Bug 1368599 - Disable TLS 1.3 by default for Release 55. r=keeler, a=jcristau FENNEC_55_0b14_BUILD1 FENNEC_55_0b14_RELEASE
authorEKR <ekr@rtfm.com>
Mon, 31 Jul 2017 12:29:35 -0400
changeset 619903 116b3910f1c72ae12ed330ed7942ac1afeea953e
parent 619902 255a5ed0ca253ccf92d088b9bc871df1f8735f1b
child 619904 52cefa439a7d8a6e8fd7e653050906570abed9f2
child 620303 aa08b24ffb91cbcc8ba53e9fc6b3aa3cdd7ebac1
push id71861
push userbmo:edilee@mozilla.com
push dateWed, 02 Aug 2017 20:06:54 +0000
reviewerskeeler, jcristau
bugs1368599
milestone55.0
Bug 1368599 - Disable TLS 1.3 by default for Release 55. r=keeler, a=jcristau
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/security-prefs.js
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1562,17 +1562,17 @@ void nsNSSComponent::setValidationOption
 // Enable the TLS versions given in the prefs, defaulting to TLS 1.0 (min) and
 // TLS 1.2 (max) when the prefs aren't set or set to invalid values.
 nsresult
 nsNSSComponent::setEnabledTLSVersions()
 {
   // keep these values in sync with security-prefs.js
   // 1 means TLS 1.0, 2 means TLS 1.1, etc.
   static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 1;
-  static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 4;
+  static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 3;
 
   uint32_t minFromPrefs = Preferences::GetUint("security.tls.version.min",
                                                PSM_DEFAULT_MIN_TLS_VERSION);
   uint32_t maxFromPrefs = Preferences::GetUint("security.tls.version.max",
                                                PSM_DEFAULT_MAX_TLS_VERSION);
 
   SSLVersionRange defaults = {
     SSL_LIBRARY_VERSION_3_0 + PSM_DEFAULT_MIN_TLS_VERSION,
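Review bot: The new cap `PSM_DEFAULT_MAX_TLS_VERSION = 3` is a bare number with no record of why TLS 1.3 is held back, and the same value is repeated by hand in the `security.tls.version.max` line of the security-prefs.js hunk. I would add a comment on the constant such as `// 3 = TLS 1.2; TLS 1.3 (4) is off by default for Release 55, see bug 1368599`, and a matching `// keep in sync with PSM_DEFAULT_MAX_TLS_VERSION in nsNSSComponent.cpp` above the pref, so the lowered ceiling is not carried into later releases unnoticed. Since the constant is only the fallback passed to `Preferences::GetUint`, a profile that already sets the pref to 4 presumably still offers TLS 1.3; if the intent is to turn it off for everyone, that should be stated in the bug. The body of setEnabledTLSVersions continues past the end of the hunk, so the validation of the pref values is not visible here.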
--- a/security/manager/ssl/security-prefs.js
+++ b/security/manager/ssl/security-prefs.js
@@ -1,14 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 pref("security.tls.version.min", 1);
-pref("security.tls.version.max", 4);
+pref("security.tls.version.max", 3);
 pref("security.tls.version.fallback-limit", 3);
 pref("security.tls.insecure_fallback_hosts", "");
 pref("security.tls.enable_0rtt_data", false);
 
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.enable_ocsp_stapling", true);
 pref("security.ssl.enable_false_start", true);