know to change the setting back to default? That's be most appreciated if possible.
,
Sep 15 2017
Yeah, I'll make sure to ping this bug once we've launched the experiment onto Beta.
,
Oct 30 2017
The new experiment is now on Beta.
,
Oct 30 2017
Thanks - unfortunately our IT team upgraded Bluecoat to TLS1.3 and I can't connect to certain HTTPS URLs on Chrome or Firefox again. Gmail.com works, but apple.com doesn't for example. IE and Edge connect fine however.
,
Oct 30 2017
apple.com does not deploy TLS 1.3, so that sounds unrelated. Are you also getting ERR_SSL_VERSION_INTEREFERENCE there? If it's also breaking Firefox, I would suggest you file a ticket with Blue Coat. Their product can be, alas, a little finicky.
,
Nov 1 2017
We've gotten some reports of a Blue Coat bug with connections from Chrome and Firefox to Akamai-hosted servers, which is probably what you're hitting there? Reportedly, the workaround is to disable protocol_detection for the affected domains, they have a fix ready, but not yet released. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by svaldez@chromium.org
, Aug 23 2017Components: Internals>Network>SSL
Owner: svaldez@chromium.org
Status: Untriaged (was: Unconfirmed)