topic Re: Google Chrome Update in General Topics

Google Chrome Update

bbermingham — Wed, 01 Aug 2012 23:08:51 GMT

I'm seeing an issue with the latest version of Chrome that was released earlier today (21.0.1180.60) and SSL-Decryption. On either Mac or Windows platforms, any sites that are in the decryption policy (google, gmail, facebook, etc) are met with the following error:

Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.

Before updating Chrome, the policies were working without a hitch. Removing the computers from the decryption policy resolves the issue. IE, Firefox and Safari are unaffected.

Any suggestions for troubleshooting this?

Re: Google Chrome Update

panwmod — Thu, 02 Aug 2012 00:13:50 GMT

This behavior seems to be related in changes of SPDY in Chrome 21. Turning off SPDY in Chrome with the following workaround helped in our environment:

Windows

Right click on the short-cut you’re using to start Chrome
Select Properties
Modify Target from
- ...\chrome.exe"into
- ...\chrome.exe" --use-spdy=off --use-system-ssl (note: the command line arguments have to go after the quotation marks)
Click Apply
Close all Chrome windows
Restart Chrome

Re: Google Chrome Update

sdurga — Thu, 02 Aug 2012 08:51:14 GMT

I have tried this on my lab device and it seems your right. with new chrome 21.xx version we are seeing this error for gmail, you tube and other google sites. and google uses spdy for theese websites so that it can streamline all the https requests in one tcp connection and turning off this spdy feature did fix the issue. However I was not able to figure out why these settings effect the ssl decryption. Packet captures show some RST's.

- I would ask you to open a case with support as this is not the expected behavior. You can use the fix suggested by ulli.volk for time being and for disabling the SPDY settings on the MAC please do this

Open the terminal (In your Applications -> Utilities folder)
Type into terminal to change to Chrome’s Directory using:cd /Applications/Google\ Chrome.app/Contents/MacOS
Rename Google Chrome to Chrome in the terminal:mv Google\ Chrome Chrome
Copy the following 3 lines for the contents of our execution script:#!/bin/sh # This will execute your Google Chrome with SPDY disabled, and set it to use your System SSL /Applications/Google\ Chrome.app/Contents/MacOS/Chrome --use-spdy=off --use-system-ssl
Type the following into the Terminal to make a file from what you just copied:pbpaste > Google\ Chrome
Type the following into the terminal to it so our new Google Chrome can run:chmod +x Google\ Chrome
Close Google Chrome using the Apple menu, or Command-Q:
Restart Google Chrome

Thanks,

Sandeep T

Re: Google Chrome Update

kfindlen — Thu, 02 Aug 2012 17:14:18 GMT

In some testing in our lab it seems like the "--use-system-ssl" setting, and not the SPDY related command allows the sites to work correctly. In a PCAP it shows that without the "--use-system-ssl" setting Chrome uses TLS1.1 instead of TLS1.

Could you try to use just the "--use-system-ssl" command line parameter and see if you are able to navigate to the affected sites?

Re: Google Chrome Update

rmgnetwork — Thu, 02 Aug 2012 17:30:51 GMT

FWIW I can confirm that using ONLY "--use-system-ssl" does allow the SSL sites to operate normally.

I had been using the full switch "--use-spdy=off --use-system-ssl" after reading the above posts and just removed the spdy piece now.

Re: Google Chrome Update

panwmod — Thu, 02 Aug 2012 18:19:14 GMT

Interesting.

I can confirm as well that SSL decryption works as expected with the switch "--use-system-ssl"

However, if I start with "--use-system-ssl" only it still seems to stop using SPDY.

No active SPDY sessions are displayed under

chrome://net-internals/#spdy

Re: Google Chrome Update

rmgnetwork — Thu, 02 Aug 2012 18:31:18 GMT

Just a thought - spdy requires NPN, a TLS extension that allows the application layer to determine which protocol should be used over a secure communication.

Where the switch "--use-system-ssl" forces the use of TLS v1, perhaps spdy shuts down because a protocol was forced and not negotiated?

Totally a guess though, I honestly have no idea. 😃

Re: Google Chrome Update

essnet — Mon, 06 Aug 2012 08:45:18 GMT

Another problem is that PA has not implemented fully TLS 1.0 protocol, so it's pointless to talk about 1.1 ...

Please PA, finish your dev on SSL stack ! Decryption has been unsuable for more than a year over here.

Re: Google Chrome Update

nmcfeters — Mon, 29 Oct 2012 17:03:35 GMT

Any updates on this? I don't believe we can shut off SPDY within Chrome as a solution

Re: Google Chrome Update

mikand — Mon, 29 Oct 2012 19:21:41 GMT

As a sidenote regarding SPDY Kaspersky Anti-Virus 2013 use the following settings:

Settings -> Advanced Settings -> Network

Encrypted connections scan

Scan encrypted connections: enabled

Use HTTP instead of SPDY protocol: enabled

The application does not apply heuristic analysis to data transferred over SPDY.