Hi,
we have such problem on every webpages with the newest chrome version 131 error appears:
ERR_SSL_PROTOCOL_ERROR
as I read Chrome implemented any new TLS mechanism in this version:
https://chromestatus.com/feature/5257822742249472
is any solution for this?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Same problem here since today. If we turn of SSL deep inspection, we have no problem. But that is not a good solution.
No problems with other browsers
Based on some initial tests:
proxy-mode inspection seems to work (tested 7.6.0).
Flow-mode has problems. This will need a new IPS engine release.
As a workaround you can go to chrome://flags, and disable the post-quantum feature flags:
#enable-tls13-kyber
#use-ml-kem
ya indeed,
getting more and more tickets from my clients that this happens.
I've read that post-quantum was enabled by google in Chrome 124 already.
I am going to perform some testing in FOS 7.2 to see if it works in proxy mode.
I also opened a ticket with TAC on this.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
yes I can now confirm: also in FOS 7.2:
TLSv1.3 broken with DPI in flow mode
TLSv1.3 works with DPI in proxy mode (policy + security profile group + filter profiles)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
humm my TAC ticket has escalated to a senior within 15mins ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Well, that escalated quickly.
I believe the switch from Kyber to ML-KEM is what is causing the issue. Chrome 131 switched post-quantum key agreement from Kyber to ML-KEM. Disabling the flag via GPO is what we ended up doing at our org until FortiOS 7.2.x supports ML-KEM.
This resolved the issue for us
This link has some details on this: https://chromestatus.com/feature/5257822742249472
Accoarding to this disabling the Flag is not a solution because its going to be removed at all with chrome v141. Then you GPO will no longer work.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.