0

I am trying to build a light web server on an embedded device, and trying to add HTTPS to it by introducing mbedTLS.

I can use Firefox or IE to make connections without any problem. However, when using Chrome/Chromium/Opera, the browser creates many TCP connections at first and tries to do an SSL handshake. Most of the connections don't send any ApplicationData after the SSL handshake; the browser sends FIN right after ChangeCipherSpec and Finish. Only a few connections send ApplicationData after the SSL handshake. This causes many items on a page not to load; the server doesn't receive a GET request for some items.

Cipher suite: RSA_WITH_AES128_GCM_SHA256
Certificate: Self-signed certificate with RSA1024/2048 key
keep-alive is not enabled

Why are so many connections created but not used by Chrome? Any idea how to fix it?

Thanks


For StackzOfZtuff

Here is the screenshot of the Chrome dev tools. It shows a certificate error, which is because the certificate is self-signed. [Screenshot: Chrome dev tool]


For Tom

SSLLabs result. The main issues are:
(A) RSA key length 1024 is weak
(B) Self-signed certificate issue
(C) Forward secrecy not supported

[Screenshots: SSLLabs Result: Certificate; SSLLabs Result: Configuration; SSLLabs Result: Protocol detail 1; SSLLabs Result: Protocol detail 2]


For Baptiste

I tried to disable "QUIC protocol", but I still got the issue of Chrome sending FIN after the SSL handshake.


2 Answers

1

Thanks to StackzOfZtuff's help, I finally found the problem.

While connecting to a server with a self-signed certificate, Chrome shows "Your connection is private", and we can keep going by clicking "Advanced" and "Proceed to XXX". However, even though the website is loaded, Chrome creates many SSL connections and disconnects some of them after the handshake finishes.

Analyzing the Chrome events with "chrome://net-export" and "chrome://net-internal" shows that the socket is closed after the SSL handshake and an error "ERR_CERT_AUTHORITY_INVALID" is shown.

I first tried disabling Chrome's SAN (Subject Alternative Name) check (because my mbedTLS doesn't support creating a certificate with SAN now) and importing the certificate manually into Chrome. After that, Chrome can connect to my httpd without a certificate warning message and no longer drops the connection.

0

"Subject Alternative Name missing"

Chrome requires SAN and no longer supports CommonName.

See: ChromeStatus, Support for commonName matching in Certificates (removed)

Add a SAN name to your cert to fix this.

StackzOfZtuff
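The SAN requirement from the answer above, as an added example (not code from the question or the answers): Go's standard `crypto/x509` matches host names against subjectAltName only and ignores CommonName (Go 1.15 and later), the same rule the answer describes for Chrome, so a CN-only self-signed certificate is rejected and the same certificate with a SAN entry is accepted. The host names `device.example.test` and `192.168.1.10` and the function `checkName` are illustrative assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// checkName (hypothetical helper) issues a self-signed RSA-2048 certificate with
// CN=host, optionally adds host to subjectAltName, and reports whether it matches host.
func checkName(host string, withSAN bool) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		if ip := net.ParseIP(host); ip != nil {
			tmpl.IPAddresses = []net.IP{ip} // iPAddress entry for devices reached by IP
		} else {
			tmpl.DNSNames = []string{host} // dNSName entry for devices reached by name
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host) // SAN-only matching; the CN is not consulted
}

func main() {
	for _, host := range []string{"device.example.test", "192.168.1.10"} {
		fmt.Printf("%s: CN only -> %v; with SAN -> %v\n", host, checkName(host, false), checkName(host, true))
	}
}
```

A device reached by IP address needs an iPAddress SAN entry; a dNSName entry containing the address text does not match.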