1579270 - Disable TLS 1.0 and 1.1 for Nightly

Status: RESOLVED FIXED

(Core :: Security: PSM, task, P1)

Description

[Martin Thomson [:mt:]]

It's now time to start the process of deprecating TLS 1.0 and TLS 1.1.

Disabling these by default in Nightly should help us uncover more sites that aren't able to speak TLS 1.2.

Comment 1

[Martin Thomson [:mt:]]

Attachment: Bug 1579270 - Disable TLS 1.0 and TLS 1.1 in Nightly, r?keeler,jcj,ekr

This flips the default for security.tls.version.min to 3 (TLS 1.2) for the
Nightly channel.

Having had this pref at this level for the last year, I can confirm that this
does break the occasional site, but it is quite rare. The intent of this change
is to start making it more obvious when sites don't support TLS 1.2.

I'm asking for wider review because this is a disruptive change.

Comment 2

[Pulsebot]

Pushed by mthomson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0781e60dd54c
Disable TLS 1.0 and TLS 1.1 in Nightly, r=jcj

Comment 3

[Pulsebot]

Pushed by mthomson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f8020435c9fd
Disable TLS 1.0 and TLS 1.1 in Nightly, r=jcj

Comment 4

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/f8020435c9fd

Comment 5

[Kohei Yoshino]

Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/tls-1-0-and-1-1-are-now-deprecated/

Comment 6

[Pascal Chevrel:pascalc (PTO until august 14)]

I think this should be listed in Firefox Nightly 71 release notes, Martin, could you suggest a wording? Thanks

Comment 7

[Martin Thomson [:mt:]]

As long as this doesn't get copied to later releases...

Disabled TLS 1.0 and 1.1 by default.

Comment 8

[Chris Mills (Mozilla, MDN editor) [:cmills]]

I have documented this on MDN: see https://github.com/mdn/sprints/issues/2280#issuecomment-555578965 for all the details.

Let me know if you think this needs anything else at this stage; thanks!