Starred by 7 users

Issue metadata

Status: WontFix
Closed: Sep 2011
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug


Server or script on server is intolerant to 1/n-1 record splitting.

Reported by, Sep 27 2011

Issue description

Chrome Version       : 15.0.874.24 (Official Build 102155) beta-m
URLs (if applicable) :
Other browsers tested:
Firefox 7  : OK
Opera 11.51: OK
IE 8       : OK

What steps will reproduce the problem?
1. Visit URL above (HTTPS not HTTP)
2. Chrome will tell me it's untrusted, just "proceed anyway"
3. Input username and password, click login.

What is the expected result?
Login succeeds or fails.

What happens instead?
Connection failed, Chrome tells me "no data received".

Please provide any additional information below. Attach a screenshot if
Visiting url via HTTP is normal, only untrusted HTTPS url will cause this problem. All browsers except Chrome can work well too.


Comment 1 by, Sep 27 2011

From chrome://net-internals/#events, I can see something like below:

Start Time: Tue Sep 27 2011 17:21:20 GMT+0800 (China Standard Time)

(P) t=1317115280059 [st=  0] +SOCKET_POOL_CONNECT_JOB             [dt=487]
(P) t=1317115280059 [st=  0]    +SOCKET_POOL_CONNECT_JOB_CONNECT  [dt=487]
                                 --> group_name = "ssl/"
(P) t=1317115280059 [st=  0]       +SOCKET_POOL                   [dt=250]
(P) t=1317115280309 [st=250]           SOCKET_POOL_BOUND_TO_CONNECT_JOB  
                                       --> source_dependency = {"id":535,"type":4}
(P) t=1317115280309 [st=250]           SOCKET_POOL_BOUND_TO_SOCKET  
                                       --> source_dependency = {"id":537,"type":5}
(P) t=1317115280309 [st=250]       -SOCKET_POOL                   
(P) t=1317115280546 [st=487]        CONNECT_JOB_SET_SOCKET        
                                    --> source_dependency = {"id":537,"type":5}
(P) t=1317115280546 [st=487]    -SOCKET_POOL_CONNECT_JOB_CONNECT  
                                 --> net_error = -202 (CERT_AUTHORITY_INVALID)
(P) t=1317115280546 [st=487] -SOCKET_POOL_CONNECT_JOB    

Maybe CERT_AUTHORITY_INVALID causes the problem?

Comment 2 by, Sep 27 2011

Labels: -Area-Undefined Area-Internals Internals-Network-SSL

Comment 3 by, Sep 27 2011

Status: Assigned
Interestingly this is caused by the CBC 1/n-1 record splitting.

Can you say what software is terminating the SSL connection for this server? This is the first instance where I've seen this patch actually break something.

Sadly for you, Firefox and IE will soon be doing the same thing so won't work with your site either.

Comment 4 by, Sep 27 2011

 Issue 98265  has been merged into this issue.

Comment 5 by, Sep 28 2011

Sorry, I don't know what software is running on the server. I am not the owner but a user of this site. It seems to be Apache Web Server?
Firefox and Opera can add a permanent exception for this situation. It's a common situation in the underground service. Buying a certificate is not worth it, so we use a self-signed CA instead.
Can you guys add a permanent exception mechanism like Firefox and Opera?
I am not familiar with IE which is just a fallback solution.

Comment 6 by, Sep 28 2011

Status: WontFix
Summary: Server or script on server is intolerant to 1/n-1 record splitting.
It's not related to the certificate. Most likely it's a bug in the script running on the server which is assuming that the whole HTTP request will be read in a single chunk.

As a workaround for a security issue, Chrome has changed this behaviour. Since the security issue also exists in other browsers, they are likely to do the same in the coming weeks or months; Chrome and Opera are simply early to the party.

I'm afraid the security issue needs to be addressed and so we're not going to revert the change based on this. I'm happy to help the server admin address the problem if you can get them to contact me.
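
The failure mode comment 6 describes, as an added example (not code from the Chromium project or from the affected server): a handler that parses the result of a single read breaks when the request arrives as a 1-byte record followed by the rest, while a loop that accumulates reads until the request is complete does not. `RecordConn`, the function names and the sample request are constructed for illustration, and the example assumes each read returns at most one record's plaintext.

```python
BODY = b"user=alice&pass=demo1"  # constructed sample form data
REQUEST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def split_1_n_1(plaintext):
    """Plaintext of the two records a 1/n-1 splitting client emits for one write."""
    return [plaintext[:1], plaintext[1:]] if len(plaintext) > 1 else [plaintext]

class RecordConn:
    """Hypothetical stand-in for a TLS socket: recv() yields one record per call."""
    def __init__(self, records):
        self._records = list(records)
    def recv(self, bufsize):
        if not self._records:
            return b""  # peer closed
        rec = self._records.pop(0)
        if len(rec) > bufsize:
            self._records.insert(0, rec[bufsize:])
        return rec[:bufsize]

def parse_request(raw):
    """Return (method, path, body), or None while the request is incomplete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not finished yet
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    if len(body) < length:
        return None  # body still arriving
    return parts[0].decode(), parts[1].decode(), body[:length]

def read_request_fragile(conn):
    # The assumption that breaks: one read holds the whole request.
    return parse_request(conn.recv(65536))

def read_request_robust(conn, max_size=65536):
    buf = b""
    while len(buf) < max_size:  # bound memory for a request that never completes
        chunk = conn.recv(4096)
        if not chunk:
            return None  # closed before a full request arrived
        buf += chunk
        request = parse_request(buf)
        if request is not None:
            return request
    return None
```
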

Comment 7 by, Sep 30 2011

 Issue 98647  has been merged into this issue.
Project Member

Comment 8 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 9 by, Mar 10 2013

Labels: -Area-Internals -Internals-Network-SSL Cr-Internals Cr-Internals-Network-SSL
