MozillaZine

Can TLS 1.3 be enabled in Fx 52.9 ESR?

User Help for Mozilla Firefox
Scarlettrunner20

Posts: 1010
Joined: February 13th, 2003, 5:06 pm

Post Posted August 13th, 2018, 3:32 am

I know that TLS 1.3 did not ship enabled by DEFAULT in Fx 52 ESR (but did in regular Fx 52).

I have enabled it in preferences on Fx 52.9 ESR. It does not work. It seems to me that it should work if the user enables it. I plan to use Fx 52.9 ESR for some time after it goes unsupported and it would be nice if I did not have to switch to Basilisk to get TLS 1.3.

Any comments on how to get it to work?

therube

Posts: 19108
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted August 13th, 2018, 5:27 am

How are you determining whether it works or not?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

morat
 
Posts: 2864
Joined: February 3rd, 2009, 6:29 pm

Post Posted August 13th, 2018, 5:34 am

Mozilla has a test server for TLS 1.3 testing.

More info: viewtopic.php?p=14806185#p14806185

TheVisitor
 
Posts: 4681
Joined: May 13th, 2012, 10:43 am

Post Posted August 13th, 2018, 6:14 am

morat wrote: Mozilla has a test server for TLS 1.3 testing.

More info: viewtopic.php?p=14806185#p14806185


Interesting.... Edge, Chrome and IE11 all report 'cannot establish secure connection'
YET Latest Nightly shows that I have reached the demo test page.... ??? Why, if it's unsecure would latest Firefox still be allowing connections?

Admittedly I don't know much about TLS security.

morat
 
Posts: 2864
Joined: February 3rd, 2009, 6:29 pm

Post Posted August 13th, 2018, 6:55 am

@TheVisitor

I can't get the test server working in Chrome even when I set the tls13-variant flag to the highest draft number.

* open chrome://flags/#tls13-variant
* set flag from default to enabled draft 28
* restart

Perhaps the test server only works with Firefox.

You could test in Chrome by going to the Cloudflare site, opening the developer tools, going to the security tab, and checking the TLS # under "Connection".

You could test in Firefox by going to the Cloudflare site, opening the page info dialog, going to the security tab, and checking the TLS # under "Technical Details".

Cloudflare - supports TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
https://www.cloudflare.com/

TLS server test (open ip address link in new tab to view summary)
http://www.ssllabs.com/ssltest/
http://www.ssllabs.com/ssltest/analyze.html?d=www.cloudflare.com

therube

Posts: 19108
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted August 13th, 2018, 8:50 am

Oh, just babbling...

Talk of "draft" version of 1.3.
Perhaps at the time, test server worked for "draft", but as time has gone on, test server now only works for final 1.3.
And perhaps FF 52... doesn't have the final 1.3 implementations, only draft?


On, https://www.ssllabs.com/ssltest/viewMyClient.html, with 1.3 enabled (security.tls.version.max;4), if you hover the Yes to TLS 1.3, in SeaMonkey 2.49.4 (& FF 52.9), it reads, "Draft 18".


https://blog.mozilla.org/security/2018/ ... fox-today/
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

morat
 
Posts: 2864
Joined: February 3rd, 2009, 6:29 pm

Post Posted August 13th, 2018, 9:20 am

I can't get TLS 1.3 to work with Firefox ESR 52.9.0. (set security.tls.version.max pref to 4)

@therube

You are correct. Firefox 52 isn't using TLS 1.3 because the app hasn't been updated to the latest draft.

Enable TLS 1.3 by default - Comment 12
http://bugzilla.mozilla.org/show_bug.cgi?id=1310516#c12

therube

Posts: 19108
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted August 13th, 2018, 5:30 pm

Heh.
On opening https://tls13.crypto.mozilla.org/ - with a capable browser, it even tells you:
NSS TLS 1.3 Demo Server (draft 28).
You've reached a demo server that's running TLS 1.3 (draft 28) using NSS.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

James
Moderator

Posts: 27406
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Post Posted August 13th, 2018, 5:38 pm

Scarlettrunner20 wrote: I know that tls 1.3 did not ship enabled by DEFAULT in Fx 52 ESR (but did in regular Fx 52).

Firefox 60 Release and 60 ESR were the first to have TLS 1.3 enabled by default, with security.tls.version.max set to 4 instead of 3 for TLS 1.2.

https://www.mozilla.org/firefox/60.0/releasenotes/
On-by-default support for draft-23 of the TLS 1.3 specification

Scarlettrunner20

Posts: 1010
Joined: February 13th, 2003, 5:06 pm

Post Posted August 13th, 2018, 5:44 pm

therube wrote: How are you determining whether it works or not?


Basilisk is my default browser but I use Fx 52.9 ESR a great deal also. I went to a site new to me on Basilisk recently and noticed to my surprise that it uses TLS 1.3. It's the first site I have been to that uses it:
https://www.caregiver.org/pilotIntegrat ... e_tid%3D70

So, I went there on all browsers including Edge and IE 11 and NONE used TLS 1.3 besides Basilisk.

I didn't know about the Mozilla test page until Morat posted about it here. I cannot reach the test page on ANY browser including Vivaldi and Basilisk (which is a bit weird but I wonder since it is forked off Fx 52 ESR if it is using an earlier draft version of TLS 1.3 and the test site wants a later version)? Fx 52.9 ESR wanted to restore my default network security settings when I tried to reach Mozilla's test site on it. I have TLS 1.3 enabled in Fx preferences so I guess it wants to reset that to TLS 1.2.

SSL Labs test for the above site says it supports TLS 1.3 draft 28.
https://www.ssllabs.com/ssltest/analyze ... d07&latest

frg
 
Posts: 626
Joined: December 15th, 2015, 1:20 pm

Post Posted August 14th, 2018, 11:59 pm

You need NSPR 4.19 and NSS 3.38. Backported it to SeaMonkey 2.53 (56) yesterday but 52 is another case. This is still on NSPR 4.13.1 and NSS 3.28.1. I had some fun upgrading 56 to 3.36 previously and 52 is much older.

I wouldn't worry too much. I think even esr-60 has no support for draft 28 yet.
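
Added example, not part of any post in this thread: a Python sketch of why a draft-18 client cannot get TLS 1.3 from a draft-28 server. Each TLS 1.3 draft is sent as its own wire version (0x7f00 | draft number), so the two sides share no 1.3 code point. The sample bytes and both server configurations are constructed assumptions, and the selection rule is simplified.

```python
import struct

# Fixed code points for final versions; TLS 1.3 drafts are sent as 0x7f00 | draft number.
FINAL = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def version_name(code):
    if code in FINAL:
        return FINAL[code]
    if code >> 8 == 0x7F:
        return "TLS 1.3 draft %d" % (code & 0xFF)
    return "unknown 0x%04x" % code


def parse_supported_versions(ext_data):
    """Decode a ClientHello supported_versions body: 1-byte list length, then 2-byte versions."""
    if len(ext_data) < 3 or ext_data[0] % 2 or ext_data[0] != len(ext_data) - 1:
        raise ValueError("malformed supported_versions list")
    return list(struct.unpack("!%dH" % (ext_data[0] // 2), ext_data[1:]))


def negotiate(client_versions, server_versions):
    """Simplified selection: first client-preferred version the server also accepts."""
    for code in client_versions:
        if code in server_versions:
            return code
    return None  # no overlap: the handshake fails


# Constructed extension body for a client like the one in the thread:
# security.tls.version.max = 4 on a draft-18 build, still offering TLS 1.0-1.2.
DRAFT18_CLIENT = bytes.fromhex("087f12030303020301")

# Hypothetical server configurations (assumptions, not measured from real hosts).
DRAFT28_ONLY = {0x7F1C}
DRAFT28_WITH_FALLBACK = {0x7F1C, 0x0303, 0x0302, 0x0301}


def outcome(ext_data, server_versions):
    chosen = negotiate(parse_supported_versions(ext_data), server_versions)
    return "handshake failure" if chosen is None else version_name(chosen)


if __name__ == "__main__":
    offered = parse_supported_versions(DRAFT18_CLIENT)
    print("client offers:", [version_name(v) for v in offered])
    print("draft-28-only server:", outcome(DRAFT18_CLIENT, DRAFT28_ONLY))
    print("draft-28 + TLS 1.2 server:", outcome(DRAFT18_CLIENT, DRAFT28_WITH_FALLBACK))
```

A server that also accepts TLS 1.2 quietly falls back, which is why checking the negotiated version in the browser's security panel is the reliable test of whether TLS 1.3 is actually in use.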
