On SSL renegotiation Chrome does multiple requests on the resource
Reported by
medic12...@googlemail.com,
Apr 5 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.41 Safari/537.36

Steps to reproduce the problem:
1. Within handling of a POST request, do an SSL renegotiation to get the client certificate.
2. Check the access log: you will see up to 5 requests on this URL even though this was just 1 connection issuing the request.

What is the expected behavior?
Do not have all connections requesting that URL.

What went wrong?
Probably Chrome does try to "pre-authenticate" the entire connection pool to this server.

Did this work before? N/A

Chrome version: 58.0.3029.41 Channel: beta
OS Version: Arch Linux
Flash Version: Shockwave Flash 29.0 r0

Even setting keep-alive off does not work, as Chrome pre-establishes 6 connections.
,
Apr 10 2018
This looks like an issue related to SSL, hence adding the respective label and component for it to triage further.
,
Apr 10 2018
Chrome 58 is quite old, so first off, please first update to the latest version and see if it still reproduces. Next, please attach a NetLog per these instructions: https://dev.chromium.org/for-testers/providing-network-details

5 requests is a bit more than I would have expected, but we do indeed make one extra request on renegotiation. Renegotiation is an extremely dangerous and problematic TLS feature, so we intentionally err towards simplicity when supporting it for compatibility with legacy systems. This handles the case when the user takes a long time to pick a certificate and avoids subtle issues that come up when a socket's authentication state changes.
,
May 4 2018
I was about to open this same ticket as we are experiencing the same issue on Windows 10 with Chrome version 66.0.3359.139 (net-export log attached). According to my network logs, the client-authentication endpoint (/cssl) was called 6 times in total with the last one being successful. Our JavaScript code only made a single invocation of the URL.
,
May 4 2018
Oh. Right, of course it's 5-6 requests. We have to drain the socket pools to get to a new one. This is another instance of the various SSL state and socket pool mismatch problems.
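An added example, not part of the original thread or of Chromium's code: a Python script that scans an access log for the pattern reported above, several requests for the same URL from one client in quick succession with only the last one successful. The log lines, the 403 status of the repeated requests and the 10-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in common log format; addresses, times and the 403
# status of the repeated requests are assumptions, not data from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2018:10:15:01 +0000] "POST /cssl HTTP/1.1" 403 199
203.0.113.7 - - [04/May/2018:10:15:01 +0000] "POST /cssl HTTP/1.1" 403 199
203.0.113.7 - - [04/May/2018:10:15:01 +0000] "POST /cssl HTTP/1.1" 403 199
203.0.113.7 - - [04/May/2018:10:15:02 +0000] "POST /cssl HTTP/1.1" 403 199
203.0.113.7 - - [04/May/2018:10:15:02 +0000] "POST /cssl HTTP/1.1" 403 199
203.0.113.7 - - [04/May/2018:10:15:03 +0000] "POST /cssl HTTP/1.1" 200 842
198.51.100.9 - - [04/May/2018:10:16:40 +0000] "POST /cssl HTTP/1.1" 200 842
this line is malformed and is skipped
"""
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_bursts(lines, window=timedelta(seconds=10), min_requests=2):
    """Report runs of same-client, same-method, same-path requests whose
    neighbours are at most `window` apart (widen it for slow certificate picks)."""
    by_key = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip malformed lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_key[(m["ip"], m["method"], m["path"])].append((ts, int(m["status"])))
    bursts = []
    for (ip, method, path), hits in by_key.items():
        hits.sort(key=lambda h: h[0])        # stable: keeps log order on ties
        run = []
        for hit in hits + [None]:            # None flushes the final run
            if hit and run and hit[0] - run[-1][0] <= window:
                run.append(hit)
                continue
            if len(run) >= min_requests:
                codes = [s for _, s in run]
                bursts.append({"client": ip, "method": method, "path": path,
                               "count": len(run), "statuses": codes,
                               "only_last_ok": codes[-1] < 400
                               and all(c >= 400 for c in codes[:-1])})
            run = [hit] if hit else []
    return bursts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG.splitlines()))
```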
,
May 4 2018
So, is this something that can be fixed? Although, generally speaking, this is invisible ... We have one location where this behavior results in the certificate prompt happening multiple times. (I can open a separate ticket for that if needed.)
,
May 4 2018
No need for the separate ticket. It's the same issue. It's fixable, but we're currently working on other things at the moment. In general, renegotiation is an extremely broken and insecure TLS feature, so I would not recommend using it in your deployment. It's been removed completely in TLS 1.3.
,
May 4 2018
Will Chrome be adding support for the post_handshake_auth extension of TLS 1.3?
,
May 4 2018
We do not currently have any plans on adding it, no.
,
May 21 2018
[Removing needs feedback label]
Comment 1 by viswa.karala@chromium.org
, Apr 5 2018