Closed Bug 1304383 Opened 8 years ago Closed 8 years ago

tls 1.3 not working in ffx 49.0 (win32) - tried on both win7/x64 and winxp/x86

Categories

(Core :: Security: PSM, defect)

49 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: abittner, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160916101415

Steps to reproduce:

latest release 49.0 win32 32bit tried according to various info blogs and about:config set properly. tried those three test servers for tls 1.3 implementation from here: <https://github.com/tlswg/tls13-spec/wiki/Implementations>

none of those three test servers give me a tls 1.3 established connection when viewing the security details of the url. the mozilla testserver gives a firefox error page and if i want to submit these kind of errors back to mozilla i have properly set:

security.tls.version.max (user set) integer 4

i have also restarted the whole ffox browser several times and tried two different windows (xp professional 32bit, win7 x64 64bit) platforms. firefox 49.0 final 32bit installer same result. no tls 1.3 on those three test sites. anyone have a valid tls 1.3 test site that actually works with firefox 49.0 establishing a tls 1.3 connection according to some or any of the current or recent tls 1.3 drafts? how is this stuff actually being tested and verified implemented? thanks. regards.

Actual results:

surfing to: <https://tls13.crypto.mozilla.org/> results in:

An error occurred during a connection to tls13.crypto.mozilla.org. Peer reports incompatible or unsupported protocol version. Error code: SSL_ERROR_PROTOCOL_VERSION_ALERT

Martin, I saw TLS 1.3 has been enabled in FF49 (bug 1250568). Is it normal https://tls13.crypto.mozilla.org/ doesn't work after setting security.tls.version.max=4?
Component: Untriaged → Security: PSM
Flags: needinfo?(martin.thomson)
Product: Firefox → Core
It works in Nightly 52 after Bug 1264578.
My suspicion is that this was caused by the server not being updated to the latest version. The HTTP patch shouldn't have affected whether we can connect. The server was probably updated at the same time. The reason for the alert is that we probably hit the fallback detection code. While we are doing draft versions of the protocol, if there is a mismatch in the draft version we support, the server will pick TLS 1.2. However, since the client is configured for TLS 1.3 and the server indicates that it could have supported TLS 1.3 (see the paragraph on downgrade detection here: https://tlswg.github.io/tls13-spec/#rfc.section.4.1.3) we abort the connection. That's something we're fixing in the next version of the protocol. Welcome to the ragged edge of protocol development folks.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(martin.thomson)
Resolution: --- → INVALID
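
The client-side downgrade check described in the comment above, as an added example that is not part of the original bug thread and is not Firefox or NSS code. It assumes the sentinel values and rules of the final TLS 1.3 specification (RFC 8446, section 4.1.3), which may differ in detail from the drafts current when this bug was filed; the function names and the sample ServerHello are constructed for illustration.

```python
# Sentinels a TLS 1.3-capable server writes into the last 8 bytes of
# ServerHello.random when it negotiates an older version (RFC 8446, 4.1.3).
DOWNGRADE_TO_TLS12 = b"DOWNGRD\x01"
DOWNGRADE_TO_TLS11_OR_BELOW = b"DOWNGRD\x00"
TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304


def make_server_hello(version: int, random: bytes) -> bytes:
    """Build a minimal, constructed ServerHello handshake message."""
    body = version.to_bytes(2, "big") + random
    body += b"\x00"        # empty session_id
    body += b"\xc0\x2f"    # cipher suite (sample value)
    body += b"\x00"        # null compression
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello(msg: bytes):
    """Return (version, random) from a ServerHello handshake message."""
    if len(msg) < 4 + 2 + 32:
        raise ValueError("truncated ServerHello")
    if msg[0] != 2:
        raise ValueError("not a ServerHello")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    return int.from_bytes(msg[4:6], "big"), msg[6:38]


def downgrade_verdict(client_max: int, msg: bytes) -> str:
    """Return "abort" if the ServerHello carries a downgrade sentinel."""
    version, random = parse_server_hello(msg)
    tail = random[-8:]
    # A TLS 1.3 client that ends up at TLS 1.2 or below checks both values.
    if client_max >= TLS13 and version <= TLS12:
        if tail in (DOWNGRADE_TO_TLS12, DOWNGRADE_TO_TLS11_OR_BELOW):
            return "abort"
    # A TLS 1.2 client that ends up below TLS 1.2 checks the second value.
    if client_max == TLS12 and version < TLS12:
        if tail == DOWNGRADE_TO_TLS11_OR_BELOW:
            return "abort"
    return "continue"


if __name__ == "__main__":
    # The situation in this bug: client set to TLS 1.3, draft versions do
    # not match, server answers with TLS 1.2 and marks its random.
    hello = make_server_hello(TLS12, bytes(24) + DOWNGRADE_TO_TLS12)
    print(downgrade_verdict(TLS13, hello))
```
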
so all the blog people out there talking or rather misinforming that firefox 49 has some kind of tls 1.3 support is already outdated or actually meanwhile deprecated information as ffx 49 does not have any tls 1.3 draft version support that is still valid as of today any more? someone should tip off or clarify the firefox 49 situation regarding tls 1.3 then and make it absolutely clear about what's happening with tls 1.3 in firefox and what is not happening. thanks.
I today tried the win32 firefox 50 beta6 and even win32 nightly 52 installer (firefox-52.0a1.en-US.win32.installer.exe) but both of them don't connect to tls 1.3 sites. At least the mozilla host fails to handshake and the cloudflare always brings up the non-tls1.3 message <https://github.com/tlswg/tls13-spec/wiki/Implementations> so I do wonder now which if at all or any firefox version should have a working tls 1.3 engine?
nightly 52 is from october 11th 2016,

C:\Program Files\Nightly>.\sigcheck.exe -a -vs firefox.exe

Sigcheck v2.30 - File version and signature viewer
Copyright (C) 2004-2015 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\Nightly\firefox.exe:
    Verified: Signed
    Signing date: 14:41 11.10.2016
    Publisher: Mozilla Corporation
    Company: Mozilla Corporation
    Description: Nightly
    Product: Nightly
    Prod version: 52.0a1
    File version: 52.0a1
    MachineType: 32-bit
    Binary Version: 52.0.0.6128
    Original Name: firefox.exe
    Internal Name: Nightly
    Copyright: Firefox and Mozilla Developers; available under the MPL 2 license.
    Comments: n/a
    Entropy: 6.77
    VT detection: 0/55
    VT link: <https://www.virustotal.com/file/c8b0c4dc54afbbf9efaba0e921cc646f7e9fe42e2428ce15ac5994d02ece503b/analysis/>

Firefox 52 is not using TLS 1.3 because it has been updated to the latest draft and most sites that previously supported TLS 1.3 haven't been updated yet.