Closed Bug 1310516 Opened 4 years ago Closed 4 years ago
Enable TLS 1.3 by default
TLS 1.3 is disabled by default. We would like to enable the latest version for Firefox 52. This bug will increment the default value of security.tls.version.max to 4 (TLS 1.3). We will retain insecure fallback to TLS 1.2; a later bug might change the value of security.tls.version.fallback-limit to 4. The fallback limit will remain at 3 (TLS 1.2) until we have broader information about server intolerance to the TLS 1.3 handshake. This does not include 0-RTT for HTTP; that will follow later.
Priority: -- → P2
Comment on attachment 8807415 [details] Bug 1310516 - Enable TLS 1.3, https://reviewboard.mozilla.org/r/90554/#review90850 LGTM, but we should also bump the value that's in nsNSSComponent.cpp (see comment). ::: netwerk/base/security-prefs.js:6 (Diff revision 1) > /* This Source Code Form is subject to the terms of the Mozilla Public > * License, v. 2.0. If a copy of the MPL was not distributed with this > * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > > pref("security.tls.version.min", 1); > -pref("security.tls.version.max", 3); > +pref("security.tls.version.max", 4); The value at https://dxr.mozilla.org/mozilla-central/rev/8e8b146fcb8b268e3c09b646087c6b2ef9f0af6f/security/manager/ssl/nsNSSComponent.cpp#1657 also needs to be bumped, looks like.
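Review bot: in the security-prefs.js hunk, `security.tls.version.max` goes from a bare 3 to a bare 4 with no comment saying what the number means; add a short comment on that line noting that 4 is TLS 1.3, so the next reader does not have to look up the numbering. The same default also lives in nsNSSComponent.cpp, as the review above points out, and the two copies need to change in the same patch so they cannot drift apart.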
Attachment #8807415 - Flags: review?(dkeeler) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/11d72a9e3365 Enable TLS 1.3, r=keeler
What is the draft number of the TLS 1.3 implemented in the latest Firefox beta? (At the time of writing, that is Firefox 52 beta 3.)
Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52 final version? Will Firefox 52 ESR have the TLS final version (not draft) someday? I know that it's not enabled by default but I can turn it on, I would like to know. Isn't it bad to enable by default a draft version of TLS in Firefox 53 when it will be released as the final version? The different draft versions are not compatible with each other, right?
(In reply to Stephanie from comment #11)
> Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52 final version?
-18
> Will Firefox 52 ESR have the TLS final version (not draft) someday?
No.
> I know that it's not enabled by default but I can turn it on, I would like to know.
>
> Isn't it bad to enable by default a draft version of TLS in Firefox 53 when it will be released as the final version?
No.
> The different draft versions are not compatible with each other, right?
No, but two implementations which support disjoint draft versions should properly negotiate TLS 1.2.
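The negotiation outcome described in the reply above, as an added example that is not part of the original thread and is not Firefox or NSS code: a simplified model of version selection in which a draft-18 client meets servers with the same draft, a different draft, or TLS 1.2 only. The function names and the server version sets are constructed for illustration; the model covers version selection only, not the rest of the handshake.

```javascript
// Added illustration, not Firefox/NSS code. Wire codes: TLS 1.2 is 0x0303;
// TLS 1.3 drafts are advertised as 0x7f00 | draft number (draft-18 = 0x7f12).
const TLS12 = 0x0303;
const draftCode = (n) => 0x7f00 | n;

// Pref numbering from the bug: 3 = TLS 1.2, 4 = TLS 1.3.
// Builds the client's offered version list, most preferred first.
function clientOffer(versionMax, draft) {
  const offer = [];
  if (versionMax >= 4) offer.push(draftCode(draft));
  if (versionMax >= 3) offer.push(TLS12);
  return offer;
}

// Server side: pick the first client-offered version it also implements.
// A server that ignores unknown draft codes simply lands on TLS 1.2.
// Returns null when there is no common version (handshake failure).
function negotiate(offer, serverVersions) {
  const hit = offer.find((v) => serverVersions.includes(v));
  return hit === undefined ? null : hit;
}

// Human-readable name for a negotiated wire code.
function label(code) {
  if (code === null) return "no common version";
  if (code === TLS12) return "TLS 1.2";
  if ((code & 0xff00) === 0x7f00) return `TLS 1.3 draft-${code & 0xff}`;
  return `0x${code.toString(16)}`;
}

// Constructed scenarios: a draft-18 client against hypothetical servers.
const offer = clientOffer(4, 18);
const scenarios = {
  sameDraft: negotiate(offer, [draftCode(18), TLS12]),
  disjointDraft: negotiate(offer, [draftCode(19), TLS12]),
  tls12Only: negotiate(offer, [TLS12]),
  // security.tls.version.max left at 3: the draft is never offered.
  prefAt3: negotiate(clientOffer(3, 18), [draftCode(18), TLS12]),
};
for (const [name, v] of Object.entries(scenarios)) {
  console.log(name, "->", label(v));
}
```
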
It seems this didn't make it into FF 52 -- about:config shows security.tls.version.max with default value of 3 -- is this coming in 53 instead?
We expect to have the latest results of our compatibility testing soon. The earlier ones showed some issues that caused us to delay release. It's fairly safe to flip the pref if you know what to expect, but there are a small number of people who will encounter compatibility issues and won't know how to deal with them, so we are keeping it off until we're certain that it's not regressing compatibility much.