Closed
Bug 1342082
Opened 9 years ago
Closed 9 years ago
Disable TLS 1.3 for FF52 Release
Categories
(Core :: Security: PSM, defect)
Tracking
()
People
(Reporter: ekr, Assigned: ekr)
Details
(Keywords: dev-doc-complete)
Attachments
(1 file, 1 obsolete file)
|
2.22 KB,
patch
|
keeler
:
review+
lizzard
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
Per discussion on e-mail, I want to disable TLS 1.3 for FF 52 Release. This patch does that.
Attachment #8840459 -
Flags: review?(dkeeler)
|
Assignee | |
Comment 1•9 years ago
|
||
|
||
Comment 2•9 years ago
|
||
Comment on attachment 8840459 [details] [diff] [review]
13.patch
Review of attachment 8840459 [details] [diff] [review]:
-----------------------------------------------------------------
Looks like I wasn't in that discussion, but I trust your judgement.
::: netwerk/base/security-prefs.js
@@ +2,5 @@
> * License, v. 2.0. If a copy of the MPL was not distributed with this
> * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
>
> pref("security.tls.version.min", 1);
> +pref("security.tls.version.max", 3);
This should be sufficient, but I think it would be safest to set PSM_DEFAULT_MAX_TLS_VERSION to 3 at https://dxr.mozilla.org/mozilla-central/rev/32dcdde1fc64fc39a9065dc4218265dbc727673f/security/manager/ssl/nsNSSComponent.cpp#1627 as well.
Attachment #8840459 -
Flags: review?(dkeeler) → review+
|
|
Assignee | |
Comment 3•9 years ago
|
||
I didn't know about that setting. Keeler, I am about to get on a plane and I know relman would like to get this done today. Do you think you could make that other change and get this landed? Sorry about the rush?
Flags: needinfo?(dkeeler)
|
|
||
Comment 5•9 years ago
|
||
Here's the patch. Try is in progress here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c8d175cdf0970f9d7e91026409355c166927a8b4
Attachment #8840459 -
Attachment is obsolete: true
Attachment #8840538 -
Flags: review+
|
|
Assignee | |
Comment 6•9 years ago
|
||
Thanks, Keeler. I will be in PDX this afternoon and I owe you a drink
|
|
Assignee | |
Comment 7•9 years ago
|
||
Relman people, here is the disabling patch
Flags: needinfo?(lhenry)
Flags: needinfo?(jcristau)
|
||
Comment 8•9 years ago
|
||
Keeler do you mind requesting uplift so we keep all our flags in a row?
Flags: needinfo?(lhenry) → needinfo?(dkeeler)
|
|
||
Comment 9•9 years ago
|
||
Comment on attachment 8840538 [details] [diff] [review]
1342082-disable-tls-1.3.diff
(In reply to Eric Rescorla (:ekr) from comment #6)
> Thanks, Keeler. I will be in PDX this afternoon and I owe you a drink
Just my luck this is the one day I'm not in the office :(
In any case, the try run isn't quite done, but it's looking green, so:
Approval Request Comment
[Feature/Bug causing the regression]: bug 1310516 enabled TLS 1.3 by default
[User impact if declined]: interoperability concerns, iiuc
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: no - this is for 52 only
[Needs manual test from QE? If yes, steps to reproduce]: no, but you could test by going to https://www.cloudflare.com/, opening the page info dialog, going to the security tab, and checking that under "Technical Details" it says TLS 1.2 and not TLS 1.3
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: it just changes the default to a previously-known good value
[String changes made/needed]: none
Attachment #8840538 -
Flags: approval-mozilla-beta?
|
|
||
Updated•9 years ago
|
Flags: needinfo?(dkeeler)
|
|
Assignee | |
Comment 10•9 years ago
|
||
Also in office tomorrow!
|
|
||
Comment 11•9 years ago
|
||
Comment on attachment 8840538 [details] [diff] [review]
1342082-disable-tls-1.3.diff
As discussed in email let's uplift this to beta, hoping to get it in today's build. If it doesn't make it in, then we will uplift to m-r next week for the RC build.
Attachment #8840538 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 12•9 years ago
|
||
| bugherder uplift | ||
status-firefox52:
--- → fixed
|
|
||
Updated•9 years ago
|
Assignee: nobody → ekr
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox53:
--- → wontfix
status-firefox54:
--- → wontfix
Flags: needinfo?(jcristau)
Resolution: --- → FIXED
|
||
Comment 13•9 years ago
|
||
Reproduced the issue with an affected build (52.0b8-build1, 20170220070057) using Ubuntu 16.04 x64 with the instructions from Comment 9.
This is verified fixed on 52.0b9-build2 (20170223185858) using:
- Ubuntu 16.04 x64,
- Windows 10 x64,
- macOS 10.12.3
cloudflare.com now shows TLS 1.2 in Page Info :: Security :: Technical Details.
Status: RESOLVED → VERIFIED
|
|
||
Comment 14•9 years ago
|
||
| bugherder uplift | ||
status-firefox-esr52:
--- → fixed
|
||
Updated•9 years ago
|
Keywords: dev-doc-needed
|
|
||
Updated•9 years ago
|
Keywords: dev-doc-needed → dev-doc-complete
You need to log in
before you can comment on or make changes to this bug.
Description
•