Re: Issue 461739 in chromium: Disable experimental QUIC protocol via Group Policy

[chro...@googlecode.com]

Updates:
Owner: pelets...@chromium.org
Cc: sas...@chromium.org mnis...@chromium.org
Labels: Enterprise-Triaged Hotlist-GoodFirstBug

Comment #1 on issue 461739 by atwi...@chromium.org: Disable experimental
QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Saswat/Mattias - what do you think? Perhaps this is something Sasha could
tackle?

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[chro...@googlecode.com]

Comment #2 on issue 461739 by mnis...@chromium.org: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Sure, this should be straightforward enough and is probably going to be
useful for some people.

[chro...@googlecode.com]

Comment #5 on issue 461739 by r...@chromium.org: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Let me know if you need any help with the QUIC-specific parts of this
change.

[chro...@googlecode.com]

Comment #6 on issue 461739 by tom.clau...@combellgroup.com: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Hi,

Is any news available yet?
We are noticing alot of alerts on our firewall because of high session
limits being reached, because of UDP traffic to 443 and 80.

Therefor this would be something good for us to be able to do.

Thanks in advance.

[chro...@googlecode.com]

Comment #7 on issue 461739 by pelets...@chromium.org: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Hi.
For now the issue is fixed and is under review.

[chro...@googlecode.com]

Updates:
Labels: Hotlist-Enterprise

Comment #8 on issue 461739 by lawrence...@chromium.org: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

What is the target milestone for this to merge into? Is there any
workaround we can recommend to customers in the meantime?

[chro...@googlecode.com]

Comment #9 on issue 461739 by scott...@gmail.com: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Any update to this?
Most Google sites fail to load as our content filter blocks the QUIC
protocol.....have to disable this flag on every users system, a GPO would
be FAR simpler.

Thanks

[chro...@googlecode.com]

Comment #10 on issue 461739 by r...@chromium.org: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

You can follow the status on the CL
https://codereview.chromium.org/998383002/

​That being said, if you are blocking UDP ports 80 and 443, chrome should
transparently fail over to TCP. If this is not happening for you, can you
generate a net-internals log?​

[chro...@googlecode.com]

Comment #11 on issue 461739 by scott...@gmail.com: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Thanks for the link,

It does failover eventually...sometimes will need a few refreshes, however
im supporting 140 staff and 1000 students, so its been easier to disable it
entirely in about:flags, forcing it to be disabled will make it all the
more simple for me.

[chro...@googlecode.com]

Comment #12 on issue 461739 by r...@chromium.org: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

That's very surprising. It should not require any refreshes. Can you
generate a net-internals trace when this happens?

https://dev.chromium.org/for-testers/providing-network-details

[chro...@googlecode.com]

Comment #14 on issue 461739 by pelets...@google.com: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Hi. I'm planing to finish this feature next week.

[chro...@googlecode.com]

Comment #15 on issue 461739 by adam.da...@gmail.com: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

This has massively affected our whole company's ability to connect to all
google's cloud based services - docs, sheets, keep, mail etc etc.

Raised a ticket with googles business support only to be told it was
something to do with our network.

Disabled QUIC and hey presto - timeouts stopped and service resumed!

Get with it google.

[chro...@googlecode.com]

Updates:
Labels: -M-43 M-43Merge-Requested

Comment #21 on issue 461739 by j...@chromium.org: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

(No comment was entered for this change.)

[chro...@googlecode.com]

Comment #22 on issue 461739 by j...@chromium.org: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Apologies -- I am trying to request a merge to M43 (beta channel). I can't
seem to get the labels right (or maybe I did?)

[chro...@googlecode.com]

Updates:
Cc: s...@chromium.org

Comment #25 on issue 461739 by s...@chromium.org: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

(No comment was entered for this change.)

[chro...@googlecode.com]

Updates:
Labels: -Merge-Requested Merge-Approved Hotlist-Merge-Approved

Comment #26 on issue 461739 by lafo...@google.com: Disable experimental

QUIC protocol via Group Policy

https://code.google.com/p/chromium/issues/detail?id=461739#c26

Approved for M43 (branch: 2357)

[chro...@googlecode.com]

Comment #27 on issue 461739 by lafo...@google.com: Disable experimental

QUIC protocol via Group Policy

https://code.google.com/p/chromium/issues/detail?id=461739#c27

[chro...@googlecode.com]

Updates:
Labels: -Merge-Approved merge-merged-2357

Comment #29 on issue 461739 by bugdro...@chromium.org: Disable experimental

QUIC protocol via Group Policy

https://code.google.com/p/chromium/issues/detail?id=461739#c29

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src.git/+/5c4914fa577cdea737acdf9f28071827e52f6407

commit 5c4914fa577cdea737acdf9f28071827e52f6407
Author: Philipp Neubeck <pneu...@chromium.org>
Date: Tue May 05 14:31:57 2015

Added QuicAllowed policy. Added unit and browser tests.

