Reputation: 597076
For a site which is running an old version of Java and Tomcat (6 and 5.5 respectively) the latest build of chrome is failing with ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION.
And that's fine, since Chrome disabled SSLv3 because of POODLE. I went to conf/server.xml and specified sslProtocol="TLSv1" explicitly.
Then the site opens successfully, but sometimes some of the resources (js and css only) fail to open with the same ERR_SSL. I use iptables forwarding to Tomcat, so no Apache/nginx and no proxies.
Here's a screenshot to illustrate the failures. With cache disabled, you can see that some js and css files are served OK (the actual jsps and all images are always served OK), and some are failing:
I could not find any connection between what's failing and their declaration. Furthermore, sometimes these are not failing.
Can I do something about it (apart from upgrading Java, which is not guaranteed to work and is a lot of effort, as the site potentially won't work and would have to be recompiled, repackaged, etc.), or is it a Chrome bug?
Upvotes: 0
Views: 2441
Reputation: 46
Specifying sslProtocol="TLSv1" in the Tomcat <Connector /> element only guarantees that the specified protocol will be available, not that it is the only one available. For example, the connector
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1" ... />
will have SSLv3 and TLSv1 available. In order to disable SSLv3, you need to explicitly say which protocols are enabled using another property. I'm not familiar with the syntax for Tomcat 5, but the syntax for Tomcat 6 is protocols="TLSv1" and for Tomcat 7 it is sslEnabledProtocols="TLSv1".
Upvotes: 3
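To make the answer's point concrete, here is an added server.xml fragment (not taken from the question or the answer) that places the weak connector next to the corrected ones. The port, the keystore path and password, and the attribute names follow the answer above (protocols for Tomcat 6, sslEnabledProtocols for Tomcat 7); treat the keystore values as placeholders.

```xml
<!-- Added example for illustration; not the asker's actual server.xml.
     keystoreFile / keystorePass are placeholders. -->

<!-- Weak: sslProtocol only picks the SSLContext ("TLSv1" here). Whatever the
     JVM enables by default on that context, SSLv3 included on old Java 6,
     is still offered during the handshake. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLSv1"
           keystoreFile="conf/keystore.jks" keystorePass="changeit" />

<!-- Corrected, Tomcat 7: sslEnabledProtocols restricts the handshake to the
     listed protocols, so SSLv3 is no longer negotiable. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLSv1"
           sslEnabledProtocols="TLSv1"
           keystoreFile="conf/keystore.jks" keystorePass="changeit" />

<!-- Corrected, Tomcat 6 (attribute name as given in the answer). -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLSv1"
           protocols="TLSv1"
           keystoreFile="conf/keystore.jks" keystorePass="changeit" />
```

After restarting Tomcat, check the result from a machine whose OpenSSL build still has SSLv3 compiled in: `openssl s_client -connect host:8443 -ssl3` should now fail the handshake, while `openssl s_client -connect host:8443 -tls1` should still succeed. Only one of the three connectors above should be present in a real server.xml, since they all bind the same port.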