For the last few months we've has a client site working fine over HTTPS and HTTP, however as of a week or two ago we've had intermittent reports of it failing in Google Chrome.
As of last week I also got the issue, which is Chrome claiming ERR_EMPTY_RESPONSE to all requests sent through HTTPS.
This isn't replicated in any other browsers and the Security tab of the inspector declares the certificate valid and all page resources secure.
Anyone got some suggestions? I'm at a loss as to what to do, it feels like it might be a browser bug itself...
[Originally provided by a user called #daFlame, but it then got deleted within a few hours?]
The issue is caused by Chrome struggling with the cipher suites cPanel uses by default. CPanel are aware of the issue, and I've reported a ticket to Chrome.
CPanel's work around can be found here, but I'll provide a summary:
Go to WHM >> Service Configuration >> Apache Configuration >> Global Configuration
Then find the value SSL Cipher Suite and change it from the default to:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS`
Once Apache is rebuilt, the errors stop.
Related
We're having some issues on some machines related with ssl when connecting to our sites through https. sometimes, some of the users get the err_ssl_protocol_error when they try to load one of the sites. now, the weird thing is that hitting f5 solves the issue and the page that was returning the ssl error gets miraculous loaded. we've already tried most online suggestions (checking date and time, cleaning the browser/ssl cache, etc).
we have changed the ssl certificate recently (a month ago), but the issues have only started now. btw, all our requests go through our firewall (forti adc) which is responsible for enforcing the https to all our clients.
any clues on why we're getting this error?
edit: adding more info
sites are hosted in iis (windows server 2016)
our firewall is running forti adc
the requests go through a load balancer before hitting firewall
the firewall has the wildcard certificate used for ssl (all. sites)
sites are built with aspnet
it only happens on some pcs, and only with chrome (Firefox is working without any problems)
edit 2: More info from wireshark
So, I've used wireshark to capture the traffic and when I get the ERR_SSL_PROTOCOL_ERROR on chrome, I've noticed that wireshark is showing me an alert with a decrypt error in response to the server hello message:
Any clues on what's going on here?
After lots of digging and testing, it seems like there's an issue with openssl and ECDHE algorithms. Changing the algorithm to a non ECDHE seems to have solved the issue for our chrome users...
I answered this below for anyone that is interested
I'm on Windows 10 using Chrome, Firefox and MS Edge. I'm trying to do something for a class I'm taking and can't get it to work. All I want to do is add something like this to the hosts file:
127.0.0.1 mysite.dev
This is ALL to run on my local PC. I eventually need to have my site able to run on IIS, but this is the first step and I can't get past it. (I'm on my second day trying)
What I've done:
I did edits in notepad on a file on my desktop.
I renamed the original hosts file in the drivers/etc directory.
I copied my file into the drivers/etc directory.
I ran ipconfig -flushdns
I successfully pinged the new site with: ping mysite.dev
I cleared browsing history in all three browsers.
I reopened all three browsers.
All that failed to make any difference (and I rebooted as well) So I added this:
I ran ipconfig -flushdns
Then ipconfig -renew
Then ipconfig -registerdns
Then repeated steps 5->6 and all failed to make any difference. These are the errors per browser:
Chrome: This site can’t be reached mysite.dev refused to connect.
Firefox: Unable to connect Firefox can’t establish a connection to the server at www.mysite.dev.
MS Edge: Hmmm...can’t reach this page
I noticed that all three browsers changed http to https. Not sure if that mattered but I followed instructions to disable this re-direct for all three browsers and NONE of them actually stopped the redirect to https.
And I still can't the correct result, which should be the IIS default page. I can see the IIS default page with localhost, so IIS is running.
Help! Any ideas or directions at all would be very appreciated!
Got the answer from someone. Google owns the .dev domains and has restrictions on it so it HAS to be HTTPS, which requires certs etc, which is not in the scope of my class. I just changed it to mysite.local and BOOM!, there it was! Thanks.
I'm debugging a local site.
I'm getting the following message in chrome.
Your connection is not private
Attackers might be trying to steal your information from t.buyamerica.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
This is not new, and normally I just click ADVANCED and Procced ...
but lately it just stuck in a loop and display the error message again.
This is a local site therefore the key-pair is indeed invalid, but is there a way to by-pass this issue without installing a proper https for all my local (vagrant based) servers?
NOTE:
The current by-pass for me is to use the same domain as the original site, so that the local site is www.somesite.com, and the actual site is somesite.com
I solved this issue as follow:
In
System Preference -> Network -> WiFi -> Advanced -> Proxies I saw that Secure Http Proxy (HTTPS) is checked and the value for the proxy is localhost:8888
I unchecked the Secure Http Proxy (HTTPS) and it seems to solve the issue.
NOTE: this is a specific MAC issue that apparently caused by a system upgrade (my current version is 10.10.5 (14F2511) Yosemite, MacBook Air (13-inch, Mid 2012))
I never set a proxy server or run any proxy on localhost:8888
You change your local domain something like http://yourdomain.test.
Don't forget the 'http'. And if you're using .dev, change it to .test
After upgrading to Windows 10, I am receiving the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in Google Chrome (Firefox 39 just doesn't load the page) when I attempt to access my machine over HTTPS. I have a GoDaddy signed certificate for my computer.
