Can tls 1.3 be enabled in Fx 52.9 ESR?

Scarlettrunner20
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Post by Scarlettrunner20 »

I know that tls 1.3 did not ship enabled by DEFAULT in Fx 52 ESR (but did in regular Fx 52).

I have enabled it in preferences on Fx 52.9 ESR. It does not work. It seems to me that it should work if the user enables it. I plan to use Fx 52.9 ESR for some time after it goes unsupported and it would be nice if I did not have to switch to Basilisk to get tls 1.3.

Any comments on how to get it to work?
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by therube »

How are you determining whether it works or not?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
morat
Posts: 6403
Joined: February 3rd, 2009, 6:29 pm

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by morat »

Mozilla has a test server for TLS 1.3 testing.

More info: http://forums.mozillazine.org/viewtopic ... #p14806185
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by TheVisitor »

morat wrote:
> Mozilla has a test server for TLS 1.3 testing.
>
> More info: http://forums.mozillazine.org/viewtopic ... #p14806185

Interesting.... Edge, Chrome and IE11 all report 'cannot establish secure connection'
YET Latest Nightly shows that I have reached the demo test page.... ??? Why, if it's unsecure would latest Firefox still be allowing connections ?

Admittedly I don't know much about TLS security.
morat
Posts: 6403
Joined: February 3rd, 2009, 6:29 pm

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by morat »

@TheVisitor

I can't get the test server working in Chrome even when I set the tls13-variant flag to the highest draft number.

* open chrome://flags/#tls13-variant
* set flag from default to enabled draft 28
* restart

Perhaps the test server only works with Firefox.

You could test in Chrome by going to the Cloudflare site, opening the developer tools, going to the security tab, and checking the TLS # under "Connection".

You could test in Firefox by going to the Cloudflare site, opening the page info dialog, going to the security tab, and checking the TLS # under "Technical Details".

Cloudflare - supports TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
https://www.cloudflare.com/

TLS server test (open ip address link in new tab to view summary)
http://www.ssllabs.com/ssltest/
http://www.ssllabs.com/ssltest/analyze. ... dflare.com
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by therube »

Oh, just babbling...

Talk of "draft" version of 1.3.
Perhaps at the time, test server worked for "draft", but as time has gone on, test server now only works for final 1.3.
And perhaps FF 52... doesn't have the final 1.3 implementations, only draft?


On, https://www.ssllabs.com/ssltest/viewMyClient.html, with 1.3 enabled (security.tls.version.max;4), if you hover the Yes to TLS 1.3, in SeaMonkey 2.49.4 (& FF 52.9), it reads, "Draft 18".


https://blog.mozilla.org/security/2018/ ... fox-today/
morat
Posts: 6403
Joined: February 3rd, 2009, 6:29 pm

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by morat »

I can't get TLS 1.3 to work with Firefox ESR 52.9.0. (set security.tls.version.max pref to 4)

@therube

You are correct. Firefox 52 isn't using TLS 1.3 because the app hasn't been updated to the latest draft.

Enable TLS 1.3 by default - Comment 12
http://bugzilla.mozilla.org/show_bug.cgi?id=1310516#c12
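
Added example, not part of the original thread: a simplified Python model of TLS version selection through the `supported_versions` extension, showing why a client that only speaks draft 18 (what SSL Labs reported for Fx 52.9 above) cannot reach a draft-28 server. The offered version lists, and the assumption that the demo server accepts only draft 28, are constructed for illustration.

```python
import struct

# TLS 1.3 drafts are advertised as 0x7f00 | draft number; final TLS 1.3 is 0x0304.
NAMES = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}

def version_name(v):
    if v is None:
        return "no common version (handshake fails)"
    if v >> 8 == 0x7F:
        return "TLS 1.3 draft %d" % (v & 0xFF)
    return NAMES.get(v, "unknown 0x%04x" % v)

def build_supported_versions(versions):
    """Encode a ClientHello supported_versions body: 1-byte length, then 2-byte versions."""
    body = b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!B", len(body)) + body

def parse_supported_versions(data):
    """Decode the body, rejecting truncated or odd-length lists."""
    if not data or data[0] < 2 or data[0] % 2 or len(data) != data[0] + 1:
        raise ValueError("malformed supported_versions")
    return [struct.unpack_from("!H", data, 1 + i)[0] for i in range(0, data[0], 2)]

def negotiate(client_ext, server_versions):
    """Simplified model: server picks its most-preferred version the client offered."""
    offered = set(parse_supported_versions(client_ext))
    return next((v for v in server_versions if v in offered), None)

# Constructed sample inputs (assumptions, not captured traffic).
OLDER = [0x0303, 0x0302, 0x0301]
FX52_MAX4 = build_supported_versions([0x7F12] + OLDER)   # draft 18, per the SSL Labs client test
DRAFT28_CLIENT = build_supported_versions([0x7F1C] + OLDER)
DEMO_SERVER = [0x7F1C]            # assumed: accepts draft 28 only
MIXED_SERVER = [0x7F1C] + OLDER   # assumed: draft 28 plus TLS 1.0-1.2

if __name__ == "__main__":
    for label, ext in (("Fx 52.9 ESR", FX52_MAX4), ("draft-28 client", DRAFT28_CLIENT)):
        for sname, srv in (("demo server", DEMO_SERVER), ("mixed server", MIXED_SERVER)):
            print(label, "->", sname + ":", version_name(negotiate(ext, srv)))
```

In this model the draft-18 client fails outright against the draft-28-only server and drops to TLS 1.2 against a server that also offers older versions, which matches the behaviour reported in the thread.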
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by therube »

Heh.
On opening https://tls13.crypto.mozilla.org/ - with a capable browser, it even tells you:
NSS TLS 1.3 Demo Server (draft 28).
You've reached a demo server that's running TLS 1.3 (draft 28) using NSS.
James
Moderator
Posts: 27999
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by James »

Scarlettrunner20 wrote:
> I know that tls 1.3 did not ship enabled by DEFAULT in Fx 52 ESR (but did in regular Fx 52).

Firefox 60 Release and 60 ESR were the first to have TLS 1.3 enabled by default with security.tls.version.max set to 4 instead of 3 for TLS 1.2.

https://www.mozilla.org/firefox/60.0/releasenotes/
On-by-default support for draft-23 of the TLS 1.3 specification
Scarlettrunner20
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by Scarlettrunner20 »

therube wrote:
> How are you determining whether it works or not?

Basilisk is my default browser but I use Fx 52.9 ESR a great deal also. I went to a site new to me on Basilisk recently and noticed to my surprise that it uses TLS 1.3. It's the first site I have been to that uses it:
https://www.caregiver.org/pilotIntegrat ... e_tid%3D70

So, I went there on all browsers including Edge and IE 11 and NONE used TLS 1.3 besides Basilisk.

I didn't know about the Mozilla test page until Morat posted about it here. I cannot reach the test page on ANY browser including Vivaldi and Basilisk (which is a bit weird but I wonder since it is forked off Fx 52 ESR if it is using an earlier draft version of TLS 1.3 and the test site wants a later version)? Fx 52.9ESR wanted to restore my default network security settings when I tried to reach Mozilla's test site on it. I have TLS 1.3 enabled in Fx preferences so I guess it wants to reset that to TLS 1.2.

SSL Labs test for the above site says it supports TLS 1.3 draft 28.
https://www.ssllabs.com/ssltest/analyze ... d07&latest
frg
Posts: 1361
Joined: December 15th, 2015, 1:20 pm

Re: Can tls 1.3 be enabled in Fx 52.9 ESR?

Post by frg »

You need NSPR 4.19 and NSS 3.38. Backported it to SeaMonkey 2.53 (56) yesterday but 52 is another case. This is still on NSPR 4.13.1 and NSS 3.28.1. I had some fun upgrading 56 to 3.36 previously and 52 is much older.

I wouldn't worry too much. I think even esr-60 has no support for draft 28 yet.