Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PixoPuro
New Contributor II

SSL Deep Inspection - Google Chrome

Hi, is anyone else having a problem doing deep inspection using Google Chrome?

 

Google Chrome version:  119.0.6045.160 (Versão oficial) 64 bits

 

Fortigate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3

google same policy/ssl profile from prints below.

facebook.com_chrome.png


 same policy ID from above - EGDE

facebook.com_edge.png

 

 

  same policy ID from abobe - firefox

faceook.com_firefox.png

 

 

 SSL Profile:

 

SSL_profile.png

Do you guys have some advices?
TY

 

Leandro
Leandro
1 Solution
smaruvala
Staff
Staff

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

View solution in original post

17 REPLIES 17
smaruvala
Staff
Staff

Hi,

 

- The command "set admin-https-ssl-versions" is used for GUI access of the Firewall. 

- I tried to check using the same chrome version. I didn't face any issue in which I saw the DigiCert CA certificate instead of the Fortigate certificate.

- Was the issue not seen when chrome version was older? 

- Is the issue seen in every or multiple users behind the Firewall?

- I don't see the page you are accessing in the chrome. Is it the facebook URL as well?

 

Regards,

Shiva

DarioP
New Contributor

Hi, the same issue with 400F, 7.0.13. WebFilter doesn't work too. But on some stations with Google Chrome 119.0.6045.160/64 deep inspection and WebFilter work fine. Interesting...

Regards

DarioP

 

smaruvala
Staff
Staff

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

PixoPuro
New Contributor II

Thank you, I was able to use deep inspection in Chrome with your tip. 

Leandro
Leandro
DarioP
New Contributor

Hi again,

It works for me. After disabling "TLS 1.3 hybridized Kyber support"  in Chrome everything looks fine.

 

Regards,

DarioP

smaruvala
Staff
Staff

Hi @DarioP ,

 

Great, Then it would be matching the same issue. Current IPS Engine is not supporting this. So the fixes will be coming soon.

 

Regards,

Shiva

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

 

tuan2tech
New Contributor III

Hi you

I disabled Kyber in Chrome and it worked. But why does it only fail on a few clients?

smaruvala

Hi,

 

I am assuming these updates in chrome is coming as staged update. Basically if we see 25519KyberDraft in the supported groups in the client hello packet then the Firewall will not support it. This will cause this issue. You may have to compare the working and non-working capture in the client and look for the supported groups extension header in the Client hello packet.

 

Regards,

Shiva

tuan2tech
New Contributor III

Hi you

Does Fortinet have an update with this error? Recently I encountered this error with other browsers like Edge, Firefox and I had to disable Kyber

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors