Issue 906537

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 19
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


TLS1_2 handshakes not supported in chromium version 41.0.2272.76

Reported by meraj.ji...@gmail.com, Nov 19

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36

Steps to reproduce the problem:
1. Enable minimal TLS_1.2 support in the Chromium client code.
2. Try to access a site that supports only TLS1_2.
3. After a successful connect with the server, no handshaking is done.
4. If I enable both TLS1_1 and TLS1_2 on the server site, then handshaking is done using TLS1_1 and after that the rest of the communication is done using TLS1_2.

What is the expected behavior?
If the server site has only TLS1_2 enabled, then handshaking should also be done using TLS1_2 from the client side. The client code is written using Chromium version 41.0.2272.76.

What went wrong?
After analyzing the Chromium (version 41.0.2272.76) code, I found that for some reason PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256) (in the file src\net\socket\ssl_client_socket_nss.cc) always returns false.

Did this work before? N/A 

Does this work in other browsers? N/A

Chrome version: 41.0.2272.76  Channel: n/a
OS Version: 10.0
Flash Version: 

I also noticed that exports_win.def does not contain any PK11_* methods. I tried adding PK11_* methods to exports_win.def, but still no luck.
 
Components: Internals>Network>SSL
Labels: Needs-Feedback
Chrome 41.0.2272.76 is over 3 years old. Is there a reason why you can't update to a more recent version?

Status: WontFix (was: Unconfirmed)
Please update to a recent version. TLS 1.2 support is always present these days and has been for some time now. Not sure what's going on with 41, but ssl_client_socket_nss.cc does not even exist anymore. Even were there a bug in 41, we have not made changes to that branch for years now, so there's nothing actionable save for you updating.

Hi,

Thanks for your response.

Updating to a new version of Chrome requires a business decision. However, simply forcing a "true" return from PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256) works for me. Now my only concern is: is a forced "true" return from PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256) safe?

No, it's not safe at all to ship a product using code from M41, which has about three years' worth of known security bugs. See https://chromereleases.googleblog.com/ for notes on various bugs fixed in that time frame.
