Updates:
        Status: Started
        Cc: [email protected]
        Labels: -NeedsEngReview

Comment #15 on issue 5894 by [email protected]: Bank of America Military Bank Login Page Inaccessible
http://code.google.com/p/chromium/issues/detail?id=5894

Eric and I looked at the SSL packet trace.  We found that
the server is a TLS-intolerant server.

On XP, Google Chrome 2.0.157.2 sends this SSL ClientHello
message to the server:

--> [
(70 bytes of 65)
SSLRecord { [Tue Jan 20 18:06:37 2009]
    0: 16 03 01 00  41                                   |....A
    type    = 22 (handshake)
    version = { 3,1 }
    length  = 65 (0x41)
    handshake {
    0: 01 00 00 3d                                      |...=
       type = 1 (client_hello)
       length = 61 (0x00003d)
          ClientHelloV3 {
             client_version = {3, 1}
             random = {...}
    0: 49 76 83 2d  d3 65 66 86  3e f1 86 26  c7 38 e2 86  | Iv.-.ef.>..&.8..
   10: 23 cd 5b 0d  f6 f5 2e b3  44 91 6c 13  d2 e4 16 b2  | #.[.....D.l.....
             session ID = {
                 length = 0
                 contents = {..}
             }
             cipher_suites[11] = {
                 (0x0004) SSL3/RSA/RC4-128/MD5
                 (0x0005) SSL3/RSA/RC4-128/SHA
                 (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                 (0x0009) SSL3/RSA/DES56-CBC/SHA
                 (0x0064) TLS/RSA-EXPORT1024/RC4-56/SHA
                 (0x0062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                 (0x0003) SSL3/RSA/RC4-40/MD5
                 (0x0006) SSL3/RSA/RC2CBC40/MD5
                 (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                 (0x0012) SSL3/DHE-DSS/DES56-CBC/SHA
                 (0x0063) TLS/DHE-DSS_EXPORT1024/DES56-CBC/SHA
             }
             compression[1] = { 00 }
          }
    }
}
]

On Vista, Google Chrome sends a different SSL ClientHello
message, which causes the server to close the underlying
TCP connection immediately:

--> [
(92 bytes of 87)
SSLRecord { [Tue Jan 20 17:56:46 2009]
    0: 16 03 01 00  57                                   |....W
    type    = 22 (handshake)
    version = { 3,1 }
    length  = 87 (0x57)
    handshake {
    0: 01 00 00 53                                      |...S
       type = 1 (client_hello)
       length = 83 (0x000053)
          ClientHelloV3 {
             client_version = {3, 1}
             random = {...}
    0: 49 76 80 de  9f e8 29 53  cc 9c 42 d7  95 86 c6 4f  | Iv....)S..B....O
   10: 0e fb c2 29  3d 02 c2 e8  f3 65 4a 12  7e a6 b7 9c  | ...)=....eJ.~...
             session ID = {
                 length = 0
                 contents = {..}
             }
             cipher_suites[12] = {
                 (0x002f) TLS/RSA/AES128-CBC/SHA
                 (0x0035) TLS/RSA/AES256-CBC/SHA
                 (0x0005) SSL3/RSA/RC4-128/SHA
                 (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                 (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
                 (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
                 (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
                 (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
                 (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                 (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                 (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                 (0x0004) SSL3/RSA/RC4-128/MD5
             }
             compression[1] = { 00 }
             extensions[18] = {
               extension type elliptic_curves, length [8] = {
    0: 00 06 00 17  00 18 00 19                          |........
               }
               extension type ec_point_formats, length [2] = {
    0: 01 00                                            |..
               }
             }
          }
    }
}
]
Read EOF on Server socket. [Tue Jan 20 17:56:46 2009]

You can see that the lists of cipher suites are different
in the ClientHello messages.  Moreover, the Vista ClientHello
message has two extensions (for elliptic curve cryptography).
Most likely, the server doesn't like ClientHello extensions.

We have code in http_network_transaction.cc for handling
TLS-intolerant servers, but it requires the error code from
SSL handshake to be ERR_SSL_PROTOCOL_ERROR or
ERR_SSL_VERSION_OR_CIPHER_MISMATCH.  Since we're returning
ERR_FAILED now, the TLS-intolerant server handling code is
not activated.  The fix is most likely to return
ERR_SSL_PROTOCOL_ERROR instead.

Automated mail from issue updates at http://crbug.com/
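As an added illustration (not code from the Chromium issue or its commenter), a small Python builder and parser for the two ClientHello messages in the traces above, reconstructed from the fields the trace prints; the 32-byte random is a constructed all-zero placeholder. Building both records reproduces the 70- and 92-byte sizes the trace reports, and parsing them exposes the one structural difference, the extensions block, that the comment points to.

```python
import struct

# Cipher suite lists exactly as the two traces above print them (XP, then Vista).
XP_SUITES = [0x0004, 0x0005, 0x000a, 0x0009, 0x0064, 0x0062,
             0x0003, 0x0006, 0x0013, 0x0012, 0x0063]
VISTA_SUITES = [0x002f, 0x0035, 0x0005, 0x000a, 0xc009, 0xc00a,
                0xc013, 0xc014, 0x0032, 0x0038, 0x0013, 0x0004]
# Vista's two extensions: elliptic_curves (type 10) and ec_point_formats (type 11), payloads as traced.
VISTA_EXTENSIONS = [(0x000a, bytes.fromhex("0006001700180019")),
                    (0x000b, bytes.fromhex("0100"))]

def build_client_hello(suites, extensions=(), client_random=bytes(32)):
    """Assemble a TLS 1.0 ClientHello record; the all-zero random is a
    constructed placeholder for the 32 bytes the traces show."""
    body = b"\x03\x01" + client_random + b"\x00"      # version, random, empty session ID
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression[1] = { null }
    if extensions:                                     # extensions block is optional
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Parse one complete handshake record holding a ClientHello and return
    the fields the trace prints, including any extensions present."""
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 22 or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    hs = record[5:]
    if hs[0] != 1 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a complete ClientHello")
    h, pos = hs[4:], 0
    version, pos = (h[0], h[1]), 2
    pos += 32 + 1 + h[pos + 32]                        # skip random and session ID
    cs_len, pos = struct.unpack("!H", h[pos:pos + 2])[0], pos + 2
    suites = [struct.unpack("!H", h[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + h[pos]                                  # skip compression methods
    extensions = []
    if pos < len(h):                                   # RFC 4366 extensions, if any
        end, pos = pos + 2 + struct.unpack("!H", h[pos:pos + 2])[0], pos + 2
        while pos < end:
            etype, elen = struct.unpack("!HH", h[pos:pos + 4])
            extensions.append((etype, h[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"record_version": (major, minor), "client_version": version,
            "cipher_suites": suites, "extensions": extensions}
```

A server that closes the connection on the second record but accepts the first, as the trace shows, is the pattern the ClientHello extensions hypothesis in the comment describes.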