Hi everyone,
I have a FortiGate 120G with deep inspection profile applied.
Since the update to v7.2.10 I have random issues and I think it does belong to quic.
This morning several clients called me to tell that www.google.at does not work any more in edge browser:
ERR_SSL_PROTOCOL_ERROR
First I did try to block quic via application control, that didn't help so I did create a policy blocking udp 443. Didn't help either.
So if blocking does not work I tried to allow it - as this telling me blocking is not neccesarry:
But this does not help either. What is really strange: the error messages does not appear to be consistent at all. Websites do work on some clients and on others they do not (using same firewall policy and same inspection profile).
The next hour these websites do work on clients that were affected before but then it does not work on other clients.
As a workaround I disable deep inspection for now... Any ideas how to fix this? Should I create a ticket?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
I would recommend to disable TLS 1.3 hybridized Kyber support on Google Chrome side and check whether the issue persists. Please find the details by following the link below:
As @abarushka mentioned disabling TLS 1.3 hybridizied kyber support disabling helps with the issue.
For all windows admins here: There is an option in the microsoft edge group policy template called "Enable post-quantum key agreement for TLS"
Hello,
I would recommend to disable TLS 1.3 hybridized Kyber support on Google Chrome side and check whether the issue persists. Please find the details by following the link below:
Created on 11-19-2024 02:29 AM Edited on 11-19-2024 02:30 AM
I guess the flag does look different now in edge than what is described in your link:
There's potentially two options:
1: disable "use-ml-kem": This will disable the new ML-KEM key exchange and fall back to Kyber (handled correctly by IPS if you have up-to-date IPS engine).
2. disable "enable-tls13-kyber": This will completely disable post-quantum key exchange.
You can pick one based on if they're available in your flavor of Chromium-based browser.
Created on 11-21-2024 01:14 AM Edited on 11-21-2024 01:33 AM
Hello @pminarik
I found another website that does not work: https://immich.app
This site also does not work in firefox (SSL_ERROR_ECH_RETRY_WITH_ECH) or edge (ERR_ECH_NOT_NEGOTIATED)
the use-ml-kem flag can't be found in edge... there is only #enable-tls13-kyber. Any ideas how to proceed further?
The IPS engine on my FG120G is Version 7.00349
Edit: The website does work a few minutes later on firefox, but still not on Edge... (I did not change anything in the meantime)
This is unrelated.
ECH is Encrypted ClientHello, a feature not related to ML-KEM key exchange.
Have a look here for tips on dealing with ECH:
----------
For ML-KEM in Edge, it will suffice to disable the "enable-tls13-kyber" flag.
As @abarushka mentioned disabling TLS 1.3 hybridizied kyber support disabling helps with the issue.
For all windows admins here: There is an option in the microsoft edge group policy template called "Enable post-quantum key agreement for TLS"
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.