Enable tls 1.3 by default #783

Closed
Techguyprivate opened this issue Nov 4, 2018 · 26 comments

Comments

@Techguyprivate
Describe the bug
TLS 1.3 final has been published. Is it possible to enable it by default in Waterfox? I have changed security.tls.version.max to 4, yet no TLS 1.3.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://www.ssllabs.com/ssltest/viewMyClient.html

Desktop (please complete the following information):

  • OS: Windows
  • Version: 56.2.5

@WagnerGMD

WagnerGMD commented Nov 4, 2018

Hello,

I believe you can close this issue, because we are already talking about it in this one (#768).

Kind regards.

PS : At least thank you @Techguyprivate for the confirmation.
Like I said (in this post), right now the current value is still 3 (instead of 4). That's why, for the moment, no, I didn't check WaterFox_v56.2.5, because I guessed it would be useless.

Another reason?

  • There is nothing (no mention) inside this article.
  • Even today, @MrAlex94 apparently is (or remains) absent, because he hasn't yet replied (the fact is: 2 weeks have already passed)...
  • The Waterfox website isn't yet updated:
## Not available: https://www.waterfoxproject.org/
## Neither there: https://www.waterfoxproject.org/en-US/waterfox/new/
## Nothing (once again): https://github.com/MrAlex94/Waterfox/releases
https://storage-waterfox.netdna-ssl.com/releases/win64/installer/Waterfox%2056.2.5%20Setup.exe

@bernhy

bernhy commented Nov 15, 2018

Hi,

Just raising security.tls.version.max to 4 will not be enough, as the NSS libs in Waterfox are way too old and only support a draft version. I updated the tree to current libs to be able to connect to TLSv1.3 final sites.
I already asked Alex to include the source, but he didn't react, so looks like he is not interested in updating.

b.

@grahamperrin

… he didn't react, …

From the postscript at https://redd.it/818z1k:

… an eye on Disqus, Reddit threads/comments, OCN and Twitter even if I don't respond directly; …

@grahamperrin

… nss libs in Waterfox are way too old …

From The Waterfox Blog | Waterfox 56.2.6 Release:

  • Updated NSS to 3.34

Also https://www.reddit.com/r/waterfox/comments/a7f5hz/-/ecj0hms/?context=1

grahamperrin@momh167-gjp4-8570p:~ % date ; uname -v
Wed Dec 26 03:11:00 GMT 2018
FreeBSD 13.0-CURRENT r342020 GENERIC 
grahamperrin@momh167-gjp4-8570p:~ % pkg query '%o %v %R' waterfox
www/waterfox 56.2.6 poudriere
grahamperrin@momh167-gjp4-8570p:~ % pkg query '%do %dv' waterfox | grep -i nss
security/nss 3.41_1
grahamperrin@momh167-gjp4-8570p:~ % 

@sergeevabc

Accessing https://tls13.crypto.mozilla.org/ is still not possible, alas.

@grahamperrin

about:config?filter=security.tls.version.max

– shows 4 for me (modified from the default 3).

That, with Waterfox 56.2.6 on FreeBSD-CURRENT, Mozilla's NSS TLS 1.3 Demo is reached; and Qualys SSL Labs - Projects / SSL Client Test uses the word experimental:

Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is recommended protocol version at the moment.
Experimental: Your user agent supports TLS 1.3.

@sergeevabc

sergeevabc commented Jan 4, 2019

Qualys SSL Client Test confirms 1.3 is supported with security.tls.version.max;4, indeed.
However Mozilla's 1.3 Demo still outputs Connection Failed: SSL_ERROR_PROTOCOL_VERSION_ALERT.
I have just tried it with a (56.2.6 x64) fresh profile on Windows 7 x64.

These tests fail as well on my end so far:

@mparnelldmp

For encrypted SNI, I think the feature will need to be ported over.

@sergeevabc

@mparnelldmp, don't bother with encrypted SNI; the 3rd column of that Cloudflare page is what's relevant.

@grahamperrin

These tests fail as well on my end so far:

I get:

An error occurred during a connection to tls13.1d.pw. SSL received a malformed Server Hello handshake message. Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO

– and (side note) the site can be blocked by Malwarebytes due to possible suspicious activity

Congratulations! You're connected using TLSv1.3!

Cipher: TLS_AES_256_GCM_SHA384

Server running OpenSSL 1.1.1 and nginx 1.14.2

Date: 2019-01-06 17:59:56 +0000
TLS Version: TLS v1.3
Cipher: TLS_AES_128_GCM_SHA256


Your Request:
GET / HTTP/1.1
Host: swifttls.org
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:56.0; Waterfox) Gecko/20100101 Firefox/56.2.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,fr;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://github.com/MrAlex94/Waterfox/issues/783
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

You are connecting with TLSv1.3.

Your browser supports TLS 1.3, which encrypts the server certificate.

@grahamperrin

In Reddit we have a report,

I checked 56.2.6 and see that TLS 1.3 (RFC8446) is not supported.

security.tls.version.max set to 4, …

Does any other user of 56.2.6 find this problem – TLS 1.3 not supported?

@magiruuvelvet

magiruuvelvet commented Jan 26, 2019

Out of interest I just tried the above Mozilla test page in the Chromium Web Engine (Vivaldi Browser and QtWebEngine via Falkon Browser); both failed with an SSL exception.

Only curl and wget were able to understand TLS 1.3.

So Firefox Quantum is the only browser that understands TLS 1.3, if I'm not wrong. 🤔

EDIT: Safari Apple WebKit also works with TLS 1.3 (GNOME Epiphany Web).


@laniakea64

Does any other user of 56.2.6 find this problem – TLS 1.3 not supported?

I also see this. I think #783 (comment) is still the case - currently Waterfox uses NSS 3.34, but full TLS 1.3 support requires at least NSS 3.39.

@tmkk

tmkk commented Jan 27, 2019

Waterfox supports TLS 1.3 draft 18 but it's too old. NSS 3.39 or later is required to support the final version of TLS 1.3 as stated above.

@grahamperrin

… NSS 3.39 or later is required to support the final version of TLS 1.3 …

Yeah, I'm still good, it seems (albeit on an unsupported OS) with a locally-built installation:

root@momh167-gjp4-8570p:~ # date ; uname -v
Sun Jan 27 09:02:00 GMT 2019
FreeBSD 13.0-CURRENT r343308 GENERIC-NODEBUG 
root@momh167-gjp4-8570p:~ # poudriere jail -i -j head | grep -i version
Jail version:      13.0-CURRENT 1300009
root@momh167-gjp4-8570p:~ # pkg query '%o %v %R' nss waterfox
security/nss 3.41.1 poudriere
www/waterfox 56.2.6 poudriere
root@momh167-gjp4-8570p:~ # pkg query '%do %dv' waterfox | grep -i nss
security/nss 3.41.1
root@momh167-gjp4-8570p:~ # 

Test pages aside … in simple terms, please, what are the possible/likely ill effects when Waterfox with inferior NSS 3.34 visits a production site that requires (or benefits from) TLS 1.3? Does anyone have an example URL handy?

TIA

@grahamperrin

https://tls13.crypto.mozilla.org/

From #783 (comment):

… Firefox Quantum … understands TLS 1.3 … Safari Apple WebKit also works with TLS 1.3 (GNOME Epiphany Web).

On FreeBSD-CURRENT I get the page OK with Firefox, surf, Waterfox and Web. No go in Chromium, Falkon, Iridium or SeaMonkey.

I might try building SeaMonkey with NSS 3.41.1, but not Chromium or Iridium (Chromium-based browsers are excruciatingly slow to build).

@grahamperrin

An error occurred during a connection to tls13.1d.pw. SSL received a malformed Server Hello handshake message. Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO

This also happens at https://tls13.1d.pw/ with Waterfox 56.2.6 using NSS 3.42.

@grahamperrin

NB

I'll update NSS in 56.3 to the latest master branch version :-)

We're at 56.2.7. Not yet 56.3.

@Lorienna

This also happens at https://tls13.1d.pw/ with Waterfox 56.2.6 using NSS 3.42.

That's because it requires bug 1430268 (see the Mozregression results below).

| Website | Pushlog | Push date | Milestone | NSS version | TLS 1.3 draft |
| --- | --- | --- | --- | --- | --- |
| https://www.cloudflare.com/ssl/encrypted-sni/ | Pushlog | Jan 2018 | 59.0a1 | 3.35 beta1 | 23 |
| https://tls13.1d.pw/ | Pushlog | Jan 2018 | 59.0a1 | 3.35 beta1 | 23 |
| https://swifttls.org/ | Pushlog | Mar 2018 | 61.0a1 | 3.37 beta c5dffd6269ea | 26 |
| https://tls.ctf.network/ | Pushlog | Apr 2018 | 61.0a1 | 3.37 beta 3e452651e282 | 28 |
| https://tls13.pinterjann.is/ and https://tls13.crypto.mozilla.org/ | Pushlog | Aug 2018 | 63.0a1 | 3.39 beta2 | RFC 8446 |
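
The version mismatch that bernhy, tmkk and the table above describe (a client whose NSS only speaks a TLS 1.3 draft, versus servers that speak the RFC 8446 version) comes down to the 2-byte codepoints carried in the supported_versions extension: every draft used 0x7f00 + draft number, the final version is 0x0304, and they never match each other. The script below is an added example written for this thread, not Waterfox or NSS code. It constructs a ClientHello (sample bytes, not a capture), parses the extension back out, and shows what a final-only server and a 1.2+1.3 server can negotiate with it. The modelled client offers are an assumption: TLS 1.0-1.2 up to the security.tls.version.max cap, plus one 1.3 codepoint when the pref is 4; that NSS 3.34 speaks draft 18 (0x7f12) and NSS 3.39+ speaks 0x0304 is taken from the comments above, not verified here. The separate SSL_ERROR_RX_MALFORMED_SERVER_HELLO failures are a ServerHello format difference and are not modelled.

```python
"""Decode a TLS ClientHello's supported_versions extension and work out
what a server can negotiate with it. Constructed example for this thread:
the ClientHello bytes are built here, not captured from Waterfox.
"""
import struct

SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 section 4.2.1

# security.tls.version.max values as used in the thread: 3 = TLS 1.2, 4 = TLS 1.3.
PREF_TO_VERSION = {1: 0x0301, 2: 0x0302, 3: 0x0303, 4: 0x0304}


def describe_version(v):
    """Readable name for a 2-byte TLS version codepoint (drafts are 0x7f00 + n)."""
    if v == 0x0304:
        return "TLS 1.3 (RFC 8446)"
    if 0x7F00 <= v <= 0x7FFF:
        return "TLS 1.3 draft %d" % (v & 0xFF)
    return {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}.get(
        v, "unknown 0x%04x" % v)


def client_versions_for_pref(max_pref, tls13_codepoint=0x7F12):
    """Model (an assumption, not a measurement) of what a Firefox-56-era client
    offers: TLS 1.0-1.2 up to the pref's cap, plus whichever 1.3 codepoint its
    NSS implements when the pref is 4. The thread reports NSS 3.34 = draft 18
    (0x7f12) and NSS 3.39+ = final (0x0304); pass the one you want to model."""
    cap = PREF_TO_VERSION[max_pref]
    versions = [v for v in (0x0303, 0x0302, 0x0301) if v <= cap]
    if cap == 0x0304:
        versions.insert(0, tls13_codepoint)
    return versions


def build_client_hello(versions):
    """Construct a minimal ClientHello record carrying supported_versions."""
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", SUPPORTED_VERSIONS, len(sv)) + sv
    body = (struct.pack("!H", 0x0303)          # legacy_version
            + b"\x00" * 32                     # random (zeros: sample data)
            + b"\x00"                          # empty legacy_session_id
            + b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def _u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]


def parse_client_hello_versions(record):
    """Return the versions a ClientHello offers, most preferred first.
    A pre-1.3 client has no supported_versions extension and advertises its
    maximum in legacy_version; that case returns a one-element list."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    legacy_version = _u16(body, 0)
    pos = 2 + 32                               # skip legacy_version and random
    pos += 1 + body[pos]                       # legacy_session_id
    pos += 2 + _u16(body, pos)                 # cipher_suites
    pos += 1 + body[pos]                       # compression_methods
    if pos == len(body):
        return [legacy_version]
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end != len(body):
        raise ValueError("extensions length mismatch")
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == SUPPORTED_VERSIONS:
            if len(data) != 1 + data[0] or data[0] % 2:
                raise ValueError("malformed supported_versions")
            return [_u16(data, i) for i in range(1, len(data), 2)]
    return [legacy_version]


def negotiate(client_versions, server_versions):
    """Highest version both sides share, or None (server sends a protocol_version alert)."""
    common = set(client_versions) & set(server_versions)
    if not common:
        return None
    # final 1.3 outranks any draft; drafts outrank 1.2 and below
    return max(common, key=lambda v: (v == 0x0304, 0x7F00 <= v <= 0x7FFF, v))


if __name__ == "__main__":
    servers = {"1.3-only server": [0x0304], "1.2+1.3 server": [0x0304, 0x0303]}
    for label, cp in (("NSS 3.34-style client", 0x7F12), ("NSS 3.39+ client", 0x0304)):
        offered = parse_client_hello_versions(build_client_hello(client_versions_for_pref(4, cp)))
        print(label, "offers", [describe_version(v) for v in offered])
        for name, sv in servers.items():
            chosen = negotiate(offered, sv)
            print("   vs", name, "->", describe_version(chosen) if chosen else "protocol_version alert")
```

Run stand-alone, the draft-18 client falls back to TLS 1.2 against a server that still offers 1.2 (which is why Qualys reports 1.3 as supported yet ordinary sites keep working), and gets a protocol_version alert from a 1.3-only server; the 0x0304 client negotiates 1.3 with both.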

@sheddup

sheddup commented Apr 30, 2019

I noticed that if I set security.tls.version.min to 4 and then check for updates, the browser will crash (Win10 x64).

@grahamperrin

@sheddup can you raise a separate issue for that? Thanks.

@WagnerGMD

Hi,

thank you for the explanation @bernhy, and sorry for my late reply (I had forgotten, and I was absent for a long time).

@MrAlex94
Collaborator

MrAlex94 commented Jun 6, 2019

TLS 1.3 will remain disabled by default for v56. v68 has it enabled by default. AFAIK, TLS 1.2 with a decent cipher is still considered secure, there's no point forcing early adoption of a critical piece of software that needs careful implementation.

@Ketchup901

@MrAlex94 We can't control what TLS version sites decide to force. What reason is there not to implement TLS 1.3 in Waterfox?

@hawkeye116477
Contributor

@Techguyprivate After 2 years, your dream has come true 😄
