Issue 131769 in chromium: Chromium Android fails when SSL server gives a empty protocol list in NPN extension in a ServerHello message.


chro...@googlecode.com

Jun 8, 2012, 5:31:09 AM
to chromi...@chromium.org
Status: Untriaged
Owner: j...@chromium.org
CC: j...@chromium.org, a...@chromium.org, w...@chromium.org,
rsl...@chromium.org
Labels: Type-Bug Pri-2 OS-Android Area-Internals Internals-Network-SSL

New issue 131769 by j...@chromium.org: Chromium Android fails when SSL
server gives a empty protocol list in NPN extension in a ServerHello
message.
http://code.google.com/p/chromium/issues/detail?id=131769

Description of the Issue:
Chromium Android fails when the SSL server gives an empty protocol list in
the NPN extension in a ServerHello message.

When visiting https://www.ossifrage.net/ using Chromium Android, it
gets "Error 2 (net::ERR_FAILED): Unknown error". The site works fine in
desktop Chrome and in the Android browser.

Reproducibility:
Just try to visit https://www.ossifrage.net/.

After investigation, the failure is caused by the server not giving any
advertised protocols in the TLS "Next Protocol Negotiation" extension in a
ServerHello message.

Adam (cc'ed) has proposed a new TLS extension, "Next Protocol Negotiation"
(aka NPN), since 2010, and it was recently added to OpenSSL. You can find the
specification at
http://tools.ietf.org/id/draft-agl-tls-nextprotoneg-03.html or
https://technotes.googlecode.com/git/nextprotoneg.html.

In the specification of NPN, it says "The extension_data field of a
next_protocol_negotiation extension in a ServerHello contains an optional
list of protocols advertised by the server.", which means the server may
not send the protocol list in NPN extension in a ServerHello message. Then
in "Protocol selection" phase, the spec says

"It's expected that a client will have a list of protocols that it
supports, in preference order, and will only select a protocol if the
server supports it. In that case, the client SHOULD select the first
protocol advertised by the server that it also supports. In the event that
the client doesn't support any of server's protocols, or the server doesn't
advertise any, it SHOULD select the first protocol that it supports."

It seems the Chromium NSS implementation handles the case where the server
doesn't advertise any protocols, but the Chromium OpenSSL implementation doesn't.

chro...@googlecode.com

Jun 9, 2012, 1:08:05 AM
to chromi...@chromium.org
Updates:
Status: Assigned

Comment #1 on issue 131769 by w...@chromium.org: Chromium Android fails when
SSL server gives a empty protocol list in NPN extension in a ServerHello
message.
http://code.google.com/p/chromium/issues/detail?id=131769

jnd: could you find out where Chrome sets the net::ERR_FAILED error code?
This won't help fix this bug. I just wanted to improve Chrome's error
reporting. net::ERR_FAILED is the default error code and is not
informative.

chro...@googlecode.com

Jun 11, 2012, 11:28:59 AM
to chromi...@chromium.org

Comment #2 on issue 131769 by j...@chromium.org: Chromium Android fails
when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

The call sequence was (in ssl_client_socket_openssl.cc)
SSLClientSocketOpenSSL::DoHandshake() ->
MapOpenSSLError(int err, const crypto::OpenSSLErrStackTracer& tracer)->
MapOpenSSLErrorSSL().

In MapOpenSSLErrorSSL, the OpenSSL error SSL_R_PARSE_TLSEXT(227) maps to
ERR_FAILED in default switch.

chro...@googlecode.com

Jun 14, 2012, 1:17:33 AM
to chromi...@chromium.org

Comment #3 on issue 131769 by bugdro...@chromium.org: Chromium Android
fails when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769#c3

The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=142098

------------------------------------------------------------------------
r142098 | j...@chromium.org | Wed Jun 13 22:05:49 PDT 2012

Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket/ssl_client_socket_openssl.cc?r1=142098&r2=142097&pathrev=142098

Select the first protocol from the next protocol list of SSLConfig if we
didn't find a protocol.

It's possible that there is no overlap between the server advertised
protocols and SSL client advertised protocols. And the server can even give
an empty protocol list in the NPN extension in a ServerHello message.
In this case, the SSL client should pick up the first protocol from the
next protocol list of SSLConfig.

BUG=131769
TEST=None
Review URL: https://chromiumcodereview.appspot.com/10532061
------------------------------------------------------------------------
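
Added example (not part of the original thread, and not Chromium's or OpenSSL's code): the NPN selection rule quoted in the issue description and applied by r142098, including the empty-list case. It assumes the draft's wire format (a concatenation of 8-bit length-prefixed, non-empty names); the function names and the sample protocol names are hypothetical.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

enum class NpnStatus { kNegotiated, kNoOverlap, kMalformed };
struct NpnResult { NpnStatus status; std::string protocol; };

// Parses NPN extension_data: a concatenation of 8-bit length-prefixed,
// non-empty protocol names. A zero-length buffer is a valid, empty list.
bool ParseNpnList(const std::vector<uint8_t>& data,
                  std::vector<std::string>* out) {
  size_t i = 0;
  while (i < data.size()) {
    size_t len = data[i++];
    if (len == 0 || len > data.size() - i) return false;  // empty or truncated
    out->emplace_back(data.begin() + i, data.begin() + i + len);
    i += len;
  }
  return true;
}

// client_prefs: the client's protocols in preference order.
NpnResult SelectNextProto(const std::vector<uint8_t>& server_data,
                          const std::vector<std::string>& client_prefs) {
  std::vector<std::string> server;
  if (client_prefs.empty() || !ParseNpnList(server_data, &server))
    return {NpnStatus::kMalformed, ""};
  // First protocol advertised by the server that the client also supports.
  for (const auto& s : server)
    for (const auto& c : client_prefs)
      if (s == c) return {NpnStatus::kNegotiated, s};
  // No overlap, or nothing advertised: fall back to the client's first
  // protocol instead of failing the handshake.
  return {NpnStatus::kNoOverlap, client_prefs.front()};
}

// Constructed sample ServerHello extension_data (not captured traffic).
std::vector<uint8_t> SampleServerList() {
  return {6, 's', 'p', 'd', 'y', '/', '2',
          8, 'h', 't', 't', 'p', '/', '1', '.', '1'};
}

int main() {
  const std::vector<std::string> prefs = {"http/1.1", "spdy/2"};
  std::cout << SelectNextProto(SampleServerList(), prefs).protocol << "\n"
            << SelectNextProto({}, prefs).protocol << "\n";
  return 0;
}
```

Only a truncated or zero-length name is treated as a parse error here; an empty list is not.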

chro...@googlecode.com

Jun 19, 2012, 6:22:26 AM
to chromi...@chromium.org
Updates:
Status: Fixed

Comment #4 on issue 131769 by j...@chromium.org: Chromium Android fails
when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

(No comment was entered for this change.)

chro...@googlecode.com

Sep 12, 2012, 9:01:22 AM
to chromi...@chromium.org

Comment #5 on issue 131769 by i...@daniel-baran.de: Chromium Android fails
when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

There is the same error with https://android.dab-server.de/. Is this a
client or a server problem?

chro...@googlecode.com

Sep 12, 2012, 9:51:17 AM
to chromi...@chromium.org

Comment #6 on issue 131769 by a...@chromium.org: Chromium Android fails
when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

info: yes, it appears to be the same problem. The server's behaviour is
suboptimal, but not strictly invalid. The client should tolerate it but I
suspect that the fix just hasn't made it into a Chrome Android release yet.

chro...@googlecode.com

Oct 2, 2012, 2:57:21 AM
to chromi...@chromium.org

Comment #7 on issue 131769 by jonat...@ernstfamily.ch: Chromium Android
fails when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

A new version of Android for Chrome was released some days ago and the bug
is still not fixed.

In my case we have disabled SPDY for one of our non-thread-safe domains and
this triggers the bug on Chrome on Android.

In the meantime is there a way to specify a non empty list in this
virtualhosts config?

chro...@googlecode.com

Dec 4, 2012, 1:57:56 PM
to chromi...@chromium.org

Comment #9 on issue 131769 by simpf...@gmail.com: Chromium Android fails
when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

Here is another site that fails with (I presume) this issue:

https://bugzilla.samba.org

I lodged a bug with them, but it looks to be a Chrome/Chromium issue more?

Here's their bug report:

https://bugzilla.samba.org/show_bug.cgi?id=9441

but don't try and go there from Android Chrome as it will fail due to this
bug :)



chro...@googlecode.com

Jan 15, 2013, 3:46:59 PM
to chromi...@chromium.org

Comment #10 on issue 131769 by mike.gau...@gmail.com: Chromium Android
fails when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

Did the fix make it into any released versions of Chrome on Android?

chro...@googlecode.com

Jan 30, 2013, 7:45:37 AM
to chromi...@chromium.org

Comment #11 on issue 131769 by jamescle...@gmail.com: Chromium Android
fails when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

Still getting this on above sites and
https://www.brightonfeministcollective.org.uk/

If it helps, here's my SSL configuration. Server is Apache 2.4. Works on
everything I've tested with (Android stock browser, Chromium desktop,
Chrome desktop, Firefox desktop, Firefox mobile, Lynx, cURL, wget, httpie).

SSLEngine on
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:RC4-SHA:!ADH:!MD5:!aNULL:!EDH
SSLCompression Off


chro...@googlecode.com

Aug 19, 2013, 10:56:41 AM
to chromi...@chromium.org

Comment #13 on issue 131769 by email.to...@gmail.com: Chromium Android
fails when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

This is quite important as a number of 3rd party web servers (such as
Oracle HTTP Server and some of the IBM ones) are based on Apache but have
slower release schedules (so are using slightly older OpenSSL versions).
These will not be updated instantly as they are often running critical
business applications, so Chrome needs to be able to handle older
implementations rather than just assuming everyone can upgrade to the
latest OpenSSL to fix this.


chro...@googlecode.com

Sep 26, 2013, 8:00:29 AM
to chromi...@chromium.org

Comment #14 on issue 131769 by charlie....@gmail.com: Chromium Android
fails when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

Has there been any progress on this lately?

We're also using Oracle HTTP Server 2.0, which is based on a quite old
Apache version. We cannot make the changes suggested here, since OHS does
not support them. What to do? I've tried many configurations, none works. I
would suspect the SNI TLS extension, or some other extension, that OHS
(Apache) drops the connection for. Why can't you make Chrome for Android
downgrade and just use SSLv3 or TLS 1.0 (without extension) if something
goes wrong? All other browsers do this.

Yes, I would love to upgrade our whole production environment, but it's not
that easy.

chro...@googlecode.com

Sep 26, 2013, 6:23:31 PM
to chromi...@chromium.org
Updates:
Labels: Restrict-AddIssueComment-EditIssue

Comment #15 on issue 131769 by rsl...@chromium.org: Chromium Android fails
when SSL server gives a empty protocol list in NPN extension in a
ServerHello message.
http://code.google.com/p/chromium/issues/detail?id=131769

Note: This issue was marked fixed back in 2012, and the issue originally
reported was fixed. As such, no one is working on this actively.

If you're still seeing issues, it is likely something different, and it
would be good to file separate bug reports so that more investigation can
be conducted.