
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=1310516

1310516 - Enable TLS 1.3 by default


Closed Bug 1310516 Opened 9 years ago Closed 9 years ago

Product: Core
Component: Security: PSM
Type: defect
Status: RESOLVED FIXED
Target Milestone: mozilla52
Tracking Status: firefox52 --- fixed
Whiteboard: [psm-backlog]

 
TLS 1.3 is disabled by default. We would like to enable the latest version for Firefox 52. This bug will increment the default value of security.tls.version.max to 4 (TLS 1.3). We will retain insecure fallback to TLS 1.2; a later bug might change the value of security.tls.version.fallback-limit to 4. The fallback limit will remain at 3 (TLS 1.2) until we have broader information about server intolerance to the TLS 1.3 handshake. This does not include 0-RTT for HTTP; that will follow later.
Priority: -- → P2
Whiteboard: [psm-backlog]
Attachment #8807415 - Flags: review?(dkeeler)

Comment 3

9 years ago
mozreview-review
Comment on attachment 8807415 [details] Bug 1310516 - Enable TLS 1.3, https://reviewboard.mozilla.org/r/90554/#review90850 LGTM, but we should also bump the value that's in nsNSSComponent.cpp (see comment). ::: netwerk/base/security-prefs.js:6 (Diff revision 1) > /* This Source Code Form is subject to the terms of the Mozilla Public > * License, v. 2.0. If a copy of the MPL was not distributed with this > * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > > pref("security.tls.version.min", 1); > -pref("security.tls.version.max", 3); > +pref("security.tls.version.max", 4); The value at https://dxr.mozilla.org/mozilla-central/rev/8e8b146fcb8b268e3c09b646087c6b2ef9f0af6f/security/manager/ssl/nsNSSComponent.cpp#1657 also needs to be bumped, looks like.
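Review bot: The changed line +pref("security.tls.version.max", 4); has no comment saying which protocol version the number selects, and the neighbouring security.tls.version.min line has none either. The bug description maps 3 to TLS 1.2 and 4 to TLS 1.3, so a one-line comment beside these prefs stating that mapping, and noting that security.tls.version.fallback-limit deliberately stays at 3, would make the intended range readable from the file itself. Since the review points out that the same default is also set in nsNSSComponent.cpp, both values should change in the same revision so the two defaults cannot disagree.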
Attachment #8807415 - Flags: review?(dkeeler) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52

Comment 9

9 years ago
What is the draft number of the TLS 1.3 implemented in the latest Firefox beta? (At the time of writing, it is Firefox 52 beta 3.)
Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52 final version? Will Firefox 52 ESR have the TLS final version (not draft) someday? I know that it's not enabled by default but I can turn it on, I would like to know. Isn't it bad to enable by default a draft version of TLS in Firefox 53 when it will be released as the final version? The different draft versions are not compatible with each other, right?
(In reply to Stephanie from comment #11)
> Hello! What is the draft number of the TLS 1.3 implemented in the Firefox 52
> final version?

-18

> Will Firefox 52 ESR have the TLS final version (not draft) someday?

No.

> I know that it's not enabled by default but I can turn it on, I would like
> to know.
>
> Isn't it bad to enable by default a draft version of TLS in Firefox 53 when
> it will be released as the final version?

No.

> The different draft versions are not compatible with each other, right?

No, but two implementations which support disjoint draft versions should properly negotiate TLS 1.2.
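The negotiation outcome described in the reply above, as an added example that is not Firefox or NSS code and not part of the original thread: a simplified model in which the client's offer is derived from security.tls.version.min and security.tls.version.max and the server picks the first offered version it also supports. The code point 0x7f00 | N for draft N follows the convention of the TLS 1.3 drafts; the function names and the server version lists are constructed for illustration.

```javascript
// Added illustration, not Firefox or NSS code. Pref numbering as on this page:
// 3 = TLS 1.2, 4 = TLS 1.3; 1 and 2 are TLS 1.0 and TLS 1.1.
const WIRE = { 1: 0x0301, 2: 0x0302, 3: 0x0303 };
const draft = (n) => 0x7f00 | n; // draft-N code point used by the TLS 1.3 drafts

// Versions a client offers for a given pref range, highest first.
// clientDraft is the single TLS 1.3 draft this client build implements.
function clientOffer(min, max, clientDraft) {
  const offer = [];
  for (let v = max; v >= min; v--) {
    offer.push(v === 4 ? draft(clientDraft) : WIRE[v]);
  }
  return offer;
}

// Server picks the client's most preferred version that it also supports.
// Returns null when there is no overlap (the handshake fails).
function negotiate(offer, serverSupported) {
  const supported = new Set(serverSupported);
  const chosen = offer.find((v) => supported.has(v));
  return chosen === undefined ? null : chosen;
}

function name(v) {
  if (v === null) return "no common version";
  if ((v & 0xff00) === 0x7f00) return `TLS 1.3 draft-${v & 0xff}`;
  return { 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2" }[v];
}

// Constructed scenarios: a draft-18 client with version.min=1, version.max=4.
const offer = clientOffer(1, 4, 18);
const sameDraft = negotiate(offer, [draft(18), 0x0303]);  // server speaks the same draft
const otherDraft = negotiate(offer, [draft(20), 0x0303]); // disjoint drafts
const max3 = negotiate(clientOffer(1, 3, 18), [draft(18), 0x0303]); // pref left at 3
const draftOnly = negotiate(offer, [draft(20)]);          // server without TLS 1.2

console.log(name(sameDraft), "|", name(otherDraft), "|", name(max3), "|", name(draftOnly));
```

The disjoint-draft case lands on TLS 1.2 only because both sides still list it; a peer that offers nothing but a different draft has no common version.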
It seems this didn't make it into FF 52 -- about:config shows security.tls.version.max with default value of 3 -- is this coming in 53 instead?
Flags: needinfo?(martin.thomson)
Assignee

Comment 14

9 years ago
We expect to have the latest results of our compatibility testing soon. The earlier ones showed some issues that caused us to delay release. It's fairly safe to flip the pref if you know what to expect, but there are a small number of people who will encounter compatibility issues and won't know how to deal with them, so we are keeping it off until we're certain that it's not regressing compatibility much.
Flags: needinfo?(martin.thomson)
Assignee: nobody → martin.thomson