Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PixoPuro
New Contributor

Created on ‎11-27-2023 11:54 AM Edited on ‎11-27-2023 12:27 PM

SSL Deep Inspection - Google Chrome

Hi, is anyone else having a problem doing deep inspection using Google Chrome?

 

Google Chrome version:  119.0.6045.160 (Versão oficial) 64 bits

 

Fortigate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3

google same policy/ssl profile from prints below.

facebook.com_chrome.png


 same policy ID from above - EGDE

facebook.com_edge.png

 

 

  same policy ID from abobe - firefox

faceook.com_firefox.png

 

 

 SSL Profile:

 

SSL_profile.png

Do you guys have some advices?
TY

 

Labels:
7124
0 Kudos
1 Solution
smaruvala
Staff
Staff

Created on ‎11-28-2023 12:54 AM

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

View solution in original post

7052
14 REPLIES 14
smaruvala
Staff
Staff

Created on ‎11-28-2023 12:01 AM

Hi,

 

- The command "set admin-https-ssl-versions" is used for GUI access of the Firewall. 

- I tried to check using the same chrome version. I didn't face any issue in which I saw the DigiCert CA certificate instead of the Fortigate certificate.

- Was the issue not seen when chrome version was older? 

- Is the issue seen in every or multiple users behind the Firewall?

- I don't see the page you are accessing in the chrome. Is it the facebook URL as well?

 

Regards,

Shiva

6368
DarioP
New Contributor

Created on ‎11-28-2023 12:33 AM

Hi, the same issue with 400F, 7.0.13. WebFilter doesn't work too. But on some stations with Google Chrome 119.0.6045.160/64 deep inspection and WebFilter work fine. Interesting...

Regards

DarioP

 

6341
0 Kudos
smaruvala
Staff
Staff

Created on ‎11-28-2023 12:54 AM

Hi,

 

- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.

- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.

- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.

 

Regards,

Shiva

7053
PixoPuro
New Contributor
In response to smaruvala

Created on ‎11-28-2023 04:58 AM

Thank you, I was able to use deep inspection in Chrome with your tip. 

6279
0 Kudos
DarioP
New Contributor

Created on ‎11-28-2023 01:33 AM

Hi again,

It works for me. After disabling "TLS 1.3 hybridized Kyber support"  in Chrome everything looks fine.

 

Regards,

DarioP

6322
smaruvala
Staff
Staff

Created on ‎11-28-2023 02:02 AM

Hi @DarioP ,

 

Great, Then it would be matching the same issue. Current IPS Engine is not supporting this. So the fixes will be coming soon.

 

Regards,

Shiva

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

 

6314
tuan2tech
New Contributor II

Created on ‎12-06-2023 04:21 PM

Hi you

I disabled Kyber in Chrome and it worked. But why does it only fail on a few clients?

6079
0 Kudos
smaruvala
Staff
Staff
In response to tuan2tech

Created on ‎12-07-2023 03:48 AM

Hi,

 

I am assuming these updates in chrome is coming as staged update. Basically if we see 25519KyberDraft in the supported groups in the client hello packet then the Firewall will not support it. This will cause this issue. You may have to compare the working and non-working capture in the client and look for the supported groups extension header in the Client hello packet.

 

Regards,

Shiva

6057
tuan2tech
New Contributor II
In response to smaruvala

Created on ‎04-21-2024 08:43 PM

Hi you

Does Fortinet have an update with this error? Recently I encountered this error with other browsers like Edge, Firefox and I had to disable Kyber

2903
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.