Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1431316 - TLSv1.3: security.tls.version.max = 4 has no effect
Summary: TLSv1.3: security.tls.version.max = 4 has no effect
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 25
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1415140 1432889
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-11 07:24 UTC by hostmaster
Modified: 2017-05-29 14:25 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-29 14:25:03 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description hostmaster 2017-03-11 07:24:20 UTC 
Description of problem:
Fedora 25 x86_64 build of Firefox 52 has broken TLSv1.3 support, security.tls.version.max = 4 has no effect.

Version-Release number of selected component (if applicable):
firefox-52.0-1.fc25.x86_64

Steps to Reproduce:
1. mv .mozilla .mozilla.OK (so Firefox starts with defaults and no plugins)
2. Set security.tls.version.max to 4 in about:config
3. Restart Firefox 52
4. Verify that security.tls.version.max is really 4
5. Open webpage with TLSv1.3 support (e,g, https://www.cloudflare.com/ or https://test.felsing.net)

Actual results:
Fedora 25 Firefox negotiates to TLSv1.2, only even if web site supports TLSv1.3. 
Original Mozilla Firefox binaries negotiates TLSv1.3.

Expected results:
Fedora 25 Firefox 52 should behave like Original Mozilla Firefox 52 and should negotiate to TLSv1.3 if security.tls.version.max is 4 and remote supports TLSv1.3.

Additional info:

build information of firefox-52.0-1.fc25.x86_64

about:buildconfig
Build platform
target
x86_64-unknown-linux-gnu
Build tools
Compiler 	Version 	Compiler flags
/usr/bin/gcc -std=gnu99 	6.3.1 	-Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -O2 -g -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wformat-security -Wformat -Werror=format-security -fno-delete-null-pointer-checks -fPIC -Wl,-z,relro -Wl,-z,now -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
/usr/bin/g++ -std=gnu++11 	6.3.1 	-Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++14-compat -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -O2 -g -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wformat-security -Wformat -Werror=format-security -fno-delete-null-pointer-checks -fPIC -Wl,-z,relro -Wl,-z,now -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -freorder-blocks -Os -fomit-frame-pointer
Configure options

--enable-application=browser --disable-tests --enable-rust --enable-system-ffi --enable-default-toolkit=cairo-gtk3 --with-mozilla-api-keyfile=../mozilla-api-key MAKE=make --enable-system-hunspell --enable-gio --enable-necko-wifi --enable-official-branding --enable-optimize --enable-pie --enable-pulseaudio --enable-release --enable-startup-notification --disable-strip --disable-system-cairo --disable-system-sqlite --disable-updater --enable-url-classifier --libdir=/usr/lib64 --prefix=/usr --with-pthreads --with-system-bz2 --without-system-icu --with-system-jpeg --with-system-libvpx --with-system-nspr --with-system-nss --with-system-zlib
Comment 1 Martin Stransky 2017-03-13 10:16:42 UTC 
Kai, could you please look at it? Thanks!
Comment 2 Kai Engert (:kaie) (inactive account) 2017-03-13 10:25:52 UTC 
NSS in Fedora has TLS 1.3 intentionally disabled.

Because some application other than Firefox have experienced issues with TLS 1.3 enabled, we're waiting for compatibility fixes, prior to enabling it.
Comment 3 Christian Stadelmann 2017-03-25 12:34:15 UTC 
See also: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/44O6EYI3GW7HSUU6YXLKIYGXZ5REM2KW/
Comment 4 Christian Stadelmann 2017-05-28 13:47:22 UTC 
Tested with https://www.ssllabs.com/ssltest/viewMyClient.html, this issue is now gone, at least on Fedora 26. Please close the bug report.
Note You need to log in before you can comment on or make changes to this bug.