Helpful ReplyHot!ERR_SSL_PROTOCOL_ERROR on Google Chrome

Page: < 12 Showing page 2 of 2
Author
Jirka
Gold Member
  • Total Posts : 167
  • Scores: 7
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/07 00:35:11 (permalink)
0
ShawnZA
Yeah all 6.2.* versions are full of bugs.
We get the SSL error while accessing allowed sites.
Are your policy set to proxy mode or flow mode?



I tried both the flow and the proxy. 
The allowed sites works great, the problem is only for FortiGuard blocked site.

Jirka
#21
emnoc
Expert Member
  • Total Posts : 5769
  • Scores: 375
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: online
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/07 07:27:46 (permalink) ☄ Helpfulby ShawnZA 2020/01/07 22:46:44
0
Have anybody used curl against theses sites? Inspect the certificate and if you see any stale cert clear them. You can also test in a incognito window and see if the problem exists.
 
It sounds  like a browser issues. FWIW. I check all of those sites from  fortios v6.2.3 and see no issues using chrome on windows { Version 78.0.3904.87 (Official Build) (64-bit) }
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#22
Cibura
Bronze Member
  • Total Posts : 25
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/12/07 08:17:33
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/24 09:07:56 (permalink)
0
Hi all, I've been following this thread since the beginning. I have 15 locations, each with a fortigate 60E or 90D. I use URL filtering exclusively. Accessing Gmail on Chrome is a problem on 6.0.6 all the way up to current 6.2.3. I have tested this in my lab, on a brand new 60E, with a brand new laptop connected as the only client, in a sterile environment, with nothing programmed into the fortigate except 1 policy for web access with URL filtering. I can duplicate the problem easily, and have tried every suggestion in the thread without success. I do not have this issue on other browsers. 
#23
Cibura
Bronze Member
  • Total Posts : 25
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/12/07 08:17:33
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/02/04 08:55:37 (permalink)
0
Quick update, I believe we solved the problem, or at least my problem. I haven't fulled vetted this out yet, but so far, so good.
 
All of my static URL Web Filters end with:
* wildcard block
 
I changed it to:
[^.] regex block
 
and now everything works as it should. Wanted to get this out these asap in case it helps anyone.
#24
Cibura
Bronze Member
  • Total Posts : 25
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/12/07 08:17:33
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/02/04 08:55:44 (permalink) ☄ Helpfulby sensible 2020/04/20 06:41:43
0
Quick update, I believe we solved the problem, or at least my problem. I haven't fulled vetted this out yet, but so far, so good.
 
All of my static URL Web Filters end with:
* wildcard block
 
I changed it to:
[^.] regex block
 
and now everything works as it should. Wanted to get this out these asap in case it helps anyone.
#25
tanr
Platinum Member
  • Total Posts : 802
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/02/04 09:01:42 (permalink)
0
Definitely pass the info on to TAC.
#26
ghondareyte
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/20 10:05:34
  • Location: Buenos Aires
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/02/20 10:08:48 (permalink)
0
Hi! I would like to know if you have some answer from the TAC? I have exactly the same problem with a customer in FortiOS 6.2.3 with DeepInspection.
 
Thanks!
 
#27
ghondareyte
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/20 10:05:34
  • Location: Buenos Aires
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/03/10 17:30:05 (permalink)
0
Hi! The solution given by the TAC of Fortinet was to block the service "SSL_TLS v1.3" at the Application Control profile of the users groups where was applied Deep Inspection. After this change at the APP Control, the issue was solved.
 
#28
sensible
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/04/20 06:41:11
  • Status: offline
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/04/20 07:03:15 (permalink)
0
Hey
 
(usually i lurk, but had to create an account to thank you)
 
I know this is an old thread. But this seems to have literally saved me from wasting countless days (30-40 hours minimum) that i've been spending on this.
I have a case open with the TAC. They are completely useless. I haven't had them actually resolve a single issue to date. But that's another issue....
I cannot believe this is still a thing they haven't addressed/fixed. Nor has the TAC mentioned this solution at all. I have tried several versions in 6.0.x on several of  our production VM01s, and on my 60E (lab/home). 
 
I was only seeing this issue with "FLOW MODE" web filtering. And mainly with Google Chrome.
 
Some segments on our network rely solely on STATIC only web filter profiles. No fortiguard. And nothing was working. I was trying every combination of "simple" and adding wildcards and multiple combinations of the same urls, not to mention regular expressions (for allowing simple domains).
I was constantly seeing "blocked" in my logs for several urls that were clearly allowed/exempted.
 
It didn't dawn on me to try a regex variation for the "block" @ the end of my list.
This helped me sort out my issue too. 
I also noticed my above issue with chrome was intermittent. I realised if i tested some sites in edge, then switched to chrome it would work on/off. This could be related to caching.
 
Cheers man. You're a saint.
Really appreciate it.
 
I'll be sure to link this thread to my TAC agent
 
 
Does anyone know how to ensure the "block" page shows for https blocks? I can't seem to get it to show. It works with PROXY mode profile, but not flow.
Note: I am using regular cert inspection (the default CA of my device) and imported the cert into my windows cert store, but doesn't even attempt to show up. 
 
 
 
#29
Page: < 12 Showing page 2 of 2
Jump to:
© 2020 APG vNext Commercial Version 5.5