set fallback-limit pref to TLS 1.3 by default for Firefox 62

RESOLVED FIXED in Firefox 62

Status

enhancement
RESOLVED FIXED
11 months ago
9 months ago

People

(Reporter: rhelmer, Assigned: mt)

Tracking

unspecified
mozilla63
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox61 wontfix, firefox62+ fixed, firefox63+ fixed)

Details

Attachments

(1 attachment)

Reporter

Description

11 months ago
In bug 1473987 we did a phased roll-out of the TLS 1.3 fallback-limit to 95% of release channel users.

ekr ran an analysis of the TLS errors we see from Telemetry and there wasn't any significant difference for users with the pref on vs. off.

More specifically what should be done here is to change the "security.tls.version.fallback-limit" pref to 4.

It is currently set to 3 here: https://searchfox.org/mozilla-central/rev/033d45ca70ff32acf04286244644d19308c359d5/security/manager/ssl/security-prefs.js#7
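As an added illustration (not code from this bug, from Firefox or from NSS), the following Python model shows what the fallback-limit pref controls and why raising it from 3 to 4 matters. The value encoding 1..4 = TLS 1.0..TLS 1.3 is the one used by the security.tls.version.* prefs; FakeServer, connect_with_fallback, fallback_occurred and the two pref dictionaries are constructed for the example, and the min value of 1 is an assumption.

```python
"""Constructed model of the TLS version-fallback loop that the Firefox pref
security.tls.version.fallback-limit governs. Illustration only: this is not
Firefox or NSS code, and it opens no real network connections."""
from dataclasses import dataclass, field

# Value encoding used by the security.tls.version.* prefs:
# 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3.
TLS_VERSION_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Constructed pref sets: the "before" state (fallback-limit 3 = TLS 1.2) and
# the state this bug asks for (fallback-limit 4 = TLS 1.3). The min value
# is an assumption made for the example.
PREFS_BEFORE = {"security.tls.version.min": 1,
                "security.tls.version.max": 4,
                "security.tls.version.fallback-limit": 3}
PREFS_AFTER = {**PREFS_BEFORE, "security.tls.version.fallback-limit": 4}


class HandshakeFailure(Exception):
    """The handshake at a given offered version aborted before completing."""


@dataclass
class FakeServer:
    """A constructed peer. max_version is the highest version it speaks;
    failing_versions are client-offered versions at which the handshake
    aborts. A version-intolerant server, a faulty middlebox and an on-path
    party deliberately breaking the higher-version attempt all look the
    same to the client, which is exactly why blind retries are a risk."""
    max_version: int
    failing_versions: frozenset = field(default_factory=frozenset)

    def handshake(self, offered_max: int) -> int:
        if offered_max in self.failing_versions:
            raise HandshakeFailure(
                f"handshake aborted while offering {TLS_VERSION_NAMES[offered_max]}")
        # Normal in-handshake negotiation: both sides settle on the highest
        # version they share. No client-side retry is needed for this.
        return min(offered_max, self.max_version)


def connect_with_fallback(prefs: dict, server: FakeServer):
    """Start at security.tls.version.max; after a failed handshake retry one
    version lower, but never below fallback-limit (or min). Returns
    (negotiated_version_or_None, versions_offered_in_order). None means the
    error was surfaced to the user instead of being hidden by a retry."""
    version = prefs["security.tls.version.max"]
    floor = max(prefs["security.tls.version.fallback-limit"],
                prefs["security.tls.version.min"])
    offered = []
    while True:
        offered.append(version)
        try:
            return server.handshake(version), offered
        except HandshakeFailure:
            if version <= floor:
                return None, offered
            version -= 1


def fallback_occurred(offered) -> bool:
    """True when the client retried at a lower version than it first offered,
    i.e. it downgraded itself outside the handshake's own negotiation."""
    return len(offered) > 1


if __name__ == "__main__":
    intolerant = FakeServer(max_version=3, failing_versions=frozenset({4}))
    for label, prefs in (("before", PREFS_BEFORE), ("after", PREFS_AFTER)):
        negotiated, offered = connect_with_fallback(prefs, intolerant)
        name = TLS_VERSION_NAMES.get(negotiated, "connection error")
        print(f"{label}: offered {offered} -> {name}, "
              f"fallback={fallback_occurred(offered)}")
    # A server that simply stops at TLS 1.2 still works with fallback disabled,
    # because version selection happens inside the handshake, not via retries.
    print(connect_with_fallback(PREFS_AFTER, FakeServer(max_version=3)))
```

With the old prefs, a failure during the TLS 1.3 attempt is quietly answered by a second connection at TLS 1.2; with fallback-limit 4 the same failure becomes a visible error, which is the security and performance point made later in this bug. The last line shows that disabling fallback does not break servers that only speak TLS 1.2: they are selected by normal negotiation on the first attempt.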

Comment 1

Is this still in the works for 62?
Flags: needinfo?(rhelmer)
Reporter

Comment 2

10 months ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #1)
> Is this still in the works for 62?

Hm, I guess I was hoping an NSS peer would find this in triage and take care of it :) I can do it and ask for review though.

ekr, just to double check, we want TLS fallback limit to be 1.3 for Firefox 62?
Flags: needinfo?(rhelmer) → needinfo?(ekr)

Comment 3

10 months ago
I think so. MT?
Flags: needinfo?(ekr) → needinfo?(martin.thomson)
Assignee

Comment 4

10 months ago
Yeah, 4 for all values.

We're on the road to remove that code, so we should just hard-code the value.  I should get a patch in...
Flags: needinfo?(martin.thomson)
Assignee

Comment 5

10 months ago
We very carefully checked that version fallback wasn't needed for TLS 1.3, but forgot to disable it by default.
Assignee

Comment 6

10 months ago
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1479501
[User impact if declined]: occasional TLS version fallbacks, which aren't great for security or performance
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: This fix has been verified in Release.  See bug 1473987.
[Needs manual test from QE? If yes, steps to reproduce]:  No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It's disabling code.  And we're already running with 100% (or near it) in Release.
[String changes made/needed]:
Attachment #8999066 - Flags: approval-mozilla-beta?

Comment 7

Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

OK, sounds like we're ready, let's do this for beta 17!
Does this need a release note to mark the occasion?
Attachment #8999066 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Assignee

Comment 8

10 months ago
No release note please.

Comment 9

10 months ago
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

Eric Rescorla (:ekr) has approved the revision.
Attachment #8999066 - Flags: review+

Comment 12

10 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/13ec6b447cc5
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Assignee: nobody → martin.thomson
See Also: → 1487517
Depends on: 1487517
See Also: 1487517
Per comment 6, manual testing is not needed and also the automated coverage is present. Setting this as qe-verify -.
Flags: qe-verify-