Hi,
We have a problem: on every web page, with the newest Chrome version 131, this error appears:
ERR_SSL_PROTOCOL_ERROR
As I read, Chrome implemented a new TLS mechanism in this version:
https://chromestatus.com/feature/5257822742249472
Is there any solution for this?
OK, the official workaround (that's what they said) that TAC just gave me in a call is to change policies to proxy mode inspection. They're working on it internally and it will "hopefully be fixed with the next FOS Update"...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
If it helps you feel a bit better, given that this is a flow-mode specific issue, the fix will most likely be "just" an IPS engine update. A complete firmware update probably won't be necessary.
So the problem cannot be fixed by a new IPS engine update? @pminarik
Something different from what happened with Kyber? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-...
Which component is suffering from ML-KEM?
Created on 11-15-2024 02:03 AM Edited on 11-15-2024 02:04 AM
Functionally the same situation as with Kyber. Just a new key exchange type that needs to be handled correctly by IPS engine. Note that if you set the Chrome flag "use-ml-kem" to disabled, it should revert to using Kyber and keep working (a temp solution, of course).
The fix will come in an updated IPS engine. There is no public fixed version of it yet (neither the firmware-default engines nor the engines pushed via FortiGuard have a full fix yet).
The default 7.0.16 IPS engine has a partial fix, same for the engine pushed from FortiGuard for 7.2 (349 currently).
The fixes should be ready very soon. For most FortiOS branches, you will likely need to open a support ticket with TAC to request them initially. Automated distribution via FortiGuard will presumably happen eventually, but with some delay. (global deployment of a new engine version needs to be done with caution)
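To check from a packet capture which hybrid group a client actually offers (ML-KEM, or Kyber after the Chrome flag change mentioned above), the following sketch parses the `supported_groups` extension of a ClientHello. It is an added example, not part of the original posts or Fortinet's tooling; the code points are the IANA registry values, the sample ClientHello is constructed, and the input is assumed to be one complete TLS record.

```python
import struct

# TLS named-group code points from the IANA registry for the two hybrid
# key exchanges named in the thread.
HYBRID_GROUPS = {0x11EC: "X25519MLKEM768", 0x6399: "X25519Kyber768Draft00"}

def supported_groups(record: bytes) -> list:
    """Return the supported_groups code points from one ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                # compression_methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x000A:            # supported_groups
            n = struct.unpack_from("!H", record, pos)[0]
            body = record[pos + 2:pos + 2 + n]
            return [struct.unpack_from("!H", body, i)[0]
                    for i in range(0, len(body) - 1, 2)]
        pos += ext_len
    return []

def hybrid_offered(record: bytes) -> list:
    """Names of the hybrid post-quantum groups the client offers, in order."""
    return [HYBRID_GROUPS[g] for g in supported_groups(record) if g in HYBRID_GROUPS]

def build_sample_hello(groups) -> bytes:
    """Constructed minimal ClientHello (not a real capture) for the demo."""
    glist = b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HHH", 0x000A, len(glist) + 2, len(glist)) + glist
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    # Constructed group lists: 0x001D is x25519, 0x0017 is secp256r1.
    for label, groups in [("ML-KEM offered", [0x11EC, 0x001D, 0x0017]),
                          ("Kyber offered", [0x6399, 0x001D, 0x0017]),
                          ("classical only", [0x001D, 0x0017])]:
        print(label, "->", hybrid_offered(build_sample_hello(groups)))
```
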
They have also released a technical support doc on this: ERR_SSL_PROTOCOL_ERROR when using Flow-ba... - Fortinet Community
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Oh, and NO, Fortinet, switching from DPI to certificate inspection is NOT a solution.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
It looks like Fortinet has started deploying a fixed IPS engine via FortiGuard in 7.2 from November 19th on.
7.4 and 7.6 seem to get the fix with a firmware update though - as far as I read.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams