
Issue 795100

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 1
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug




Cisco firewalls cause ERR_SSL_VERSION_INTERFERENCE when trying to get to Gmail

Reported by bobfe...@gmail.com, Dec 14 2017

Issue description

Chrome Version: 63.0.3239.84
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable): mail.google.com, crbug.com/new
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari:
    Firefox: OK
    IE/Edge:

What steps will reproduce the problem?
1. Browse to mail.google.com

What is the expected result?
Taken to Gmail

What happens instead of that?
ERR_SSL_VERSION_INTERFERENCE error

Please provide any additional information below. Attach a screenshot if
possible.



 

Comment 1 by bobfe...@gmail.com, Dec 14 2017

Per suggested workarounds, I disabled TLS v1.3 (chrome://flags/#tls13-variant) and it’s working again. 

Comment 2 by gov...@chromium.org, Dec 14 2017

Cc: davidben@chromium.org
Components: Internals>Network>SSL
Labels: Needs-Triage-M63 M-63
Labels: Needs-Feedback
This is caused by a buggy non-compliant firewall, proxy, antivirus, or other middleware in your network. Over the course of the next year, TLS 1.3 is going to get deployed by many vendors, so this initial deployment in Chrome is to help find such buggy devices early.

To help us diagnose this, could you please tell us what kind of network this is (home, work, school, etc) and what kind (vendor, name, and version) of such products you know of on your network.

Additionally, could you attach a NetLog per these instructions?
https://dev.chromium.org/for-testers/providing-network-details

Thanks!
 Issue 795126  has been merged into this issue.
Cc: sc00335...@techmahindra.com
 Issue 795154  has been merged into this issue.

Comment 6 by bobfe...@gmail.com, Dec 15 2017

The problem was encountered while on a corporate network. Looks like our firewall, Cisco ASA5525X, does not yet support TLS 1.3.  That being said, should not Chrome have toggled down to use v1.2 if v1.3 was not available?

Comment 7 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "davidben@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Ah, yeah, we've reproduced some issues with Cisco devices. Chrome does indeed continue to support TLS 1.2 just fine. The problem is the devices do not implement *TLS 1.2* correctly, which causes version negotiation for TLS 1.3 to break. This is a protocol compliance bug in the firewall, not Chrome or Gmail. We've reached out to Cisco who need to release a fix for this bug.

As a temporary workaround until then, the SSLVersionMax policy can be used to disable TLS 1.3 to work around these issues:
https://www.chromium.org/administrators/policy-list-3#SSLVersionMax
Summary: Cisco firewalls cause ERR_SSL_VERSION_INTERFERENCE when trying to get to Gmail (was: ERR_SSL_VERSION_INTERFERENCE when trying to get to Gmal)

Comment 10 by bobfe...@gmail.com, Dec 15 2017

In reading about the SSLVersionMax policy at the above link, it appears that the Windows registry changes that are suggested will stop working in February 2018.  Am I reading that correctly?
Oh, whoops! Thanks for catching that! This is actually one year after the first attempted TLS 1.3 deployment, and we'd set the date back then. We forgot to update the text based on the new timeline. :-) It should be the start of 2019, not 2018. I'll go fix that.

(The original deployment ran into all kinds of other compliance bugs in other similar devices that we've worked around for this deployment. Alas, this bug didn't show up in the first round of testing and is particularly egregious, so they'll need to fix it. Vendors have over a year now to ensure their products work with TLS 1.3, but evidently not all vendors did so.)
Labels: Triaged-ET
davidben@ - Gentle Ping...!!
Could you please provide any update on the issue.

Thanks...!!
Status: ExternalDependency (was: Unconfirmed)
Nothing to do here.
Labels: Needs-Feedback
Cisco have since shipped firmware updates for the various bugs in the older versions of their product. If you update to the 6.2.3.4 release, is the issue resolved?
Status: WontFix (was: ExternalDependency)
Closing due to lack of feedback.

Please update your device to the 6.2.3.4 release. If it still occurs, feel free to file a new issue.
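
Added example, not part of the original thread and not Chrome's own detection code: a small Python probe for checking whether a network path still shows the symptom discussed above, where a handshake that offers TLS 1.3 fails but the same handshake capped at TLS 1.2 succeeds. The function names and verdict labels are this example's own assumptions.

```python
import socket
import ssl
import sys

def handshake(host, port=443, max_version=None, timeout=5.0):
    """One TLS handshake; returns the negotiated version, raises OSError on failure."""
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.maximum_version = max_version  # cap what the ClientHello offers
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def probe(host, connect=handshake):
    """Try the same host with TLS 1.3 offered and with the maximum capped at 1.2."""
    attempts = (("tls13_offered", None), ("tls12_capped", ssl.TLSVersion.TLSv1_2))
    results = {}
    for label, cap in attempts:
        try:
            results[label] = ("ok", connect(host, max_version=cap))
        except OSError as exc:  # ssl.SSLError, connection resets and timeouts
            results[label] = ("fail", f"{type(exc).__name__}: {exc}")
    return results

def classify(results):
    """Map the two outcomes to a verdict (labels are this example's own)."""
    offered, capped = results["tls13_offered"], results["tls12_capped"]
    if offered[0] == "ok":
        return "tls13-works" if offered[1] == "TLSv1.3" else "negotiated-tls12"
    if capped[0] == "ok":
        return "version-interference"  # fails only when TLS 1.3 is offered
    return "unreachable-or-other"      # both fail: not a version problem

if __name__ == "__main__":
    if not ssl.HAS_TLSv1_3:
        sys.exit("this Python/OpenSSL build cannot offer TLS 1.3")
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.google.com"
    outcome = probe(target)
    for label, (status, detail) in outcome.items():
        print(f"{label:14} {status:4} {detail}")
    print("verdict:", classify(outcome))
```

The ClientHello that Python's OpenSSL sends is not byte-identical to Chrome's, so treat the verdict as an indication about the network path rather than a reproduction of Chrome's behaviour.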
