Closed Bug 1479501 Opened 3 years ago Closed 3 years ago

set fallback-limit pref to TLS 1.3 by default for Firefox 62

Categories: Core :: Security: PSM (Type: enhancement; Priority: Not set; Severity: normal)
Status: RESOLVED FIXED
Target Milestone: mozilla63
Tracking Status: firefox61 --- wontfix; firefox62 + fixed; firefox63 + fixed
People: Reporter: rhelmer, Assigned: mt
Attachments: 1 file

In bug 1473987 we did a phased roll-out of the TLS 1.3 fallback-limit to 95% of release channel users.

ekr ran an analysis of the TLS errors we see from Telemetry and there wasn't any significant difference for users with the pref on vs. off.

More specifically, what should be done here is to change the "security.tls.version.fallback-limit" pref to 4.

It is currently set to 3 here: https://searchfox.org/mozilla-central/rev/033d45ca70ff32acf04286244644d19308c359d5/security/manager/ssl/security-prefs.js#7
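As an added illustration (not code from this bug, Firefox or NSS), the following JavaScript models what the fallback-limit pref gates: a client that starts at security.tls.version.max and, when a handshake is aborted, retries one version lower until it reaches fallback-limit (or version.min), at which point it fails closed. The pref encoding (1 = TLS 1.0 through 4 = TLS 1.3) is Firefox's; the function names, the peerAbortsAbove parameter, the min/max values and the simplified retry rule are assumptions of this example, not the real PSM/NSS logic. It shows why moving the value from 3 to 4 matters: with 3, any peer or on-path party that aborts TLS 1.3 handshakes steers the client down to TLS 1.2; with 4 (equal to the maximum) the client never retries at a lower version.

```javascript
// Added example, not Firefox/NSS code: a simplified model of TLS version
// fallback as gated by the security.tls.version.* prefs from security-prefs.js.
// Firefox's pref encoding: 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3.
const TLS_NAMES = { 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3" };

// Default before this bug: fallback permitted down to TLS 1.2 (limit = 3).
// The min/max values are assumed for the example; the bug only changes the limit.
const PREFS_BEFORE = {
  "security.tls.version.min": 1,
  "security.tls.version.max": 4,
  "security.tls.version.fallback-limit": 3,
};

// After this bug: limit = 4, equal to max, so no fallback is ever permitted.
const PREFS_AFTER = { ...PREFS_BEFORE, "security.tls.version.fallback-limit": 4 };

// Assumed retry rule: a handshake that failed at `failedVersion` is retried one
// version lower only while the failed version is above both fallback-limit and
// version.min. Returns the version to retry at, or null for "give up".
function nextVersionAfterFailure(prefs, failedVersion) {
  const min = prefs["security.tls.version.min"];
  const limit = prefs["security.tls.version.fallback-limit"];
  if (failedVersion <= limit || failedVersion <= min) {
    return null;
  }
  return failedVersion - 1;
}

// Simulate the client against a peer (a version-intolerant server, or an
// on-path attacker resetting connections) that aborts every handshake whose
// offered maximum is above `peerAbortsAbove`. A tolerant peer would simply
// negotiate a lower version inside one handshake; abort-and-retry is exactly
// the fallback path this pref controls.
function negotiate(prefs, peerAbortsAbove) {
  const attempts = [];
  let version = prefs["security.tls.version.max"];
  while (version !== null) {
    attempts.push(version);
    if (version <= peerAbortsAbove) {
      return { version, attempts };
    }
    version = nextVersionAfterFailure(prefs, version);
  }
  return { version: null, attempts };
}

// Human-readable summary of one simulated negotiation.
function describe(label, prefs, peerAbortsAbove) {
  const r = negotiate(prefs, peerAbortsAbove);
  const tried = r.attempts.map((v) => TLS_NAMES[v]).join(", ");
  const outcome = r.version === null
    ? "connection fails (fail closed)"
    : `negotiated ${TLS_NAMES[r.version]}`;
  return `${label}: peer aborts above ${TLS_NAMES[peerAbortsAbove]} -> tried ${tried} -> ${outcome}`;
}

// Intolerant (or hostile) peer that aborts TLS 1.3 handshakes, before and after the pref change.
console.log(describe("fallback-limit=3", PREFS_BEFORE, 3));
console.log(describe("fallback-limit=4", PREFS_AFTER, 3));
// With limit 3, a peer aborting TLS 1.2 as well is not followed any further down.
console.log(describe("fallback-limit=3", PREFS_BEFORE, 2));
```

The point to take from the model is that fallback is a client-side retry triggered by a failed handshake, so whoever can make a handshake fail (a buggy middlebox or an attacker resetting connections) chooses where the client lands; setting the limit equal to the maximum version removes that lever entirely, which is why the patch simply disables the code rather than tuning the value.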
Is this still in the works for 62?
Flags: needinfo?(rhelmer)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #1)
> Is this still in the works for 62?

Hm, I guess I was hoping an NSS peer would find this in triage and take care of it :) I can do it and ask for review though.

ekr, just to double check, we want TLS fallback limit to be 1.3 for Firefox 62?
Flags: needinfo?(rhelmer) → needinfo?(ekr)
I think so. MT?
Flags: needinfo?(ekr) → needinfo?(martin.thomson)
Yeah, 4 for all values.

We're on the road to remove that code, so we should just hard-code the value.  I should get a patch in...
Flags: needinfo?(martin.thomson)
We very carefully checked that version fallback wasn't needed for TLS 1.3, but forgot to disable it by default.
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1479501
[User impact if declined]: occasional TLS version fallbacks, which aren't great for security or performance
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: This fix has been verified in Release.  See bug 1473987.
[Needs manual test from QE? If yes, steps to reproduce]:  No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It's disabling code.  And we're already running with 100% (or near it) in Release.
[String changes made/needed]:
Attachment #8999066 - Flags: approval-mozilla-beta?
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

OK, sounds like we're ready, let's do this for beta 17!
Does this need a release note to mark the occasion?
Attachment #8999066 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
No release note please.
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

Eric Rescorla (:ekr) has approved the revision.
Attachment #8999066 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/13ec6b447cc5
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Assignee: nobody → martin.thomson
See Also: → 1487517
Depends on: 1487517
See Also: 1487517
Per comment 6, manual testing is not needed and also the automated coverage is present. Setting this as qe-verify -.
Flags: qe-verify-