Chrome/Edge 92: Problems with TLS decryption?

[German]Question: Has anyone experienced problems with Google Chrome 92 or its Edge counterpart when the called domain starts with the letter a (Amazon, Autodesk, etc.)? The tentatively rolled out CECPQ2 may be clashing with Fortigate 6.4.5 and the overarching Palo Alto solutions.


A blog reader alerted me to the following tweet on the subject. There appear to be issues with TLS decryption in Chrome/Edge 92 that impact proxy servers and firewalls. 

On you can find a post titled TLS Decryption and Chrome/Edge 92 – CECPQ2, looks like this is impacting Fortigate 6.4.5 along with the cross threaded Palo Altos, which gathers some information. The affected user writes:

TLS Decryption and Chrome/Edge 92 – CECPQ2

Just came across this this morning so I don't have all the facts locked down yet. But it would appear the version 92 of the chromium based browsers has started rolling out CECPQ2 to all domains starting with "a".

This has broken when I'm decrypting it. I've tried downgrading it to TLS1.2 with a decryption policy with no success. Bypassing of course works.

CECPQ2 – The Chromium Projects

There is a policy but I was hoping for a more global work around before i have to push it to thousands of computers.

Chrome Enterprise policy list and management | Documentation

Anyone else come across this and have any luck yet?

I'm running 10.0.5 on 5220's

Chrome optionally supports CECPQ2 in TLS 1.3 connections. The Chromium developers have probably started to enable CECPQ2 in Chromium 92 for all domains starting with the letter a. Later, domains starting with other letters are to follow. But this leads to difficulties in connection with Fortigate 6.4.5. Any of you who encountered similar problems?

CECPQ2 is the name for the combination of X25519 and an experimental post-quantum key agreement based on NTRU-HRSS-KEM. This combination provides at least the security of X25519, combined with the likelihood of withstanding future large quantum computers that might otherwise decrypt all existing TLS connections.

Cookies helps to fund this blog: Cookie settings

This entry was posted in browser, issue, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *