Tutek
New Member
November 13, 2024
Question

ERR_SSL_PROTOCOL_ERROR on the newest Chrome 131

  • November 13, 2024
  • 11 replies
  • 11988 views

Hi,

We have this problem on every webpage with the newest Chrome version 131; this error appears:

ERR_SSL_PROTOCOL_ERROR

As I read, Chrome implemented a new TLS mechanism in this version:

https://chromestatus.com/feature/5257822742249472

Is there any solution for this?

sl_polyrack
New Member
November 13, 2024

Same problem here since today. If we turn off SSL deep inspection, we have no problem. But that is not a good solution.
No problems with other browsers.

pminarik
Staff
November 13, 2024

Based on some initial tests:
proxy-mode inspection seems to work (tested 7.6.0).

Flow-mode has problems. This will need a new IPS engine release.

As a workaround you can go to chrome://flags, and disable the post-quantum feature flags:
#enable-tls13-kyber

#use-ml-kem 

sw2090
SuperUser
November 13, 2024

ya indeed,

getting more and more tickets from my clients that this happens.

I've read that post-quantum was enabled by Google in Chrome 124 already.

I am going to perform some testing in FOS 7.2 to see if it works in proxy mode.

I also opened a ticket with TAC on this.

sw2090
SuperUser
November 13, 2024

Yes, I can now confirm: also in FOS 7.2:

TLSv1.3 broken with DPI in flow mode

TLSv1.3 works with DPI in proxy mode (policy + security profile group + filter profiles)

sw2090
SuperUser
November 13, 2024

humm, my TAC ticket has been escalated to a senior within 15 mins ;)

edo84rm
Visitor III
November 15, 2024

Well, that escalated quickly.

tclark1
Visitor III
November 13, 2024

I believe the switch from Kyber to ML-KEM is what is causing the issue. Chrome 131 switched post-quantum key agreement from Kyber to ML-KEM. Disabling the flag via GPO is what we ended up doing at our org until FortiOS 7.2.x supports ML-KEM.

TN_Bob
Visitor III
November 14, 2024

This resolved the issue for us

sw2090
SuperUser
November 14, 2024

This link has some details on this: https://chromestatus.com/feature/5257822742249472

According to this, disabling the flag is not a solution because it's going to be removed entirely with Chrome v141. Then your GPO will no longer work.

sw2090
SuperUser
November 14, 2024

OK, the official workaround (that's what they said) that TAC just gave me in a call is to change policies to proxy mode inspection. They're working on it internally and it will "hopefully be fixed with the next FOS Update"...

pminarik
Staff
November 14, 2024

If it helps you feel a bit better, given that this is a flow-mode specific issue, the fix will most likely be "just" an IPS engine update. A complete firmware update probably won't be necessary.

sw2090
SuperUser
November 14, 2024

They have also released a technical support doc on this: ERR_SSL_PROTOCOL_ERROR when using Flow-ba... - Fortinet Community

sw2090
SuperUser
November 14, 2024

oh and NO, Fortinet, switching from DPI to certificate inspection is NOT a solution
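
For troubleshooting the Kyber to ML-KEM switch discussed in this thread, the following added example (not from any poster, Fortinet or Chrome) reads the `supported_groups` extension of a captured ClientHello and reports which post-quantum hybrid group the browser offers. The code points 0x6399 and 0x11EC are the IANA TLS Supported Groups values; the function names are hypothetical and the sample ClientHello is constructed in the code rather than captured.

```python
import struct

# IANA "TLS Supported Groups" code points for the two hybrid key agreements
PQ_GROUPS = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}
EXT_SUPPORTED_GROUPS = 10

def build_client_hello(groups):
    """Constructed sample: minimal ClientHello record offering `groups`."""
    glist = b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(glist) + 2, len(glist)) + glist
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_groups(record):
    """Return the supported_groups list from a complete ClientHello record."""
    if len(record) < 52 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                 # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher suites
    pos += 1 + record[pos]                 # compression methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    if end > len(record):
        # Hybrid key shares make the ClientHello larger than one TCP segment,
        # so a buffer holding only the first packet is incomplete.
        raise ValueError("truncated ClientHello: reassemble the TCP stream first")
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == EXT_SUPPORTED_GROUPS:
            n = int.from_bytes(record[pos:pos + 2], "big")
            return [g for (g,) in struct.iter_unpack("!H", record[pos + 2:pos + 2 + n])]
        pos += elen
    return []

def pq_hybrids(record):
    """Names of the post-quantum hybrid groups the client offers, in order."""
    return [PQ_GROUPS[g] for g in offered_groups(record) if g in PQ_GROUPS]

if __name__ == "__main__":
    # Constructed group list: GREASE, X25519MLKEM768, x25519, secp256r1
    print(pq_hybrids(build_client_hello([0x2A2A, 0x11EC, 0x001D, 0x0017])))
```
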