Google Chrome’s new False Start “Feature”

In the past few weeks, millions of Google Chrome users have started to experience issues accessing isolated web sites. These users are typically accessing sites using HTTPS, and have often successfully accessed these sites in the past, but no longer can. Accessing the same sites using Internet Explorer or Firefox is successful. When attempting to access the site, Chrome will just spin forever attempting to load the page, or will display an Error 101 (net::ERR_CONNECTION_RESET): Unknown error.

So, what is happening?

Google Chrome now has a “feature” called False Start that is designed to speed up secure communications over SSL and TLS. False Start eliminates one of the round-trip messages needed to set up a secure channel between a Web browser and Web server. While this is a nice little improvement to speed up sites that use HTTPS, many web sites cannot yet handle False Start, and this is why the pages will not load. Chrome has a built-in set of sites that it knows do not support False Start, and Chrome disables False Start when communicating with them. However, Google appears to have underestimated the number of sites this issue affects. In particular, we are getting reports from lots of people who use private internal web applications that can no longer work with Chrome. Even when a web server (Apache, IIS, Tomcat) is updated, it seems as if many load balancers are still running very old versions of software. If they have not been updated recently, and SSL/TLS negotiation is handled at the load balancer level, you will have issues. A10 Networks only recently updated their code, and it is unclear what version of F5 BigIP supports False Start.

What can you do?

If you control the servers, make sure your server and load balancer versions are up to date. Complain to vendors who are not yet supporting False Start. If you are using Chrome to access a web site that you do not control, you can use Chrome command line options to allow Chrome to access the offending websites.

The first option is --use-system-ssl. This forces Chrome to use your system's SSL library (Windows-SCHANNEL) rather than Chrome’s built-in NSS.

You must specify --use-system-ssl in the command line, without extra spaces inside. Your shortcut should look like: "C:\…blahblah…\chrome.exe" --use-system-ssl

The second option is --disable-ssl-false-start. This forces Chrome to not use False Start, but still use the internal NSS stack.

You must specify --disable-ssl-false-start in the command line, without extra spaces inside. Your shortcut should look like: "C:\…blahblah…\chrome.exe" --disable-ssl-false-start
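
The behaviour described above, modelled as a toy handshake trace (an added example, not code from Chrome or from the original post). The "intolerant" server rule, a reset when application data arrives before the server has sent its own Finished, is a simplifying assumption, and the host name is constructed.

```python
# Simplified model of a TLS 1.0-1.2 full handshake, with and without False Start.
# Added illustration only: no real TLS, no network I/O. Host names are constructed.
HELLOS = [("C", "ClientHello"), ("S", "ServerHello"), ("S", "Certificate"),
          ("S", "ServerHelloDone")]
CLIENT_FINISH = [("C", "ClientKeyExchange"), ("C", "ChangeCipherSpec"), ("C", "Finished")]
SERVER_FINISH = [("S", "ChangeCipherSpec"), ("S", "Finished")]
DATA = [("C", "ApplicationData")]

def handshake_trace(false_start):
    """Return the ordered (sender, message) list as seen on the wire."""
    if false_start:
        # The client sends its request right behind its own Finished.
        return HELLOS + CLIENT_FINISH + DATA + SERVER_FINISH
    return HELLOS + CLIENT_FINISH + SERVER_FINISH + DATA

def round_trips_before_data(trace):
    """Count how many server flights the client waited for before sending data."""
    waits, prev = 0, "C"
    for sender, msg in trace:
        if msg == "ApplicationData":
            return waits
        if sender == "S" and prev == "C":
            waits += 1
        prev = sender
    return waits

def server_result(trace, tolerant):
    """Assumed intolerant behaviour: reset if data arrives before own Finished."""
    server_finished = False
    for sender, msg in trace:
        if (sender, msg) == ("S", "Finished"):
            server_finished = True
        elif msg == "ApplicationData" and not server_finished and not tolerant:
            return "ERR_CONNECTION_RESET"
    return "OK"

def connect(host, server_tolerant, known_intolerant=(), disable_false_start=False):
    """Model the two escape hatches: the built-in site list and the command-line flag."""
    use_fs = not disable_false_start and host not in known_intolerant
    trace = handshake_trace(use_fs)
    return server_result(trace, server_tolerant), round_trips_before_data(trace)

if __name__ == "__main__":
    host = "intranet.example"  # constructed host behind an old load balancer
    print(connect(host, server_tolerant=False))                            # reset
    print(connect(host, server_tolerant=False, disable_false_start=True))  # loads
```

In this model the flag and the built-in site list have the same effect: the connection succeeds, at the cost of the extra round trip that False Start was meant to save.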

Leave me a message if you use Chrome and have been bitten by this “feature”.

15 thoughts on “Google Chrome’s new False Start “Feature””

  3. B Hatch

    It was pretty crappy the way Google rolled this out. I guess OpenSSL just happens to let application data through before the SSL handshake was complete because any strict SSL implementation should choke on this protocol change.

  4. Elizabeth

    I was bitten by this problem a couple of weeks ago and have been sporadically searching for a solution. I can’t even get the Chrome browser to load its own webpage! I’m not sure where I type the command line.

  5. Dani

    As I make all my html and css in “notepad” I have been getting this a lot at the moment. GRRR @ Chrome!!

  6. Nazi

    I made my HTML project in Notepad… and when I open the .html file.. this SSL problem occurs… it totally irritates me.. I really need some help.. tried the above solution.. didn't work… HELP ME!!!! :((

  7. Paul Beatty

    Your parameter suggestion was spot on, as an internal SSL site was not working for me until I tried this parameter — Voila — now works fine

  8. carpool

    Personally I don't like Google Chrome. I notice when you're logged in Google spams you with Google Plus stuff. (their new social network) I prefer Firefox.

  9. Janet Franklin

    All these posts are over two years old. I just started having this problem the last couple of months. I don’t know what to do except switch back to IE.
