I know that tls 1.3 did not ship enabled by DEFAULT in Fx 52 ESR (but did in regular Fx 52).
I have enabled it in preferences on Fx 52.9 ESR. It does not work. It seems to me that it should work if the user enables it. I plan to use Fx 52.9 ESR for some time after it goes unsupported and it would be nice if I did not have switch to Basilisk to get tls 1.3.
Any comments on how to get it to work?
Can tls 1.3 be enabled in Fx 52.9 ESR?
- Scarlettrunner20
- Posts: 1016
- Joined: February 13th, 2003, 5:06 pm
- therube
- Posts: 21699
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
How are you determining whether it works or not?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
-
- Posts: 6403
- Joined: February 3rd, 2009, 6:29 pm
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
Mozilla has a test server for TLS 1.3 testing.
More info: http://forums.mozillazine.org/viewtopic ... #p14806185
More info: http://forums.mozillazine.org/viewtopic ... #p14806185
-
- Posts: 5469
- Joined: May 13th, 2012, 10:43 am
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
Interesting.... Edge, Chrome and IE11 all report 'cannot establish secure connection'morat wrote:Mozilla has a test server for TLS 1.3 testing.
More info: http://forums.mozillazine.org/viewtopic ... #p14806185
YET Latest Nighly shows that I have reached the demo test page.... ??? Why, if its unsecure would latest Firefox still be allowing connections ?
Admittedly I don't know much about TLS security.
-
- Posts: 6403
- Joined: February 3rd, 2009, 6:29 pm
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
@TheVisitor
I can't get the test server working in Chrome even when I set the tls13-variant flag to the highest draft number.
* open chrome://flags/#tls13-variant
* set flag from default to enabled draft 28
* restart
Perhaps the test server only works with Firefox.
You could test in Chrome by going to the Cloudflare site, opening the developer tools, going to the security tab, and checking the TLS # under "Connection".
You could test in Firefox by going to the Cloudflare site, opening the page info dialog, going to the security tab, and checking the TLS # under "Technical Details".
Cloudflare - supports TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
https://www.cloudflare.com/
TLS server test (open ip address link in new tab to view summary)
http://www.ssllabs.com/ssltest/
http://www.ssllabs.com/ssltest/analyze. ... dflare.com
I can't get the test server working in Chrome even when I set the tls13-variant flag to the highest draft number.
* open chrome://flags/#tls13-variant
* set flag from default to enabled draft 28
* restart
Perhaps the test server only works with Firefox.
You could test in Chrome by going to the Cloudflare site, opening the developer tools, going to the security tab, and checking the TLS # under "Connection".
You could test in Firefox by going to the Cloudflare site, opening the page info dialog, going to the security tab, and checking the TLS # under "Technical Details".
Cloudflare - supports TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
https://www.cloudflare.com/
TLS server test (open ip address link in new tab to view summary)
http://www.ssllabs.com/ssltest/
http://www.ssllabs.com/ssltest/analyze. ... dflare.com
- therube
- Posts: 21699
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
Oh, just babbling...
Talk of "draft" version of 1.3.
Perhaps at the time, test server worked for "draft", but as time has gone on, test server now only works for final 1.3.
And perhaps FF 52... doesn't have the final 1.3 implementations, only draft?
On, https://www.ssllabs.com/ssltest/viewMyClient.html, with 1.3 enabled (security.tls.version.max;4), if you hover the Yes to TLS 1.3, in SeaMonkey 2.49.4 (& FF 52.9), it reads, "Draft 18".
https://blog.mozilla.org/security/2018/ ... fox-today/
Talk of "draft" version of 1.3.
Perhaps at the time, test server worked for "draft", but as time has gone on, test server now only works for final 1.3.
And perhaps FF 52... doesn't have the final 1.3 implementations, only draft?
On, https://www.ssllabs.com/ssltest/viewMyClient.html, with 1.3 enabled (security.tls.version.max;4), if you hover the Yes to TLS 1.3, in SeaMonkey 2.49.4 (& FF 52.9), it reads, "Draft 18".
https://blog.mozilla.org/security/2018/ ... fox-today/
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
-
- Posts: 6403
- Joined: February 3rd, 2009, 6:29 pm
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
I can't get TLS 1.3 to work with Firefox ESR 52.9.0. (set security.tls.version.max pref to 4)
@therube
You are correct. Firefox 52 isn't using TLS 1.3 because the app hasn't been updated to the latest draft.
Enable TLS 1.3 by default - Comment 12
http://bugzilla.mozilla.org/show_bug.cgi?id=1310516#c12
@therube
You are correct. Firefox 52 isn't using TLS 1.3 because the app hasn't been updated to the latest draft.
Enable TLS 1.3 by default - Comment 12
http://bugzilla.mozilla.org/show_bug.cgi?id=1310516#c12
- therube
- Posts: 21699
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
Heh.
On opening https://tls13.crypto.mozilla.org/ - with a capable browser, it even tells you:
On opening https://tls13.crypto.mozilla.org/ - with a capable browser, it even tells you:
NSS TLS 1.3 Demo Server (draft 28).
You've reached a demo server that's running TLS 1.3 (draft 28) using NSS.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- James
- Moderator
- Posts: 27999
- Joined: June 18th, 2003, 3:07 pm
- Location: Made in Canada
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
Firefox 60 Release and 60 ESR was the first to have TLS 1.3 enabled by default with security.tls.version.max set to 4 instead of 3 for TLS 1.2.Scarlettrunner20 wrote:I know that tls 1.3 did not ship enabled by DEFAULT in Fx 52 ESR (but did in regular Fx 52).
https://www.mozilla.org/firefox/60.0/releasenotes/
On-by-default support for draft-23 of the TLS 1.3 specification
- Scarlettrunner20
- Posts: 1016
- Joined: February 13th, 2003, 5:06 pm
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
Basilisk is my default browser but I use Fx 52.9 ESR a great deal also. I went to a site new to me on Basilisk recently and noticed to my surprise that it uses TLS 1.3. It's the first site I have been to that uses it:therube wrote:How are you determining whether it works or not?
https://www.caregiver.org/pilotIntegrat ... e_tid%3D70
So, I went there on all browsers including Edge and IE 11 and NONE used TLS 1.3 besides Basilisk.
I didn't know about the Mozilla test page until Morat posted about it here. I cannot reach the test page on ANY browser including Vivalidi and Basilisk (which is a bit weird but I wonder since it is forked off Fx 52 ESR if it is using an earlier draft version of TLS 1.3 and the test site wants a later version)? Fx 52.9ESR wanted to restore my default network security settings when I tried to reach Mozilla's test site on it. I have TLS 1.3 enabled in Fx preferences so I guess it wants to reset that to TLS 1.2.
SSLabs test for the above site says it supports TLS 1.3 draft 28.
https://www.ssllabs.com/ssltest/analyze ... d07&latest
-
- Posts: 1361
- Joined: December 15th, 2015, 1:20 pm
Re: Can tls 1.3 be enabled in Fx 52.9 ESR?
You need NSPR 4.19 and NSS 3.38. Backported it to SeaMonkey 2.53 (56) yesterday but 52 is another case This is still on nspr 4.13.1 and nss 3.28.1 . I had some fun upgrading 56 to 3.36 previously and 52 is much older.
I wouldn't worry too much. I think even esr-60 has no support for draft 28 yet.
I wouldn't worry too much. I think even esr-60 has no support for draft 28 yet.