BUG=461739

Review URL: https://codereview.chromium.org/998383002

Cr-Commit-Position: refs/heads/master@{#327723}
(cherry picked from commit 5df83d489109f9df482abe00177e120513b4c3fa)

Review URL: https://codereview.chromium.org/1124583007

Cr-Commit-Position: refs/branch-heads/2357@{#309}
Cr-Branched-From:
59d4494849b405682265ed5d3f5164573b9a939b-refs/heads/master@{#323860}

[modify]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/chrome/browser/io_thread.cc
[modify]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/chrome/browser/io_thread.h
[modify]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/chrome/browser/io_thread_unittest.cc
[add]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/chrome/browser/policy/policy_network_browsertest.cc
[modify]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/chrome/chrome_tests.gypi
[modify]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/chrome/test/data/policy/policy_test_cases.json
[modify]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/components/policy/resources/policy_templates.json
[modify]
http://crrev.com/5c4914fa577cdea737acdf9f28071827e52f6407/tools/metrics/histograms/histograms.xml

[chro...@googlecode.com]

Comment #30 on issue 461739 by bugdro...@chromium.org: Disable experimental

QUIC protocol via Group Policy

https://code.google.com/p/chromium/issues/detail?id=461739#c30

The following revision refers to this bug:

https://chrome-internal.googlesource.com/bling/chromium.git/+/5c4914fa577cdea737acdf9f28071827e52f6407

commit 5c4914fa577cdea737acdf9f28071827e52f6407
Author: Philipp Neubeck <pneu...@chromium.org>
Date: Tue May 05 14:31:57 2015

[chro...@googlecode.com]

Comment #31 on issue 461739 by afro...@gmail.com: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

So this has supposedly been merged into M43 and yet the policy is having no
effect in Chrome 43.0.2357.81 m? I have set QuicAllowed=0 (DWORD) under
HKEY_CURRENT_USER\Software\Policies\Google\Chrome and
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. The policies are also
set under Wow6432Node.

[chro...@googlecode.com]

Comment #35 on issue 461739 by afro...@gmail.com: Disable experimental QUIC

protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Note that I'm not using the adm/admx and wish to disable via Registry
policy only. It appears Chrome is no longer checking the policy registry
(according to procmon) unless the adm/admx is used and the policy is set.
Is this a recent change? I am fairly certain previous versions of Chrome
from February didn't have this behaviour?

[chro...@googlecode.com]

Updates:
Status: Fixed

Comment #36 on issue 461739 by pneu...@chromium.org: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

re c#35:
If no policy is picked up at all, then your issue is unrelated to the QUIC
policy and you should create a new bug.

Nonetheless, according to
http://www.chromium.org/administrators/policy-list-3 :
"The recommended way to configure policy on Windows is via GPO, although
provisioning policy via registry is still supported for Windows instances
that are joined to an Active Directory domain."

Are you using an Active Directory domain?

Marking this issue as fixed, waiting for verification.

[chro...@googlecode.com]

Comment #38 on issue 461739 by pelets...@chromium.org: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Just tried this policy on chrome 43.0.2357.124 for Windows and it works.
I've added DWORD value QuicAllowed to HKLM/Software/Policies/Google/Chrome
and set its value to 0. Afterwards I restarted chrome. Please make sure
that there is no chrome.exe processes left in the task manager so that
policy take effect. Afterwards should work QUIC should be disabled.

[chro...@googlecode.com]

Comment #39 on issue 461739 by pelets...@chromium.org: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

The explanation why SPDY policy works and QUIC does not can be that
DisableSpdy supports dynamic refresh but QuicAllowed does not.

[chro...@googlecode.com]

Comment #40 on issue 461739 by developm...@ubtsupport.com: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Tried again:-

Windows 7 x64 and Windows 8.1 x64 - standalone workstation (not domain
joined).
Chrome Version 43.0.2357.124 m

Ran: chrome://net-internals/#quic before and after adding a 32bit DWORD in
HKLM/Software/Policies/Google/Chrome for QuicAllowed - Value = 0.

Killed all processes from task manager that were called 'chrome.exe'.

After the restart, still getting this reported by the QUIC test:-

* QUIC Enabled: true
* Alternate Protocol Probability Threshold: 0.01
* Origin To Force QUIC On: :0
* QUIC connection options:
* Consistent Port Selection Enabled: false

Any other suggestions please?

