Closed Bug 1310516 Opened 4 years ago Closed 4 years ago

Enable TLS 1.3 by default

Categories

(Core :: Security: PSM, defect, P2)


Tracking


RESOLVED FIXED
mozilla52
Tracking Status
firefox52 --- fixed

People

(Reporter: mt, Assigned: mt)

Details

(Keywords: dev-doc-complete, Whiteboard: [psm-backlog])

Attachments

(1 file)

TLS 1.3 is disabled by default.  We would like to enable the latest version for Firefox 52.

This bug will increment the default value of security.tls.version.max to 4 (TLS 1.3).

We will retain insecure fallback to TLS 1.2; a later bug might change the value of security.tls.version.fallback-limit to 4.  The fallback limit will remain at 3 (TLS 1.2) until we have broader information about server intolerance to the TLS 1.3 handshake.

This does not include 0-RTT for HTTP; that will follow later.
Duplicate of this bug: 1286694
Priority: -- → P2
Whiteboard: [psm-backlog]
Comment on attachment 8807415 [details]
Bug 1310516 - Enable TLS 1.3,

https://reviewboard.mozilla.org/r/90554/#review90850

LGTM, but we should also bump the value that's in nsNSSComponent.cpp (see comment).

::: netwerk/base/security-prefs.js:6
(Diff revision 1)
>  /* This Source Code Form is subject to the terms of the Mozilla Public
>   * License, v. 2.0. If a copy of the MPL was not distributed with this
>   * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
>  
>  pref("security.tls.version.min", 1);
> -pref("security.tls.version.max", 3);
> +pref("security.tls.version.max", 4);
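Review bot: the default for security.tls.version.max is also hard-coded in nsNSSComponent.cpp (the reviewer points at line 1657 of the linked revision), so this hunk on its own leaves the two defaults disagreeing; bump both in the same patch, or have nsNSSComponent.cpp take the value from the pref so there is a single source of truth. Note also that the hunk raises the ceiling to 4 (TLS 1.3) while `pref("security.tls.version.min", 1);` stays at TLS 1.0 and security.tls.version.fallback-limit is not touched, which matches the bug description's stated intent to keep fallback at TLS 1.2 for now.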

The value at https://dxr.mozilla.org/mozilla-central/rev/8e8b146fcb8b268e3c09b646087c6b2ef9f0af6f/security/manager/ssl/nsNSSComponent.cpp#1657 also needs to be bumped, looks like.
Attachment #8807415 - Flags: review?(dkeeler) → review+
https://hg.mozilla.org/mozilla-central/rev/11d72a9e3365
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
What is the draft number of the TLS 1.3 implemented in the latest Firefox beta? (At the time of writing it is Firefox 52 beta 3.)
-18
Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52 final version?
Will Firefox 52 ESR have the TLS final version (not draft) someday?

I know that it's not enabled by default but I can turn it on; I would like to know.

Isn't it bad to enable by default a draft version of TLS in Firefox 53 when it will be released as the final version?

The different draft versions are not compatible with each other, right?
(In reply to Stephanie from comment #11)
> Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52
> final version?

-18


> Will Firefox 52 ESR have the TLS final version (not draft) someday?

No.

> 
> I know that it's not enabled by default but I can turn it on; I would like
> to know.
> 
> Isn't it bad to enable by default a draft version of TLS in Firefox 53 when
> it will be released as the final version?

No.


> The different draft versions are not compatible with each other, right?

No, but two implementations which support disjoint draft versions should properly negotiate TLS 1.2.
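The two mechanisms discussed in this bug, the security.tls.version.min/max/fallback-limit prefs from the description and the "disjoint draft versions still negotiate TLS 1.2" behaviour from the reply above, can be seen together in a small simulation. The following is an added example written for this page; it is not Firefox or NSS code. It assumes the pref value mapping used by Firefox (0 = SSL 3.0 through 4 = TLS 1.3), the pre-RFC convention of advertising a TLS 1.3 draft as 0x7f00 | draft number in supported_versions (so draft-18 is 0x7f12), and a deliberately simplified server model: a "TLS 1.3-intolerant" server is one that aborts any handshake whose ClientHello advertises a TLS 1.3 codepoint. The `Client`, `Server` and `connect` names are constructed for the example.

```python
"""Simulate TLS version negotiation for a Firefox-style client whose behaviour is
governed by security.tls.version.min, .max and .fallback-limit, including
TLS 1.3 draft codepoints. Added example; not Firefox or NSS code."""

from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Firefox pref value -> protocol version codepoint (assumption: Firefox's
# security.tls.version.* mapping, 0 = SSL 3.0 ... 4 = TLS 1.3).
PREF_TO_VERSION = {0: 0x0300, 1: 0x0301, 2: 0x0302, 3: 0x0303, 4: 0x0304}
TLS12, TLS13 = 0x0303, 0x0304


def draft_version(n: int) -> int:
    """Pre-RFC TLS 1.3 drafts were advertised as 0x7f00 | draft number in the
    supported_versions extension, e.g. draft-18 -> 0x7f12 (assumption stated above)."""
    return 0x7f00 | n


def is_tls13(v: int) -> bool:
    """True for the final codepoint (0x0304) and for any 0x7fXX draft codepoint."""
    return v == TLS13 or (v & 0xFF00) == 0x7F00


@dataclass
class Client:
    version_min: int = 1       # security.tls.version.min (TLS 1.0)
    version_max: int = 4       # security.tls.version.max (TLS 1.3, the value this bug sets)
    fallback_limit: int = 3    # security.tls.version.fallback-limit (TLS 1.2)
    tls13_draft: int = 18      # draft implemented by the client (draft-18 per this thread)

    def offered_versions(self, ceiling_pref: int) -> List[int]:
        """supported_versions list, highest first. In the draft era a client offers
        its draft codepoint in place of 0x0304 for the TLS 1.3 slot."""
        out = []
        for pref in range(ceiling_pref, self.version_min - 1, -1):
            out.append(draft_version(self.tls13_draft) if pref == 4 else PREF_TO_VERSION[pref])
        return out


@dataclass
class Server:
    supported: Set[int]
    tls13_intolerant: bool = False  # aborts on any ClientHello advertising TLS 1.3

    def select(self, offered: List[int]) -> Optional[int]:
        """Pick the highest offered version the server implements. A well-behaved
        server with a *different* draft simply falls through to TLS 1.2 in a single
        handshake; an intolerant server aborts instead (modelled as None)."""
        if self.tls13_intolerant and any(is_tls13(v) for v in offered):
            return None  # fatal alert / connection reset
        for v in offered:
            if v in self.supported:
                return v
        return None


def connect(client: Client, server: Server) -> Tuple[Optional[int], bool]:
    """Returns (negotiated version or None, whether insecure fallback was used).
    On a failed handshake the client retries with the ceiling lowered one pref step
    at a time, but never below fallback-limit. Because an active attacker can force
    this path by blocking the first handshake, raising fallback-limit to 4 is what
    closes the downgrade window; the simulation shows both settings."""
    ceiling = client.version_max
    fell_back = False
    while ceiling >= client.fallback_limit:
        v = server.select(client.offered_versions(ceiling))
        if v is not None:
            return v, fell_back
        fell_back = True
        ceiling -= 1
    return None, fell_back


if __name__ == "__main__":
    c = Client()
    print(hex(connect(c, Server({draft_version(18), TLS12}))[0]))          # same draft: 0x7f12
    print(hex(connect(c, Server({draft_version(16), TLS12}))[0]))          # disjoint drafts: 0x303
    print(connect(c, Server({TLS12}, tls13_intolerant=True)))              # fallback used
    print(connect(Client(fallback_limit=4), Server({TLS12}, tls13_intolerant=True)))  # refused
```

The disjoint-draft case needs no fallback at all: the server ignores the unknown 0x7f12 entry and selects 0x0303 from the same ClientHello. Fallback only matters for servers that abort on seeing a TLS 1.3 codepoint, which is the compatibility population the later comments in this bug are waiting on measurements for.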
It seems this didn't make it into FF 52 -- about:config shows security.tls.version.max with a default value of 3 -- is this coming in 53 instead?
Flags: needinfo?(martin.thomson)
We expect to have the latest results of our compatibility testing soon.  The earlier ones showed some issues that caused us to delay release.  It's fairly safe to flip the pref if you know what to expect, but there are a small number of people who will encounter compatibility issues and won't know how to deal with them, so we are keeping it off until we're certain that it's not regressing compatibility much.
Flags: needinfo?(martin.thomson)
Assignee: nobody → martin.thomson