1483129 - Enable the TLS 1.3 final version number

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement)

Description

[Martin Thomson [:mt:]]

Now that RFC 8446 has happened, we should use the final version number.

We need to retain the ability to version DTLS, so that will need some care.

There are also reports of the downgrade protection in TLS 1.3 being fragile in some deployments.  We haven't tested that (we couldn't), so we'll probably need some sort of control on that so that we can either roll it out progressively, or back out that bit if necessary.

Comment 2

[Masatoshi Kimura [:emk]]

When the downgrade protection is a problem even though we no longer fallback to lower versions anyway?

Comment 3

[Dennis Clarke]

Looks like Chromium has support in place for Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.42 Safari/537.36 as that has hit www.tls13.net neatly. Firefox nightly must be close.

Comment 4

[Jasmin]

I think that was my client. I'm using Chromium Beta patched with the latest boringssl and https://chromium-review.googlesource.com/c/chromium/src/+/1172504 .

Sorry for the confusion :)

Comment 5

[Dennis Clarke]

Looks like a clean web agent GET and no errors and that means it works. 
Nothing else has.

Comment 6

[Martin Thomson [:mt:]]

https://hg.mozilla.org/projects/nss/rev/ee357b00f2e6c44589dcd406097357888d59ef06

Comment 7

[Dennis Clarke]

This is NOT resolved. The very latest nightly Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0 Built from https://hg.mozilla.org/mozilla-central/rev/e4e2245fc1428c33db179ca2f242b922ad988d79 does not work.  Can NOT reach site www.tls13.net which does run the actual TLS 1.3 protocol and has been checked with openssl s_client.

Comment 8

[Martin Thomson [:mt:]]

Dennis, this is not a Firefox bug.  The fix will be in Firefox when NSS is next integrated there.  Be patient.

Comment 9

[Dennis Clarke]

Well things are working like a charm now with rev/b75561ff5ffec3164338952adfe58620e5e3bc1d