MozillaZine

How to disable SSL3 protocol in Firefox 25 Nightly?

Discussion about official Mozilla Firefox builds
abcuser
 
Posts: 261
Joined: March 12th, 2007, 11:19 pm

Post Posted June 26th, 2013, 1:18 am

Hi,
On Windows XP I have installed Firefox 25 Nightly and I looked in the security settings to disable the SSL3 protocol. So I did:
1. Tools | Options | Advanced | Certificates (Firefox 25) which looks similar to Tools | Options | Advanced | Encryption (Firefox 22).

It looks like the "Protocols" section with the two options "Use SSL 3.0" and "Use TLS 1.0" has disappeared from Firefox 25 compared to Firefox 22. OK, probably some security GUI design decision, to prevent non-technical users from accidentally disabling TLS and/or SSL.

So advanced settings should be taken care of in about:config. I searched the settings in about:config, typed "security.enable" in the filter Search box, and I see that the security.enable_ssl3 and security.enable_tls settings have disappeared from Firefox 25, but these two settings are still available in Firefox 22. Print-screen of Firefox 22 (left side) and Firefox 25 (right side): http://i.imgur.com/HETwcM2.png

I would like to disable the SSL3 protocol, because it is just not secure anymore. In Firefox 22 I can do it the GUI way or in about:config.

Now a question. How to disable SSL3 protocol in Firefox 25 Nightly?

It looks to me that Firefox 25 does not provide any option for the end-user to control which SSL protocol the end-user's browser is willing to support, and in this case it FORCES the end-user to use the SSL3 protocol if the SSL_server decides to communicate in the SSL3 protocol. This looks to me like a security hole.

Currently in Firefox 22 I always disable the SSL3 protocol, and if there is an SSL_server that would like to communicate using SSL3, I would like to get an error about not being able to display the web page - I just don't want to see any web page that uses a non-secure protocol.

Regards

eiji-gravion
 
Posts: 2
Joined: June 26th, 2013, 2:44 am

Post Posted June 26th, 2013, 2:56 am

SSLv3 is no more "insecure" than TLSv1, other than the lack of ECDHE support. I think Mozilla did a great thing by removing these options, especially from the GUI. The majority of people don't understand enough about SSL/TLS to be making any decisions regarding the configuration of it.

jscher2000

 
Posts: 10761
Joined: December 19th, 2004, 12:26 am
Location: Silicon Valley, CA USA

Post Posted June 26th, 2013, 8:16 am

Firefox 23 and later use a new pair of preferences for specifying the range of permissible encryption protocols. This article has the details on security.tls.version.min and security.tls.version.max: http://kb.mozillazine.org/Security.tls.version.*

rsx11m
Moderator
 
Posts: 14429
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted June 26th, 2013, 9:20 am

Be careful activating TLS 1.1 or 1.2: the fallback to TLS 1.0 isn't implemented yet and may leave you with a broken connection if the server you are connecting to is intolerant of those newer versions.

And yes, Firefox decided to remove the preferences UI whereas SeaMonkey opted for leaving it in and adding new boxes to accommodate selecting the newer protocols.

(moving to Firefox Builds as this is about a nightly developer build.)

abcuser
 
Posts: 261
Joined: March 12th, 2007, 11:19 pm

Post Posted June 27th, 2013, 4:01 am

@eiji-gravion, I totally agree, removing this kind of setting from the GUI is good to prevent unintentional lowering of security. But I don't really agree about "SSLv3 is no more "insecure" than TLSv1..."; there is also a difference in which cipher suites it is allowed to use, e.g. TLSv1.0 can also use 256-keys, see: https://www.openssl.org/docs/apps/ciphe ... UITE_NAMES

@jscher2000, thanks for the provided link. So the answer to my question 'How to disable SSLv3' is:
security.tls.version.max = 1 (set as default)
security.tls.version.min = 1 (default is 0)
The above pair of settings allows only TLSv1.0 in the Firefox browser.

@rsx11m, thanks for the warning. I tested the above min/max Firefox 25 settings with Apache 2.2 using OpenSSL 1.0.1. I monitored network traffic with Wireshark and it looks like all protocols are working fine in Firefox 25 (max=0: SSLv3, max=1: TLSv1.0, max=2: TLSv1.1 and max=3: TLSv1.2). Thanks for the warning, but I have downloaded Firefox 25 development only for doing some tests.

eiji-gravion
 
Posts: 2
Joined: June 26th, 2013, 2:44 am

Post Posted June 27th, 2013, 12:02 pm

abcuser wrote: @eiji-gravion, I totally agree, removing this kind of setting from the GUI is good to prevent unintentional lowering of security. But I don't really agree about "SSLv3 is no more "insecure" than TLSv1..."; there is also a difference in which cipher suites it is allowed to use, e.g. TLSv1.0 can also use 256-keys, see: https://www.openssl.org/docs/apps/ciphe ... UITE_NAMES

That doesn't mean they can't be used with SSLv3. I took a screenshot of my ClientHello (with only SSLv3 enabled) in Firefox; there are 256-bit ciphers available to use.

http://s16.postimg.org/eyc4lsjnn/Clipboard0111.png
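
Added example (not part of the original thread and not any poster's code): a Python parser for the ClientHello that the posts above inspected in Wireshark, reporting the offered protocol version as the matching security.tls.version.max value and listing the offered cipher suites. The sample bytes are constructed, and the names `parse_client_hello`, `build_sample`, `pref_max` and the short cipher suite table are assumptions made for this example.

```python
import struct

# Pref values as listed in the thread: 0=SSLv3, 1=TLSv1.0, 2=TLSv1.1, 3=TLSv1.2.
WIRE_TO_PREF = {(3, 0): (0, "SSLv3"), (3, 1): (1, "TLSv1.0"),
                (3, 2): (2, "TLSv1.1"), (3, 3): (3, "TLSv1.2")}
# Small subset of the IANA cipher suite registry, enough for the sample below.
SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one SSLv3/TLS record that holds a complete ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    # client_version is the highest version offered, i.e. the effective
    # security.tls.version.max; the min pref is not visible in this message.
    version = (hello[0], hello[1])
    pos = 35 + hello[34]            # skip version, 32-byte random, session id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher suite list")
    ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    pref, name = WIRE_TO_PREF.get(version, (None, "unknown"))
    return {"offered": name, "pref_max": pref,
            "suites": [SUITES.get(i, f"0x{i:04X}") for i in ids]}

def build_sample(version: tuple, suite_ids: list) -> bytes:
    """Constructed ClientHello for the demo (not a real capture)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (bytes(version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_sample((3, 1), [0x0035, 0x002F, 0x0005])))
```

To check a real browser, export the first handshake record of a capture as raw bytes and pass it to `parse_client_hello`; an `offered` value of SSLv3 means the client's maximum is still 0.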
