Security.tls.version.*: Difference between revisions

From MozillaZine Knowledge Base
(→UI: expanded descriptions and added Thunderbird)
m (→Possible values and their effects: emphasize pref names better)

Revision as of 14:57, 29 May 2013

Background

The Secure Sockets Layer protocol (SSL) and its successor, the Transport Layer Security protocol (TLS), define how a browser or e-mail client communicates with a server over an encrypted connection or data stream. There are several versions of this protocol; TLS can be thought of as the continuation of SSL under a new numbering scheme. The client software and the server have to agree on a version, so both sides must support at least one common version.

SSL 3.0 is currently the lowest accepted protocol version and TLS 1.2 the highest defined, but Mozilla applications at this time support only SSL 3.0, TLS 1.0 (the equivalent of a hypothetical SSL 3.1), and TLS 1.1. Some institutions prohibit the use of SSL 3.0 due to security concerns, so it has to be disabled. TLS 1.1 is not yet widely supported by servers and still needs finalization of some components in the Mozilla backend, so SSL 3.0 and TLS 1.0 are currently the versions enabled by default.

You can disable SSL 3.0 or enable TLS 1.1 with these preferences, or enforce the use of one specific protocol version. When a secure connection is initiated, the highest selected version (maximum supported protocol) is attempted first. If the server does not indicate support for it or the attempt fails, the next lower version is attempted, and so on until the lowest allowed version (minimum required protocol) is reached (see however Caveats for TLS 1.1 fallback handling). If that fails as well, the connection fails with an error.

Possible values and their effects

Both security.tls.version.min and security.tls.version.max can currently range from 0 to 2, which will be extended once further protocol versions are supported (i.e., TLS 1.2 support will be indicated by a preference value of 3). Together, the two preferences specify the range of protocols which are supported:

  • security.tls.version.min specifies the minimum required protocol version (thus, the lowest version allowed to fall back to when higher versions are not available).
  • security.tls.version.max specifies the maximum supported protocol version (thus, the highest version to initiate a connection with before falling back to lower versions).

If security.tls.version.min and security.tls.version.max are equal, only one protocol version will be supported. The behavior is undefined if security.tls.version.min is larger than the security.tls.version.max value.

Value and effect:

  • 0: SSL 3.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the minimum required version.)
  • 1: TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
  • 2: TLS 1.1 is the minimum required / maximum supported encryption protocol.

Caveats

  • These preferences replace the deprecated security.enable_ssl3 and security.enable_tls boolean settings. Upon upgrade, the old preferences are not automatically migrated. Instead, the user has to reinstate any limitations such as prohibiting fallback to SSL 3.0 (in this case by setting security.tls.version.min to 1, indicating TLS 1.0 being the minimum required protocol).
  • It is not possible to skip intermediate protocols. For example, supporting SSL 3.0 and TLS 1.1 implies that TLS 1.0 is supported as well.
  • There is currently no fallback from TLS 1.1 to earlier protocols. Thus, selecting security.tls.version.max = 2 for TLS 1.1 support results in the connection failing when the server connected to doesn't support TLS 1.1. Once the fallback is implemented, the default for the maximum supported version is expected to be changed to 2.
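The following is an added example, not code from MozillaZine or Mozilla: a small JavaScript model of the preference semantics described in the Possible values and Caveats sections. It maps a (min, max) pair to the accepted versions (no skipping of intermediate versions, min > max treated as invalid), renders the corresponding user.js lines, and simulates the top-down fallback from Background, including the caveat that a maximum of 2 (TLS 1.1) does not fall back in the builds this article covers. The server capability sets passed to negotiate() are constructed sample inputs, and the tls11Fallback switch is an assumption used to show what changes once the fallback lands.

```javascript
// Added example (not MozillaZine / Mozilla code). Models the documented
// semantics of security.tls.version.min / security.tls.version.max for the
// value range 0..2 described in the article (SSL 3.0, TLS 1.0, TLS 1.1).

const PROTOCOL_NAMES = ["SSL 3.0", "TLS 1.0", "TLS 1.1"];

// Map a (min, max) preference pair to the protocol versions the client will
// accept. Intermediate versions cannot be skipped, so the result is the whole
// closed interval. Returns null for values outside the documented range or for
// min > max, which the article declares undefined behaviour.
function allowedProtocols(min, max) {
  if (!Number.isInteger(min) || !Number.isInteger(max)) return null;
  if (min < 0 || max >= PROTOCOL_NAMES.length || min > max) return null;
  const names = [];
  for (let v = min; v <= max; v++) names.push(PROTOCOL_NAMES[v]);
  return names;
}

// Render user.js lines for a chosen range, e.g. (1, 1) to enforce TLS 1.0 only
// or (1, 2) to prohibit the SSL 3.0 fallback the Caveats section mentions.
function userJsLines(min, max) {
  if (allowedProtocols(min, max) === null) {
    throw new RangeError(`invalid range ${min}..${max}`);
  }
  return [
    `user_pref("security.tls.version.min", ${min});`,
    `user_pref("security.tls.version.max", ${max});`,
  ];
}

// Simulate the negotiation described under Background: try max first and step
// down to min. serverVersions is the (constructed) set of versions the server
// accepts. Returns the chosen version, or null when the connection fails.
// tls11Fallback is an assumption: false reproduces the 2013 caveat that a max
// of 2 fails outright unless the server speaks TLS 1.1; true shows the
// behaviour once fallback from TLS 1.1 is implemented.
function negotiate(min, max, serverVersions, { tls11Fallback = false } = {}) {
  if (allowedProtocols(min, max) === null) return null;
  const server = new Set(serverVersions);
  for (let v = max; v >= min; v--) {
    if (server.has(v)) return v;
    if (v === 2 && !tls11Fallback) return null; // no fallback from TLS 1.1
  }
  return null; // nothing in common: the connection fails with an error
}

// Worked cases from the article (server capabilities are constructed samples).
console.log(allowedProtocols(0, 1)); // current defaults: SSL 3.0 and TLS 1.0
console.log(allowedProtocols(1, 1)); // single version: TLS 1.0 only
console.log(allowedProtocols(2, 1)); // min > max: null (undefined behaviour)
console.log(userJsLines(1, 1));      // enforce TLS 1.0
console.log(negotiate(0, 1, [0, 1])); // TLS 1.0 is tried first and accepted
console.log(negotiate(1, 1, [0]));    // SSL 3.0-only server: connection fails
console.log(negotiate(0, 2, [0, 1])); // caveat: no fallback from TLS 1.1, fails
console.log(negotiate(0, 2, [0, 1], { tls11Fallback: true })); // falls back to TLS 1.0
```

The last two calls are the practical point of the caveat: raising security.tls.version.max to 2 on the builds covered here turns a server that only speaks TLS 1.0 from a working connection into a failed one, which is why the default maximum stays at 1 until the fallback is implemented.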

UI

Mozilla Firefox

The UI for selecting the required range of encryption protocols has been removed in Firefox 23.0 and later, thus you'll need to change them in about:config.

SeaMonkey

SeaMonkey continues to provide a UI in the Edit → Preferences → Privacy & Security → SSL tab. With version 2.20, a third box for TLS 1.1 has been added, and the logic disallows selection of protocol combinations not supported by these preferences. (There is a forum thread discussing the UI variants.)

Thunderbird

Thunderbird doesn't offer any UI for these options, thus you'll have to use the Config Editor to change them.

First checked in

2013-04-12 by Brian Smith

Has an effect in

  • Firefox and Thunderbird (nightly trunk builds since 2013-04-13; 23.0a1 and later)
  • SeaMonkey (nightly trunk builds since 2013-04-13; 2.20a1 and later)
