Closed Bug 1573118 Opened 5 years ago Closed 5 years ago

enable TLS 1.3 by default in NSS

Categories

(NSS :: Libraries, task, P2)

Product:
NSS
Component:
Libraries
Version:
3.45
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kdudka, Unassigned)

References

Details

Attachments

(2 files)

Bug 1573118 - Enable TLS 1.3 by default, r?jcj
47 bytes, text/x-phabricator-request
Details | Review
Bug 1573118 - Fix busted unit tests, r?jcj
47 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

I tried to connect with curl to a TLS server that accepts TLS 1.3 connections only.

Actual results:

The connection failed because TLS 1.3 was not enabled by default in NSS.

Expected results:

TLS 1.3 should be enabled by default in NSS. Firefox now enables TLS 1.3 by default and we have a pull request for curl to also enable it explicitly:

https://github.com/curl/curl/pull/4187

Type: defect → task

Seems like it's time, to me. I'll point the community to this bug for discussion.

Sounds good. Thanks for the quick update on this!

Note: It seems to me that we should not do this in 3.45, but maybe 3.46, so setting that target outright.

Target Milestone: --- → 3.46
Target Milestone: 3.46 → 3.47
Status: UNCONFIRMED → NEW
Ever confirmed: true

A summary of the curl PR:
SSL_VersionRangeGetDefault returns the intersection of the system policy (0x1 to 0xffff by default -- basically unconstrained) with TLS 1.0 to 1.2:

static SSLVersionRange versions_defaults_stream = {
SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_2
};

curl uses the SSL_VersionRangeGetDefault function to determine the default TLS versions that should be enabled. In Firefox, this is not used for that purpose. This potentially has to be changed when NSS changes the max to TLS 1.3:
https://searchfox.org/mozilla-central/rev/7a5022a3/security/manager/ssl/nsNSSCallbacks.cpp#1280

Planning for 3.47 / Firefox 71.

Priority: -- → P2
Target Milestone: 3.47 → 3.48

As planned for 3.47, but now for 3.48.

https://hg.mozilla.org/projects/nss/rev/bc77cf318f388f55790b99d5f23a9c1f2bd9f900

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

These unit tests were broken by the change to TLS version defaults.

In retrospect, this shouldn't have been surprising, but now that it I'm seeing bustage, I'm somewhat surprised that there are so few failures.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: