Today I noticed by experiment that Google Chrome (69.0.3497.100) and Firefox (62.0.3) both were willing to connect to a server which only supported TLS 1.0, even though the corresponding support was removed in the browser settings.

In Wireshark I could see the client asking for TLS 1.2 and the server responding that only a lesser version of TLS is supported -- the browser happily continued to connect.

On the other hand, MS Edge, after removing TLS 1.0 and TLS 1.1 support in the Internet Explorer settings (I could not find the setting in Edge) refused to connect to that server. It only connected after adding TLS 1.0 and 1.1 support again or after enabling TLS 1.2 in the server.

Which behavior is correct?

And is there a way to not allow Chrome or Firefox to connect to a server which does not support TLS 1.2? Of course I could try to remove support on OS level, but I'm not sure whether I want to do that.

Thomas
  • --ssl-version-min=tls1.2 This flag is supposed to be what you want for Chrome, but in some simple testing on my box it didn't seem to actually disable TLS 1.0 or 1.1. – DarkMatter Oct 18 '18 at 16:09

2 Answers

1

For Chrome major version 69 the --ssl-version-min=tls1.2 flag was not effective. Upon updating to major version 70 this flag is working as expected.

Additionally, the following registry key should also work:

HKLM\Software\Policies\Google\Chrome\SSLVersionMin == "tls1.2"

DarkMatter
0

In Chrome, you should be able to forcibly disable TLS fallback using the --ssl-version-min command line flag.

Be sure to make that a part of every shortcut so you don't accidentally open it without that option (e.g., modify both the Start menu and desktop icon).

You may also want to try the Chrome policy extensions. These are the easier way to accomplish the task across all users.

This is one case where Microsoft's behavior is more reasonable and consistent with industry standards, and I don't understand why Chrome behaves this way.

DoubleD
  • Have you personally tested this? The flag did not behave as expected when I tested it. – DarkMatter Oct 18 '18 at 15:59
  • I haven't tested the --ssl-version-min flag with the latest version of Chrome, but it has worked before. We use the policy extensions at work now, and I no longer use Chrome at home. – DoubleD Oct 18 '18 at 16:02
  • I updated from Chrome 69 to 70 and now the command line flag works as expected. – DarkMatter Oct 18 '18 at 18:58
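As an added example (not code from either answer or from any browser), the client behaviour the question expects, written in Python with the standard `ssl` module: the ClientHello carries TLS 1.2 as the floor, so a server that can only negotiate TLS 1.0 or 1.1 is refused at the handshake rather than silently accepted. The host and port are supplied by the caller; `probe` is a hypothetical helper name, and the version-name mapping in `meets_minimum` is an assumption about the strings `SSLSocket.version()` reports.

```python
import socket
import ssl

# Added example, not part of the original thread. Shows what a correctly
# configured client does: refuse the handshake when the server picks a
# protocol version below the configured minimum (here TLS 1.2).

MIN_VERSION = ssl.TLSVersion.TLSv1_2


def strict_client_context(minimum=MIN_VERSION):
    """Build a client context that refuses anything older than `minimum`."""
    ctx = ssl.create_default_context()  # certificate + hostname verification on
    ctx.minimum_version = minimum       # equivalent of a browser's TLS-min setting
    return ctx


def probe(host, port=443, minimum=MIN_VERSION, timeout=5.0):
    """Return (negotiated_version, None) on success, or (None, reason) if refused.

    A server that only speaks TLS 1.0/1.1 makes OpenSSL abort the handshake,
    which surfaces here as ssl.SSLError instead of a silent downgrade.
    """
    ctx = strict_client_context(minimum)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), None
    except ssl.SSLError as exc:
        return None, "handshake refused: %s" % (exc.reason or exc)
    except OSError as exc:
        return None, "connection failed: %s" % exc


def meets_minimum(version_str, minimum=MIN_VERSION):
    """Check a string from SSLSocket.version() against the configured floor.

    Assumed mapping of OpenSSL's protocol names to ssl.TLSVersion members.
    """
    names = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    return version_str in names and names[version_str] >= minimum


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    version, reason = probe(target)
    print(target, "->", version if version else reason)
```

Run it against the server from the question: a TLS 1.0-only endpoint yields `handshake refused: ...`, which is the outcome the question observed from Edge and expected from Chrome and Firefox.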