I suspect the problem is in our firewall: https://community.fortinet.com/t5/FortiGate/Technical-Tip-ERR-SSL-PROTOCOL-ERROR-when-using-Flow-based-Deep/ta-p/357555
On Mon, Nov 25, 2024 at 2:44 PM frank picabia <fpica...@gmail.com> wrote:

> I've been struggling with this issue on a couple of our Apache servers,
> but not all.
>
> In the last week or two, Chrome has updated their browser and that is
> when some users started to experience SSLProtocol error in the browser.
> Nothing is logged on the server with normal warn level of logging set.
>
> We have found three ways to dodge the error. In Chrome the feature
> ML-KEM can be changed from Default to Disabled, and then it is fine.
> Alternatively, the SSLProtocol in Apache configuration can be set to
> only TLS 1.2 and then Chrome can load the site. Or alternatively the
> site can be used with Firefox and it is fine even while TLS 1.3 is in
> effect.
>
> I've run through a lot of diagnosis with ChatGPT and tried a lot of
> options for CipherSuite and SSLOpenSSLConfCmd. Nothing on that level
> has helped. We have a lot of Apache servers where nothing too elaborate
> has been configured for SSLCipherSuite and they don't exhibit any
> problem.
>
> Earlier I did find one of our sites had an unconfigured
> <VirtualHost _default_:443> setup, and once I removed that, then it
> resolved this issue. For the sites having a problem today, I am unable
> to find any config junk that could be similar.
>
> The site gets an A+ at SSL Qualys Labs SSL test and I don't see any
> issues flagged in the detailed breakdown.
>
> I've seen the problem in Apache 2.4.62 on Debian 12, and also in Apache
> 2.4.62 for Windows built by the Apache Lounge project.
>
> I have other servers with Apache and there are no problems in the same
> Chrome from them.
>
> It's a bizarre set of circumstances to troubleshoot. It might be the
> case that like the system with the leftover _default_:443 VirtualHost,
> there is another sort of config error that can cause these SSL Protocol
> problems now, and only recently, and only in Chrome (or maybe Edge).
>
> I'm running out of ideas of things to check. Has no one else run into
> this since Nov 12th or so?