Add a dedicated error code for TLS 1.3 interference.

From the previous TLS 1.3 launch attempt, we learned that many
firewall, proxy, etc., products are buggy and interfere with TLS 1.3's
deployment, holding back a security and performance improvement across

To make diagnosing such issues easier, this CL implements a dedicated
error code based on a retry probe. On SSL connection failure, if TLS 1.3
was enabled and the error code is one of a handful which, in the past,
have potentially signaled version intolerance, we retry the connection
with TLS 1.3 disabled. If this connection succeeds, we still reject the
connection (otherwise a network attacker can break the security of the
version negotiation, cf. POODLE) and return

This error code should hopefully give an easier target for search
metrics and others, as we otherwise cannot reliably classify

Unfortunately, such a probe is inherently flaky and is itself not
reliable. This error could mean one of three things:

1. This is a transient network error that will be resolved when the user
2. The server is buggy and does not implement TLS version negotiation
3. The user is behind a buggy network middlebox, firewall, or proxy which is
   interfering with TLS 1.3.

Based on server-side probes, the lack of TLS 1.3 error reports until it
was enabled on the server, and a protocol change in TLS 1.3 intended to
avoid this, we do not believe (2) is common. (The difference between (2)
and (3) is whether the servers or middleboxes are at fault here.)

(1) is unavoidable. There is no way to reliably distinguish (1) and (3).
We can only make (1) less and less likely by spamming the user's network
with probes, which is undesirable.

Accordingly, though the error string is short and easily searchable, I
have left the network error page fairly nondescript, borrowing from the
ERR_CONNECTION_FAILED text, but with SUGGEST_PROXY_CONFIG and friends
enabled, to hint that users should, if their default reaction of mashing
reload (or the auto-reload feature) doesn't work, look there.
5 files changed
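
The retry probe described in the commit message, sketched as an added example (not code from this CL or from the project). Every identifier is hypothetical: the dedicated error code's real name and the exact set of probe-triggering errors are not shown on this page, so placeholders stand in for them, and returning the original error when the probe also fails is an assumption.

```cpp
#include <functional>
#include <set>

// Hypothetical result codes; none of these names come from the CL.
enum class Result {
  kOk,
  kHandshakeFailure,     // assumed member of the "version intolerance" set
  kConnectionReset,      // assumed member of the "version intolerance" set
  kCertInvalid,          // assumed non-member: never triggers a probe
  kVersionInterference,  // placeholder for the dedicated error code
};

struct Config { bool tls13_enabled; };

// Performs one handshake attempt with the given configuration.
using Connector = std::function<Result(const Config&)>;

bool MaySignalVersionIntolerance(Result r) {
  static const std::set<Result> kProbeErrors = {Result::kHandshakeFailure,
                                                Result::kConnectionReset};
  return kProbeErrors.count(r) > 0;
}

Result ConnectWithProbe(const Connector& connect, Config config) {
  Result first = connect(config);
  if (first == Result::kOk) return first;
  // Probe only if TLS 1.3 was on and the error is in the suspicious set.
  if (!config.tls13_enabled || !MaySignalVersionIntolerance(first)) return first;

  Config probe = config;
  probe.tls13_enabled = false;
  Result second = connect(probe);
  // A successful probe is diagnostic only. Using that connection would let a
  // network attacker force the lower version by injecting failures, so the
  // connection is still rejected, with the dedicated code.
  if (second == Result::kOk) return Result::kVersionInterference;
  return first;  // Assumption: probe failed too, report the original error.
}

int main() {
  // Constructed stand-in for a path that breaks only TLS 1.3 handshakes.
  Connector middlebox = [](const Config& c) {
    return c.tls13_enabled ? Result::kConnectionReset : Result::kOk;
  };
  return ConnectWithProbe(middlebox, Config{true}) == Result::kVersionInterference ? 0 : 1;
}
```

Note that the probe result cannot separate a transient failure from a middlebox: a first attempt that fails once for unrelated reasons and a retry that succeeds produce the same outcome.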