Google Chrome Update

Reply
L1 Bithead

Google Chrome Update

I'm seeing an issue with the latest version of Chrome that was released earlier today (21.0.1180.60) and SSL-Decryption. On either Mac or Windows platforms, any sites that are in the decryption policy (google, gmail, facebook, etc) are met with the following error:


Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.

Before updating Chrome, the policies were working without a hitch. Removing the computers from the decryption policy resolves the issue. IE, Firefox and Safari are unaffected.

Any suggestions for troubleshooting this?


Accepted Solutions
L4 Transporter

In some testing in our lab it seems like the "--use-system-ssl" setting, and not the SPDY related command allows the sites to work correctly.  In a PCAP it shows that without the "--use-system-ssl" setting Chrome uses TLS1.1 instead of TLS1. 

Could you try to use just the "--use-system-ssl" command line parameter and see if you are able to navigate to the affected sites?

View solution in original post


All Replies
Not applicable

This behavior seems to be related in changes of SPDY in Chrome 21. Turning off SPDY in Chrome with the following workaround helped in our environment:

Windows

  • Right click on the short-cut you’re using to start Chrome
  • Select Properties
  • Modify Target from
    • ...\chrome.exe"into
    • ...\chrome.exe" --use-spdy=off --use-system-ssl (note: the command line arguments have to go after the quotation marks)
  • Click Apply
  • Close all Chrome windows
  • Restart Chrome
L6 Presenter

I have tried this on my lab device and it seems your right. with new chrome 21.xx version we are seeing this error for gmail, you tube and other google sites. and google uses spdy for theese websites so that it can streamline all the https requests in one tcp connection and turning off this spdy feature did fix the issue. However I was not able to figure out why these settings effect the ssl decryption. Packet captures show some RST's.


- I would ask you to open a case with support as this is not the expected behavior. You can use the fix suggested by ulli.volk for time being and for disabling the SPDY settings on the MAC please do this

  • Open the terminal (In your Applications -> Utilities folder)
  • Type into terminal to change to Chrome’s Directory using:cd /Applications/Google\ Chrome.app/Contents/MacOS
  • Rename Google Chrome to Chrome in the terminal:mv Google\ Chrome Chrome
  • Copy the following 3 lines for the contents of our execution script:#!/bin/sh # This will execute your Google Chrome with SPDY disabled, and set it to use your System SSL /Applications/Google\ Chrome.app/Contents/MacOS/Chrome --use-spdy=off --use-system-ssl
  • Type the following into the Terminal to make a file from what you just copied:pbpaste > Google\ Chrome
  • Type the following into the terminal to it so our new Google Chrome can run:chmod +x Google\ Chrome
  • Close Google Chrome using the Apple menu, or Command-Q:
  • Restart Google Chrome

Thanks,

Sandeep T

L4 Transporter

In some testing in our lab it seems like the "--use-system-ssl" setting, and not the SPDY related command allows the sites to work correctly.  In a PCAP it shows that without the "--use-system-ssl" setting Chrome uses TLS1.1 instead of TLS1. 

Could you try to use just the "--use-system-ssl" command line parameter and see if you are able to navigate to the affected sites?

View solution in original post

L1 Bithead

FWIW  I can confirm that using ONLY "--use-system-ssl" does allow the SSL sites to operate normally.

I had been using the full switch "--use-spdy=off --use-system-ssl"  after reading the above posts and just removed the spdy piece now.


Not applicable

Interesting.

I can confirm as well that SSL decryption works as expected with the switch "--use-system-ssl"    

However, if I start with "--use-system-ssl" only it still seems to stop using SPDY.

No active SPDY sessions are displayed under

chrome://net-internals/#spdy

L1 Bithead

Just a thought - spdy requires NPN, a TLS extension that allows the application layer to determine which protocol should be used over a secure communication.

Where the switch "--use-system-ssl" forces the use of TLS v1, perhaps spdy shuts down because a protocol was forced and not negotiated?

Totally a guess though, I honestly have no idea.  =)

L4 Transporter

Another problem is that PA has not implemented fully TLS 1.0 protocol, so it's pointless to talk about 1.1 ...

Please PA, finish your dev on SSL stack ! Decryption has been unsuable for more than a year over here.

Not applicable

Any updates on this?  I don't believe we can shut off SPDY within Chrome as a solution

L6 Presenter

As a sidenote regarding SPDY Kaspersky Anti-Virus 2013 use the following settings:

Settings -> Advanced Settings -> Network

Encrypted connections scan

Scan encrypted connections: enabled

Use HTTP instead of SPDY protocol: enabled

The application does not apply heuristic analysis to data transferred over SPDY.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!