Remove Firefox Prefs for deprecated TLS Versions (1.0, 1.1).
Categories
(Core :: Security: PSM, enhancement, P3)
People
(Reporter: Tom25519, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Steps to reproduce:
Nowadays, Chromium has totally disabled TLS 1.0 and 1.1.
Actual results:
Firefox can still use TLS 1.0 and 1.1. You can test it on https://tls-v1-0.badssl.com:1010/ and https://tls-v1-1.badssl.com:1011/ when security.tls.version.enable-deprecated = true.
Expected results:
I think TLS 1.0/1.1 should be totally removed from the NSS codebase and Firefox about:config in the future.
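As an added example (not part of the original report and not Mozilla code), a defender can audit profile preference files for the setting described above. It assumes pref files consist of `user_pref("name", value);` lines, that `security.tls.version.min` uses 1 to 4 for TLS 1.0 to 1.3 with an assumed default of 3, and that the deprecated pref lowers the floor to TLS 1.0; the function names are hypothetical.

```python
import re

# Pref names: the first is from the report; the second is the Firefox pref for
# the minimum TLS version. How they combine below is this example's assumption.
DEPRECATED_PREF = "security.tls.version.enable-deprecated"
MIN_PREF = "security.tls.version.min"
VERSIONS = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
ASSUMED_DEFAULT_MIN = 3  # assumed default floor: TLS 1.2

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_tls_floor(text):
    """Return (effective minimum version name, list of findings) for one profile."""
    prefs = parse_prefs(text)
    findings = []
    floor = prefs.get(MIN_PREF, ASSUMED_DEFAULT_MIN)
    if type(floor) is not int or floor not in VERSIONS:
        findings.append(f"{MIN_PREF} has unexpected value {floor!r}")
        floor = ASSUMED_DEFAULT_MIN
    elif floor < 3:
        findings.append(f"{MIN_PREF} = {floor} allows {VERSIONS[floor]}")
    if prefs.get(DEPRECATED_PREF) is True:
        findings.append(f"{DEPRECATED_PREF} = true re-enables TLS 1.0/1.1")
        floor = 1
    return VERSIONS[floor], findings

# Constructed sample profile contents, not taken from a real installation.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.enable-deprecated", true);
'''
```

Run `audit_tls_floor` over the contents of each profile's pref file and treat any non-empty findings list as a profile that can still negotiate the deprecated versions.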
Comment 1•4 months ago
Removing the preferences to match Chrome's behaviour is reasonable.
However, BoringSSL has not removed TLS 1/1.1 support from their codebase. I expect that as BoringSSL is used in Google's server side products, they want to continue to support old clients. Similarly, NSS is also used in non-Firefox contexts and has a backwards-compat guarantee that we only break with major versions - so we're unlikely to remove support in the codebase itself in the near future.
Comment 2•4 months ago
I assume that this also has the same impact on Thunderbird!?
Comment 3•4 months ago
Correct. Thunderbird just follows platform for those prefs.