Closed Bug 1573118 Opened 2 years ago Closed 2 years ago

enable TLS 1.3 by default in NSS


(NSS :: Libraries, task, P2)



(Not tracked)



(Reporter: kdudka, Unassigned)




(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

I tried to connect with curl to a TLS server that accepts TLS 1.3 connections only.

Actual results:

The connection failed because TLS 1.3 was not enabled by default in NSS.

Expected results:

TLS 1.3 should be enabled by default in NSS. Firefox now enables TLS 1.3 by default and we have a pull request for curl to also enable it explicitly:

Type: defect → task

Seems like it's time, to me. I'll point the community to this bug for discussion.

Sounds good. Thanks for the quick update on this!

Note: It seems to me that we should not do this in 3.45, but maybe 3.46, so setting that target outright.

Target Milestone: --- → 3.46
Target Milestone: 3.46 → 3.47
Ever confirmed: true

A summary of the curl PR:
SSL_VersionRangeGetDefault returns the intersection of the system policy (0x1 to 0xffff by default -- basically unconstrained) with TLS 1.0 to 1.2:

static SSLVersionRange versions_defaults_stream = {

curl uses the SSL_VersionRangeGetDefault function to determine the default TLS versions that should be enabled. In Firefox, this is not used for that purpose. This potentially has to be changed when NSS changes the max to TLS 1.3:

Planning for 3.47 / Firefox 71.

Priority: -- → P2
Target Milestone: 3.47 → 3.48

As planned for 3.47, but now for 3.48.

These unit tests were broken by the change to TLS version defaults.

In retrospect, this shouldn't have been surprising, but now that it I'm seeing bustage, I'm somewhat surprised that there are so few failures.

You need to log in before you can comment on or make changes to this bug.