5/14/2024 Update: See below - Bug ID and PANOS fixed versions.
5/6/2024 Update: See below.
Some additional info that might be useful:
- Chromium commit to "Enable PostQuantumKyber by default on desktop" occured on 3/12/2024
- Chromium Embedded Framework (CEF) was updated to Chromium v124 on 3/22/2024.
- Google Chrome enabled "TLS 1.3 hybridized Kyber support" in v124 on 4/16/2004.
Impacts:
- Any Chromium-based browser (Google Chrome, ARC, Brave, Opera, MS Edge, etc.) gets Kyber enabled by default.
- Workaround: As noted above, "Disabling the Kyber flags fixes the issue" for now.
- Any applications that use the 3/22/2024 or later versions of the Chromium Embedded Framework (CEF) may also have Kyber on by default.
- The macOS Slack Desktop App may be one of these apps.
- Workarounds: TBD.
- These may be more challenging because these apps that embed CEF don't typically have the flags exposed.
5/6/2024 Update:
- Chromium Embedded Framework (CEF), Slack, and Kyber:
- I have traffic logs of traffic from the macOS Slack Desktop app showing the typical decrypt-unsupport-param" errors seen with TLS1.3 traffic with Kyber enabled.
- SSL Decryption Workaround:
- Per PAN TAC, the workaround in the SSL Decryption is to disable the following unsupported mode checks. This will allow all TLS1.3 packets with Kyber enabled to bypass SSL Decryption.
- The upside is that users are functional.
- The downside is that a significant (and growing) percentage of traffic is now bypassing SSL Decryption.
Unblock unsupported mode checks- This has an unintended consequence; Any traffic with unsupported SSL/TLS versions is now allowed to bypass SSL Decryption. So, you may also need to also broaden the min/max SSL/TLS Protocol versions in order to catch as much encrypted traffic as possible:
5/14/2024 Update
- Updates from my TAC case:
- PAN ID: PAN-253546
- Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0
