Google Chrome’s new False Start “Feature”

In the past few weeks, millions of Google Chrome users have started to experience issues accessing isolated web sites. These users are typically accessing sites using HTTPS, and have often successfully accessed these sites in the past, but no longer can. Accessing the same sites using Internet Explorer or Firefox is successful. When attempting to access the site, Chrome will just spin forever attempting to load the page, or will display an Error 101 (net::ERR_CONNECTION_RESET): Unknown error.

So, what is happening?

Google Chrome now has a “feature” called False Start that is designed to speed up secure communications over SSL and TLS. False Start eliminates one of the round-trip messages needed to set up a secure channel between a Web browser and Web server. While this is a nice little improvement to speed up sites that use HTTPS, many web sites do not yet support the ability to handle False Start, and this is why the pages will not load. Chrome has a built-in set of sites that it knows do not support False Start, and Chrome disables False Start when communicating with them. However, Google appears to underestimate the number of sites this issue is affecting. In particular, we are getting reports from lots of people who use private internal web applications that can no longer work with Chrome. Even when a web server (Apache, IIS, Tomcat) is updated, it seems as if many load balancers are still running very old versions of software. If they have not been updated recently, and SSL/TLS negotiation is handled at the load balancer level, you will have issues. A10 Networks only recently updated their code, and it is unclear what version of F5 BIG-IP supports False Start.
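The message ordering described above, as an added example that is not from the original post or from Chrome's code: a toy model (message names only, no cryptography or networking) of a full handshake with and without False Start. The `Server` class, its `tolerant` flag and `fetch` are hypothetical names, and the model assumes an intolerant server resets when application data arrives before it has sent its own Finished.

```python
# Constructed model of handshake flights; not real TLS records.
CLIENT_HELLO = ["ClientHello"]
SERVER_HELLO = ["ServerHello", "Certificate", "ServerHelloDone"]
CLIENT_FINISH = ["ClientKeyExchange", "ChangeCipherSpec", "Finished"]
SERVER_FINISH = ["ChangeCipherSpec", "Finished"]
NEXT_STATE = {"ClientHello": "hello_done", "ClientKeyExchange": "kx_done",
              "ChangeCipherSpec": "ccs_done", "Finished": "finishing"}


class Server:
    """Hypothetical server; `tolerant` says whether it accepts early data."""

    def __init__(self, tolerant):
        self.tolerant = tolerant
        self.state = "start"

    def receive(self, flight):
        """Process one flight of client records and return the reply flight."""
        reply = []
        for record in flight:
            if record == "ApplicationData":
                # "finishing": client Finished read, server Finished not yet sent.
                early_ok = self.state == "finishing" and self.tolerant
                if self.state != "established" and not early_ok:
                    raise ConnectionResetError("data before handshake complete")
                reply.append("Response")
                continue
            self.state = NEXT_STATE[record]
            if record == "ClientHello":
                reply += SERVER_HELLO
            elif record == "Finished":
                reply += SERVER_FINISH
        if self.state == "finishing":
            self.state = "established"  # server Finished is now on the wire
        return reply


def fetch(server, false_start):
    """Return (round trips used, outcome) for one HTTPS request."""
    if false_start:
        # The request rides in the same flight as the client Finished.
        flights = [CLIENT_HELLO, CLIENT_FINISH + ["ApplicationData"]]
    else:
        flights = [CLIENT_HELLO, CLIENT_FINISH, ["ApplicationData"]]
    for trips, flight in enumerate(flights, start=1):
        try:
            reply = server.receive(flight)
        except ConnectionResetError:
            return trips, "ERR_CONNECTION_RESET"
    return trips, "response" if "Response" in reply else "no response"
```
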

What can you do?

If you control the servers, make sure your server and load balancer versions are up to date. Complain to vendors who are not yet supporting False Start. If you are using Chrome to access a web site that you do not control, you can use Chrome command line options to allow Chrome to access offending websites.

The first option is --use-system-ssl. This forces Chrome to use your system's SSL library (Windows-SCHANNEL) rather than Chrome’s built-in NSS.

You must specify --use-system-ssl in the command line, without extra spaces inside. Your shortcut should look like: "C:\…blahblah…\chrome.exe" --use-system-ssl

The second option is --disable-ssl-false-start. This forces Chrome to not use False Start, but still use the internal NSS stack.

You must specify --disable-ssl-false-start in the command line, without extra spaces inside. Your shortcut should look like: "C:\…blahblah…\chrome.exe" --disable-ssl-false-start

Leave me a message if you use Chrome and have been bitten by this “feature”

13 Comments

  1. David Holmes wrote:

    FYI All shipping versions of BIG-IP are False Start compatible using the NATIVE stack.

    Saturday, February 12, 2011 at 12:50 pm | Permalink
  2. B Hatch wrote:

    It was pretty crappy the way Google rolled this out. I guess OpenSSL just happens to let application data through before the SSL handshake was complete because any strict SSL implementation should choke on this protocol change.

    Monday, March 7, 2011 at 3:08 pm | Permalink
  3. Tim Webber wrote:

    Many thanks for the fix and the explanation of why and what the problem was

    Wednesday, March 16, 2011 at 1:12 pm | Permalink
  4. Elizabeth wrote:

    I was bitten by this problem a couple of weeks ago and have been sporadically searching for a solution. I can’t even get the Chrome browser to load its own webpage! I’m not sure where I type the command line.

    Monday, June 27, 2011 at 2:41 pm | Permalink
  5. Dani wrote:

    As I make all my html and css in “notepad” I have been getting this a lot at the moment. GRRR @ Chrome!!

    Thursday, June 30, 2011 at 2:29 am | Permalink
  6. Nazi wrote:

    I made my html project in notepad… and when I open the .html file.. this SSL problem occurs… it totally irritates me.. I really need some help.. tried the above solution.. didn't work… HELP ME!!!! :((

    Monday, July 11, 2011 at 10:40 am | Permalink
  7. Paul Beatty wrote:

    Your parameter suggestion was spot on, as an internal SSL site was not working for me until I tried this parameter — Voila — now works fine

    Sunday, March 4, 2012 at 8:13 pm | Permalink
  8. Vulkanizer wrote:

    I’ve read some good stuff here. Definitely worth bookmarking for revisiting.

    nice info about google chrome didn’t know that

    Wednesday, April 11, 2012 at 6:51 pm | Permalink
  9. Marc wrote:

    Great information in post but I just assume using Firefox instead.

    Saturday, April 21, 2012 at 12:10 pm | Permalink
  10. carpool wrote:

    Personally I don't like Google Chrome. I notice when you're logged in Google spams you with Google Plus stuff. (their new social network) I prefer Firefox.

    Sunday, April 29, 2012 at 6:40 pm | Permalink
  11. jim wrote:

    this helped me a lot, I had few problems with Chrome

    Friday, March 1, 2013 at 8:06 pm | Permalink
  12. Janet Franklin wrote:

    All these posts are over two years old. I just started having this problem the last couple of months. I don’t know what to do except switch back to IE.

    Monday, April 29, 2013 at 7:20 pm | Permalink
  13. Jonas wrote:

    Got the same problem when trying to access http://www.ncbi.nlm.nih.gov/pubmed site. Tried both --use-system-ssl and --disable-ssl-false-start

    Saturday, November 30, 2013 at 4:37 pm | Permalink
