Forum Discussion

oddnes's avatar
oddnes
Copper Contributor
Jan 22, 2020

MS Edge Dev 81.0.389.2 won't load any (remote) sites over HTTPS

Some time after receiving the latest update on the dev channel, the browser seemingly broke for almost all HTTPS sites. I've got a local webpack dev server running that still seems to work, but anyth...
  • Eric_Lawrence's avatar
    Eric_Lawrence
    Feb 27, 2020

    adamohman danielthecoder oddnes 

     

    This is very likely the same issue as some users saw in December, whereby most or all HTTPS connections fail with one of several error messages. You can verify if this is the case by closing all Edge instances and hitting Win+R, then running

       msedge.exe --disable-features=PostQuantumCECPQ2

     
    If that works, then something on your network path is not compatible with large ClientHello messages in the HTTPS handshake. For instance, older versions of ZScaler are known to have a bug whereby they fail to "pass along" the ServerNameIndicator TLS extension if the ClientHello spans multiple packets, and when that happens, the server typically will return the wrong certificate, resulting in a NET::ERR_CERT_COMMON_NAME_INVALID error message. ZScaler has released a fix for this that you'll need to apply.
     
    In other cases, the network device is completely incompatible with handshakes that span multiple packets and an ERR_CONNECTION_RESET will be seen instead. You'll need to talk to your network administrators about contacting the vendor of your networking equipment about getting a fix.
     
    The reason this issue appeared and disappeared only to reappear again is because the PostQuantumCECPQ2 feature was changed to "off-by-default" for version 80/81 but it is now enabled again for version 82.

    The upstream issue can be found here: https://crbug.com/1028602



     

Eric_Lawrence's avatar
Eric_Lawrence
Icon for Microsoft rankMicrosoft

adamohman danielthecoder oddnes 

 

This is very likely the same issue as some users saw in December, whereby most or all HTTPS connections fail with one of several error messages. You can verify if this is the case by closing all Edge instances and hitting Win+R, then running

   msedge.exe --disable-features=PostQuantumCECPQ2

 
If that works, then something on your network path is not compatible with large ClientHello messages in the HTTPS handshake. For instance, older versions of ZScaler are known to have a bug whereby they fail to "pass along" the ServerNameIndicator TLS extension if the ClientHello spans multiple packets, and when that happens, the server typically will return the wrong certificate, resulting in a NET::ERR_CERT_COMMON_NAME_INVALID error message. ZScaler has released a fix for this that you'll need to apply.
 
In other cases, the network device is completely incompatible with handshakes that span multiple packets and an ERR_CONNECTION_RESET will be seen instead. You'll need to talk to your network administrators about contacting the vendor of your networking equipment about getting a fix.
 
The reason this issue appeared and disappeared only to reappear again is because the PostQuantumCECPQ2 feature was changed to "off-by-default" for version 80/81 but it is now enabled again for version 82.

The upstream issue can be found here: https://crbug.com/1028602



 

adamohman's avatar
adamohman
Copper Contributor
Feb 27, 2020

I tried the --disable-features=PostQuantumCECPQ2 flag from the previous thread but somehow missed the last "2"... facepalm. When copy-pasting the correct string, my latest Edge Dev (82.0.432.3) now works for external https sites, so a super big thank you Eric_Lawrence! Now I can continue using my new favorite browser 🙂

 

Just to be clear and to also confirm danielthecoder findings:

Chrome (80.0.3987.122 ) = works

Chrome Dev (82.0.4068.5) = has the problem

Edge Dev and Canary (82.*) without the PostQuantum flag = has the problem

Edge Dev and Canary (82.*) with the PostQuantum flag = works

 

And "has the problem" means that internal https sites can be reached, but not external/remote https sites.

 

Eric_Lawrence Do you have any more details about the Zscaler fix? I tried searching but could not find anything relevant online. I would be really (extra) grateful for any pointers that I could pass on to our network team, and useful for others that see this thread.

Resources