Open Bug 1573118 Opened 2 months ago Updated 2 months ago

enable TLS 1.3 by default in NSS

Categories

(NSS :: Libraries, task, P2)

3.45

Tracking

(Not tracked)

People

(Reporter: kdudka, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

I tried to connect with curl to a TLS server that accepts TLS 1.3 connections only.

Actual results:

The connection failed because TLS 1.3 was not enabled by default in NSS.

Expected results:

TLS 1.3 should be enabled by default in NSS. Firefox now enables TLS 1.3 by default and we have a pull request for curl to also enable it explicitly:

https://github.com/curl/curl/pull/4187

Type: defect → task

Seems like it's time, to me. I'll point the community to this bug for discussion.

Sounds good. Thanks for the quick update on this!

Note: It seems to me that we should not do this in 3.45, but maybe 3.46, so setting that target outright.

Target Milestone: --- → 3.46
Target Milestone: 3.46 → 3.47
Status: UNCONFIRMED → NEW
Ever confirmed: true

A summary of the curl PR:
SSL_VersionRangeGetDefault returns the intersection of the system policy (0x1 to 0xffff by default -- basically unconstrained) with TLS 1.0 to 1.2:

#include "ssl.h" /* NSS public header: SSLVersionRange, SSL_LIBRARY_VERSION_* */
/* Library default for stream (TLS) sockets: TLS 1.0 through TLS 1.2,
 * so TLS 1.3 is not enabled unless the caller raises the max itself. */
static SSLVersionRange versions_defaults_stream = {
    SSL_LIBRARY_VERSION_TLS_1_0, /* min */
    SSL_LIBRARY_VERSION_TLS_1_2  /* max */
};

curl uses the SSL_VersionRangeGetDefault function to determine the default TLS versions that should be enabled. In Firefox, this is not used for that purpose. This potentially has to be changed when NSS changes the max to TLS 1.3:
https://searchfox.org/mozilla-central/rev/7a5022a3/security/manager/ssl/nsNSSCallbacks.cpp#1280
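Added illustration (not NSS or curl code) of the range derivation described above: the effective default is the system policy intersected with the library default, and a client whose range stops at TLS 1.2 cannot reach a server that offers only TLS 1.3. The version values are the real SSL_LIBRARY_VERSION_* constants from NSS; the range type and the intersection helper are a model written here, and the "new defaults" range assumes the max is raised to TLS 1.3 as this bug proposes.

```c
/* Added example modelling NSS's default TLS version range; not NSS code. */
#include <stdint.h>
#include <stdio.h>

/* Wire-format version numbers, as defined in NSS's sslproto.h. */
#define TLS_1_0 0x0301
#define TLS_1_1 0x0302
#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

/* Mirrors the shape of NSS's SSLVersionRange (min/max). */
typedef struct { uint16_t min, max; } VersionRange;

/* System policy as described in the comment: 0x1..0xffff, unconstrained. */
static const VersionRange policy = { 0x0001, 0xffff };

/* Intersect two ranges; an empty result has min > max. */
VersionRange intersect(VersionRange a, VersionRange b) {
    VersionRange r;
    r.min = a.min > b.min ? a.min : b.min;
    r.max = a.max < b.max ? a.max : b.max;
    return r;
}

/* What SSL_VersionRangeGetDefault effectively yields for a library
 * default: policy intersected with that default. */
VersionRange effective_default(VersionRange lib_default) {
    return intersect(policy, lib_default);
}

/* A client range and a server range can negotiate iff they overlap. */
int can_negotiate(VersionRange client, VersionRange server) {
    VersionRange r = intersect(client, server);
    return r.min <= r.max;
}

int main(void) {
    VersionRange old_defaults = { TLS_1_0, TLS_1_2 }; /* current library default */
    VersionRange new_defaults = { TLS_1_0, TLS_1_3 }; /* assumed: max raised to 1.3 */
    VersionRange tls13_only   = { TLS_1_3, TLS_1_3 }; /* the server from the report */
    printf("old defaults reach TLS 1.3-only server: %d\n",
           can_negotiate(effective_default(old_defaults), tls13_only)); /* 0 */
    printf("new defaults reach TLS 1.3-only server: %d\n",
           can_negotiate(effective_default(new_defaults), tls13_only)); /* 1 */
    return 0;
}
```

Raising the max explicitly on the client side, as the curl PR does, has the same effect on the client range as the proposed library default change.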

Planning for 3.47 / Firefox 71.

Priority: -- → P2