ERR_SSL_VERSION_INTERFERENCE on Chrome 66

[eezers]

I have a website that uses websockets on client & server (WebsocketSharp). I get an error when using chrome, ERR_SSL_VERSION_INTERFERENCE. I have the latest chrome. Turning off TLS 1.3 works but I'd rather fix the problem myself.
An answer on StackExchange from a developer working on Chrome's TLS provided this answer:

"We're experimenting with draft versions of TLS 1.3, the next revision of the TLS protocol. Unfortunately, we're seeing issues with buggy middleware (antivirus, firewalls, proxies, etc.) which break when TLS 1.3 is enabled. ERR_SSL_VERSION_INTERFERENCE means we've detected one of these cases."

But, I don't know what "buggy middleware" means in this context. How can I fix it? What does chrome need to see in order to not throw this error?

[Chris Bentzel]

+David Benjamin +Steven Valdez 

--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/0d1414ca-4d3f-4f65-a0ba-83c70b023d3a%40chromium.org.

[Steven Valdez]

Do you know whether you receive the error from any network connection or only from a specific computer/network? In the latter case (only having issues from specific computers), there is probably something installed on your network (AV/Firewall/Proxy) that's causing problems. Do you know what you have installed on your computer/network?

If this is happening from all Chrome connections, its possible that your server has some bug in it (though we've only seen a couple instances of this).

--

Steven Valdez |

Chrome Networking |

sva...@google.com |

210-692-4742

[David Benjamin]

Are you running this on Mono by any chance? We ran into an issue previously where Mono's legacy TLS provider, in addition to only supporting TLS 1.0 which is 12 years obsolete and insecure, implemented TLS 1.0 wrong in a way which makes it incompatible with TLS 1.3. TLS 1.3 brings a lot of security and performance improvements, so this will affect all browsers over time.

Mono has a newer "btls" TLS provider these days which both supports more modern settings and does not have this bug. I believe you use it with MONO_TLS_PROVIDER=btls if your Mono is new enough.

(We can't tell on the browser side whether the error is coming from a firewall/antivirus/proxy or the server. The vast vast majority of problems are the former, so that's why the text is tailored to that.)

[Eric Sorensen]

I am indeed running it on Mono! Mono Version 4.9.4. I can't believe that didn't cross my mind before. I have it running on a CentOS 6, no antivirus or sophisticated firewall other than iptables. It happens with all Chromes. I will try to update Mono when I get the chance and I'll keep you all posted.

[Eric Sorensen]

Thank you Steven and Benjamin for the help. The problem was indeed with mono. I posted my solution here: https://stackoverflow.com/questions/49962714/err-ssl-version-interference-on-chrome