Support Ticket

⚲

Support Troubleshooting SASE

Chrome 124 may break SSL handshake

Modified on: Wed, 12 Feb, 2025 at 11:08 PM

Issue:

Chrome changed the setting 'TLS 1.3 Hybridized Kyber Support' from disabled to enable by default. This makes Client hello packets in SSL handshake to be over 1500 bytes. Path MTU (PMTU) over the internet is typically less than 1500 bytes. When chrome enables 'TLS 1.3 Hybridized Kyber Support', client hello is over 1500 bytes. Client hello packages will be sent more than one packet. When Client hello packets go via firewall in internet doing SSL proxy and these packets received out of order, SSL handshake does not go through and user connection fails.

Browsers affected:

Google Chrome version 124 and above
Edge version 124 and above (Edge uses chromium)

Workaround:

Disable 'chrome://flags/#enable-tls13-kyber' flag on chrome.

Disable 'edge://flags/#enable-tls13-kyber ' flag on edge.

Permanent fix:

Versa is working on permanent fix on VOS.

It is being tracked under Versa internal bug ID 110688.

bug ID 110688 was fixed in June 2024 and hotfix was released in July 2024.

More reading on this issue:

https://tldr.fail/

https://www.reddit.com/r/sysadmin/comments/1carvpd/chrome_124_breaks_tls_handshake/

https://www.bleepingcomputer.com/news/security/google-chromes-new-post-quantum-cryptography-may-break-tls-connections/

Chrome bug:

https://issues.chromium.org/u/0/issues/336007383

https://issues.chromium.org/u/0/issues/339141094

Did you find it helpful? Yes No

More articles in SASE

See all 16 articles