PixoPuro
New Member
November 27, 2023
Solved

SSL Deep Inspection - Google Chrome

  • 11 replies
  • 36290 views

Hi, is anyone else having a problem doing deep inspection using Google Chrome?

 

Google Chrome version: 119.0.6045.160 (Official Build) 64-bit

 

FortiGate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3

Google Chrome: same policy/SSL profile as in the screenshots below.

facebook.com_chrome.png


Same policy ID as above - Edge

facebook.com_edge.png

Same policy ID as above - Firefox

faceook.com_firefox.png

 

 

 SSL Profile:

 

SSL_profile.png

 

 

Do you guys have any advice?
TY

 

 

Best answer by smaruvala

Hi,

 

- I suspect the issue is due to the Kyber support introduced by Chrome for TLS 1.3.

- Check the Chrome flag for its configuration. You can use "chrome://flags/#enable-tls13-kyber" to check the configuration in Chrome.

- Try disabling the option and check whether the issue gets fixed. If yes, then we can confirm the issue matches a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

11 replies

smaruvala
Staff
May 16, 2024

Hi,

 

Regarding the Kyber issue, there is a KB:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-long-to/ta-p/313958

- This talks about the workarounds including the MSS settings.

 

Regards,

Shiva

 

gperezarsoft
Explorer
May 16, 2024

Thank you smaruvala,

Might add that if you're following the "Disable Kyber support" way, you can use these registry keys for the Edge, Chrome and Brave browsers, which can be applied via GPO:

  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\PostQuantumKeyAgreementEnabled
  • HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\PostQuantumKeyAgreementEnabled
  • HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave\PostQuantumKeyAgreementEnabled

Setting the value to REG_DWORD 0.
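
An added example, not part of the thread and not Fortinet's or any poster's code: a PowerShell script that audits the three policy keys listed in the post above and sets `PostQuantumKeyAgreementEnabled` to REG_DWORD 0 where it is not already 0. The `-AuditOnly` switch and the `Get-PqPolicyState` helper are names made up for this example; writing under HKLM requires an elevated session.

```powershell
# Added example: audit / set PostQuantumKeyAgreementEnabled for Edge, Chrome, Brave.
# Run with -AuditOnly to report only, or with -WhatIf to preview the writes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$AuditOnly   # hypothetical switch for this example: report, never write
)

$ValueName  = 'PostQuantumKeyAgreementEnabled'
$PolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Edge',
    'HKLM:\Software\Policies\Google\Chrome',
    'HKLM:\Software\Policies\BraveSoftware\Brave'
)

function Get-PqPolicyState {
    param([string]$Key)
    # Returns $null when the key or the value is absent (browser default applies).
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

foreach ($key in $PolicyKeys) {
    $before = Get-PqPolicyState -Key $key

    if (-not $AuditOnly -and $before -ne 0) {
        if ($PSCmdlet.ShouldProcess("$key\$ValueName", 'Set REG_DWORD 0')) {
            # Create the policy key (and missing parents) before writing the value.
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $key -Name $ValueName `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }

    # Read the value back so the report shows what is actually in the registry.
    $after = Get-PqPolicyState -Key $key
    [pscustomobject]@{
        Key    = $key
        Before = if ($null -eq $before) { 'not set' } else { $before }
        After  = if ($null -eq $after)  { 'not set' } else { $after }
    }
}
```

After the value is written, `chrome://policy` (or `edge://policy`) shows whether the browser has picked the policy up.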