
7/31/2024 Update: Updated ETA for 10.2.11, 11.2.2

7/15/2024 Update: Current ETA for 10.2.11, additional bug info.

5/14/2024 Update: See below - Bug ID and PANOS fixed versions.

5/6/2024 Update: See below.

 

Some additional info that might be useful:

 

Impacts:

  • Any Chromium-based browser (Google Chrome, ARC, Brave, Opera, MS Edge, etc.) gets Kyber enabled by default.
    • Workaround: As noted above, "Disabling the Kyber flags fixes the issue" for now.
  • Any applications that use the 3/22/2024 or later versions of the Chromium Embedded Framework (CEF) may also have Kyber on by default.
    • The macOS Slack Desktop App may be one of these apps. 
      • Workarounds: TBD.
      • These may be more challenging because these apps that embed CEF don't typically have the flags exposed.

 

5/6/2024 Update:

  • Chromium Embedded Framework (CEF), Slack, and Kyber:
    • I have traffic logs from the macOS Slack Desktop app showing the typical "decrypt-unsupport-param" errors seen with TLS 1.3 traffic with Kyber enabled.
  • SSL Decryption Workaround:
    • Per PAN TAC, the workaround in SSL Decryption is to disable the following unsupported mode checks. This will allow all TLS 1.3 packets with Kyber enabled to bypass SSL Decryption.
      • The upside is that users are functional.
      • The downside is that a significant (and growing) percentage of traffic is now bypassing SSL Decryption.
    • [screenshot: Unblock unsupported mode checks]
    • This has an unintended consequence: any traffic with unsupported SSL/TLS versions is now allowed to bypass SSL Decryption. So, you may also need to broaden the min/max SSL/TLS Protocol versions in order to catch as much encrypted traffic as possible:
    • [screenshot: SSL Versions.png]

 

5/14/2024 Update

  • Updates from my TAC case:
    • PAN ID: PAN-253546
    • Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0

 

7/15/2024 & 7/31/2024 Update

  • "The issue is caused when the large client hello is split into multiple packets and these arrive as out of order on the firewall." - PAN TAC.
    • Observation: This happened with Chromium-based browsers, including Google Chrome, on a very regular basis.
  • 10.2.11, one of the fixed versions, is scheduled to ship around the end of July 2024 (7/31 update: now mid-August 2024).
    • Keep in mind that it's software - it ships when PAN says it's ready. The date here is an estimate only.
  • Shipped: 11.2.2 shipped on 7/31/2024.
  • Not Kyber related, but related and useful: As of PANOS 11.1, PAN firewalls can detect, block, and log the use of PQC and hybrid PQC algorithms in TLSv1.3 session...

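The following is an added example, not code from the post above or from Palo Alto Networks. It models the TAC root cause described in the post: a Chromium ClientHello carrying an X25519Kyber768 key share is large enough to span more than one TCP segment, so an inline decryptor that tries to classify the hello from the first segment it receives (or receives the segments out of order) cannot read the extensions. The script builds a constructed TLS 1.3 ClientHello (zero-filled placeholder keys, no real traffic), parses it as a middlebox would, flags the hybrid PQ group, and shows that only after reassembling the segments in sequence order can the hello be inspected. The code points (0x6399 for X25519Kyber768Draft00, 0x001D for X25519, the extension types) and the 1216-byte hybrid share size are protocol facts; the 1460-byte MSS and the 400-byte padding extension that stands in for the other extensions a real browser sends are assumptions chosen for the example.

```python
import struct

# TLS code points (IANA TLS registry plus Chrome's draft hybrid group).
# Protocol facts, not values taken from the forum post.
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 0x000A, 0x0033
EXT_SUPPORTED_VERSIONS, EXT_PADDING = 0x002B, 0x0015
GROUP_X25519 = 0x001D
GROUP_X25519_KYBER768_DRAFT00 = 0x6399      # offered by default in recent Chromium builds
HYBRID_PQ_GROUPS = {GROUP_X25519_KYBER768_DRAFT00}
KYBER768_X25519_SHARE_LEN = 32 + 1184       # X25519 point plus Kyber768 public key
TYPICAL_MSS = 1460                          # assumption: 1500-byte MTU minus IPv4/TCP headers


def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0]


def build_client_hello(shares, padding=400):
    """Construct a minimal TLS 1.3 ClientHello record (sample data, not captured traffic).

    shares: list of (group_id, key_share_length); key bytes are zero placeholders.
    padding: size of an RFC 7685 padding extension standing in for the other
    extensions a real browser sends (assumed size, picked to mimic Chrome's bulk).
    """
    body = b"\x03\x03" + b"\x11" * 32                            # legacy_version, random
    body += b"\x20" + b"\x22" * 32                               # legacy_session_id (32 bytes)
    suites = b"\x13\x01\x13\x02\x13\x03"                         # TLS_AES_128_GCM_SHA256, ...
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                          # compression: null only
    groups = b"".join(struct.pack("!H", g) for g, _ in shares)
    entries = b"".join(struct.pack("!HH", g, n) + b"\x00" * n for g, n in shares)
    exts = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(groups) + 2, len(groups)) + groups
    exts += struct.pack("!HHH", EXT_KEY_SHARE, len(entries) + 2, len(entries)) + entries
    exts += struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, 3, 2) + b"\x03\x04"   # TLS 1.3 only
    exts += struct.pack("!HH", EXT_PADDING, padding) + b"\x00" * padding
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record, mss=TYPICAL_MSS):
    """Inspect a ClientHello the way an inline decryptor sees it: possibly truncated.

    Returns the declared record length, whether all of it is present, the offered
    groups, key_share sizes per group, whether a hybrid PQ group is offered, and
    whether the record is larger than one TCP segment (so it may arrive in pieces).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    declared = _u16(record, 3) + 5
    info = {"record_len": declared, "complete": len(record) >= declared,
            "groups": [], "key_shares": {}, "hybrid_pq": False, "exceeds_mss": declared > mss}
    if not info["complete"]:
        return info                              # partial hello: extensions cannot be read yet
    hs = record[5:declared]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32                             # handshake header, legacy_version, random
    off += 1 + hs[off]                           # legacy_session_id
    off += 2 + _u16(hs, off)                     # cipher_suites
    off += 1 + hs[off]                           # compression_methods
    ext_end = off + 2 + _u16(hs, off)
    off += 2
    while off < ext_end:
        etype, elen = _u16(hs, off), _u16(hs, off + 2)
        data = hs[off + 4:off + 4 + elen]
        if etype == EXT_SUPPORTED_GROUPS:
            n = _u16(data, 0)
            info["groups"] = [_u16(data, i) for i in range(2, 2 + n, 2)]
        elif etype == EXT_KEY_SHARE:
            p, end = 2, 2 + _u16(data, 0)
            while p < end:                       # each entry: group, length, key bytes
                g, klen = _u16(data, p), _u16(data, p + 2)
                info["key_shares"][g] = klen
                p += 4 + klen
        off += 4 + elen
    offered = info["groups"] + list(info["key_shares"])
    info["hybrid_pq"] = any(g in HYBRID_PQ_GROUPS for g in offered)
    return info


def segment(record, mss=TYPICAL_MSS):
    """Model TCP segmentation as (sequence offset, payload) pairs."""
    return [(i, record[i:i + mss]) for i in range(0, len(record), mss)]


def reassemble(segments):
    """Reorder by sequence offset before parsing: what a correct inspector must do."""
    return b"".join(payload for _, payload in sorted(segments))


if __name__ == "__main__":
    kyber = build_client_hello([(GROUP_X25519_KYBER768_DRAFT00, KYBER768_X25519_SHARE_LEN),
                                (GROUP_X25519, 32)])
    classic = build_client_hello([(GROUP_X25519, 32)])
    print("kyber  ", inspect_client_hello(kyber))        # hybrid_pq=True, exceeds_mss=True
    print("classic", inspect_client_hello(classic))      # fits in one segment
    segs = segment(kyber)
    print("first segment only", inspect_client_hello(segs[0][1]))   # complete=False
    print("reassembled out-of-order", inspect_client_hello(reassemble(segs[::-1]))["complete"])
```

Run it as a script to see the two hellos side by side: the Kyber hello is over 1700 bytes and needs two segments, the classic one is about 550 bytes and fits in one. Feeding only the first segment returns complete=False with no groups, which is the state an inspector is in if it decides on the first packet; reversing the segment order and reassembling by sequence offset restores a parseable hello. The same parser can be pointed at a real ClientHello pulled from a pcap to confirm whether a client is offering group 0x6399.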