Closed
Bug 1479501
Opened 6 years ago
Closed 6 years ago
set fallback-limit pref to TLS 1.3 by default for Firefox 62
Categories
(Core :: Security: PSM, enhancement)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla63
People
(Reporter: rhelmer, Assigned: mt)
References
Details
Attachments
(1 file)
|
46 bytes,
text/x-phabricator-request
|
ekr
:
review+
lizzard
:
approval-mozilla-beta+
|
Details | Review |
In bug 1473987 we did a phased roll-out of the TLS 1.3 fallback-limit to 95% of release channel users. ekr ran an analysis of the TLS errors we see from Telemetry and there wasn't any significant difference for users with the pref on vs. off. More specifically what should be done here is to change the "security.tls.version.fallback-limit" pref to 4. It is currently set to 3 here: https://searchfox.org/mozilla-central/rev/033d45ca70ff32acf04286244644d19308c359d5/security/manager/ssl/security-prefs.js#7
|
||
Updated•6 years ago
|
status-firefox61:
--- → wontfix
status-firefox62:
--- → affected
status-firefox63:
--- → affected
tracking-firefox62:
--- → +
tracking-firefox63:
--- → +
|
Reporter | |
Comment 2•6 years ago
|
||
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #1) > Is this still in the works for 62? Hm, I guess I was hoping an NSS peer would find this in triage and take care of it :) I can do it and ask for review though. ekr, just to double check, we want TLS fallback limit to be 1.3 for Firefox 62?
Flags: needinfo?(rhelmer) → needinfo?(ekr)
|
Assignee | |
Comment 4•6 years ago
|
||
Yeah, 4 for all values. We're on the road to remove that code, so we should just hard-code the value. I should get a patch in...
Flags: needinfo?(martin.thomson)
|
|
Assignee | |
Comment 5•6 years ago
|
||
We very carefully checked that version fallback wasn't needed for TLS 1.3, but forgot to disable it by default.
|
|
Assignee | |
Comment 6•6 years ago
|
||
Comment on attachment 8999066 [details] Bug 1479501 - Disable TLS version fallback, r?ekr Approval Request Comment [Feature/Bug causing the regression]: Bug 1479501 [User impact if declined]: occasional TLS version fallbacks, which aren't great for security or performance [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: This fix has been verified in Release. See bug 1473987. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: It's disabling code. And we're already running with 100% (or near it) in Release. [String changes made/needed]:
Attachment #8999066 -
Flags: approval-mozilla-beta?
|
||
Comment 7•6 years ago
|
||
Comment on attachment 8999066 [details] Bug 1479501 - Disable TLS version fallback, r?ekr OK, sounds like we're ready, let's do this for beta 17! Does this need a release note to mark the occasion?
Attachment #8999066 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
Assignee | |
Comment 8•6 years ago
|
||
No release note please.
|
||
Comment 9•6 years ago
|
||
Comment on attachment 8999066 [details] Bug 1479501 - Disable TLS version fallback, r?ekr Eric Rescorla (:ekr) has approved the revision.
Attachment #8999066 -
Flags: review+
|
||
Comment 10•6 years ago
|
||
Pushed by martin.thomson@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/13ec6b447cc5 Disable TLS version fallback, r=ekr
|
||
Comment 11•6 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/f3d5a8acef59
|
||
Comment 12•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/13ec6b447cc5
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
|
||
Updated•6 years ago
|
Assignee: nobody → martin.thomson
|
||
Comment 13•6 years ago
|
||
Per comment 6, manual testing is not needed and also the automated coverage is present. Setting this as qe-verify -.
Flags: qe-verify-
You need to log in
before you can comment on or make changes to this bug.
Description
•