Tutek
Contributor

ERR_SSL_PROTOCOL_ERROR on the newest Chrome 131

Hi,

We have a problem on every webpage with the newest Chrome version 131; this error appears:

ERR_SSL_PROTOCOL_ERROR 

As I read, Chrome implemented a new TLS mechanism in this version:

https://chromestatus.com/feature/5257822742249472

Is there any solution for this?

16 REPLIES
sl_polyrack
New Contributor

Same problem here since today. If we turn off SSL deep inspection, we have no problem. But that is not a good solution.
No problems with other browsers.

pminarik
Staff

Based on some initial tests:
proxy-mode inspection seems to work (tested 7.6.0).

Flow-mode has problems. This will need a new IPS engine release.

 

As a workaround you can go to chrome://flags, and disable the post-quantum feature flags:
#enable-tls13-kyber
#use-ml-kem

[ corrections always welcome ]
sw2090
SuperUser

ya indeed,

getting more and more tickets from my clients that this happens.

I've read that post-quantum was enabled by Google in Chrome 124 already.

I am going to perform some testing in FOS 7.2 to see if it works in proxy mode.

I also opened a ticket with TAC on this.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
SuperUser

Yes, I can now confirm: also in FOS 7.2:

 

TLSv1.3 broken with DPI in flow mode

TLSv1.3 works with DPI in proxy mode (policy + security profile group + filter profiles)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
SuperUser

Hmm, my TAC ticket has escalated to a senior within 15 mins ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

edo84rm
New Contributor

Well, that escalated quickly.

tclark1
New Contributor

I believe the switch from Kyber to ML-KEM is what is causing the issue. Chrome 131 switched post-quantum key agreement from Kyber to ML-KEM. Disabling the flag via GPO is what we ended up doing at our org until FortiOS 7.2.x supports ML-KEM.
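
An added example (not part of this thread, and not Fortinet or Chrome code): a small Python parser that reports whether a captured ClientHello offers either of the hybrid post-quantum groups named above, which helps confirm that a failing handshake really is the Kyber/ML-KEM case. The group codepoints are the IANA TLS Supported Groups values; `build_sample_hello` and its zero-filled key shares are constructed test input.

```python
import struct

# IANA "TLS Supported Groups" codepoints for the two hybrid groups named in this thread
PQ_GROUPS = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}

def parse_groups(record: bytes):
    """Return (supported_groups, [(key_share_group, key_len)]) from one ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record starting with a ClientHello")
    u16 = lambda off: int.from_bytes(record[off:off + 2], "big")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]               # legacy_session_id
    pos += 2 + u16(pos)                  # cipher_suites
    pos += 1 + record[pos]               # legacy_compression_methods
    end = min(pos + 2 + u16(pos), len(record))
    pos += 2
    supported, shares = [], []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 10:               # supported_groups: u16 list length, then u16 ids
            supported = [int.from_bytes(body[i:i + 2], "big") for i in range(2, len(body) - 1, 2)]
        elif ext_type == 51:             # key_share: u16 list length, then (group, len, key)
            i = 2
            while i + 4 <= len(body):
                group, klen = struct.unpack_from("!HH", body, i)
                shares.append((group, klen))
                i += 4 + klen
    return supported, shares

def pq_groups_offered(record: bytes):
    """Names of hybrid post-quantum groups the client advertises or sends a share for."""
    supported, shares = parse_groups(record)
    return sorted({PQ_GROUPS[g] for g in supported + [g for g, _ in shares] if g in PQ_GROUPS})

def build_sample_hello(groups, share_sizes):
    """Constructed test input: a minimal ClientHello with zero-filled key shares."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ks = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in share_sizes)
    exts = struct.pack("!HHH", 10, len(sg) + 2, len(sg)) + sg
    exts += struct.pack("!HHH", 51, len(ks) + 2, len(ks)) + ks
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    hello = build_sample_hello([0x11EC, 0x001D, 0x0017], [(0x11EC, 1216), (0x001D, 32)])
    print(pq_groups_offered(hello), len(hello), "bytes")
```

Pass the parser the reassembled TLS record from a capture; a ClientHello carrying a 1216-byte hybrid key share may span more than one TCP segment.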

TN_Bob
New Contributor

This resolved the issue for us

sw2090
SuperUser

This link has some details on this: https://chromestatus.com/feature/5257822742249472

 

According to this, disabling the flag is not a solution because it's going to be removed altogether with Chrome v141. Then your GPO will no longer work.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
