Is it possible to disable TLS1.0 in Chrome?

2

I use LastPass. In Chrome, I cannot access the website www.lastpass.com. In IE and Firefox, I can access it only if I disable TLS1.0 in those browsers.

When Heartbleed came out, all of a sudden I was unable to access www.lastpass.com from Chrome. I tried uninstalling and reinstalling everything; nothing has worked.

So now, I would like to simply find a way to disable TLS1.0 in Chrome. How can I go about doing this? (I have the latest version of Chrome, which is 34.0.1847.137 m).

TheGrapeBeyond

Posted 2014-05-20T15:53:46.883

Reputation: 211

You not being able to access it indicates you don't actually have a secure connection with LastPass. What sort of environment are you in? You shouldn't have to disable TLS 1.0 to access LastPass. Lastpass.com supports TLS 1.0 Proof

– Ramhound – 2014-05-20T16:01:31.257

@Ramhound You are absolutely right. I am on a work computer, Win-7. However on my home computer with Win-7, I am able to access LastPass without issue. IT here tells me that it's 'Chrome's fault' basically, but I doubt that, and so I now do not know what to do. – TheGrapeBeyond – 2014-05-20T16:03:16.267

If I were to hazard a guess: validate the certificate chain. Since this is a work environment it seems to indicate that you're actually making a true secure connection with LastPass. – Ramhound – 2014-05-20T16:05:33.313

@Ramhound Ok - how would I do that? Is it complicated to make a new question for it, or something relatively simple? Many thanks. – TheGrapeBeyond – 2014-05-20T16:08:01.050

I only have access to IE. But in IE you would simply click on the certificate to bring up the certificate chain. LastPass uses an extended validated certificate, so if the certificate Chrome receives isn't one, then you're not getting the actual LastPass certificate. – Ramhound – 2014-05-20T16:16:00.983

Answers

1

The way you tell your story, it seems to me that a likely culprit is the firewall of your workplace. I will show you in the following how to test this hypothesis. If instead everything works fine, I can only suggest you re-install Chrome, because nothing, in a successful installation, should prevent you from connecting to LastPass.

In order to test whether it is your LAN firewall that blocks access to LastPass, you may proceed as follows: download nmap, a scan utility that is available for all OSes, then issue this command:

    (sudo) nmap -p 443 -sT www.lastpass.com

(the sudo is necessary in *Nix systems). If you can contact it, then you have a problem with your browser. If instead it hangs, and in general does not reply, open your browser and go to http://www.yougetsignal.com/tools/open-ports/, where you may input the IP address of LastPass (deduced, for instance, from the previous nmap's output), and choose 443 as a port. If you get the reply that LastPass can be contacted at the same IP address you used for nmap, and nearly simultaneously, then it means someone along your path to LastPass is not letting your packets through. Most likely, your local firewall.

Like I said above, if instead nmap manages to contact LastPass (which will produce an output similar to the following:

    nmap -p 443 -sT www.lastpass.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2014-05-20 19:21 CEST
    Nmap scan report for www.lastpass.com (128.121.22.187)
    Host is up (0.24s latency).
    Other addresses for www.lastpass.com (not scanned): 38.127.167.59
    rDNS record for 128.121.22.187: download.lastpass.com
    PORT    STATE SERVICE
    443/tcp open  https

    Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds

), you have a problem with your Chrome installation, which will need to be redone.

EDIT:

Given that there is no foul play from your site's firewall, let us try to force Windows 7 to update TLS to 1.1/1.2, which is not enabled by default on Windows 7, just Windows 8. There are two ways:

  1. You may import these registry keys,

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000

  2. or you may download this zip file and then double-click on Enable TLS 1.x on Windows 7.reg.

Edit2:

I just found out, by Googling, something I did not know: in Chrome, it is possible to enable support for TLS 1.1/1.2 on the command line, by means of:

    --ssl-version-max    Specifies the maximum SSL/TLS version ("ssl3", "tls1", "tls1.1", or "tls1.2").
    --ssl-version-min    Specifies the minimum SSL/TLS version ("ssl3", "tls1", "tls1.1", or "tls1.2").

The reference is here. This of course makes it very easy to test whether an update of TLS is the source of your problems.

MariusMatutiae

Posted 2014-05-20T15:53:46.883

Reputation: 41 321
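The version-by-version test this answer works toward can also be run outside any browser. The following is an added example, not part of the original answer: it uses only the Python standard library, `probe` and `interpret` are names chosen here, and it also reports the certificate issuer, which is the chain check suggested in the comments on the question.

```python
import socket
import ssl
import sys

# Versions the thread is about. Note: a recent Python/OpenSSL build may itself
# refuse TLS 1.0/1.1, which then shows up here as a failure for that version.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to `version`; return (ok, detail)."""
    ctx = ssl.create_default_context()  # validates chain and host name
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, "issuer: " + issuer.get("organizationName", "?")
    except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError
        return False, f"{type(exc).__name__}: {exc}"

def interpret(results):
    """Turn {label: (ok, detail)} into a one-line diagnosis."""
    good = [label for label, (ok, _) in results.items() if ok]
    bad = [label for label in results if label not in good]
    if any("CERTIFICATE_VERIFY_FAILED" in results[b][1] for b in bad):
        return "untrusted chain: inspect the issuer the network presents"
    if not good:
        return "no version completes: port 443 or TLS is blocked on the path"
    if bad:
        return "version-specific failure: " + ", ".join(bad)
    return "all versions complete: network and server are fine"

if __name__ == "__main__":
    host = sys.argv[1]  # host name to test, given on the command line
    results = {label: probe(host, v) for label, v in VERSIONS.items()}
    for label, (ok, detail) in results.items():
        print(f"{label}: {'ok' if ok else 'FAILED'} ({detail})")
    print(interpret(results))
```

Running it from both the work network and a home network and comparing the issuer lines shows whether the certificate presented at work is the same one the site serves elsewhere.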

Thank you sir, let me do what you have said and report back momentarily. – TheGrapeBeyond – 2014-05-20T20:35:48.130

Ok, so I got the following output. I suppose this means that there is a problem with the Chrome installation? So, the weird thing is that I DID already uninstall, and re-install, but have the same problem...

– TheGrapeBeyond – 2014-05-20T20:40:29.900

@TheGrapeBeyond Yes, you are right, you are perfectly connected to lastpass. Why don't you try to install LastPass from the Chrome Webstore? I did it this way, perhaps it will help... – MariusMatutiae – 2014-05-20T20:57:41.370

Well, I did that before actually. The problem is I can't even get to the simple site, www.lastpass.com from Chrome. (Forget about the widget). This is the problem. The widget just uses the website. :-( – TheGrapeBeyond – 2014-05-20T21:05:59.430

I am convinced it's something to do with this TLS business, or certificates. This is because: I can't access lastpass.com even on IE or Mozilla, UNLESS I disable TLS1.0, and force them to use SSL3. Only then can I access lastpass.com no problem. – TheGrapeBeyond – 2014-05-20T21:08:39.203

@TheGrapeBeyond Which OS are you on? – MariusMatutiae – 2014-05-20T21:15:40.850

I am using Windows-7. – TheGrapeBeyond – 2014-05-20T21:16:21.000

@TheGrapeBeyond Please see the Edit to my answer. – MariusMatutiae – 2014-05-20T21:31:11.980

Thanks Marius - question: If I needed to reverse all this, would it be easy? How would I do that? I want to try your suggestion, but just also make sure there is a reversal in case. Thanks! – TheGrapeBeyond – 2014-05-20T23:00:38.217

@TheGrapeBeyond - Do you have permission to reverse it? It's entirely possible this is done by design by your IT staff so you are in an enterprise environment. I can't help somebody get around security measures unless they have permission to do so and I encourage others to take the same stance – Ramhound – 2014-05-20T23:01:56.500

Yes I do. IT here says either use IE or 'you're on your own', so I just want to make sure I can reverse this in case. Would it just be something as simple as uninstalling? – TheGrapeBeyond – 2014-05-20T23:03:32.093

@TheGrapeBeyond Please see my Edit2 – MariusMatutiae – 2014-05-21T04:46:50.143

Marius, thanks! I have a very noob question, but where exactly should I type those commands? Like, what would I type exactly, and where? – TheGrapeBeyond – 2014-05-21T15:11:54.693

@TheGrapeBeyond In a terminal: chrome --ssl-..... – MariusMatutiae – 2014-05-21T15:51:35.573

Sorry, I don't understand. I opened cmd in Windows. Then I typed: "--ssl-version-max tls1.1" (without the quotes). It says: " 'ssl-version-max' is not recognized as an internal or external command, operable program or batch file." Sorry, can you please tell me EXACTLY what to type where, I am very very noob to anything command prompt... – TheGrapeBeyond – 2014-05-21T16:43:20.910

@TheGrapeBeyond Like I said, in a terminal, you must type: chrome --ssl-version.... – MariusMatutiae – 2014-05-21T16:51:30.783

Ok let me try that... – TheGrapeBeyond – 2014-05-21T16:52:46.617

Hmm, I still can't get lastpass.com to load. :-( I'll accept your answer though... – TheGrapeBeyond – 2014-05-21T19:47:05.753