Issue

Chrome enabled 'TLS 1.3 Hybridized Kyber Support' by default starting in version 124. This causes the TLS Client Hello packet to exceed 1500 bytes, requiring fragmentation. When fragmented Client Hello packets arrive out of order at an SSL-proxying firewall, the SSL handshake fails and the connection drops.

Browsers affected

  • Google Chrome 124 and above
  • Microsoft Edge 124 and above (Chromium-based)

Workaround

Disable the Kyber flag in your browser:

  • Chrome: chrome://flags/#enable-tls13-kyber → Disabled
  • Edge: edge://flags/#enable-tls13-kyber → Disabled

Permanent fix

Fixed in Versa Bug-ID: 110688. Hotfix released on July 2024.

Further reading

Chromium bug reports