ERR_SSL_VERSION_INTERFERENCE
Reported by
danie.el...@gmail.com,
Dec 14 2017
|
||||||||||||||
Issue description
Chrome Version : 63.0.3239.84
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari: N/A
Firefox: OK
IE/Edge: OK
What steps will reproduce the problem?
1.Go to the specific URL https://collectpay.princetonecom.com/
2.
3.
What is the expected result?
Webpage should load and present login screen.
What happens instead of that?
Error "This site can't be reached" ERR_SSL_VERSION_INTERFERENCE
Please provide any additional information below. Attach a screenshot if
possible.
UserAgentString: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
,
Dec 14 2017
I'm not able to reproduce this on my machine. This could be a buggy product in the network. What kind of network is this? (Home? Work? School?) Are you behind some kind of firewall, proxy, or antivirus? If so, do you know the product and version? Also, could you attach a NetLog per these instructions below? Thanks! https://dev.chromium.org/for-testers/providing-network-details
,
Dec 14 2017
This is a work environment with a Watchguard M200 performing "observe only" proxy filtering. The workstations have AVG business and for the results attached, this was after clearing the cache on the browser and disabled AVG on the workstation. That reproduced on 3 other machines.
,
Dec 14 2017
Thank you for providing more feedback. Adding requester "davidben@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 15 2017
Are you consistently experiencing this behavior? Are you able to successfully visit: https://mail.google.com/ https://tls.ctf.network/version.php Testing locally, it appears that sometimes trying to access that site causes issues locally as well, so it might be an issue with the site.
,
Dec 15 2017
It's consistently for this site. No other ones that I know of. https://tls.ctf.network/version.php returns TLSv1.2 mail.google.com loads without issue.
,
Dec 15 2017
Do you mind getting a NetLog for when you visit both https://tls.ctf.network/version.php and the collectpay site?
,
Dec 15 2017
Thanks! I wasn't able to reproduce this with AVG alone. I did also see that AVG doesn't try to intercept that connection, unlike others, so maybe it has that site whitelisted as a banking device or sorts. We have a Watchguard device to test with, but it was fine in our tests. Do you know what version of the firmware you are running?
,
Dec 15 2017
12.0.1. using an m200. Firewall logs show the connectors being allowed outbound. The no block proxy is showing it being flagged as a financial/banking site, so that might be why AVG is not blocking it like you said. I'll have to see if I can turn on some sort of verbose logging in chrome to get more details about the connection.
,
Dec 15 2017
Thank you for providing more feedback. Adding requester "davidben@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 17 2017
,
Dec 18 2017
I checked for updates this morning and chrome updated to sub build .108. I relaunched chrome and and then closed all open tabs except for https://collectpay.princetonecom.com. refreshing the page showed a 404 error. I then entered the full url https://collectpay.princetonecom.com/otp/loadFullHostLogin.do?id=571155 and the page loaded ok. Attached are the bucksaw logs that I was pulling at the time that this occurred. I have since refreshed the page, and the "ERR_SSL_VERSION_INTERFERENCE" error has returned.
,
Dec 19 2017
I got the same error going to https://h10145.www1.hpe.com/downloads/ProductsList.aspx?lang=&cc=&prodSeriesId= from my mobile phone while on wifi at work. The chrome on my desktop gave the same error, but when I refreshed the page, the website loaded correctly. See the mobile phone log attached.
,
Dec 19 2017
Can you try visiting: https://mail.google.com/ https://tls.ctf.network/version.php From your mobile phone? If it fails, can you attach the net internals log from those connections?
,
Dec 19 2017
Both loaded ok. The tls version was 1.3 on the mobile device when visiting the second URL you sent. Interesting how the mobile will do 1.3 but the desktop browser only does 1.2. Internal logs attached even though I didn't have any issue with the URLs.
,
Dec 19 2017
Thanks!
Hrm, interesting. So somehow the issue is related to turning on TLS 1.3, but it breaks not on those servers that enable TLS 1.3, but on random other ones. And we know it's definitely not related to AVG as I assume you don't have that on your phone.
We weren't able to reproduce the issue upgrading our Watchguard box to 12.0.1, so something else is different. Do you know more specifically how the Watchguard box is configured? It's got a lot of settings. Is "Enable Content Inspection" on? (I'm guessing no as those connections speak TLS 1.3. Or is it set up to only terminate those ) What about "Allow only SSL compliant traffic"?
Actually, I think it might have a configuration export button. Would you be willing to provide an export of the configuration? I'm not sure what it will include. Hopefully nothing sensitive, but you may wish to look it over before sending it. (Feel free to email it privately if you prefer.)
One thing of note is that both failing servers have fairly similar cipher suite profiles,
{ECDHE_RSA,RSA}_WITH_AES_{128,256}_CBC_SHA{,256} with one of them also including 3DES. Getting a handshake_failure alert usually suggests that we couldn't negotiate a cipher suite in common. (But we do have cipher suites in common with those servers. Though the servers end up picking rather poor ones...)
,
Dec 19 2017
PS: The experiment is actually ending soon for the holidays, so it will get turned off for you soon. Though you can turn it back on by going to about:flags and configuring TLS 1.3 to "Enabled (Experiment2)".
,
Dec 19 2017
Also, is it possible there's something else on the network other than the Watchguard device?
,
Dec 20 2017
We do not have anything else on the network other then layer 2 & 3 switches. I'll PM you screenshots of the current proxy filter we have enabled. Inspection is off as far as I can tell. I do not have any AV on my phone. SSL Compliance is not enforced.
,
Dec 20 2017
Thank you for providing more feedback. Adding requester "davidben@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 20 2017
I suspect that's because as per #19, we've turned off the feature for the holidays. You can explicitly enable it to see if you can reproduce the issue by going to chrome://flags#tls13-variant and setting it to "Enabled (Experiment 2)".
,
Dec 20 2017
Ok. I didn't expect it to go into effect that quickly.
,
Jan 3 2018
danie.ellenwood@ - As per comment #25, can the issue be closed now. Thanks...!!
,
Jan 3 2018
You can close it out if you want, but the issue isn't resolved. The reason for comment 25 was because TLS1.3 was disabled globally which I was unaware of at the time. When I manually re-enabled it again, the issue persisted. You can circle up with David to discuss if you want. Thanks
,
Jan 3 2018
Thank you for providing more feedback. Adding requester "krajshree@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 5 2018
davidben@ - Could you please respond to comment #28. Thanks...!!
,
Jan 5 2018
davidben@ - Could you please respond to comment #28. Thanks...!!
,
Jan 18 2018
Adding TE-NeedsTriageHelp and requesting someone from Internals>Network>SSL team to help us in triaging the issue further. Thanks...!!
,
Jan 23 2018
For M65 we'll be running a slightly different version of TLS 1.3, which might potentially resolve these issues, leaving this as assigned and we can re-check if you're still having issues once that version gets deployed.
,
Oct 18
The new version of TLS 1.3 has now been running for a while and includes workarounds for the various non-compliant middleboxes we're aware of. Are you still having issues with TLS 1.3?
,
Oct 18
The company that I worked for that was having the issue declared bankruptcy and has subsequently closed. So I cannot test at this time. You can close this ticket if needed. Thanks.
,
Oct 18
|
||||||||||||||
►
Sign in to add a comment |
||||||||||||||
Comment 1 by pauljensen@chromium.org
, Dec 14 2017Components: Internals>Network>SSL