New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Google Chrome reports ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY on default MVC app #8409
Comments
@shirhatti - any idea about this? |
SDPY at the time (and now HTTP/2) has a list of disallowed cipher suites. The default ordering in cipher suites in Schannel meant you could end up negotiating a cipher suite that is disallowed and the client (Chrome) was forced to reject the connection. That being said, Chrome dropped support for SPDY back in May 2016. What version of Chrome are you using? |
Chrome is latest version 72.0.3626.121. I am wondering why the default sample does not work correctly here. This is the startup code, nothing was changed, of course from debugger it runs in Development mode:
I would expect that the default code for a new app should work with all latest browsers.
Maybe it's a cipher selection problem and related to #4776? |
This looks to me like a cypher suite disallowed by Chrome for HTTP/2 has been negotiated. Since Kestrel uses SslStream which in turn uses SChannel on Windows, the workaround is to disable weak cypher suites at the OS level. |
I am on Windows 10 Enterprise, 1809 version with all latest patches installed.
I have downloaded IISCrypto v3.0 (latest) and set it to "Best Practices". This did not help. |
Did you find a solution or workaround @schuettecarsten? |
Sorry, closed accidentially while posting my comment. The issue is still there. |
Or it didn't use TLS 1.2 for some reason? Did you change anything in Program.cs? |
I'm also getting this on a new build of a computer. I've trusted the cert and removed unsafe cyphers with iiscrypto but kestrel still causes issues. If I use VS.net 2019 and run it debugging with IISExpress it's fine. My guess is that the developer cert for .NET Core 3 preview 3 isn't secure and thus chrome throws this, but the developer cert that IIS Express uses IS. (both have been registered and check out according to the tools) IIS Express had this issue a few years ago as well that had to be fixed with an update to visual studio and a reissue of the local cert. |
It's likely not that the cert itself is insecure, but that it's only compatible with certain cipher suits. i.e. I don't think it works with EC cyphers. The negotiation falls back to cert compatible ciphers and apparently doesn't find one that meents HTTP/2 requirements. @JohnGalt1717 are you also running a Win10 insiders build? Which one? |
@Tratcher Yes. 19H 18362.1 |
FYI @JohnGalt1717 we're already discussing this over at #8952 |
Duplicate of #8952 Closing this one. |
Describe the bug
Google Chrome reports an
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
error when trying to access a default ASP.NET Core MVC app started from Visual Studio Debugger.To Reproduce
Steps to reproduce the behavior:
Additional context
It works using Edge or other browsers, but Chrome does not like the default settings?
The text was updated successfully, but these errors were encountered: