Chrome backs out of TLS 1.3 support after proxy issues
After Google rolled out the latest version of Chrome, issues with Blue Coat proxy software prompted a rollback of TLS 1.3 support in the latest version of the Chrome browser.
Google has disabled TLS 1.3 support in Chrome 56 after reports of failed connections through proxies.
According to a Chromium bug report, Google began receiving reports last week that customers using Blue Coat Systems' secure gateway operating system were unable to connect to the internet from Google's Chrome 56 web browser or from Chrome OS. The report states that Blue Coat's proxy terminates connections instead of negotiating down to version 1.2 of the Transport Layer Security protocol. Users attempting to reach the web with the Chrome 56 browser have therefore been unable to do so, while Chromebook users have been unable to connect to the internet at all.
The problem is apparently caused by proxy or firewall products that are incompatible with TLS 1.3, according to Chromium project members. When a client offers TLS 1.3, a compliant proxy that implements only TLS 1.2 should negotiate a TLS 1.2 connection, but Blue Coat's proxy, version 6.5, simply terminates the connection, the bug report claims.
"When Chrome attempts to connect via TLS 1.3, Blue Coat hangs up connection," wrote Google's Chromium project member Jay H. Lee in the issue report. "We have at least one very large customer seeing similar issues against Blue Coat. The connection fails with SSL_HANDSHAKE_ERROR / ERR_CONNECTION_CLOSED. Customer found that restricting to TLS 1.2 via policy resolves the issue for Chrome 56 stable."
TLS 1.3 is a problem
Two days after the issue was first reported on Feb. 21, Lee noted that Google was working toward the drastic step of rolling back TLS 1.3 support for Chrome 56.
"For anyone following this issue, we are working on a Chrome update that should resolve by disabling TLS 1.3 in Chrome 56," Lee wrote. "To be clear, ultimately this is an issue with proxies/firewalls that are not compatible with TLS 1.3. Please continue to work with your proxy/firewall vendor to update to a version that is compatible with TLS 1.3. A future version of Chrome will re-enable TLS 1.3."
Just last month Google released Chrome version 56, which added TLS 1.3 support and eliminated support for the SHA-1 hashing algorithm, reported last week to no longer be secure. But according to the latest information in the Chromium bug report, TLS 1.3 support has also been eliminated -- at least temporarily.
"Removing various high-priority labels from this bug as this has, sadly, been backed out of M56," Google software engineer David Benjamin wrote in the bug report Sunday evening. "The middleboxes are still broken, but we will resolve this asynchronously now that we have a list of buggy products and contacts with the vendors."
"Note these issues are always bugs in the middlebox products. TLS version negotiation is backwards compatible, so a correctly-implemented TLS-terminating proxy should not require changes to work in a TLS-1.3-capable ecosystem. It can simply speak TLS 1.2 at both client <-> proxy and proxy <-> server TLS connections. That these products broke is an indication of defects in their TLS implementations."
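The backwards-compatibility argument Benjamin makes can be checked mechanically. The following Python script is an added illustration written for this article, not code from Chromium, Blue Coat or Symantec: it builds a constructed TLS 1.3-style ClientHello (the kind Chrome 56 sends, with legacy_version fixed at 0x0303 and the real versions listed in the supported_versions extension, plus a constructed unknown value 0x0a0a that a server must ignore), parses it, and runs it through the version-selection rules of RFC 5246 and RFC 8446. A `buggy_middlebox` function models the failure mode the bug report describes, where a TLS 1.2-only box closes the connection as soon as it sees a version it does not understand; the reported workaround, a client restricted to TLS 1.2 by policy, is modelled as a ClientHello without the extension. Function names and the cipher-suite list are this example's own choices.

```python
"""Model of TLS version negotiation: a TLS 1.2-only proxy must pick TLS 1.2 from a
TLS 1.3 ClientHello, not abort. Added example; assumptions are marked in comments."""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
VERSION_NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446 section 4.2.1


def build_client_hello(versions=None):
    """Return a ClientHello body (handshake header omitted) for the demo.
    versions=None models a pure TLS 1.2 client (no supported_versions extension),
    i.e. the "restricted to TLS 1.2 via policy" workaround from the bug report."""
    body = struct.pack(">H", TLS12)            # legacy_version: always 0x0303 for TLS 1.2/1.3 clients
    body += bytes(32)                          # client random (constructed: all zero)
    body += b"\x00"                            # empty legacy_session_id
    suites = b"\x13\x01" + b"\xc0\x2f"         # TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                        # compression_methods: null only
    if versions:
        vlist = b"".join(struct.pack(">H", v) for v in versions)
        ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, 1 + len(vlist)) + bytes([len(vlist)]) + vlist
        body += struct.pack(">H", len(ext)) + ext
    return body


def parse_client_hello(body):
    """Extract legacy_version and, if present, the supported_versions list (client preference order)."""
    off = 0
    legacy_version = struct.unpack_from(">H", body, off)[0]
    off += 2 + 32                               # skip legacy_version and random
    off += 1 + body[off]                        # skip legacy_session_id
    off += 2 + struct.unpack_from(">H", body, off)[0]   # skip cipher_suites
    off += 1 + body[off]                        # skip compression_methods
    supported = None
    if off < len(body):                         # extensions block present
        ext_len = struct.unpack_from(">H", body, off)[0]
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack_from(">HH", body, off)
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0] // 2
                supported = [struct.unpack_from(">H", edata, 1 + 2 * i)[0] for i in range(n)]
    return {"legacy_version": legacy_version, "supported_versions": supported}


def negotiate(hello, server_max, server_min=TLS10):
    """Correct server/proxy-side selection.
    With supported_versions present (RFC 8446 4.2.1): use only that list, take the first
    entry we support, and ignore unknown or higher versions rather than failing.
    Without it (RFC 5246 Appendix E): the lower of the client's and our maximum.
    Returns the chosen version, or None where a protocol_version alert is the right answer."""
    if hello["supported_versions"] is not None:
        for v in hello["supported_versions"]:
            if server_min <= v <= server_max and v in VERSION_NAMES:
                return v
        return None
    v = min(hello["legacy_version"], server_max)
    return v if v >= server_min else None


def buggy_middlebox(hello, server_max=TLS12):
    """Models the reported defect: any version the box does not implement is treated as
    fatal and the connection is closed (None), instead of being ignored."""
    offered = hello["supported_versions"] or [hello["legacy_version"]]
    if any(v not in VERSION_NAMES or v > server_max for v in offered):
        return None                              # "hangs up" the connection
    return negotiate(hello, server_max)


def run_demo():
    """Compare a correct TLS 1.2 proxy, a TLS 1.3 server and the buggy box on two ClientHellos."""
    chrome56 = parse_client_hello(build_client_hello([0x0a0a, TLS13, TLS12]))  # 0x0a0a: constructed unknown value
    restricted = parse_client_hello(build_client_hello(None))                 # TLS 1.2-only client
    return {
        "correct_proxy_tls12": negotiate(chrome56, TLS12),
        "tls13_server": negotiate(chrome56, TLS13),
        "buggy_middlebox": buggy_middlebox(chrome56),
        "buggy_middlebox_restricted_client": buggy_middlebox(restricted),
    }


if __name__ == "__main__":
    for label, chosen in run_demo().items():
        print(f"{label:36s} -> {VERSION_NAMES.get(chosen, 'connection closed')}")
```

The correct proxy lands on TLS 1.2 for the Chrome-style hello, the buggy box closes the connection, and only the client restricted to TLS 1.2 gets through it, which matches the sequence of events in the bug report. The practical check for an operator is the same one the Chromium engineers imply: if a proxy succeeds with a TLS 1.2-only client but fails when a client merely offers TLS 1.3 alongside 1.2, the fault is in the proxy's version handling, not in the client.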
A Symantec spokesperson told SearchSecurity, "Symantec has been alerted to a potential issue with TLS 1.3 on select devices. We're investigating now and are working to resolve the issue." Symantec purchased Blue Coat for $4.65 billion in cash last year.
A spokesperson for web gateway provider iboss, which was mentioned in the Chromium issue tracker record as a vendor possibly affected by the issue, said that the company supports TLS 1.3 and that it is "not an issue" for the vendor.
Google has not responded to requests for comment.
Chromebooks are widely used in the education industry. One comment submitted from what appears to be the domain used by the Montgomery County, Md., public school system, reported that many of the school system's Chromebooks and PCs using Chrome were affected by the problem. Security researcher Kenn White tweeted:
TIL Montgomery County schools (DC area) run 120K Chromebooks, and half their fleet died after an update b/c BlueCoat MitM chokes on TLS 1.3 pic.twitter.com/szbXaKdCnT
— Kenn White (@kennwhite) February 25, 2017
The Montgomery County school system's public information office has not responded to requests for comment.