TLS 1.3

In Chrome 65, TLS 1.3 will be enabled for outgoing connections. (A small percentage may be held back to provide comparison metrics.)

This does not require any updates to servers. TLS includes a version negotiation mechanism, and a TLS 1.3 ClientHello is also a valid TLS 1.2 ClientHello: it carries the TLS 1.2 version number in its legacy version field and offers TLS 1.3 only in an extension that older servers ignore. Thus a TLS 1.2 (or below) server will successfully negotiate TLS 1.2 (or below, respectively) with Chrome 65.

TLS 1.3 also does not require any changes to correctly operating TLS proxies (a.k.a. "MITM" proxies). These proxies terminate the client's connection with a locally trusted certificate and make a new connection to the original destination, proxying data between the two. A proxy that does not itself support TLS 1.3 will negotiate TLS 1.2 with Chrome 65, just as a server would, and will make its own TLS 1.2 connection to the outside world. The only exception we are aware of is a flaw in Cisco's Firepower devices; see below.

The only Google service with TLS 1.3 enabled at this time is Gmail, so Chrome 65 should successfully negotiate TLS 1.3 when connecting to Gmail. However, bugs in software (such as anti-virus software) or hardware middleboxes sitting between Chrome 65 and a TLS 1.3-enabled service like Gmail may cause problems. We have worked hard to tweak TLS 1.3 in ways that work around the middlebox bugs we are aware of, but there may be ones we don't know about.

Thus, if you see the following situation, you may have buggy software or hardware that we are not aware of, and we would be very interested in the details:
  1. Chrome 64 works without issues.
  2. Chrome 65 works for all sites except Gmail.
  3. Gmail fails to load with ERR_SSL_VERSION_INTERFERENCE.
In this situation, consider the following:
  1. Do you have local "anti-virus" software running that may be attempting to manipulate TLS connections (often called "HTTPS scanning")? If so, check whether disabling that scanning solves the problem and, if it does, please report the vendor and version number of the software to us.
  2. Do you have a "deep packet inspection" (DPI) firewall that might be disrupting connections that don't look like older TLS versions? Does the problem go away when you are not behind that firewall? If so, please report the make, model, and firmware version.
  3. Similarly, if you have a TLS proxy, consider whether it might be the source of the issue. If so, please tell us the vendor, product name, and firmware version.
Please report problems on the administrator's forum.
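The following is an added example, not Chromium code, covering two points above: why a TLS 1.3 ClientHello still negotiates TLS 1.2 with an older server, and how a failure that disappears once TLS 1.3 is no longer offered gets attributed to version interference. It builds a minimal ClientHello with the real wire layout (legacy version 0x0303, the supported_versions extension from RFC 8446), applies the TLS 1.2 and TLS 1.3 server-side selection rules to it, and runs a simplified model of the interference probe (a handshake that offered TLS 1.3 and failed is retried with TLS 1.2 as the maximum; success on the retry is reported rather than silently used). The "DPI firewall" that resets any ClientHello carrying an extension it does not recognise is a constructed stand-in for the buggy middleboxes described above, not a description of any particular product.

```python
"""Model of TLS version negotiation and of a version-interference probe.
Added example, not Chromium code. The ClientHello layout follows RFC 8446
section 4.1.2; the servers and the middlebox are constructed models."""
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43          # extension type, RFC 8446 section 4.2.1

def build_client_hello(offer_tls13):
    """Minimal ClientHello body (no record or handshake header).
    legacy_version is always 0x0303: a TLS 1.2 server looks only at this field,
    so the message is a valid TLS 1.2 ClientHello whether or not 1.3 is offered."""
    hello = struct.pack(">H", TLS12)                  # legacy_version
    hello += bytes(32)                                # random (constructed: all zero)
    hello += b"\x00"                                  # legacy_session_id: empty
    suites = b"\x13\x01" + b"\xc0\x2f"                # TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    hello += struct.pack(">H", len(suites)) + suites
    hello += b"\x01\x00"                              # compression_methods: null only
    exts = b""
    if offer_tls13:
        versions = struct.pack(">HH", TLS13, TLS12)   # client preference order
        data = bytes([len(versions)]) + versions
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    hello += struct.pack(">H", len(exts)) + exts
    return hello

def parse_client_hello(hello):
    """Return (legacy_version, {ext_type: ext_data}) with length checks."""
    (legacy_version,) = struct.unpack_from(">H", hello, 0)
    pos = 2 + 32
    sid_len = hello[pos]; pos += 1 + sid_len
    (cs_len,) = struct.unpack_from(">H", hello, pos); pos += 2 + cs_len
    cm_len = hello[pos]; pos += 1 + cm_len
    (ext_len,) = struct.unpack_from(">H", hello, pos); pos += 2
    end = pos + ext_len
    if end != len(hello):
        raise ValueError("extensions length does not match message")
    exts = {}
    while pos < end:
        etype, elen = struct.unpack_from(">HH", hello, pos); pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns message")
        exts[etype] = hello[pos:pos + elen]; pos += elen
    return legacy_version, exts

def server_select_version(hello, server_max):
    """TLS 1.2 server (RFC 5246): highest supported version <= legacy_version.
    TLS 1.3 server (RFC 8446): first mutually supported entry of
    supported_versions, ignoring legacy_version when the extension is present."""
    legacy_version, exts = parse_client_hello(hello)
    sv = exts.get(EXT_SUPPORTED_VERSIONS)
    if server_max >= TLS13 and sv is not None:
        offered = [struct.unpack_from(">H", sv, 1 + 2 * i)[0] for i in range(sv[0] // 2)]
        for v in offered:
            if v <= server_max:
                return v
        raise ValueError("no mutually supported version")
    return min(legacy_version, server_max)

def dpi_firewall(server_max):
    """Constructed middlebox model: resets any ClientHello carrying an extension
    it does not recognise, otherwise forwards to a server of the given version."""
    def connect(hello):
        _, exts = parse_client_hello(hello)
        if EXT_SUPPORTED_VERSIONS in exts:
            raise ConnectionResetError("middlebox dropped unfamiliar ClientHello")
        return server_select_version(hello, server_max)
    return connect

def probe(connect):
    """Simplified interference probe: offer TLS 1.3; if the handshake fails,
    retry without it. Returns the negotiated version, or the string
    'ERR_SSL_VERSION_INTERFERENCE' when only the retry succeeds."""
    try:
        return connect(build_client_hello(offer_tls13=True))
    except (ConnectionResetError, ValueError) as first_error:
        try:
            connect(build_client_hello(offer_tls13=False))
        except (ConnectionResetError, ValueError):
            raise first_error            # fails either way: not a TLS 1.3 problem
        return "ERR_SSL_VERSION_INTERFERENCE"

if __name__ == "__main__":
    def tls12_server(h): return server_select_version(h, TLS12)
    def tls13_server(h): return server_select_version(h, TLS13)
    print(hex(probe(tls12_server)))      # a TLS 1.2-only server still negotiates 1.2
    print(hex(probe(tls13_server)))      # a TLS 1.3 server picks 1.3
    print(probe(dpi_firewall(TLS13)))    # the middlebox is blamed, not the server
```

The TLS 1.2-only server never looks past the legacy version field, which is why it keeps working; the middlebox case is the one that surfaces as ERR_SSL_VERSION_INTERFERENCE, because the same destination works as soon as TLS 1.3 is not offered.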

Cisco "Firepower" Devices

When operating in "Decrypt - Resign" mode (SSL decryption enabled), issues with these devices cause TLS 1.3 connections to break. Cisco has published a workaround for this here. (The link requires a Cisco customer login.)