SOLVED

MS Edge Dev 81.0.389.2 won't load any (remote) sites over HTTPS

Some time after receiving the latest update on the dev channel, the browser seemingly broke for almost all HTTPS sites. I've got a local webpack dev server running that still seems to work, but anything other than localhost seems to fail.

 

One example is http://www.httpvshttps.com/ which loads fine, but as soon as I select to run the test over HTTPS, I immediately get the "Hmmm... can't reach this page" with an "ERR_CONNECTION_CLOSED" error code. Google.com, bing.com, etc, they all fail.

 

I've tried it on several different networks, but the issue still persists.

 

Every other browser on my system works just fine (Firefox, Edge (Non-Chromium), IE, Chrome Dev), and Edge Dev worked fine up until very recently (last week, perhaps?). I mostly use it as a browser for development, so it might've broken before the latest dev channel update, but that's when I first discovered it.

 

I've tried reinstalling Edge Dev, I've double-checked that it's not using any weird proxy settings, and my OS and AV are fully updated (Win 10 b1909, Windows Defender). Maybe there's an obvious thing causing this, but I can't see it :smile:

11 Replies

@oddnes Thanks for letting us know. If the issue is persisting, can you please first try on the newest version of MS Edge Dev then Canary? And if it's still not working, it would be great if you could submit feedback through the browser so our devs can see the logs.

 

Fawkes (they/them)
Project & Community Manager - Microsoft Edge

@Deleted 

Currently I've the same problem with Edge Dev (82.0.425.3) and Edge Can (82.0.436.0)

@danielthecoder I have the exact same problem, started with Edge Dev 82.0.425.3 and is still present with 82.0.432.3. I downloaded Canary today (82.0.437.0), same problem.


@Deleted At my organisation, we use Zscaler. I used to have the "Your connection isn't private" issue that was talked about in https://techcommunity.microsoft.com/t5/discussions/your-connection-isn-t-private-zscaler/m-p/1059762, but that went away after some update and all was good for a while.

 

I have also sent this as feedback through the browser.

@adamohman @danielthecoder Thank you both. I'm working with the team to get more info on this. In the meantime, can you both please confirm:

1) Do your DNS settings seem to be correctly configured?

2) Is this happening with any other browsers, specifically Chromium-based ones?

 

Fawkes (they/them)
Project & Community Manager - Microsoft Edge

We have the same problem with Chrome Dev (Chromium 82.*) on multiple machines.
Seems like there is a change with Chromium 82.* which causes this problem.
In addition, websites which are hosted inside the corporate network are working. Websites outside the corporate network are having this problem, like azure.com.
Solution

@adamohman @danielthecoder @oddnes 

 

This is very likely the same issue as some users saw in December, whereby most or all HTTPS connections fail with one of several error messages. You can verify if this is the case by closing all Edge instances and hitting Win+R, then running

   msedge.exe --disable-features=PostQuantumCECPQ2

 
If that works, then something on your network path is not compatible with large ClientHello messages in the HTTPS handshake. For instance, older versions of ZScaler are known to have a bug whereby they fail to "pass along" the ServerNameIndicator TLS extension if the ClientHello spans multiple packets, and when that happens, the server typically will return the wrong certificate, resulting in a NET::ERR_CERT_COMMON_NAME_INVALID error message. ZScaler has released a fix for this that you'll need to apply.
 
In other cases, the network device is completely incompatible with handshakes that span multiple packets and an ERR_CONNECTION_RESET will be seen instead. You'll need to talk to your network administrators about contacting the vendor of your networking equipment about getting a fix.
 
The reason this issue appeared and disappeared only to reappear again is because the PostQuantumCECPQ2 feature was changed to "off-by-default" for version 80/81 but it is now enabled again for version 82.

The upstream issue can be found here: https://crbug.com/1028602
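
An added illustration (not part of the original post, and not code from Edge, Chromium or any network vendor) of the failure mode the answer above describes: an inspector that parses each packet in isolation finds the SNI while the ClientHello fits in one TCP segment and loses it once the record spans two, whereas one that reassembles first does not. The ClientHello is constructed, the `0xFFAA` filler extension is a made-up stand-in for a large key share, and the 1460-byte segment size is an assumption.

```python
import struct

def build_client_hello(host, filler_len):
    """Constructed ClientHello record: opaque filler extension, then SNI."""
    name = host.encode()
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    filler = struct.pack("!HH", 0xFFAA, filler_len) + bytes(filler_len)  # made-up type
    exts = filler + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sni(buf):
    """Return the SNI host from a complete ClientHello record, else None."""
    if len(buf) < 5 or buf[0] != 0x16 or len(buf) < 5 + int.from_bytes(buf[3:5], "big"):
        return None                                # not a complete handshake record
    p = 5 + 4 + 2 + 32                             # headers, version, random
    p += 1 + buf[p]                                # session id
    p += 2 + int.from_bytes(buf[p:p + 2], "big")   # cipher suites
    p += 1 + buf[p]                                # compression methods
    end = p + 2 + int.from_bytes(buf[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", buf[p:p + 4])
        if etype == 0:                             # server_name extension
            return buf[p + 9:p + 9 + int.from_bytes(buf[p + 7:p + 9], "big")].decode()
        p += 4 + elen
    return None

def segment(data, mss=1460):                       # assumed TCP payload size
    return [data[i:i + mss] for i in range(0, len(data), mss)]

def sni_first_packet_only(segments):               # device parsing packets in isolation
    return parse_sni(segments[0])

def sni_reassembled(segments):
    """Buffer segments until the record-header length is satisfied, then parse."""
    buf = b""
    for seg in segments:
        buf += seg
        if (sni := parse_sni(buf)) is not None:
            return sni
    return None

if __name__ == "__main__":
    for segs in (segment(build_client_hello("example.test", n)) for n in (200, 1400)):
        print(len(segs), sni_first_packet_only(segs), sni_reassembled(segs))
```
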



 

@Eric_Lawrence starting edge dev (82.*) with msedge.exe --disable-features=PostQuantumCECPQ2 is working for me.

I don't know if we are using ZScaler, I'll check it with our IT department.

 

I tried the --disable-features=PostQuantumCECPQ2 flag from the previous thread but somehow missed the last "2"... facepalm. When copy-pasting the correct string, my latest Edge Dev (82.0.432.3) now works for external https sites, so a super big thank you @Eric_Lawrence! Now I can continue using my new favorite browser :)

 

Just to be clear and to also confirm @danielthecoder's findings:

Chrome (80.0.3987.122) = works

Chrome Dev (82.0.4068.5) = has the problem

Edge Dev and Canary (82.*) without the PostQuantum flag = has the problem

Edge Dev and Canary (82.*) with the PostQuantum flag = works

 

And "has the problem" means that internal https sites can be reached, but not external/remote https sites.

 

@Eric_Lawrence Do you have any more details about the Zscaler fix? I tried searching but could not find anything relevant online. I would be really (extra) grateful for any pointers that I could pass on to our network team, and useful for others that see this thread.

@Eric_Lawrence Thank you so much, msedge.exe --disable-features=PostQuantumCECPQ2 did the trick for accessing external/remote https sites! I will pass the info about the Zscaler "support case 983026 / (view restricted) issue 1033401" that you mentioned 17 Jan 2020 on https://bugs.chromium.org/p/chromium/issues/detail?id=1028602 to our network team. If you have any more details or more recent information about the fix, I would be (even more) grateful.

 

To summarize and also confirm @danielthecoder's findings:

Chrome (80.0.3987.122) = OK
Chrome Dev (82.0.4068.5) = Error
Edge Dev (82.0.432.3) = Error
Edge Canary (82.0.438.0) = Error

Edge Dev with the --disable-features=PostQuantumCECPQ2 flag = OK

 

And thanks @oddnes for starting this thread!

 

Cheers,

Adam

Thanks for confirming.

From another thread, the ZScaler folks said "There is a ticket opened internally for that (BUG-67731)."

In that thread, a ZScaler customer noted: "Just had an update from Zscaler support on this, the fix is estimated to be pushed for 5.7 version of Zscaler on 1/17th for ZS3 and 1/24 for the rest of the clouds."

@Eric_Lawrence We are not using ZScaler, we are seeing this issue with Citrix NetScaler.
