Consider security.tls.version.min 3 by default – for a minimum of TLS 1.2

[grahamperrin]

https://phabricator.services.mozilla.com/D45798#C1639160NL22 lines 22–26:

#ifdef RELEASE_OR_BETA
  pref("security.tls.version.min", 1);
#else
  pref("security.tls.version.min", 3);
#endif

Consider changing the default from 1 to 3 for both Waterfox Classic and Waterfox Current.

Additional considerations

Mozilla bug 1579285 - Offer to re-enable TLS 1.0 and 1.1 on TLS version failure

• RESOLVED FIXED, Firefox 71
• I should not expect a comparable offer in Waterfox Classic or Waterfox Current
• advanced users may be directed to advice on manual setting of security.tls.version.min

From #783 (comment):

… AFAIK, TLS 1.2 with a decent cipher is still considered secure, …

From https://www.fxsitecompat.dev/en-CA/versions/71/

… Firefox 71 released on December 3, 2019. …

– and:

TLS 1.0 and 1.1 are now deprecated, disabled in Nightly

– with reference to:

• Bug 1579270 - Disable TLS 1.0 and 1.1 for Nightly
• Intent to unship: TLS 1.0 and TLS 1.1
• TLS 1.0 and 1.1 Removal Update - Mozilla Hacks

---

NB this issue is not about TLS 1.3 (there was a separate issue).

[grahamperrin]

Recently released Firefox 74.0 has TLS 1.0 and 1.1 disabled by default, with an error message such as this for sites that fall below the preferred level:

[hawkeye116477]

@grahamperrin dc85e2e