Tutek
Contributor

ERR_SSL_PROTOCOL_ERROR on the newest Chrome 131

Hi,

We have this problem on every webpage with the newest Chrome version 131; this error appears:

ERR_SSL_PROTOCOL_ERROR 

As I read, Chrome implemented a new TLS mechanism in this version:

https://chromestatus.com/feature/5257822742249472

Is there any solution for this?

16 REPLIES
sw2090
SuperUser

OK, the official workaround (that's what they said) that TAC just gave me in a call is to change policies to proxy mode inspection. They're working on it internally and it will "hopefully be fixed with the next FOS Update"...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

pminarik

If it helps you feel a bit better, given that this is a flow-mode specific issue, the fix will most likely be "just" an IPS engine update. A complete firmware update probably won't be necessary.

[ corrections always welcome ]
FortiGab
New Contributor II

So the problem cannot be fixed by a new IPS engine update? @pminarik

Something different from what happened with Kyber? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-...

Which component is suffering from ML-KEM?

 
Living our FortiLife
pminarik

Functionally the same situation as with Kyber. Just a new key exchange type that needs to be handled correctly by the IPS engine. Note that if you set the Chrome flag "use-ml-kem" to disabled, it should revert to using Kyber and keep working (a temp solution, of course).

 

Fix will come in an updated IPS engine. There is no public fixed version of it yet (no firmware-default engines nor engines pushed via FortiGuard have a full fix yet).

The default 7.0.16 IPS engine has a partial fix, same for the engine pushed from FortiGuard for 7.2 (349 currently).

 

The fixes should be ready very soon. For most FortiOS branches, you will likely need to open a support ticket with TAC to request them initially. Automated distribution via FortiGuard will presumably happen eventually, but with some delay. (global deployment of a new engine version needs to be done with caution)

[ corrections always welcome ]
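An added example, not part of any post in this thread and not Fortinet code: a small parser that reports which hybrid post-quantum `key_share` a ClientHello carries, so a capture can show whether a failing client offers the Kyber draft group or the ML-KEM group. The function names and the sample ClientHello are constructed; the input is assumed to be a reassembled handshake message with the 5-byte TLS record header removed.

```python
import struct

# IANA TLS Supported Groups code points for the two hybrid key exchanges named above
HYBRID_GROUPS = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(groups):
    """Constructed sample: minimal TLS 1.3 ClientHello with zero-filled key shares."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ks = b""
    for g in groups:
        n = 1216 if g in HYBRID_GROUPS else 32   # hybrid share: 1184 + 32 bytes
        ks += struct.pack("!HH", g, n) + bytes(n)
    exts = _ext(0x000A, struct.pack("!H", len(sg)) + sg)   # supported_groups
    exts += _ext(0x0033, struct.pack("!H", len(ks)) + ks)  # key_share
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x00"                    # empty legacy_session_id
            + b"\x00\x02\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def hybrid_key_shares(hello):
    """Return [(group_name, share_length)] for hybrid PQ key_share entries."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    end = 4 + int.from_bytes(hello[1:4], "big")
    if end > len(hello):
        raise ValueError("truncated ClientHello")
    pos = 4 + 2 + 32                                       # legacy_version + random
    pos += 1 + hello[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    found = []
    while pos + 4 <= min(ext_end, end):
        etype, elen = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if etype == 0x0033:                                # key_share extension
            p, stop = pos + 2, pos + elen                  # skip client_shares length
            while p + 4 <= stop:
                group, klen = struct.unpack_from("!HH", hello, p)
                if group in HYBRID_GROUPS:
                    found.append((HYBRID_GROUPS[group], klen))
                p += 4 + klen
        pos += elen
    return found
```
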
sw2090
SuperUser

They have also released a technical support doc on this: ERR_SSL_PROTOCOL_ERROR when using Flow-ba... - Fortinet Community

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
SuperUser

Oh, and NO, Fortinet, switching from DPI to certificate inspection is NOT a solution.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
SuperUser

It looks as if Fortinet has started deploying a fixed IPS engine via FortiGuard in 7.2 from November 19th on.

7.4 and 7.6 seem to get the fix with a firmware update though - as far as I read.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
