Wednesday, 10 February 2016

Google Chrome not working with IIS websites - but all the other browsers work - what gives?

A bizarre issue happened here in Dinerth IT towers where we had a website running on IIS on a Windows 2008R2 server.  It was running over HTTPS and had valid certificates.

The website would not work on Chrome.  The website would work fine in Internet Explorer, Safari, Opera and Dolphin.  Just not Chrome.  The error messages we would get would include that the website was using too many redirections, the website could not be found (odd when you could use another browser) - but nothing massively conclusive.

It was affecting an important website for us so we did spend a lot of time investigating and we ended up hitting on this blog by Toby Meyer which helped us actually implement a fix.  We used IIS Crypto to help us achieve the fix because otherwise you are faffing about in the registry - which is fine but the possibility of human error with typos etc. is just increased.

IIS Crypto lets you sort out the different cipher methods that the SSL encryption can use and prioritise them.  Now - what it is that stops Chrome from working while other web browsers keep on working - I have no idea - but this is the cipher order that worked for us.

Within IIS Crypto I clicked the Best Practices button then I checked the settings within each of the dialogue boxes.


Under protocols

TLS 1.0
TLS 1.1
TLS 1.2



Under Ciphers Enabled

Triple DES 168
AES 128/128
AES 256/256



Under Hashes Enabled

MD5
SHA
SHA 256
SHA 384
SHA 512




Under Key Exchanges Enabled

Diffie-Hellman
PKCS
ECDH



And under the SSL Cipher Suite Order - we had to re-organise the ciphers into the following order.  All the other ciphers are unticked and not being used.


TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA


You click Apply; IIS Crypto tells you that it won't reboot the server, but you do need to reboot the server later.  We just did that as we had a significant amount of traffic coming from Chrome sources.  Post reboot - working fine!
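
An audit of the cipher suite order listed above, as an added example that is not part of the original post: it parses the Schannel suite names and applies three checks chosen for this example (static-RSA suites ranked above forward-secret ones, 3DES, and the absence of any forward-secret AEAD suite). The names `parse` and `audit` are hypothetical, and the checks say nothing about which entry affected Chrome.

```python
import re

# Order copied from the post; read left to right, top to bottom.
# _P256/_P384/_P521 is the ECDHE curve in Schannel's naming.
SUITE_ORDER = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
""".split()

NAME = re.compile(
    r"^TLS_(?P<kx>ECDHE_RSA|DHE_RSA|RSA)_WITH_(?P<cipher>3DES_EDE|AES_128|AES_256)"
    r"_(?P<mode>CBC|GCM)_(?P<hash>SHA|SHA256|SHA384)(?:_P(?P<curve>256|384|521))?$")

def parse(name):
    """Split a suite name into its parts; reject anything unrecognised."""
    m = NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    d = m.groupdict()
    d["fs"] = d["kx"] != "RSA"      # ephemeral key exchange gives forward secrecy
    d["aead"] = d["mode"] == "GCM"  # GCM is the only AEAD mode in this list
    return d

def audit(order):
    """Return (suite, finding) pairs; the checks are this example's assumptions."""
    parsed = [(n, parse(n)) for n in order]
    last_fs = max((i for i, (_, p) in enumerate(parsed) if p["fs"]), default=-1)
    findings = []
    for i, (name, p) in enumerate(parsed):
        if not p["fs"] and i < last_fs:
            findings.append((name, "static RSA ranked above a forward-secret suite"))
        if p["cipher"] == "3DES_EDE":
            findings.append((name, "3DES has a 64-bit block; keep last or disable"))
    if not any(p["fs"] and p["aead"] for _, p in parsed):
        findings.append(("(whole list)", "no suite offers forward secrecy with AEAD"))
    return findings

if __name__ == "__main__":
    for suite, finding in audit(SUITE_ORDER):
        print(f"{suite}: {finding}")
```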