Forum Discussion

Krishna_388466's avatar
Krishna_388466
Icon for Altostratus rankAltostratus
Apr 14, 2019

After Weak cipher remediation , URL not working in chrome while IE load is fine.

Chrome not able to load URL using only TLS 1.2 with SHA256 AES256.Website works fine in IE.

 

Are there any setting changes needed to resolve the issue?

 

  • Can you please share the error message which you are seeing Google chrome? I am suspecting that chrome has removed RC4 cipher in chrome v48..

     

  • RC4 is disabled by chrome.

    Run below in chrome browser

    chrome://flags/ssl-version-max

    Then change the maximum TLS version enabled from default to TLS 1.3

    And select tls1.3 will work. Try n confirm.

  • Thanks. When I tried the above option in chrome://flags/ssl-version-max,I dont see any settings related to tls1.3 or ssl..

     

  • Hi Krishna,

     

    please post your Client SSL Profile cipher string. Maybe we can optimize it further...

     

    Cheers, Kai

     

  • Hi,

     

    You can take a packet capture of the ssl handshake (with ssldump) to see exactly which ciphers are being negotiated and selected.

     

    https://support.f5.com/csp/article/K10209

     

    Then check if you find a reference in chrome support/forum that talking about your problem.

     

    SO first capture traffic then check with ssldump which ciphers/protocol are negotiated it will be helpfull for your to find a solution...

     

    Regards

     

  • Hi Krishna,

    just tested the cipher support of Chrome. Chrome does not support the cihper called AES256-SHA256 (ID 61). It does only support AES256-SHA (ID 53) or AES256-GCM-SHA384 (ID 157) if you require a (non-DH) RSA based AES256.

    Qualys SSL Labs: SSL/TLS Capabilities of Your Browser

    https://www.ssllabs.com/ssltest/viewMyClient.html

    To workaround this limitation, I would recommend to change your cipher string to include

    AES256-GCM-SHA384
    as well as
    AES256-SHA256
    . The GCM is considered more secure than CBC, so you will more or less increase the security of those browser who support this chiper spec.

    [root@f501:Active:Standalone] /  tmm --clientcipher 'AES256-GCM-SHA384:AES256-SHA256:-SSLv3:-DTLSv1:-TLSv1:-TLSv1_1'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
     1:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA 
     [root@f501:Active:Standalone] / 
    

    Cheers, Kai