Closed
Bug 1310516
Opened 8 years ago
Closed 8 years ago
Enable TLS 1.3 by default
Categories
(Core :: Security: PSM, defect, P2)
Tracking
RESOLVED
FIXED
mozilla52
| | Tracking | Status |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: mt, Assigned: mt)
Details
(Keywords: dev-doc-complete, Whiteboard: [psm-backlog])
Attachments
(1 file)
TLS 1.3 is disabled by default. We would like to enable the latest version for Firefox 52. This bug will increment the default value of security.tls.version.max to 4 (TLS 1.3). We will retain insecure fallback to TLS 1.2; a later bug might change the value of security.tls.version.fallback-limit to 4. The fallback limit will remain at 3 (TLS 1.2) until we have broader information about server intolerance to the TLS 1.3 handshake. This does not include 0-RTT for HTTP; that will follow later.
Priority: -- → P2
Whiteboard: [psm-backlog]
Comment 3•8 years ago
mozreview-review
Comment on attachment 8807415 [details] Bug 1310516 - Enable TLS 1.3, https://reviewboard.mozilla.org/r/90554/#review90850 LGTM, but we should also bump the value that's in nsNSSComponent.cpp (see comment). ::: netwerk/base/security-prefs.js:6 (Diff revision 1) > /* This Source Code Form is subject to the terms of the Mozilla Public > * License, v. 2.0. If a copy of the MPL was not distributed with this > * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > > pref("security.tls.version.min", 1); > -pref("security.tls.version.max", 3); > +pref("security.tls.version.max", 4); The value at https://dxr.mozilla.org/mozilla-central/rev/8e8b146fcb8b268e3c09b646087c6b2ef9f0af6f/security/manager/ssl/nsNSSComponent.cpp#1657 also needs to be bumped, looks like.
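Review bot: the changed line pref("security.tls.version.max", 4); carries a bare integer with no comment saying which protocol version it selects, and the same is true of the unchanged security.tls.version.min line above it. The bug description gives the mapping (3 is TLS 1.2, 4 is TLS 1.3), so a one-line comment above the two prefs stating it would make the file self-explanatory. It is also worth noting there that security.tls.version.fallback-limit deliberately stays at 3, so a later reader does not assume the two values move together. Only netwerk/base/security-prefs.js is visible in this hunk, so whether any compiled-in default agrees with the new value cannot be confirmed from these lines.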
Attachment #8807415 - Flags: review?(dkeeler) → review+
Pushed by martin.thomson@gmail.com: https://hg.mozilla.org/integration/autoland/rev/11d72a9e3365 Enable TLS 1.3, r=keeler
Comment 7•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/11d72a9e3365
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Updated•8 years ago
Keywords: dev-doc-needed
Comment 8•7 years ago
Added to https://developer.mozilla.org/en-US/Firefox/Releases/52#Security
Keywords: dev-doc-needed → dev-doc-complete
What is the draft number of the TLS 1.3 implemented in the latest Firefox beta? (At the time of writing, that is Firefox 52 beta 3.)
Comment 10•7 years ago
-18
Comment 11•7 years ago
Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52 final version? Will Firefox 52 ESR have the TLS final version (not draft) someday? I know that it's not enabled by default but I can turn it on, I would like to know. Isn't it bad to enable by default a draft version of TLS in Firefox 53 when it will be released as the final version? The different draft versions are not compatible with each other, right?
Comment 12•7 years ago
(In reply to Stephanie from comment #11)
> Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52
> final version?
-18
> Will Firefox 52 ESR have the TLS final version (not draft) someday?
No.
>
> I know that it's not enabled by default but I can turn it on, I would like
> to know.
>
> Isn't it bad to enable by default a draft version of TLS in Firefox 53 when
> it will be released as the final version?
No.
> The different draft versions are not compatible with each other, right?
No, but two implementations which support disjoint draft versions should properly negotiate TLS 1.2.
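The negotiation outcome described in comment 12, as an added example that is not part of the thread and is not Firefox or NSS code. It assumes both peers use the supported_versions extension with draft code points of the form 0x7f00 | draft number; the extension bytes and the server version lists are constructed for illustration.

```python
import struct

TLS12 = 0x0303

def draft(n):
    """Wire code point for TLS 1.3 draft n (assumed form: 0x7f00 | n)."""
    return 0x7F00 | n

def parse_supported_versions(body):
    """Parse a ClientHello supported_versions extension body:
    one length byte, then that many bytes of 2-byte version codes."""
    if not body:
        raise ValueError("empty extension body")
    length = body[0]
    if length == 0 or length % 2 or length != len(body) - 1:
        raise ValueError("malformed supported_versions list")
    return [v for (v,) in struct.iter_unpack("!H", body[1:])]

def server_select(client_offer, server_supported):
    """Return the first version in the server's preference order that the
    client also offered, or None when there is no overlap at all."""
    offered = set(client_offer)
    for version in server_supported:
        if version in offered:
            return version
    return None

def name(version):
    """Human-readable label for a negotiated version code."""
    if version is None:
        return "no common version (handshake fails)"
    if version >> 8 == 0x7F:
        return "TLS 1.3 draft-%d" % (version & 0xFF)
    known = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
    return known.get(version, hex(version))

# Constructed client offer: draft-18, then TLS 1.2, 1.1 and 1.0.
CLIENT_EXT = bytes.fromhex("08" "7f12" "0303" "0302" "0301")

if __name__ == "__main__":
    offer = parse_supported_versions(CLIENT_EXT)
    servers = {
        "same draft": [draft(18), TLS12],
        "disjoint draft": [draft(19), TLS12],
        "draft only, disjoint": [draft(19)],
    }
    for label, supported in servers.items():
        print(label, "->", name(server_select(offer, supported)))
```

The third server shows the case the comment's "should" depends on: the TLS 1.2 result is only available when both sides still offer TLS 1.2 alongside their draft.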
Comment 13•7 years ago
It seems this didn't make it into FF 52 -- about:config shows security.tls.version.max with default value of 3 -- is this coming in 53 instead?
Flags: needinfo?(martin.thomson)
Assignee
Comment 14•7 years ago
We expect to have the latest results of our compatibility testing soon. The earlier ones showed some issues that caused us to delay release. It's fairly safe to flip the pref if you know what to expect, but there are a small number of people who will encounter compatibility issues and won't know how to deal with them, so we are keeping it off until we're certain that it's not regressing compatibility much.
Flags: needinfo?(martin.thomson)
Updated•7 years ago
Assignee: nobody → martin.thomson