Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PixoPuro
New Contributor II

Created on ‎11-27-2023 11:54 AM Edited on ‎11-27-2023 12:27 PM

SSL Deep Inspection - Google Chrome

Hi, is anyone else having a problem doing deep inspection using Google Chrome?

 

Google Chrome version:  119.0.6045.160 (Versão oficial) 64 bits

 

Fortigate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3

google same policy/ssl profile from prints below.

facebook.com_chrome.png


 same policy ID from above - EGDE

facebook.com_edge.png

 

 

  same policy ID from abobe - firefox

faceook.com_firefox.png

 

 

 SSL Profile:

 

SSL_profile.png

Do you guys have some advices?
TY

 

Leandro
Leandro
Labels:
25134
0 Kudos
1 Solution
smaruvala
Staff
Staff

Created on ‎11-28-2023 12:54 AM

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

View solution in original post

25062
17 REPLIES 17
smaruvala
Staff
Staff

Created on ‎11-28-2023 12:01 AM

Hi,

 

- The command "set admin-https-ssl-versions" is used for GUI access of the Firewall. 

- I tried to check using the same chrome version. I didn't face any issue in which I saw the DigiCert CA certificate instead of the Fortigate certificate.

- Was the issue not seen when chrome version was older? 

- Is the issue seen in every or multiple users behind the Firewall?

- I don't see the page you are accessing in the chrome. Is it the facebook URL as well?

 

Regards,

Shiva

17427
DarioP
New Contributor

Created on ‎11-28-2023 12:33 AM

Hi, the same issue with 400F, 7.0.13. WebFilter doesn't work too. But on some stations with Google Chrome 119.0.6045.160/64 deep inspection and WebFilter work fine. Interesting...

Regards

DarioP

 

17400
0 Kudos
smaruvala
Staff
Staff

Created on ‎11-28-2023 12:54 AM

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

25063
PixoPuro
New Contributor II
In response to smaruvala

Created on ‎11-28-2023 04:58 AM

Thank you, I was able to use deep inspection in Chrome with your tip. 

Leandro
Leandro
17338
0 Kudos
DarioP
New Contributor

Created on ‎11-28-2023 01:33 AM

Hi again,

It works for me. After disabling "TLS 1.3 hybridized Kyber support"  in Chrome everything looks fine.

 

Regards,

DarioP

17381
smaruvala
Staff
Staff

Created on ‎11-28-2023 02:02 AM

Hi @DarioP ,

 

Great, Then it would be matching the same issue. Current IPS Engine is not supporting this. So the fixes will be coming soon.

 

Regards,

Shiva

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

 

17373
tuan2tech
New Contributor III

Created on ‎12-06-2023 04:21 PM

Hi you

I disabled Kyber in Chrome and it worked. But why does it only fail on a few clients?

17137
0 Kudos
smaruvala
Staff
Staff
In response to tuan2tech

Created on ‎12-07-2023 03:48 AM

Hi,

 

I am assuming these updates in chrome is coming as staged update. Basically if we see 25519KyberDraft in the supported groups in the client hello packet then the Firewall will not support it. This will cause this issue. You may have to compare the working and non-working capture in the client and look for the supported groups extension header in the Client hello packet.

 

Regards,

Shiva

17115
tuan2tech
New Contributor III
In response to smaruvala

Created on ‎04-21-2024 08:43 PM

Hi you

Does Fortinet have an update with this error? Recently I encountered this error with other browsers like Edge, Firefox and I had to disable Kyber

13962
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.