In bug 1473987 we did a phased roll-out of the TLS 1.3 fallback-limit to 95% of release channel users. ekr ran an analysis of the TLS errors we see from Telemetry and there wasn't any significant difference for users with the pref on vs. off. More specifically what should be done here is to change the "security.tls.version.fallback-limit" pref to 4. It is currently set to 3 here: https://searchfox.org/mozilla-central/rev/033d45ca70ff32acf04286244644d19308c359d5/security/manager/ssl/security-prefs.js#7
Is this still in the works for 62?
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #1)
> Is this still in the works for 62?

Hm, I guess I was hoping an NSS peer would find this in triage and take care of it :) I can do it and ask for review though. ekr, just to double check, we want TLS fallback limit to be 1.3 for Firefox 62?
Flags: needinfo?(rhelmer) → needinfo?(ekr)
I think so. MT?
Flags: needinfo?(ekr) → needinfo?(martin.thomson)
Yeah, 4 for all values. We're on the road to remove that code, so we should just hard-code the value. I should get a patch in...
We very carefully checked that version fallback wasn't needed for TLS 1.3, but forgot to disable it by default.
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1479501
[User impact if declined]: occasional TLS version fallbacks, which aren't great for security or performance
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: This fix has been verified in Release. See bug 1473987.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It's disabling code. And we're already running with 100% (or near it) in Release.
[String changes made/needed]:
Attachment #8999066 - Flags: approval-mozilla-beta?
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

OK, sounds like we're ready, let's do this for beta 17! Does this need a release note to mark the occasion?
Attachment #8999066 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
No release note please.
Comment on attachment 8999066 [details]
Bug 1479501 - Disable TLS version fallback, r?ekr

Eric Rescorla (:ekr) has approved the revision.
Attachment #8999066 - Flags: review+
Pushed by email@example.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/13ec6b447cc5
Disable TLS version fallback, r=ekr
Per comment 6, manual testing is not needed and also the automated coverage is present. Setting this as qe-verify -.
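The pref change discussed in this bug (fallback-limit 3 → 4) can be checked on a deployed profile. The following is an added example, not code from the bug or from Mozilla: it reads `pref()`/`user_pref()` lines and reports whether version fallback is still possible. The helper names, the sample file contents, the `security.tls.version.max` values and the rule "fallback is possible when the limit is below the maximum version" are assumptions made for the illustration.

```javascript
// Added example, not Mozilla code. The fallback-limit pref name is from the bug;
// the version numbering (1..4 = TLS 1.0..1.3) is the assumed Firefox encoding.
const TLS_NAMES = { 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3" };
const FALLBACK_PREF = "security.tls.version.fallback-limit";
const MAX_PREF = "security.tls.version.max";

// Parse integer pref(...) / user_pref(...) lines from one or more files.
// Later lines override earlier ones, but a user_pref is never replaced by a pref.
function parsePrefs(sources) {
  const re = /^\s*(user_pref|pref)\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;/;
  const effective = new Map();
  for (const text of sources) {
    for (const line of text.split(/\r?\n/)) {
      const m = re.exec(line);
      if (!m) continue; // comments, non-integer prefs, blank lines
      const [, kind, name, value] = m;
      const prev = effective.get(name);
      if (prev && prev.user && kind === "pref") continue;
      effective.set(name, { value: Number(value), user: kind === "user_pref" });
    }
  }
  return effective;
}

// Assumption: a retry at a lower version can only happen while limit < max.
function auditFallback(sources) {
  const prefs = parsePrefs(sources);
  const limit = prefs.get(FALLBACK_PREF);
  const max = prefs.get(MAX_PREF);
  if (!limit || !max) return { status: "unknown", detail: "pref not set in the given files" };
  const allowed = limit.value < max.value;
  return {
    status: allowed ? "fallback-enabled" : "fallback-disabled",
    detail: allowed
      ? `handshake may be retried down to ${TLS_NAMES[limit.value] || limit.value}`
      : `no retry below ${TLS_NAMES[max.value] || max.value}`,
    overriddenByUser: limit.user,
  };
}

// Constructed sample input: old default, new default, and a profile override.
const BEFORE = 'pref("security.tls.version.max", 4);\npref("security.tls.version.fallback-limit", 3);';
const AFTER = 'pref("security.tls.version.max", 4);\npref("security.tls.version.fallback-limit", 4);';
const USER_JS = '// local override\nuser_pref("security.tls.version.fallback-limit", 1);';
console.log(auditFallback([BEFORE]), auditFallback([AFTER]), auditFallback([AFTER, USER_JS]));
```

The third case shows why a fleet audit should read the profile's own pref files as well as the shipped defaults: a leftover user override re-enables fallback even after the default moves to 4.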