Google Chrome TLS v1.2 issue

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
Brewhaus
Vice Admiral (VADM)
Posts: 878
Joined: Sat Jan 19, 2008 4:30 pm

Google Chrome TLS v1.2 issue

Post by Brewhaus » Wed Apr 29, 2015 8:24 am

I am not sure that this is an AC issue, but when testing most of the websites listed under the featured websites on the main AbleCommerce site we found the same issue arising. It may be a coincidence, but either way hopefully someone can point us in the right direction.

Here is the issue:
Suddenly on Friday we started getting a few reports about the inability to access our https pages. Non-SSL pages were fine - it was specifically when people tried to go to a secure page, such as the login page. We found a common denominator - all of these people were using Chrome. If they tried a different browser (IE, Firefox) they had no problems accessing the secure pages. We tried accessing the secure pages using Chrome on five different computers, from three locations, and none had any problem.

One of these customers found information that it was supposedly caused by a Microsoft update that messed something up with Chrome and TLS 1.2. By forcing Chrome to run at a maximum of TLS 1.1 she was able to access the secure pages. Our server is configured to run TLS 1.2, and when we check the SSL level when accessing the secure pages using IE or Firefox it shows the encryption to be TLS, 256 bit. However, on those computers that we were able to access the secure pages using Chrome, it is connecting using TLS 1.1 (the connection properties show a problem, and say that the connection had to be retried at TLS 1.1). This further confirms a problem with Chrome at TLS 1.2.

I then tried forcing Chrome on one machine to run at a minimum of TLS 1.2. Voila - I could replicate the issue when trying to go to one of our secure pages. Having something to go on, I started trying to access secure pages on many of AC's featured sites, and hit the exact same issue - you can go to non-secure pages, but not secure pages.

With Chrome forcing TLS 1.2 we CAN access secure pages on some other sites (Facebook, competitors' sites that do not use AbleCommerce). The one site that I am pretty sure used AbleCommerce and I was able to access the secure pages is www.ablemods.com. The only thing that I could see different on this site is that it is running 128-bit security while we run 256-bit. I am not sure if this is the root of the problems, or if Joe has a patch installed on Able or his server (Joe - can you weigh in?).

Does anyone have any input? Because it is affecting so many AC sites I am guessing that this is related to AbleCommerce, or is a big coincidence (which I am not dismissing as a very real possibility). However, if it is just a coincidence, then we still need to find the problem and share it on here, as it is affecting a large number of AC websites, so there are obviously a number of people who need to employ some sort of fix to allow Chrome users to access their sites at TLS v1.2.
Rick Morris
Brewhaus (America) Inc.
Hot Sauce Depot


Re: Google Chrome TLS v1.2 issue

Post by Brewhaus » Wed Apr 29, 2015 9:13 am

Incidentally, this even affects www.ablecommerce.com - non-secure pages are fine, but secure pages throw the error.
Rick Morris
Brewhaus (America) Inc.
Hot Sauce Depot


Re: Google Chrome TLS v1.2 issue

Post by Brewhaus » Wed Apr 29, 2015 10:07 am

RESOLVED
Through messing around it appeared that this was an issue where Chrome could not negotiate TLS 1.2 at 256-bit unless the server was forcing it to do so. There were four updates to Chrome on Thursday, and I would bet that one of those was the culprit. Best we can tell, if the certificate is 256-bit and your server runs TLS 1.2, and your server is not trying 256-bit first in the priority list, then Chrome is not able to make the connection at TLS 1.2. Most of the Chrome browsers are then dropping to TLS 1.1 and the user does not experience any issues. However, some Chrome browsers must have been set to disallow dropping below TLS 1.2, and the user gets an error stating that the page does not exist.
Changing the server to attempt a 256-bit connection first seems to resolve the issue. I can only assume that if you are running 128-bit SSL that you will be fine.

So, here is the fix that we employed. It worked, so I suggest giving this a shot:
Some of the AC featured sites that we went to are not even running TLS 1.2. The instructions are the difficult way, in my opinion, of how to enable TLS 1.2, but regardless, without TLS 1.2 enabled on your server the Chrome users with issues will not be able to access your secure pages.
The second part of the instructions shows how to push 256-bit as the priority. For those already running TLS 1.2 on their servers this should be the only thing that you need to do. It is all that we did, and the secure pages are now accessible.
I hope this helps: http://jackstromberg.com/2013/09/enabli ... -strength/

Rick
Rick Morris
Brewhaus (America) Inc.
Hot Sauce Depot

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Google Chrome TLS v1.2 issue

Post by Shopping Cart Admin » Wed Apr 29, 2015 12:01 pm

Hello Rick,

The way Chrome is working, they won't be able to access ANY websites running Windows 2003 server, as TLS 1.2 is NOT available, period.

That's millions AND millions of secure websites.

This is NOT an AbleCommerce issue, this is a Google jumping the gun issue as TLS 1.1 is still an accepted method.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook


Re: Google Chrome TLS v1.2 issue

Post by Brewhaus » Wed Apr 29, 2015 12:21 pm

Yup - I completely agree with you, Mike. Fortunately, it seems that only a small percentage of Chrome browsers have been updated to disallow anything below TLS 1.2 (unless the user specifically forces it in the target of the shortcut).

I hope that I made clear in my posts that it was nothing more than a coincidence that we saw so many AC sites with the block from Chrome, and that it had nothing to do with AC. I only raised it as a possibility when we were first trying to find a resolution and we saw the number of AC sites from the list that had the problem.

It appears, though, that not only are they gradually implementing a disallow for anything under TLS 1.2, but if your server is running TLS 1.2 and 256-bit encryption, but you do not explicitly place the 256-bit ciphers as the top priorities, then those same Chrome users still will not be able to access your website.

In the research that my online marketing / web person did in trying to find a resolution to all of this, she also found that Chrome is supposedly discontinuing support for JAVA. Right now you can choose to still go to sites running JAVA, but as of September there will be no support for it. So, you can likely add millions more websites to the list that Chrome will not be able to access.
Rick Morris
Brewhaus (America) Inc.
Hot Sauce Depot


Re: Google Chrome TLS v1.2 issue

Post by Shopping Cart Admin » Wed Apr 29, 2015 12:29 pm

Hi Rick,

If anyone needs to get their ciphers ordered as best as possible for any given server, I recommend IISCrypto. A couple of clicks and a reboot and you are good to go. Otherwise it's a real pain via the registry as there are a lot of entries.

https://www.nartac.com/Products/IISCrypto/

Single click to secure your site using best practices
Stop FREAK, BEAST and POODLE attacks
Easily disable SSL 2.0 and SSL 3.0
Enable TLS 1.1 and 1.2
Disable other weak protocols and ciphers
Enable forward secrecy
Reorder cipher suites
Templates for compliance with government and industry regulations - FIPS 140-2 and PCI
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook
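
The server-side check behind the fix discussed in this thread, as an added example that is not part of any post and is not AbleCommerce or IIS Crypto code: it reads the Schannel TLS 1.2 server setting and the cipher suite order policy from the registry and reports AES-256 suites ranked below an AES-128 suite, plus weak suites still listed. It assumes PowerShell 3.0 or later and the standard Schannel and cipher-suite-order policy registry locations; the sample list is constructed and is used only when no policy order is set on the machine.

```powershell
# Added example: audit Schannel TLS 1.2 state and cipher suite order (PowerShell 3.0+).
$ProtoKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$OrderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Constructed sample order (128-bit ranked above 256-bit), used only when no policy order is set.
$SampleOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

# One row per suite: rank, AES key size if any, and whether the name matches a weak primitive.
function Get-SuiteOrderReport {
    param([string[]]$Suites)
    $pos = 0
    foreach ($s in $Suites) {
        $pos++
        $bits = if ($s -match 'AES_(128|256)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Position = $pos
            Suite    = $s
            AesBits  = $bits
            Weak     = [bool]($s -match 'RC4|3DES|_DES_|NULL|MD5|EXPORT')
        }
    }
}

# TLS 1.2 server side: a missing key means the OS default applies (varies by Windows version).
$proto = Get-ItemProperty -Path $ProtoKey -ErrorAction SilentlyContinue
$tls12 = if ($null -eq $proto) { 'no registry override (OS default)' } elseif ($proto.Enabled -eq 0 -or $proto.DisabledByDefault -eq 1) { 'disabled' } else { 'enabled' }

# The policy value may be a comma-separated string or a multi-string; normalise both.
$policy = Get-ItemProperty -Path $OrderKey -Name Functions -ErrorAction SilentlyContinue
$suites = if ($policy) { (@($policy.Functions) -join ',') -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } } else { $SampleOrder }

$report   = @(Get-SuiteOrderReport -Suites $suites)
$first128 = ($report | Where-Object { $_.AesBits -eq 128 } | Select-Object -First 1).Position
$demoted  = @($report | Where-Object { $_.AesBits -eq 256 -and $first128 -and $_.Position -gt $first128 })

"TLS 1.2 (server): $tls12"
$report | Format-Table -AutoSize | Out-String
"AES-256 suites ranked below an AES-128 suite: $($demoted.Count)"
"Weak suites still listed: $(@($report | Where-Object { $_.Weak }).Count)"
```

The script only reads the registry; Schannel changes made by hand or with a tool take effect after a reboot, so run it again afterwards to confirm the new order.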
