Disable TLS 1.3 by default for FF 54

VERIFIED FIXED in Firefox 54

Status

()

VERIFIED FIXED
2 years ago
2 years ago

People

(Reporter: ekr, Assigned: ekr)

Tracking

unspecified
mozilla54
Points:
---

Firefox Tracking Flags

(firefox54+ verified)

Details

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
We need to disable TLS 1.3 before we ship FF 54.

Also, I want to disable short headers for this build.
(Assignee)

Comment 1

2 years ago
Created attachment 8873518 [details] [diff] [review]
0001-Bug-1368599-Disable-TLS-1.3-by-default-for-Release-5.patch
Flags: needinfo?(lhenry)
Attachment #8873518 - Flags: review?(dkeeler)
(Assignee)

Comment 2

2 years ago
Liz, the ni was just FYI
Adding tracking/affected flags.  if we can land this quickly it may make it into today's build.
status-firefox54: --- → affected
tracking-firefox54: --- → +
Flags: needinfo?(lhenry)
(Assignee)

Comment 4

2 years ago
JC, are you able to review this?
Flags: needinfo?(jjones)
Comment on attachment 8873518 [details] [diff] [review]
0001-Bug-1368599-Disable-TLS-1.3-by-default-for-Release-5.patch

Review of attachment 8873518 [details] [diff] [review]:
-----------------------------------------------------------------

I'm on it. Slow morning.
Attachment #8873518 - Flags: review?(dkeeler) → review+
(Assignee)

Comment 6

2 years ago
Comment on attachment 8873518 [details] [diff] [review]
0001-Bug-1368599-Disable-TLS-1.3-by-default-for-Release-5.patch

This is for approval on 54-beta (so it ends up in 54-release)

Approval Request Comment
[Feature/Bug causing the regression]: bug 1310516 enabled TLS 1.3 by default
[User impact if declined]: interoperability concerns, iiuc
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: no - this is for 53 only
[Needs manual test from QE? If yes, steps to reproduce]: no, but you could test by going to https://www.cloudflare.com/, opening the page info dialog, going to the security tab, and checking that under "Technical Details" it says TLS 1.2 and not TLS 1.3
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: it just changes the default to a previously-known good value
[String changes made/needed]: none
Attachment #8873518 - Flags: approval-mozilla-beta?
Comment on attachment 8873518 [details] [diff] [review]
0001-Bug-1368599-Disable-TLS-1.3-by-default-for-Release-5.patch

Makes sense, Beta54+
Attachment #8873518 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(Assignee)

Comment 8

2 years ago
I'd actually like to leave this on on Beta as long as I can and didn't read the calendar right (ideally we would just disable this on Beta). What's the last possible date we can land this to be safe for Release 54?
(Assignee)

Updated

2 years ago
Flags: needinfo?(rkothari)
(Assignee)

Comment 9

2 years ago
Alternately, we can just move to setting the pref in a system add-on targeted at the beta channel only. Would that be better?
Flags: needinfo?(laura)
(In reply to Eric Rescorla (:ekr) from comment #8)
> I'd actually like to leave this on on Beta as long as I can and didn't read
> the calendar right (ideally we would just disable this on Beta). What's the
> last possible date we can land this to be safe for Release 54?

If you want this on Beta54 and not Release54, we could do either of the following:
1) Time this uplift such that it's in the last RC, a bit tough to coordinate but possible.
2) Go-live with this pref on at first for release54 and then push a system add-on update to disable TLS 1.3 post go-live.

The problem with 2) is the lag. With 1) TLS1.3 will be disabled before it hits release 54
Flags: needinfo?(rkothari)
(Assignee)

Comment 11

2 years ago
I agree #2 is bad. WRT #1, could we just do it for the last beta? That would give us some slack, but not be risky?
Ok. Let's take land this patch in the ~last RC build or latest by Wed 6/7. Gerry, Wesley, Ryan fyi.
Flags: needinfo?(wkocher)
Flags: needinfo?(ryanvm)
Flags: needinfo?(gchang)
landed on beta as https://hg.mozilla.org/releases/mozilla-beta/rev/4f0bd6c5b03dafa6025621da30e1bc87008d027b
Flags: needinfo?(wkocher)
Flags: needinfo?(ryanvm)
status-firefox54: affected → fixed
outch ryan told this landed too soon, so backed out in https://hg.mozilla.org/releases/mozilla-beta/rev/a6a79438608114ac87218bcb467b1f8aa5d603f3
status-firefox54: fixed → affected
I don't think we should keep things out of RC1 if we want them in release, that kind of defeats the purpose of a release candidate...
Just chatted with Ritu, let's land this for RC1, that way we're all set if nothing else requires a respin this week.  Thanks.
Flags: needinfo?(ryanvm)
https://hg.mozilla.org/releases/mozilla-release/rev/bfd20b4c396b
Assignee: nobody → ekr
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox54: affected → fixed
Flags: needinfo?(ryanvm)
Flags: needinfo?(laura)
Flags: needinfo?(gchang)
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
The issue was verified on Firefox 54.0 (20170608175746), under Windows 7x64, Mac OS X 10.12.5 and Ubuntu 16.04x64, following the STR from Comment 6.  
TLS 1.2 is correctly displayed under Technical Details.
I'm marking this issue Verified Fixed.
Status: RESOLVED → VERIFIED
status-firefox54: fixed → verified
(Assignee)

Updated

2 years ago
Blocks: 1385927
You need to log in before you can comment on or make changes to this bug.