Closed Bug 1643229 Opened 1 year ago Closed 1 year ago

Disable TLS 1.0 and 1.1 by default in Firefox 78

Categories

(Core :: Security: PSM, task)

Tracking

VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox77 --- unaffected
firefox78 --- verified
firefox79 --- verified

People

(Reporter: mt, Assigned: mt)

References

(Blocks 1 open bug)

Details

(Keywords: site-compat)

Attachments

(1 file)

The code currently keeps TLS 1.0 enabled in release versions. That's not good, because we planned to not have that in 78.

Assignee: nobody → mt
Status: NEW → ASSIGNED
Keywords: site-compat
Pushed by mthomson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a53f3bd24c2c
Disable TLS 1.0 in release channels, r=keeler

Comment on attachment 9154073 [details]
Bug 1643229 - Disable TLS 1.0 in release channels, r?keeler

Beta/Release Uplift Approval Request

  • User impact if declined: Users get TLS 1.0 a little longer, which is likely better for compatibility, but not that great for their security. As we have agreed with other browsers to deprecate this protocol, and told them that it was happening in Firefox 78, it would not be good if this were declined.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: https://tls-v1-0.badssl.com:1010/
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The web compatibility risk is fairly significant here. We have a mechanism to re-enable the protocol with one click. That mechanism is good but not perfect. It fails to capture the case where a subresource is blocked due to the change, but we have only seen one case where this was a problem and that has since been fixed on the server end.
  • String changes made/needed: None
Attachment #9154073 - Flags: approval-mozilla-beta?

Being first movers on this seems like a risky thing to do. What's the reason for doing this in 78 rather than 79?

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

[Tracking Requested - why for this release]: The Firefox 78 uplift request is requested but not merged yet.

Comment on attachment 9154073 [details]
Bug 1643229 - Disable TLS 1.0 in release channels, r?keeler

Per Wennie, approved for 78 rc1.

Attachment #9154073 - Flags: approval-mozilla-beta? → approval-mozilla-release+
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

The issue is verified fixed using Fx78.0RC and Fx79.0a1 on Windows 10, Ubuntu 18.04 and macOS 10.14. TLS 1.0 and 1.1 are disabled by default. Please note that no issues regarding the TLS disable have come up during our web-compat testing for the RC validation.

Status: RESOLVED → VERIFIED
Flags: qe-verify+