This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

jjhernandez
L3 Networker

‎04-30-2024 06:40 PM - edited ‎07-31-2024 01:30 PM

7/31/2024 Update: Updated ETA for 10.2.11, 11.2.2

7/15/2024 Update: Current ETA for 10.2.11, addl bug info.

5/14/2024 Update: See below - Bug ID and PANOS fixed versions.

5/6/2024 Update: See below.

 

Some additional info that might be useful:

 

Impacts:

  • Any Chromium-based browser (Google Chrome, ARC, Brave, Opera, MS Edge, etc.) gets Kyber enabled by default.
    • Workaround: As noted above, "Disabling the Kyber flags fixes the issue" for now.
  • Any applications that use the 3/22/2024 or later versions of the Chromium Embedded Framework (CEF) may also have Kyber on by default.
    • The macOS Slack Desktop App may be one of these apps. 
      • Workarounds: TBD.
      • These may be more challenging because these apps that embed CEF don't typically have the flags exposed.

 

5/6/2024 Update:

  • Chromium Embedded Framework (CEF), Slack, and Kyber:
    • I have traffic logs of traffic from the macOS Slack Desktop app showing the typical decrypt-unsupport-param" errors seen with TLS1.3 traffic with Kyber enabled.
  • SSL Decryption Workaround:
    • Per PAN TAC, the workaround in the SSL Decryption is to disable the following unsupported mode checks. This will allow all TLS1.3 packets with Kyber enabled to bypass SSL Decryption.
      • The upside is that users are functional.
      • The downside is that a significant (and growing) percentage of traffic is now bypassing SSL Decryption.
    • Unblock unsupported mode checksUnblock unsupported mode checks
    • This has an unintended consequence; Any traffic with unsupported SSL/TLS versions is now allowed to bypass SSL Decryption. So, you may also need to also broaden the min/max SSL/TLS Protocol versions in order to catch as much encrypted traffic as possible:
    • SSL Versions.png

 

5/14/2024 Update

  • Updates from my TAC case:
    • PAN ID: PAN-253546
    • Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0

 

7/15/2024 & 7/31/2024 Update

  • "The issue is caused when the large client hello is split into multiple packets and these arrive as out of order on the firewall." - PAN TAC.
    • Observation: This happened with Chromium-based browsers, including Google Chrome, on a very regular basis.
  • 10.2.11, one of the fixed versions, is scheduled to ship around the end of July 2024 mid-August 2024.
    • Keep in mind that its software - it ships when PAN says its ready. The date here is an estimate only.
  • Shipped: 11.2.2 shipped on 7/31/2024.
  • Not Kyber related, but related and useful: As of PANOS 11.1, PAN firewalls can detect, block, and log the use of PQC and hybrid PQC algorithms in TLSv1.3 session...

View solution in original post

3 people found this solution to be helpful.
(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks