Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PixoPuro
New Contributor II

SSL Deep Inspection - Google Chrome

Hi, is anyone else having a problem doing deep inspection using Google Chrome?

 

Google Chrome version:  119.0.6045.160 (Versão oficial) 64 bits

 

Fortigate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3

google same policy/ssl profile from prints below.

facebook.com_chrome.png


 same policy ID from above - EGDE

facebook.com_edge.png

 

 

  same policy ID from abobe - firefox

faceook.com_firefox.png

 

 

 SSL Profile:

 

SSL_profile.png

Do you guys have some advices?
TY

 

Leandro
Leandro
1 Solution
smaruvala
Staff
Staff

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

View solution in original post

17 REPLIES 17
quickit

Hi,

Good workaround, but this bug has not been fixed for more than 14 months.
It's still a problem.

Regards,
Bertalan

minheplus
New Contributor

Hardware 401F (Firmware 7.4.3), If web filter is turn on, Chrome cannot access website. Disable TLS 1.3 hybridized Kyber, problem is resolved. When Fortinet fix this issue?

tuan2tech
New Contributor III

I'm also having a hard time turning off Kyber for each computer. Our company has more than 100 pc

PixoPuro

stop using chatgpt

Leandro
Leandro
gperezarsoft
New Contributor II

We're having the same issue.

Only solution was to disable TLS1.3 kyber support on chromium based browsers or disable ssl-inspection (Which would be stupid since that's one of the security measures of the product).

After inspecting the issue further we discovered that we were having fragmentation issues with this kind of tls handshake, check this out. https://community.fortinet.com/t5/Support-Forum/Fortigates-with-PPPoE-WAN-suddenly-need-TCP-MSS-1452...

Seems that the only way to keep SSL INSPECTION and TLS 1.3 kyber support in browsers is to set the tcp-mss value to the correct size. Since we're using PPPoE ours is 1452, yours might be different. Once the tcp-mss is set, everything works... or does it?

Which surprises me is that fortigate hasn't said anything about it...

tuan2tech
New Contributor III

Why doesn't fortinet have an update to fix this problem? I also encountered an error of not being able to load SD-WAN rules with firmware 7.4.3

smaruvala
Staff
Staff

Hi,

 

Regarding the Kyber issue there is a KB

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-...

- This talks about the workarounds including the MSS settings.

 

Regards,

Shiva

 

gperezarsoft

Thank you smaruvala,

Might add that if you're following the "Disable kyber support" way you can use this registry keys in Edge, Chrome and Brave browsers which can be applied via GPO:

  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\PostQuantumKeyAgreementEnabled
  • HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\PostQuantumKeyAgreementEnabled
  • HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave\PostQuantumKeyAgreementEnabled

Setting the value to REG_DWORD 0.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors