Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1431316

Summary: TLSv1.3: security.tls.version.max = 4 has no effect
Product: [Fedora] Fedora Reporter: hostmaster
Component: firefoxAssignee: Martin Stransky <stransky>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 25CC: dueno, fedora, gecko-bugs-nobody, hkario, hostmaster, jhorak, kengert, pjasicek, stransky
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-29 14:25:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1415140, 1432889    
Bug Blocks:    

Description hostmaster 2017-03-11 07:24:20 UTC 
Description of problem:
Fedora 25 x86_64 build of Firefox 52 has broken TLSv1.3 support, security.tls.version.max = 4 has no effect.

Version-Release number of selected component (if applicable):
firefox-52.0-1.fc25.x86_64

Steps to Reproduce:
1. mv .mozilla .mozilla.OK (so Firefox starts with defaults and no plugins)
2. Set security.tls.version.max to 4 in about:config
3. Restart Firefox 52
4. Verify that security.tls.version.max is really 4
5. Open webpage with TLSv1.3 support (e,g, https://www.cloudflare.com/ or https://test.felsing.net)

Actual results:
Fedora 25 Firefox negotiates to TLSv1.2, only even if web site supports TLSv1.3. 
Original Mozilla Firefox binaries negotiates TLSv1.3.

Expected results:
Fedora 25 Firefox 52 should behave like Original Mozilla Firefox 52 and should negotiate to TLSv1.3 if security.tls.version.max is 4 and remote supports TLSv1.3.

Additional info:

build information of firefox-52.0-1.fc25.x86_64

about:buildconfig
Build platform
target
x86_64-unknown-linux-gnu
Build tools
Compiler 	Version 	Compiler flags
/usr/bin/gcc -std=gnu99 	6.3.1 	-Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -O2 -g -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wformat-security -Wformat -Werror=format-security -fno-delete-null-pointer-checks -fPIC -Wl,-z,relro -Wl,-z,now -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
/usr/bin/g++ -std=gnu++11 	6.3.1 	-Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++14-compat -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -O2 -g -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wformat-security -Wformat -Werror=format-security -fno-delete-null-pointer-checks -fPIC -Wl,-z,relro -Wl,-z,now -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -freorder-blocks -Os -fomit-frame-pointer
Configure options

--enable-application=browser --disable-tests --enable-rust --enable-system-ffi --enable-default-toolkit=cairo-gtk3 --with-mozilla-api-keyfile=../mozilla-api-key MAKE=make --enable-system-hunspell --enable-gio --enable-necko-wifi --enable-official-branding --enable-optimize --enable-pie --enable-pulseaudio --enable-release --enable-startup-notification --disable-strip --disable-system-cairo --disable-system-sqlite --disable-updater --enable-url-classifier --libdir=/usr/lib64 --prefix=/usr --with-pthreads --with-system-bz2 --without-system-icu --with-system-jpeg --with-system-libvpx --with-system-nspr --with-system-nss --with-system-zlib
Comment 1 Martin Stransky 2017-03-13 10:16:42 UTC 
Kai, could you please look at it? Thanks!
Comment 2 Kai Engert (:kaie) (inactive account) 2017-03-13 10:25:52 UTC 
NSS in Fedora has TLS 1.3 intentionally disabled.

Because some application other than Firefox have experienced issues with TLS 1.3 enabled, we're waiting for compatibility fixes, prior to enabling it.
Comment 3 Christian Stadelmann 2017-03-25 12:34:15 UTC 
See also: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/44O6EYI3GW7HSUU6YXLKIYGXZ5REM2KW/
Comment 4 Christian Stadelmann 2017-05-28 13:47:22 UTC 
Tested with https://www.ssllabs.com/ssltest/viewMyClient.html, this issue is now gone, at least on Fedora 26. Please close the bug report.