Webserver are suddenly not reachable anymore due to TLS 1.3 hybridized Kyber support

In the last days we have had several support cases that suspiciously all had the same error description: many web servers can no longer be reached with the Chrome or Edge browser.

In our cases typically the Webfilter feature from one of our firewalls has been involved. Right now we are still missing a lot of information, but the problem seems to be related to the “TLS 1.3 hybridized Kyber support” feature from Chrome and Edge (both version 124).

This feature added support for the new quantum-resistant X25519Kyber768 encapsulation mechanism which is enabled by default. The result of this feature is that the “Client Hello” packet of the TLSv1.3 negotiation is getting huge – bigger than the normal MTU of a packet and therefor the packet needs to be fragmented. And this seems to cause some issues.

As a workaround you can disable this feature on your browser:


Additional information can be found here: https://tldr.fail/



Technical Tip: Web filter is not blocking websites on Google Chrome

Palo Alto Networks

Post-Quantum Cryptography Detection and Control

Known Issue in PANOS 11.2.0: PAN-254236: TLSv1.3 hybridized Kyber support in the latest versions of Chrome and Edge browsers results in dropped Client Hello packets when SSL/TLS handshake inspection is enabled.
Workaround: Disable SSL/TLS handshake inspection.


3 thoughts on “Webserver are suddenly not reachable anymore due to TLS 1.3 hybridized Kyber support

  1. Julian Reply

    Thanks for this information.

    I can confirm this bug, but I have a rather weird (or concerning?) observation:

    Right now I am in Türkiye. If I use a personal hotspot connection connection from my iPhone running iOS 17.4.1 with a local Vodafone TR sim card, the bug essentially prevents any SSL connection for Chromium-based browsers (also Microsoft Edge). Safari works without a problem.

    However: If I use a sim card from Telekom.de in roaming, Chrome and Edge opens every website via SSL without a problem.

    So the provider used to access a server seems to be relevant in this context.

    • mp Reply

      Hello Julian,
      The package size also seems to play a role in this problem. If the packet size is set small enough in the policy (set tcp-mss-receiver and tcp-mss-sender), then this problem does not occur. Apparently the mobile provider sets the packet size smaller accordingly, so it seems to work.

  2. Douglas Lawson Reply

    Can confirm as well. Additional steps for Fortigate involve switching from Flow Mode to Proxy Mode for security features.

Leave a Reply

Your email address will not be published. Required fields are marked *