Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PixoPuro
New Contributor II

Created on ‎11-27-2023 11:54 AM Edited on ‎11-27-2023 12:27 PM

SSL Deep Inspection - Google Chrome

Hi, is anyone else having a problem doing deep inspection using Google Chrome?

 

Google Chrome version:  119.0.6045.160 (Versão oficial) 64 bits

 

Fortigate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3

google same policy/ssl profile from prints below.

facebook.com_chrome.png


 same policy ID from above - EGDE

facebook.com_edge.png

 

 

  same policy ID from abobe - firefox

faceook.com_firefox.png

 

 

 SSL Profile:

 

SSL_profile.png

Do you guys have some advices?
TY

 

Labels:
10778
0 Kudos
1 Solution
smaruvala
Staff
Staff

Created on ‎11-28-2023 12:54 AM

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

View solution in original post

10706
16 REPLIES 16
minheplus
New Contributor

Created on ‎04-22-2024 03:51 AM

Hardware 401F (Firmware 7.4.3), If web filter is turn on, Chrome cannot access website. Disable TLS 1.3 hybridized Kyber, problem is resolved. When Fortinet fix this issue?

1599
0 Kudos
tuan2tech
New Contributor III
In response to minheplus

Created on ‎04-22-2024 05:59 PM

I'm also having a hard time turning off Kyber for each computer. Our company has more than 100 pc

1509
PixoPuro
New Contributor II
In response to juliaeldef548

Created on ‎04-25-2024 11:40 AM

stop using chatgpt

1036
gperezarsoft
New Contributor

Created on ‎05-15-2024 08:15 AM Edited on ‎05-15-2024 08:16 AM

We're having the same issue.

Only solution was to disable TLS1.3 kyber support on chromium based browsers or disable ssl-inspection (Which would be stupid since that's one of the security measures of the product).

After inspecting the issue further we discovered that we were having fragmentation issues with this kind of tls handshake, check this out. https://community.fortinet.com/t5/Support-Forum/Fortigates-with-PPPoE-WAN-suddenly-need-TCP-MSS-1452...

Seems that the only way to keep SSL INSPECTION and TLS 1.3 kyber support in browsers is to set the tcp-mss value to the correct size. Since we're using PPPoE ours is 1452, yours might be different. Once the tcp-mss is set, everything works... or does it?

Which surprises me is that fortigate hasn't said anything about it...

286
0 Kudos
tuan2tech
New Contributor III

Created on ‎05-15-2024 06:51 PM

Why doesn't fortinet have an update to fix this problem? I also encountered an error of not being able to load SD-WAN rules with firmware 7.4.3

255
0 Kudos
smaruvala
Staff
Staff

Created on ‎05-16-2024 12:32 AM

Hi,

 

Regarding the Kyber issue there is a KB

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-...

- This talks about the workarounds including the MSS settings.

 

Regards,

Shiva

 

229
gperezarsoft
New Contributor
In response to smaruvala

Created on ‎05-16-2024 01:07 AM

Thank you smaruvala,

Might add that if you're following the "Disable kyber support" way you can use this registry keys in Edge, Chrome and Brave browsers which can be applied via GPO:

  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\PostQuantumKeyAgreementEnabled
  • HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\PostQuantumKeyAgreementEnabled
  • HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave\PostQuantumKeyAgreementEnabled

Setting the value to REG_DWORD 0.

218
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.