https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248097#M70577 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/3296">@emr_1</a>,</P><P>72 enables downgrade protection, and to an extent, the damage was already done with the release of 70. 72 is simply taking things a small step further. To prepare yourself for this, simply upgrade to one of the following and you should be good to go.&nbsp;</P><DIV><UL><LI>PAN-OS 8.1 must be&nbsp;<SPAN>≥&nbsp;</SPAN><SPAN>8.1.4</SPAN></LI><LI><SPAN>PAN-OS 8.0 must be ≥&nbsp;8.0.14</SPAN></LI><LI><SPAN>PAN-OS 7.1 must be ≥&nbsp;7.1.21</SPAN></LI></UL></DIV> Wed, 30 Jan 2019 04:20:32 GMT BPry 2019-01-30T04:20:32Z https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/247888#M70528 <P>Hello Guys,</P><P>&nbsp;</P><P>Which information is true?</P><P>Chrome 72(in topic) or Chrome 73(in article)?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chrome72.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18483iDE9D582B5DC262E5/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="chrome72.png" alt="chrome72.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chrome73.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18484i22777BF91EE84355/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="chrome73.png" alt="chrome73.png" /></span></P> Tue, 29 Jan 2019 01:40:15 GMT https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/247888#M70528 emr_1 2019-01-29T01:40:15Z https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248097#M70577 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/3296">@emr_1</a>,</P><P>72 enables downgrade protection, and to an extent, the damage was already done with the release of 70. 72 is simply taking things a small step further. To prepare yourself for this, simply upgrade to one of the following and you should be good to go.&nbsp;</P><DIV><UL><LI>PAN-OS 8.1 must be&nbsp;<SPAN>≥&nbsp;</SPAN><SPAN>8.1.4</SPAN></LI><LI><SPAN>PAN-OS 8.0 must be ≥&nbsp;8.0.14</SPAN></LI><LI><SPAN>PAN-OS 7.1 must be ≥&nbsp;7.1.21</SPAN></LI></UL></DIV> Wed, 30 Jan 2019 04:20:32 GMT https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248097#M70577 BPry 2019-01-30T04:20:32Z https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248125#M70583 <P>Hi BPry,</P><P>&nbsp;</P><P>Thanks for your reply.</P><P>&nbsp;</P><P>I tested with my testbed : PA-5020 v8.0.13 with Chrome 72.</P><P>Here is test results.</P><P>&nbsp;</P><P>chrome://flags/#tls13-variant ## default<BR />chrome://flags/#enforce-tls13-downgrade ## default<BR />-&gt; I could access to the gmail</P><P>&nbsp;</P><P>chrome://flags/#tls13-variant ## default<BR />chrome://flags/#enforce-tls13-downgrade ## enabled<BR />-&gt; confirmed "ERR_TLS13_DOWNGRADE_DETECTED"</P><P>-&gt; also confirmed I could access to the gmail after I upgrade into 8.0.14.</P><P>&nbsp;</P><P>chrome://flags/#tls13-variant ## default<BR />chrome://flags/#enforce-tls13-downgrade ## disabled<BR />-&gt; I could access to the gmail</P><P>&nbsp;</P><P>Thus, I believe downgrade protection is not enabled in 72.&nbsp;</P> Wed, 30 Jan 2019 07:21:19 GMT https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248125#M70583 emr_1 2019-01-30T07:21:19Z https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248181#M70604 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/3296">@emr_1</a>,</P><P>They may have gotten enough pushback from Enterprise users that they chose not to enable it by Default; I know the original plan was to do so in 72. Looking through the Chromium commits I'm not seeing anything about it being switched in 73 either, they actually disabled the KeyUpdate function due to bugs.&nbsp;</P><P>&nbsp;</P><P>I wouldn't be suprised to see this goalpost keep getting pushed back to be honest.&nbsp;</P> Wed, 30 Jan 2019 14:54:31 GMT https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248181#M70604 BPry 2019-01-30T14:54:31Z https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248215#M70612 <P>Google pushed the full enforcement to Chrome version 73 (unless they push it again). They have enabled it in version 72 but only if you don't trust the CA.</P><P>&nbsp;</P><P>The advisory has now been updated to reflect this new info:</P><P><A href="https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-required-if-you-have-enabled-SSL-decryption-forward-proxy/ta-p/236596" target="_blank">https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-required-if-you-have-enabled-SSL-decryption-forward-proxy/ta-p/236596</A></P><P>&nbsp;</P> Wed, 30 Jan 2019 22:37:07 GMT https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248215#M70612 gwesson 2019-01-30T22:37:07Z https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248231#M70614 <P>Hi BPry, gwesson</P><P>&nbsp;</P><P>Thank you for replies. I understood the situation.</P> Thu, 31 Jan 2019 03:03:15 GMT https://live.paloaltonetworks.com/t5/general-topics/strict-tls-1-3-in-chrome-72-or-73/m-p/248231#M70614 emr_1 2019-01-31T03:03:15Z