
[UPDATE: There is a workaround]

This morning, following the release of Chrome 6, I decided to upgrade to the latest version.

But as soon as I tried going to Gmail I got the following error:

SSL connection error. Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

Error 128 (net::ERR_SSL_UNSAFE_NEGOTIATION): The SSL renegotiation extension was missing from the secure handshake. For some sites, which are known to support the renegotiation extension, Chrome requires a more secure handshake to prevent a class of known attacks. The omission of this extension suggests that your connection was intercepted and manipulated in transit.

This happens because “starting with 6.0.453.1 Chrome began requiring the TLS renegotiation extension from a small number of sites (Gmail included). This extension is required to prevent TLS renegotiation attacks”. This means that if you use Gmail (or any other Google application, like Docs, Reader and so on) over HTTPS and you are behind a proxy that alters the data in transit in some way (like MITM proxies), you will no longer be able to access Gmail.

This problem has been reported on the Google Chrome forums and also in the Chromium issue tracker, but it has been marked as invalid because they are now trying to increase security by implementing the renegotiation extension.

While this is a good thing, most companies are not always up to date with the latest technologies, and since this extension has been a standard for “just” 6 months, Google cannot expect everyone to have implemented it already.

What should you do if you have already installed it and you get the SSL connection error?

[UPDATE] After having commented on the Chromium bug, Adam Langley answered that if you manually specify a proxy, the check is disabled automatically. And if you have a transparent proxy (so no proxy configured in the options) you can disable the check using the command-line option: --allow-ssl-mitm-proxies.

Thank you Adam for also commenting here with the complete explanation of the problem.

The only thing you can do is revert Google Chrome back to version 5. Unfortunately this requires you to uninstall Chrome and reinstall the old version using the offline installer that you can download from Google's site at the following address: http://dl.google.com/chrome/install/375.55/chrome_installer.exe

Unfortunately, uninstalling Chrome means you lose all your stored passwords and some other things, because a Chrome 6 profile cannot be read by Chrome 5. So if you are unsure, make a backup of your profile folder before trying to update to Chrome 6.

I hope that Chrome allows users to “ignore” some errors, like they do when the certificate is not valid, and that in the meantime all MITM proxies get updated to support the renegotiation extension (and all IT guys install the updated version).

posted on Friday, September 3, 2010 12:26 PM

Comments on this entry:

# re: Chrome 6 might break your Gmail (when behind proxies in corporate environments)

Left by Adam Langley at 9/3/2010 4:15 PM

For Chrome 6 stable, renegotiation checks are disabled if you have a proxy configured. We are working with several SSL MITM proxy vendors in the mean time to address this. One of the most common, Blue Coat, have (or will very soon) release an update to their products which includes the needed security fix. Applying this is by far the best solution.

If your proxy is rewriting the TCP streams themselves then there is no way to distinguish this from an attack. In this case, adding --allow-ssl-mitm-proxies to the command line will disable this check and all other additional security measures that we have roadmapped in this area.

# re: Chrome 6 might break your Gmail (when behind proxies in corporate environments)

Left by admin at 9/3/2010 4:26 PM

@Adam: thank you for the explanation and the workaround.
I updated the post accordingly

# re: Chrome 6 might break your Gmail (when behind proxies in corporate environments)

Left by LorenzoC at 9/4/2010 11:58 AM

Linked this post on my blog.

# re: Chrome 6 might break your Gmail (when behind proxies in corporate environments)

Left by Tim at 9/11/2010 5:26 PM

Please forgive my ignorance, but how do you add "--allow-ssl-mitm-proxies" to the command line? I'm having this problem with Gmail and am trying to get it fixed, but I don't understand the solution you've posted.

Thanks for the help.

# re: Chrome 6 might break your Gmail (when behind proxies in corporate environments)

Left by Tim at 9/11/2010 5:36 PM

Never mind. Figured it out. Thanks for providing the solution.

# re: Chrome 6 might break your Gmail (when behind proxies in corporate environments)

Left by Matt at 9/13/2010 8:57 PM

--allow-ssl-mitm-proxies doesn't seem to work on my machine.
However --use-system-ssl works!!

Source: www.chromeboard.com/showpost.php

# re: Chrome 6 might break your Gmail (when behind proxies in corporate environments)

Left by Michael Nash at 9/14/2010 6:00 PM

How do you add "--allow-ssl-mitm-proxies" to the command line on a Macintosh under Snow Leopard? I know how to do it on a Windows system.

Thanks.

Comments have been closed on this topic.