I've attempted disabling most of my encryption ciphers per https://http2.github.io/http2-spec/#BadCipherSuites.
I've gone so far that I've disabled ciphers that are keeping me from RDPing to my desktop...and it still gives me an error!
Any guidance is appreciated.
Apparently you are not the only one having this issue: Disabling HTTP/2 / SPDY in HTTP.SYS and IIS in Windows 10
According to the error message this is a SPDY issue, so the certificate and the cipher suites are not the cause.
SPDY is a protocol allowing multiplexing HTTPS requests but it will be replaced by HTTP/2. As a temporary fix, you can apparently disable its support in you browser/registry/server.
I ran into this same issue after my win 10 dev machine got updated twice recently (the updates took around 35-40 minutes to deploy each time) and after this i was not able to run my Visual studio 2015 web applications over Https on Chrome but was able to run on IE
I tried out the registry method for disabling Http 2 as mentioned
here, but this did not worked for me
Then I came across the following solution: I downloaded IIS Crypto and
selected "Cipher Suites" option and clicked Best Practices button, and applied
it, My problem was gone and i can now run my web app over Https in Chrome just like before
Uncheck "Enable SSl" in your project properties under the Debug tab
I solved a similar problem by removing the parameter "Strict´Transport-Security" with value "max-age = 31536000; includeSubDomains; preload" from "HTTP Response Headers"
I've got a web site that uses SSL Client certificate authorization.
All client certificates are generated using OpenSSL and are self-signed. Everything worked with all web-browsers, but the recommended one was Google Chrome, because it uses same SSL warehouse as IE, so certificate installation was pretty easy (click-click-password-done!).
After last update of Google "Chrome 29.0.1547.57 m", noone can access my web-server, even me.
Google chrome error only! IE and FF working fine.
Error is: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.
Same in server error log.
Do you have any suggestions?
The problem is that most part of clients are non familiar with PC's and they got very frightened about that situation. So phone support guys are under the wave of calls.
We are experiencing the same problem. As Sean has reported, it seems that Chrome on Windows XP
negotiates TLSv1.2 even though the operating system does not support SHA-2 (say, SHA-256 or SHA-384)
hash function.
We found that Chrome fails when it receives "client certificate request" following SERVER HELLO.
SERVER HELLO itself negotiates RC4-SHA1 (in our environment) which should succeeds. The problematic
packet seems the "client certificate request" that includes SHA-2 (as well as SHA1) functions for hashes.
Invoking Chrome with "--enable-logging --log-level=0" outputs the following message:
ERROR:nss_ssl_util.cc(193)] ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error -12222, OS error -2146893816
This is an Operating system error corresponding "NTE_BAD_ALGID" for CryptSignHash function:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380280(v=vs.85).aspx
Disabling TLSv1.2 on the server should fix the problem. But I think Chrome should prefer SHA1 on Windows XP.
I'm experiencing the same thing here with Windows7 client systems unable to authenticate with client certificates against some of our systems, but not others. The affected servers are running Apache Tomcat while the unaffected are running IIS7, though I'm hesitant to identify that difference as the culprit.
Anyone else seeing this?
EDIT:
I'm able to eliminate the problem by disabling TLSv1.2 on the server. Is anyone else able to replicate this experience?
I would also be interested to know whether anyone else is seeing this on anything but the Windows platform, as it's the only place it's happening here (same version OSX has no issues).
EDIT2:
Chrome Bug Report here: https://code.google.com/p/chromium/issues/detail?id=278370
EDIT3:
Should be working again in latest Chrome stable. Chrome 30 will have a more robust fix, but 29.x should also work now.
I recently had a similar issue in Chrome on Mac OS. It worked fine with Firefox, but started failing in Chrome and Safari after changing my corporate (AD) credentials -- I guess the issue was a mismatch between system creds and the keychain creds.
The solution for me was a reset of the private key(s) access permissions in the Keychain Access app.
To do the reset:
In Keychain Access app right-click each private key that fails and select "Get Info".
Go to "Access Control" tab and set "Allow all applications to access this item" -- click on that option even if it's already set. Then click Save Changes.
Refresh the website that fails and you should be prompted to enter keychain password -- enter it and select Allow Always.
It is combination of Win XP and Google Chrome 29.0.1547.57 m
On Win 7/8 this problem doesn't occur.
You could install older working version 28.0.1500.95
http://www.filehippo.com/download_google_chrome/15657/
But settings for disabling updating are not so easy.
http://dev.chromium.org/administrators/turning-off-auto-updates
The problem is caused by Chrome running TLSv1.2 on Windows XP.
This can be disabled on the server side but also on the client side.
To run Chrome with a lower version of TLS, start it with the command-line option --ssl-version-max=tls1.1
I had this problem Connecting Chrome with WebSockets to apache throw proxy_wstunnel_module.
My solution was configuring httpd.conf
ProxyPass /wss2/ ws://127.0.0.1:8080/ retry=0 keepalive=On
ProxyPassReverse /wss2/ ws://127.0.0.1:8080/ retry=0
<Location /wss2/>
SSLRequireSSL On
SSLVerifyClient none
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
SSLRenegBufferSize 10486000
</Location>
Chrome WebSockets does not like the parameter SSLVerifyClient optional
I hope this helps.