[chro...@googlecode.com]

Comment #41 on issue 461739 by pelets...@google.com: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Please mane sure that policies are up to date inside chrome: go
chrome://policies and click "Reload policies".
Besides this you may try disallow chrome to run in background so that not
to kill any chrome.exe process in task manager: chrome://settings/ and then
change "Continue running background apps when Google Chrome is closed".
If nothing works please run chrome from cmd with the key --disable-quic and
let me know the result.

[chro...@googlecode.com]

Comment #42 on issue 461739 by developm...@ubtsupport.com: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

1. chrome://policy/ - after reload tested QUIC and still showing Enabled:
true
2. chrome://settings/ unchecked "Continue running background apps when
Google Chrome is closed" and restested QUIC - showing Enabled: true
3. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
--disable-quic - this correctly disabled QUIC (Enabled: false)
4. Closed Chrome, re-opened and tested for QUIC - showing Enabled: true

Tested the above steps on Windows 8.1 x64.

[chro...@googlecode.com]

Comment #43 on issue 461739 by developm...@ubtsupport.com: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Should have mentioned in #42 that the registry entry made in #40 was still
present - verified after each step.

[chro...@googlecode.com]

Comment #44 on issue 461739 by developm...@ubtsupport.com: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

For reference:-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"QuicAllowed"=dword:00000000

[chro...@googlecode.com]

Comment #45 on issue 461739 by pelets...@google.com: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Can you see in chrome://policy entry "Machine Mandatory QuicAllowed false
OK"?

[chro...@googlecode.com]

Comment #46 on issue 461739 by developm...@ubtsupport.com: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

When checking the policies - none are set.

If I set Chrome to "Show policies with no value set", I can see
the 'QuicAllowed' policy with the status as 'Not Set'.

Have tried the steps at #42 with a physical machine reboot between - no
change in the results.

The interesting thing here is that I just tried setting DisableSpdy = 1 in
the registry and Chrome is not respecting that either - even after a policy
reload and restart.

I now have to entries in the registry on both Windows 7 and Windows 8.1
machines:-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"QuicAllowed"=dword:00000000

"DisableSpdy"=dword:00000001

Have also tested in Windows XP SP3 (x86) just to confirm that the issue is
not isolated to x64 - same issues present.

Let me know what further tests I should carry out - thanks.

[chro...@googlecode.com]

Comment #47 on issue 461739 by developm...@ubtsupport.com: Disable

experimental QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

When checking the policies - none are set.

If I set Chrome to "Show policies with no value set", I can see
the 'QuicAllowed' policy with the status as 'Not Set'.

Have tried the steps at #42 with a physical machine reboot between - no
change in the results.

The interesting thing here is that I just tried setting DisableSpdy = 1 in
the registry and Chrome is not respecting that either - even after a policy
reload and restart.

I now have two entries in the registry on both Windows 7 and Windows 8.1

[chro...@googlecode.com]

Comment #51 on issue 461739 by pelets...@chromium.org: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Rob, can you confirm that before restarting chrome you can see in

chrome://policy entry "Machine Mandatory QuicAllowed false OK"?

About policy fetching issue I would recommend to start with this:
https://support.google.com/chrome/a/answer/187202?hl=en

[chro...@googlecode.com]

Comment #52 on issue 461739 by rob.youn...@gmail.com: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

Hello, thanks for your response.

I checked the policies using chrome://policy/ and it confirms that no
policies have been set.

I have a question regarding the link you sent:
https://support.google.com/chrome/a/answer/187202?hl=en

"An OS-user policy is applied to Chrome when a user signs into their
corporate-managed Windows or Mac computer. These policies are set using GPO
on Windows and Managed Preferences on Mac. OS-user policies take precedence
over cloud policies set for Chrome."

To test, I have been setting the registry setting and not using the GPO -
presumably the registry setting takes the place of the GPO?

In my sepecific use case, I cannot use a GPO as the devices are not domain
connected - hence why I need the direct registry setting to invoke the
policy.

Hope this makes sense? Looking forward to your response.

[chro...@googlecode.com]

Comment #54 on issue 461739 by jkazu...@gmail.com: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

where is this setting in GPO? We can't find it and need to disable quic
since it can't be decrypted.

[chro...@googlecode.com]

Comment #55 on issue 461739 by pelets...@chromium.org: Disable experimental

QUIC protocol via Group Policy
https://code.google.com/p/chromium/issues/detail?id=461739

jkazules@:
I found it in Administrative templates > Google Chrome > Allows QUIC
protocol.
Please be sure that yo use the latest ADM/ADMX templates.