08-01-2012 04:08 PM
I'm seeing an issue with the latest version of Chrome that was released earlier today (21.0.1180.60) and SSL-Decryption. On either Mac or Windows platforms, any sites that are in the decryption policy (Google, Gmail, Facebook, etc.) are met with the following error:
Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.
Before updating Chrome, the policies were working without a hitch. Removing the computers from the decryption policy resolves the issue. IE, Firefox and Safari are unaffected.
Any suggestions for troubleshooting this?
08-01-2012 05:13 PM
Windows
08-02-2012 01:51 AM
I have tried this on my lab device and it seems you're right. With the new Chrome 21.xx version we are seeing this error for Gmail, YouTube and other Google sites. Google uses SPDY for these websites so that it can streamline all the HTTPS requests in one TCP connection, and turning off this SPDY feature did fix the issue. However, I was not able to figure out why these settings affect the SSL decryption. Packet captures show some RSTs.
I would ask you to open a case with support, as this is not the expected behavior. You can use the fix suggested by ulli.volk for the time being, and for disabling the SPDY settings on the Mac please do this
Thanks,
Sandeep T
08-02-2012 10:14 AM
In some testing in our lab it seems like the "--use-system-ssl" setting, and not the SPDY-related command, allows the sites to work correctly. A PCAP shows that without the "--use-system-ssl" setting Chrome uses TLS1.1 instead of TLS1.
Could you try to use just the "--use-system-ssl" command line parameter and see if you are able to navigate to the affected sites?
08-02-2012 10:30 AM
FWIW I can confirm that using ONLY "--use-system-ssl" does allow the SSL sites to operate normally.
I had been using the full switch "--use-spdy=off --use-system-ssl" after reading the above posts and just removed the spdy piece now.
08-02-2012 11:19 AM
Interesting.
I can confirm as well that SSL decryption works as expected with the switch "--use-system-ssl"
However, if I start with "--use-system-ssl" only it still seems to stop using SPDY.
No active SPDY sessions are displayed under
chrome://net-internals/#spdy
08-02-2012 11:31 AM
Just a thought - spdy requires NPN, a TLS extension that allows the application layer to determine which protocol should be used over a secure communication.
Where the switch "--use-system-ssl" forces the use of TLS v1, perhaps spdy shuts down because a protocol was forced and not negotiated?
Totally a guess though, I honestly have no idea. 😃
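To check from a capture which of the two conditions discussed in this thread a client presents to the decrypting firewall (the offered TLS version, and whether the NPN extension is offered), the ClientHello can be parsed directly. This is an added example, not part of any poster's reply; `parse_client_hello`, `build_hello` and the sample bytes are constructed for illustration, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

NPN_EXT = 0x3374  # next_protocol_negotiation, the TLS extension SPDY relies on
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one complete TLS record holding a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    frag = record[5:5 + rec_len]
    if ctype != 0x16 or len(frag) != rec_len or len(frag) < 4 or frag[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    body, pos = frag[4:], 0  # skip the 4-byte handshake header

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]

    version = struct.unpack("!H", take(2))[0]  # client_version
    take(32)                                   # random
    take(take(1)[0])                           # session_id
    take(struct.unpack("!H", take(2))[0])      # cipher_suites
    take(take(1)[0])                           # compression_methods
    exts = []
    if pos < len(body):                        # extensions are optional
        block = take(struct.unpack("!H", take(2))[0])
        i = 0
        while i + 4 <= len(block):
            etype, elen = struct.unpack("!HH", block[i:i + 4])
            exts.append(etype)
            i += 4 + elen
    return {"version": VERSIONS.get(version, hex(version)),
            "npn": NPN_EXT in exts, "extensions": exts}

def build_hello(version: int, ext_types: list) -> bytes:
    """Constructed sample: minimal ClientHello with empty-bodied extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_hello(0x0302, [0x0023, NPN_EXT])))  # TLS 1.1, NPN offered
    print(parse_client_hello(build_hello(0x0301, [0x0023])))           # TLS 1.0, no NPN
```

Feeding it the first client-to-server TLS record from a capture taken with and without "--use-system-ssl" shows whether the offered version, the NPN extension, or both differ between the working and failing cases.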
08-06-2012 01:45 AM
Another problem is that PA has not fully implemented the TLS 1.0 protocol, so it's pointless to talk about 1.1 ...
Please PA, finish your dev on the SSL stack! Decryption has been unusable for more than a year over here.
10-29-2012 10:03 AM
Any updates on this? I don't believe we can shut off SPDY within Chrome as a solution.
10-29-2012 12:21 PM
As a side note regarding SPDY, Kaspersky Anti-Virus 2013 uses the following settings:
Settings -> Advanced Settings -> Network
Encrypted connections scan
Scan encrypted connections: enabled
Use HTTP instead of SPDY protocol: enabled
The application does not apply heuristic analysis to data transferred over SPDY.