
TLS 1.3

With Chrome 63, TLS 1.3 will be enabled for outgoing connections. (A small percentage may be held back to provide comparison metrics.)

This does not require any updates to servers. The TLS protocol contains a version negotiation system and the initial TLS 1.3 message is completely valid as TLS 1.2 also. Thus a TLS 1.2 (or below) server will successfully negotiate TLS 1.2 (or below, respectively) with Chrome 63.

TLS 1.3 also does not require any changes to correctly operating TLS proxies (a.k.a. "MITM" proxies). These proxies terminate the client's connection with a locally-trusted certificate and make a new connection to the original destination, proxying data between the two. With Chrome 63, the proxy will negotiate TLS 1.2 to the client, just as a server would, and will make a TLS 1.2 connection to the outside world.
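To make the version-negotiation claim in the two paragraphs above concrete (a TLS 1.3 ClientHello is a valid TLS 1.2 ClientHello, so a TLS 1.2 server, or a TLS proxy acting as one, simply negotiates TLS 1.2), here is an added example that is not Chromium's or BoringSSL's code. It builds a minimal ClientHello with the wire layout from RFC 8446 section 4.1.2, parses it, and then applies the selection rule a pre-1.3 server uses (legacy_version) versus the rule a 1.3 server uses (the supported_versions extension). The cipher-suite list, session id and random are constructed sample values, not captured traffic, and `server_select_version` is a simplified model of the server side rather than any real implementation.

```python
"""Why a TLS 1.3 ClientHello is also a valid TLS 1.2 ClientHello (added example)."""
import os
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 section 4.2.1


def build_client_hello(offered_versions, cipher_suites=(0x1301, 0xC02B)):
    """Return one TLS record carrying a ClientHello that offers `offered_versions`.

    Constructed sample values: TLS_AES_128_GCM_SHA256 and an ECDHE suite,
    an empty legacy_session_id, and a fresh 32-byte random.
    """
    random = os.urandom(32)
    session_id = b""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    # supported_versions, client form: 1-byte list length then 2-byte versions.
    versions = b"".join(struct.pack("!H", v) for v in offered_versions)
    sv_ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(versions) + 1, len(versions)) + versions
    extensions = sv_ext
    body = (
        struct.pack("!H", TLS12)                        # legacy_version is always 0x0303
        + random
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                    # legacy_compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: msg_type client_hello (1) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (22), legacy_record_version 0x0301, 2-byte length.
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record into legacy_version, cipher suites and supported_versions."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # skip random
    sid_len = body[pos]
    pos += 1 + sid_len                          # skip legacy_session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    pos += 1 + comp_len                         # skip legacy_compression_methods
    supported = None                            # absent on a pre-1.3 ClientHello
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version, "cipher_suites": suites, "supported_versions": supported}


def server_select_version(record, server_max):
    """Model the version a server whose highest version is `server_max` would pick.

    A TLS 1.2-or-below server ignores the unknown supported_versions extension and
    negotiates from legacy_version (RFC 5246 appendix E.1); a TLS 1.3 server uses
    supported_versions and ignores legacy_version (RFC 8446 section 4.2.1).
    """
    hello = parse_client_hello(record)
    if server_max < TLS13 or hello["supported_versions"] is None:
        return min(hello["legacy_version"], server_max)
    for v in sorted(hello["supported_versions"], reverse=True):
        if v <= server_max:
            return v
    raise ValueError("no mutually supported version")  # a real server sends a protocol_version alert


if __name__ == "__main__":
    hello = build_client_hello([TLS13, TLS12])
    print(parse_client_hello(hello))
    for name, cap in (("TLS 1.3 server", TLS13), ("TLS 1.2 server or TLS proxy", TLS12)):
        print(f"{name}: negotiates 0x{server_select_version(hello, cap):04x}")
```

The same ClientHello negotiates TLS 1.3 against a server that understands the extension and TLS 1.2 against one that does not; that is why neither servers nor correctly operating TLS proxies need any change. A middlebox that instead rejects or rewrites a ClientHello it does not recognise is the failure mode the rest of this page asks administrators to report.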

Update: we are aware of flaws in Cisco's "Firepower" devices that can cause them to fail to process TLS 1.3 connections correctly in some configurations. We are talking with Cisco about this. If you are affected by this, please report it on the administrator's forum, as suggested below. The SSLVersionMax policy can be used to disable TLS 1.3 temporarily to work around these issues.

The only Google service with TLS 1.3 enabled at this time is Gmail, thus Chrome 63 should successfully negotiate TLS 1.3 when connecting to Gmail. However, there is a possibility that bugs in software (such as anti-virus software) or hardware middleboxes that sit between Chrome 63 and a TLS 1.3-enabled service like Gmail will cause problems. We have worked hard to tweak TLS 1.3 in ways that work around the middleware bugs that we're aware of, but there might be things that we don't know about.

Thus, if you see the following situation, you might have some buggy software or hardware that we're not aware of and we would be very interested in the details:
  1. Chrome 62 works without issues.
  2. Chrome 63 works for all sites except Gmail.
  3. Gmail fails to load with ERR_SSL_VERSION_INTERFERENCE.
In this situation, consider the following:
  1. Do you have local "anti-virus" software running that may be attempting to manipulate TLS connections (often called "HTTPS scanning")? If so, please see whether disabling that scanning solves the problem and, if so, please report to us the vendor and version number of the software.
  2. Do you have a "deep packet inspection" (DPI) firewall that might be attempting to disrupt connections that don't match the appearance of older TLS versions? Does the problem go away when not behind that firewall? If so, please report to us the make, model, and firmware version.
  3. Similarly to the case of a DPI firewall, if you have a TLS proxy consider whether it might be the source of the issue. If so, please tell us the vendor, product name, and firmware version.
Please report problems on the administrator's forum.