Closed Bug 1623536 Opened 4 years ago Closed 4 years ago

Re-enable TLS 1.0 in Firefox 75 (Beta)

Categories

(Core :: Security: PSM, task, P1)

Product:
Core
Component:
Security: PSM
Type:
task

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla76
Project Flags:
Webcompat Priority P1
Tracking Flags:
Tracking Status
firefox74 --- wontfix
firefox75 blocking verified

People

(Reporter: mt, Assigned: mt)

References

Details

(Keywords: site-compat)

Attachments

(2 files)

Bug 1623536 - Re-enable TLS 1.0, r?keeler
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review
Bug 1623536 - Fix busted test, a=??
47 bytes, text/x-phabricator-request
Details | Review

+++ This bug was initially created as a clone of Bug #1623534 +++

The recent announcement from Google to delay the Chrome release indicates that they will not honour the agreement to turn TLS 1.0 off at this time. That's understandable, but that leaves Firefox as the only major browser to have TLS 1.0 disabled in any way right now.

We have also seen people ask that we provide more support for people who might have to use online tools, and this would help avoid some bustage.

I would like to request that we land a change to re-enable TLS 1.0 in Firefox 75 Beta.

[Tracking Requested - why for this release]: The change has to be uplifted to 75 Beta.

status-firefox74: --- → fix-optional
status-firefox75: --- → affected
status-firefox76: --- → affected
tracking-firefox75: --- → ?
Keywords: site-compat

MozReview-Commit-ID: Lp5YyX7agFl

Comment on attachment 9134296 [details]
Bug 1623536 - Re-enable TLS 1.0, r?keeler

Beta/Release Uplift Approval Request

  • User impact if declined: We had previously agreed to disable TLS 1.0. But other browsers have delayed their deployments of this change, so we are the only browser not to allow TLS 1.0 to work.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This expands compatibility by changing a well-tested pref. This restores the state as of two releases prior.
  • String changes made/needed: none
Attachment #9134296 - Flags: approval-mozilla-beta?
Webcompat Priority: --- → P1

AIUI this is beta-only, and 76 keeps it disabled?

Flags: needinfo?(mt)

This bug is tracked by a release manager but with a small severity so change it to major.
For more information, please visit auto_nag documentation.

Severity: normal → major

Comment on attachment 9134296 [details]
Bug 1623536 - Re-enable TLS 1.0, r?keeler

Blocker bug, uplift approved for 75 beta 6, thanks.

Attachment #9134296 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

https://hg.mozilla.org/releases/mozilla-beta/rev/5fc6400346af

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox75: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

Yes, we might need some time to work out what to do with 76, but I am hoping that we'll be back on track. I'm checking with other browsers on status.

Flags: needinfo?(mt)

MozReview-Commit-ID: 7BH2ctZyrEq

Depends on D67418

Flags: qe-verify+
QA Whiteboard: [qa-triaged]

I have verified the following, using the latest Firefox Beta 75.0b6 (Build ID: 20200319224147) on Windows 10 x64, macOS 10.15, and Ubuntu Linux 18.04 x64.

  • The value of the security.tls.version.min pref is by default set to 1.
  • The TLS v1.0 handshake is successfully done between the Firefox browser and the following URL https://tls-v1-0.badssl.com:1010/.
  • The https://tls-v1-0.badssl.com:1010/ website will return an error if the value of the security.tls.version.min pref is manually set to 2 or 3 or 4.
Status: RESOLVED → VERIFIED
status-firefox75: fixedverified

76 goes to Beta next week - I assume we want to land a similar change before then?

status-firefox74: fix-optionalwontfix
Flags: needinfo?(mt)

We are currently discussing plans. I expect that we'll have to roll a bunch of code back and expect a decision shortly. (Keeping needinfo set as a reminder.)

Google will resume release of Chrome 81 during the week of April 7:
https://blog.chromium.org/2020/03/chrome-and-chrome-os-release-updates.html

It's very unlikely that Google will roll out TLS 1.0/1.1 removal in Chrome 81. Currently, we plan to pick up our deprecation plans in Beta 77, monitor for two cycles, and then let ride to Release 78, but we will keep monitoring the situation.

Bug 1626495 tracks re-enabling TLS 1.0 for 76 and 77.

Flags: needinfo?(mt)
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: