This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Alert (Level: Fatal, Description: Inappropriate Fallback) just for https://www.google.it


Hi all, in our offices some users started some weeks ago to complain that the https://www.google.it home page is unreachable, just under the following conditions:

  • Connection: WiFi Guest
  • Device: Smartphone/Tablet Android
  • Note: Specific browser
  • Url: Just Google is KO
  • Protocol : TLS V1.1

We manage a proxy chain to let users reach the internet. Capturing traffic, we notice that the HQ proxy replies to the branch proxy with the message in the subject.

In the meantime, while we do other tests, is there something well known about this issue? What is this message found in the capture telling us?

The browsing user experience is a message informing that the connection has been reset.

Thanks a lot

asked 23 Aug '16, 15:01


ValerioItaly

Update: We have discovered that the main browser that has this problem (with https://www.google.it) in our case is Google Chrome, and the problem appears only when the client SSL connection is TLS 1.1, with the TLS_FALLBACK_SCSV cipher suite option in the Client Hello request.

No problem with Firefox (it uses TLS 1.2) or IE (TLS 1.2).

If the same Chrome decides (I don't know on which basis) to use TLS 1.2 for https://www.google.it, the home page is reached. This happens, for example, using an older version of Chrome (e.g. version 48).

So, as far as now, we have the cause of the problem. Now we need to find the cure. :)

(24 Aug '16, 07:54) ValerioItaly

This definitely sounds like the new X25519 curve, which is the one Google servers and services are now choosing for TLS as the most preferred. And since the current Chrome 52 browser supports X25519, it will try to connect with it to Google's servers.

Browsing the internet, it seems that the proxy should either support elliptic curve 0x001d or remove the elliptic curves it doesn't understand from the client's Client Hello.

Taking a capture on the notebook side on the SAME WiFi Guest architecture (transparent mode), on a different PC but with the same version 52, it seems that when Chrome decides to speak TLS 1.1 it has an Elliptic Curves extension entry shown as UNKNOWN.

Moreover, if the notebooks that have the issue with Chrome 52 from WiFi Guest launch the browser with several "elliptic curve" cipher suites disabled, it works.

This is the option we have used to start Chrome:
--cipher-suite-blacklist=0xc02f,0xc02b,0xcc14,0xcc13,0xc009,0xc013,0xc00a,0xc014

So this is a confirmation that the problem is this.

Now we are looking for the cure.

(26 Aug '16, 05:42) ValerioItaly
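As an added example (not from the original thread and not Wireshark code), the following Python script decodes the ClientHello fields this thread turns on: the client_version, the presence of the TLS_FALLBACK_SCSV pseudo cipher suite (0x5600) and the supported_groups/elliptic_curves extension (type 0x000a), and then applies the RFC 7507 rule that makes a TLS 1.2-capable server answer a TLS 1.1 + SCSV hello with the inappropriate_fallback alert (description 86). The ClientHello bytes are constructed in the script, not taken from a capture, and the set of curves the intermediate proxy understands is an assumed placeholder; a proxy that does not recognise x25519 (0x001d) is exactly the condition the thread describes.

```python
"""Decode a TLS ClientHello and apply the RFC 7507 TLS_FALLBACK_SCSV check.

Sample hello is constructed here (not a real capture) to show why a
TLS 1.1 hello carrying TLS_FALLBACK_SCSV earns an inappropriate_fallback alert
from a server that supports TLS 1.2.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
INAPPROPRIATE_FALLBACK = 86         # alert description (RFC 7507, section 2)
ELLIPTIC_CURVES_EXT = 0x000A        # supported_groups / elliptic_curves extension
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1",
               0x0019: "secp521r1", 0x001D: "x25519"}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(version, cipher_suites, groups):
    """Build a minimal but well-formed ClientHello record (constructed sample)."""
    body = struct.pack("!H", version) + b"\x00" * 32        # client_version + random
    body += b"\x00"                                          # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                      # compression: null only
    groups_data = struct.pack("!H", 2 * len(groups))
    groups_data += b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", ELLIPTIC_CURVES_EXT, len(groups_data)) + groups_data
    body += struct.pack("!H", len(ext)) + ext                # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return client_version, cipher suite list and offered curve list."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                                 # skip version + random
    pos += 1 + body[pos]                                     # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                     # compression methods
    groups = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == ELLIPTIC_CURVES_EXT:
                glen = struct.unpack("!H", body[pos:pos + 2])[0]
                groups = [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0]
                          for i in range(0, glen, 2)]
            pos += elen
    return {"version": version, "cipher_suites": suites, "groups": groups}


def server_fallback_check(hello, server_max_version=0x0303):
    """RFC 7507 section 3: SCSV present and client_version below the server's
    highest supported version -> abort with inappropriate_fallback (86)."""
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and hello["version"] < server_max_version:
        return INAPPROPRIATE_FALLBACK
    return None


def unknown_groups(hello, proxy_supported):
    """Curves the intermediate proxy does not understand; Wireshark shows
    such entries as 'Unknown'. proxy_supported is an assumed placeholder set."""
    return [g for g in hello["groups"] if g not in proxy_supported]


def describe(hello):
    """Human-readable summary of the decoded hello."""
    groups = ", ".join(GROUP_NAMES.get(g, "Unknown (0x%04x)" % g) for g in hello["groups"])
    return "%s, SCSV=%s, curves=[%s]" % (
        VERSION_NAMES.get(hello["version"], hex(hello["version"])),
        TLS_FALLBACK_SCSV in hello["cipher_suites"], groups)


if __name__ == "__main__":
    # Chrome's retry after a failed TLS 1.2 attempt: TLS 1.1 plus the SCSV.
    retry = parse_client_hello(build_client_hello(0x0302, [0xC02F, TLS_FALLBACK_SCSV], [0x001D, 0x0017]))
    print(describe(retry))
    print("server alert:", server_fallback_check(retry))          # 86
    print("curves unknown to proxy:", unknown_groups(retry, {0x0017, 0x0018}))  # [0x001d]
```

The decoder stops at the first ClientHello record and ignores everything after the elliptic_curves extension, which is all that is needed to reproduce the Wireshark view in the thread; the check in server_fallback_check is the one a compliant TLS 1.2 server such as Google's performs before sending the fatal alert the question is about.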

One Answer:


Issue solved using DHCP WPAD in the WCCP architecture. This forces the clients to use TLS 1.2.

answered 19 Sep '16, 06:01


ValerioItaly