Enable TLS 1.3 by default

RESOLVED FIXED in Firefox 52

Status

Core
Security: PSM
P2
normal
RESOLVED FIXED
9 months ago
4 months ago

People

(Reporter: mt, Unassigned)

Tracking

({dev-doc-complete})

unspecified
mozilla52
dev-doc-complete
Points:
---

Firefox Tracking Flags

(firefox52 fixed)

Details

(Whiteboard: [psm-backlog])


Attachments

(1 attachment)

(Reporter)

Description

9 months ago
TLS 1.3 is disabled by default.  We would like to enable the latest version for Firefox 52.

This bug will increment the default value of security.tls.version.max to 4 (TLS 1.3).

We will retain insecure fallback to TLS 1.2; a later bug might change the value of security.tls.version.fallback-limit to 4.  The fallback limit will remain at 3 (TLS 1.2) until we have broader information about server intolerance to the TLS 1.3 handshake.

This does not include 0-RTT for HTTP; that will follow later.

Updated

9 months ago
Duplicate of this bug: 1286694
Priority: -- → P2
Whiteboard: [psm-backlog]
Comment hidden (mozreview-request)

Comment 3

9 months ago
mozreview-review
Comment on attachment 8807415 [details]
Bug 1310516 - Enable TLS 1.3,

https://reviewboard.mozilla.org/r/90554/#review90850

LGTM, but we should also bump the value that's in nsNSSComponent.cpp (see comment).

::: netwerk/base/security-prefs.js:6
(Diff revision 1)
>  /* This Source Code Form is subject to the terms of the Mozilla Public
>   * License, v. 2.0. If a copy of the MPL was not distributed with this
>   * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
>  
>  pref("security.tls.version.min", 1);
> -pref("security.tls.version.max", 3);
> +pref("security.tls.version.max", 4);
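Review bot: the hunk raises security.tls.version.max to 4 but leaves security.tls.version.fallback-limit untouched, so insecure fallback to TLS 1.2 remains possible; that matches the intent stated in the description, but the commit message ("Enable TLS 1.3") should say so explicitly, and the hard-coded maximum in nsNSSComponent.cpp that the review comment points at must be bumped in the same change so the two defaults do not disagree.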

The value at https://dxr.mozilla.org/mozilla-central/rev/8e8b146fcb8b268e3c09b646087c6b2ef9f0af6f/security/manager/ssl/nsNSSComponent.cpp#1657 also needs to be bumped, looks like.
Attachment #8807415 - Flags: review?(dkeeler) → review+
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)

Comment 6

9 months ago
Pushed by martin.thomson@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/11d72a9e3365
Enable TLS 1.3, r=keeler

Comment 7

9 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/11d72a9e3365
Status: NEW → RESOLVED
Last Resolved: 9 months ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Keywords: dev-doc-needed
Added to https://developer.mozilla.org/en-US/Firefox/Releases/52#Security
Keywords: dev-doc-needed → dev-doc-complete

Comment 9

6 months ago
What is the draft number of the TLS 1.3 implemented in the latest Firefox beta? (At the time of writing it is Firefox 52 beta 3.)

Comment 10

6 months ago
-18

Comment 11

4 months ago
Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52 final version?
Will Firefox 52 ESR have the TLS final version (not draft) someday?

I know that it's not enabled by default but I can turn it on; I would like to know.

Isn't it bad to enable by default a draft version of TLS in Firefox 53 when it will be released as the final version?

The different draft versions are not compatible with each other, right?

Comment 12

4 months ago
(In reply to Stephanie from comment #11)
> Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52
> final version?

-18


> Will Firefox 52 ESR have the TLS final version (not draft) someday?

No.

> 
> I know that it's not enabled by default but I can turn it on; I would like
> to know.
> 
> Isn't it bad to enable by default a draft version of TLS in Firefox 53 when
> it will be released as the final version?

No.


> The different draft versions are not compatible with each other, right?

No, but two implementations which support disjoint draft versions should properly negotiate TLS 1.2.
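The two behaviours discussed in this bug, the pref-driven version range with its fallback limit (description: max 4 = TLS 1.3, fallback limit 3 = TLS 1.2) and the supported_versions selection that lets peers with disjoint draft versions land on TLS 1.2 (comment 12), modelled as an added example. This is not Firefox or NSS code: the `Server`, `connect` and `client_versions` names are constructed for this model, the pref-to-version table is taken from the values quoted in the bug, and the draft codepoints follow the TLS 1.3 drafts' `0x7f00 | draft number` convention (draft-18 = 0x7f12), stated here as an assumption.

```python
"""Added example (not Firefox or NSS code): a model of TLS version
negotiation under Firefox-style prefs.

  * security.tls.version.max / security.tls.version.fallback-limit: the client
    offers up to `max`; if the server aborts on the ClientHello (version
    intolerance) the client retries with a lower maximum, never below
    `fallback-limit`.
  * TLS 1.3 supported_versions: the server picks the highest version it
    implements from the client's list, so peers that only share TLS 1.2
    negotiate TLS 1.2 even when both speak some TLS 1.3 draft.

Draft codepoints are assumed to be 0x7f00 | draft number (draft-18 -> 0x7f12).
Everything else is a constructed model, not the real handshake.
"""
from typing import Iterable, Optional, Sequence, Tuple

# Firefox pref value -> wire version (pref 0 = SSL 3.0 is left out of the model).
PREF_TO_VERSION = {1: 0x0301, 2: 0x0302, 3: 0x0303, 4: 0x0304}
TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304


def draft_version(n: int) -> int:
    """Wire codepoint of TLS 1.3 draft-n (assumption: 0x7f00 | n)."""
    return 0x7f00 | n


def client_versions(version_max: int, drafts: Sequence[int] = (18,)) -> list:
    """supported_versions list a client sends, highest preference first.

    With version_max == 4 the client advertises the draft codepoints it
    implements (there is no final 0x0304 yet) followed by TLS 1.2 and lower.
    """
    legacy = [PREF_TO_VERSION[p] for p in range(min(version_max, 3), 0, -1)]
    if version_max >= 4:
        return [draft_version(d) for d in sorted(drafts, reverse=True)] + legacy
    return legacy


def select_version(offered: Sequence[int], supported: Iterable[int]) -> Optional[int]:
    """Server side of supported_versions: first (highest) offered version it supports."""
    supported = set(supported)
    for v in offered:
        if v in supported:
            return v
    return None


class Server:
    """A server that may be 'intolerant': it aborts the handshake if the
    ClientHello offers any version above `intolerant_above`, instead of
    simply ignoring versions it does not know."""

    def __init__(self, supported: Iterable[int], intolerant_above: Optional[int] = None):
        self.supported = set(supported)
        self.intolerant_above = intolerant_above

    def handshake(self, offered: Sequence[int]) -> Optional[int]:
        if self.intolerant_above is not None and any(v > self.intolerant_above for v in offered):
            raise ConnectionError("server aborted on ClientHello")
        return select_version(offered, self.supported)


def connect(server: Server, version_max: int, fallback_limit: int,
            drafts: Sequence[int] = (18,)) -> Tuple[Optional[int], list]:
    """Client with Firefox-style prefs. Returns (negotiated version or None,
    list of `max` values tried). Fallback happens only after an aborted
    handshake and never below fallback_limit; a clean 'no common version'
    answer is a final failure, not a reason to downgrade."""
    tried = []
    for pref in range(version_max, fallback_limit - 1, -1):
        tried.append(pref)
        try:
            return server.handshake(client_versions(pref, drafts)), tried
        except ConnectionError:
            continue
    return None, tried


if __name__ == "__main__":
    # Server speaks draft-18 and TLS 1.2: draft-18 is negotiated in one attempt.
    print(connect(Server({draft_version(18), TLS12}), 4, 3))
    # Disjoint drafts (server only has draft-16): both fall through to TLS 1.2.
    print(connect(Server({draft_version(16), TLS12}), 4, 3))
    # Intolerant server that aborts when any TLS 1.3 codepoint is offered:
    # one insecure fallback to max=3 and TLS 1.2 is negotiated.
    print(connect(Server({TLS12}, intolerant_above=TLS12), 4, 3))
    # Server that aborts even on TLS 1.2 offers: fallback-limit 3 stops the
    # client from retrying with TLS 1.1, so the connection fails.
    print(connect(Server({TLS11}, intolerant_above=TLS11), 4, 3))
```

The last two cases are the reason the bug keeps fallback-limit at 3: fallback is what makes an intolerant server reachable, but the limit is what keeps that fallback from being used to push a connection below TLS 1.2.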

Comment 13

4 months ago
It seems this didn't make it into FF 52 -- about:config shows security.tls.version.max with a default value of 3 -- is this coming in 53 instead?
Flags: needinfo?(martin.thomson)
(Reporter)

Comment 14

4 months ago
We expect to have the latest results of our compatibility testing soon.  The earlier ones showed some issues that caused us to delay release.  It's fairly safe to flip the pref if you know what to expect, but there are a small number of people who will encounter compatibility issues and won't know how to deal with them, so we are keeping it off until we're certain that it's not regressing compatibility much.
Flags: needinfo?(martin.thomson)