ERR_ECH_NOT_NEGOTIATED problem

What is the name of the domain?

logwin-logistics.com.pl

What is the issue you’re encountering

We are working on the free plan and the ECH feature (since a few days) is causing us some problems. I just have a question: if I rise up to the PRO plan, can I disable the ECH feature? Will it be disabled automatically, or how can I disable it? (related with ECH Protocol | Cloudflare SSL/TLS docs)

What is the current SSL/TLS setting?

Full

Can you describe what problem you are having and with which host name (logwin-logistics.com.pl doesn’t resolve)?

When we try to reach a few of our websites (cannot share with you the exact hostnames) we get the same error [ERR_ECH_NOT_NEGOTIATED] in Chrome. I’m just wondering how to disable that ECH feature on Cloudflare, and if I rise up my plan to Pro, can I disable ECH somehow?

Hi @it.airocean-pl, that should not be necessary. If you disable TLS 1.3 on your zone, that should fix the issue. Is there a way to replicate?

Matt

Tried already and it didn’t fix it. I have done all the things from the Reddit thread below except disabling SSL and the allowlist on Forti (have no access).
https://www.reddit.com/r/fortinet/comments/1fd9knx/err_ech_not_negotiated_encrypted_client_hello/

It would be great if someone from Cloudflare could confirm to me that the PRO plan has ECH disabled.

ECH is disabled on Pro Plans - an API to disable on Free plans will be available next week. It seems the problem is with Fortinet and blocking our domain. I will reach out to Fortinet to see if we can expedite a fix for all.

Great! Thank you for the answer. It’s good news. I misunderstood you at first look, but I disabled TLS 1.3 on Cloudflare and it helped. Before, I had only disabled TLS 1.3 in Chrome.


Fortinet is not blocking the site. The issue seems to be that the Encrypted Client Hello is breaking SSL inspection through the FortiGate. Implementing an SSL inspection bypass of the domain name cloudflare-ech.com will fix the ECH issue. However - this is a workaround - not a fix.

Bypassing this domain name from inspection has the consequence of causing a bypassing of SSL inspection for ALL Cloudflare sites that use ECH.

The real question is - why is Cloudflare deploying a still experimental feature across their production environments - and turning it on by default!

According to IETF, ECH is currently only a “Proposed Standard”…

Cloudflare deploying this to production, and enabling it by default - was a mistake.
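The bypass described above works because of how ECH is advertised: Chrome only attempts ECH when the site's HTTPS DNS record carries an `ech=` parameter, and the `public_name` inside that ECHConfig (for Cloudflare zones, cloudflare-ech.com) is the outer SNI an inspecting middlebox actually sees. The following is an added example, not code from this thread, Cloudflare or Fortinet, that a defender can use to check whether a zone advertises ECH and which public name it uses. The HTTPS record and ECHConfigList wire formats, and the 1.1.1.1 DNS-over-HTTPS JSON endpoint, are real; the sample record, its dummy public key and the config_id are constructed for offline testing.

```python
import base64
import json
import shlex
import struct
import urllib.request

ECH_VERSION_DRAFT13 = 0xFE0D  # ECHConfig version used by deployed ECH (draft-ietf-tls-esni-13+)


def parse_https_rr(presentation: str) -> dict:
    """Parse the presentation form of an HTTPS (type 65) record, as printed by dig or
    returned in the 'data' field of DoH JSON, e.g. '1 . alpn="h3,h2" ech="AEX..."'."""
    tokens = shlex.split(presentation)  # drops the quotes around SvcParam values
    if len(tokens) < 2:
        raise ValueError("HTTPS record needs at least SvcPriority and TargetName")
    params = {}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        params[key] = value
    return {"priority": int(tokens[0]), "target": tokens[1], "params": params}


def parse_ech_config_list(blob: bytes) -> list:
    """Decode an ECHConfigList and return the fields a defender cares about:
    version, config_id, kem_id and public_name (the outer SNI a middlebox sees)."""
    (total_len,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total_len]
    if len(body) != total_len:
        raise ValueError("truncated ECHConfigList")
    configs, pos = [], 0
    while pos < len(body):
        version, length = struct.unpack("!HH", body[pos:pos + 4])
        contents = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        entry = {"version": version, "length": length}
        if version == ECH_VERSION_DRAFT13:
            # HpkeKeyConfig: config_id(1) kem_id(2) public_key<..> cipher_suites<..>,
            # then maximum_name_length(1) public_name<1..255> extensions<..>
            config_id = contents[0]
            (kem_id,) = struct.unpack("!H", contents[1:3])
            (pk_len,) = struct.unpack("!H", contents[3:5])
            off = 5 + pk_len
            (cs_len,) = struct.unpack("!H", contents[off:off + 2])
            off += 2 + cs_len
            name_len = contents[off + 1]
            public_name = contents[off + 2:off + 2 + name_len].decode("ascii")
            entry.update(config_id=config_id, kem_id=kem_id, public_name=public_name)
        configs.append(entry)
    return configs


def ech_summary(presentation: str) -> dict:
    """Report whether a zone's HTTPS record advertises ECH and which public names it uses."""
    rr = parse_https_rr(presentation)
    ech_b64 = rr["params"].get("ech")
    if ech_b64 is None:
        return {"ech_advertised": False, "public_names": [], "configs": []}
    configs = parse_ech_config_list(base64.b64decode(ech_b64))
    names = sorted({c["public_name"] for c in configs if "public_name" in c})
    return {"ech_advertised": True, "public_names": names, "configs": configs}


def lookup_https_rr(name: str) -> list:
    """Live query (not used by the offline test): fetch HTTPS records for a name via
    1.1.1.1 DNS-over-HTTPS and return their presentation-format data strings."""
    url = f"https://cloudflare-dns.com/dns-query?name={name}&type=HTTPS"
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        answer = json.load(resp).get("Answer", [])
    return [a["data"] for a in answer if a.get("type") == 65]


def build_ech_config_list(public_name: str, config_id: int = 7) -> bytes:
    """Constructed sample ECHConfigList for offline testing: dummy 32-byte X25519 key,
    one HKDF-SHA256/AES-128-GCM suite, no extensions. Not a real Cloudflare config."""
    public_key = bytes(range(32))  # placeholder, not a real key
    cipher_suites = struct.pack("!HH", 0x0001, 0x0001)
    name = public_name.encode("ascii")
    contents = (
        struct.pack("!BH", config_id, 0x0020)  # config_id, kem_id = DHKEM(X25519, HKDF-SHA256)
        + struct.pack("!H", len(public_key)) + public_key
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + struct.pack("!BB", 0, len(name)) + name  # maximum_name_length, public_name
        + struct.pack("!H", 0)  # no extensions
    )
    config = struct.pack("!HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    return struct.pack("!H", len(config)) + config


# Constructed records standing in for `dig +short HTTPS <zone>` output.
SAMPLE_ECH = base64.b64encode(build_ech_config_list("cloudflare-ech.com")).decode()
SAMPLE_RR = f'1 . alpn="h3,h2" ipv4hint="192.0.2.1" ech="{SAMPLE_ECH}"'
SAMPLE_RR_NO_ECH = '1 . alpn="h2"'

if __name__ == "__main__":
    print(ech_summary(SAMPLE_RR))
    print(ech_summary(SAMPLE_RR_NO_ECH))
```

Running `ech_summary` over a real zone's record (via `lookup_https_rr` or `dig`) tells you two things before touching the FortiGate: whether clients will attempt ECH at all, and that every Cloudflare zone shares the same `public_name`, which is exactly why an inspection bypass for cloudflare-ech.com cannot be scoped to one site.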

Do you have an IPS profile enabled on the FortiGate policy? I found it was the IPS profile that was causing issues for me.

What was it that you changed?

Is there an update to this? I have seen that ECH has been removed as an option, but we’re still getting an ECH_NOT_NEGOTIATED error on a specific network in Google Chrome.
