Enable tls 1.3 by default #783

Open
Techguyprivate opened this Issue Nov 4, 2018 · 20 comments

Techguyprivate commented Nov 4, 2018

Describe the bug
TLS 1.3 final has been published. Is it possible to enable it by default in Waterfox? I have changed security.tls.version.max to 4, yet no TLS 1.3.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://www.ssllabs.com/ssltest/viewMyClient.html

Desktop (please complete the following information):

  • OS: Windows
  • Version 56.2.5
WagnerGMD commented Nov 4, 2018

Hello,

I believe you can close this issue, because we are already talking about it in this one (n°768).

Kind regards.

PS: At least, thank you @Techguyprivate for the confirmation.
Like I said (in this post), right now the current value is still 3 (instead of 4). That's why, for the moment, no, I didn't check WaterFox_v56.2.5, because I had guessed it would be useless.

Another reason?

  • There is nothing (no mention) inside this article.
  • Even today, @MrAlex94 apparently is (or remains) absent because he hasn't yet replied (the fact is: 2 weeks have already passed)...
  • The WaterFox website isn't yet updated:
## Not available: https://www.waterfoxproject.org/
## Neither there: https://www.waterfoxproject.org/en-US/waterfox/new/
## Nothing (once again): https://github.com/MrAlex94/Waterfox/releases
https://storage-waterfox.netdna-ssl.com/releases/win64/installer/Waterfox%2056.2.5%20Setup.exe
bernhy commented Nov 15, 2018

Hi,

just raising security.tls.version.max to 4 will not be enough, as the NSS libs in Waterfox are way too old and only support a draft version. I updated the tree to current libs to be able to connect to TLSv1.3 final sites.
I already asked Alex to include the source, but he didn't react, so it looks like he is not interested in updating.

b.

grahamperrin commented Nov 16, 2018

… he didn't react, …

From the postscript at https://redd.it/818z1k:

… an eye on Disqus, Reddit threads/comments, OCN and Twitter even if I don't respond directly; …

grahamperrin commented Dec 26, 2018

… nss libs in Waterfox are way too old …

From The Waterfox Blog | Waterfox 56.2.6 Release:

  • Updated NSS to 3.34

Also https://www.reddit.com/r/waterfox/comments/a7f5hz/-/ecj0hms/?context=1

grahamperrin@momh167-gjp4-8570p:~ % date ; uname -v
Wed Dec 26 03:11:00 GMT 2018
FreeBSD 13.0-CURRENT r342020 GENERIC 
grahamperrin@momh167-gjp4-8570p:~ % pkg query '%o %v %R' waterfox
www/waterfox 56.2.6 poudriere
grahamperrin@momh167-gjp4-8570p:~ % pkg query '%do %dv' waterfox | grep -i nss
security/nss 3.41_1
grahamperrin@momh167-gjp4-8570p:~ % 
sergeevabc commented Jan 4, 2019

Accessing https://tls13.crypto.mozilla.org/ is still not possible, alas.

grahamperrin commented Jan 4, 2019

about:config?filter=security.tls.version.max

– shows 4 for me (modified from the default 3).

With that, using Waterfox 56.2.6 on FreeBSD-CURRENT, Mozilla's NSS TLS 1.3 Demo is reached; and Qualys SSL Labs - Projects / SSL Client Test uses the word experimental:

Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is recommended protocol version at the moment.
Experimental: Your user agent supports TLS 1.3.

sergeevabc commented Jan 4, 2019

Qualys SSL Client Test confirms 1.3 is supported with security.tls.version.max;4, indeed.
However Mozilla's 1.3 Demo still outputs Connection Failed: SSL_ERROR_PROTOCOL_VERSION_ALERT.
I have just tried it with a (56.2.6 x64) fresh profile on Windows 7 x64.

These tests fail as well on my end so far:

mparnelldmp commented Jan 4, 2019

For encrypted SNI, I think the feature will need to be ported over.

sergeevabc commented Jan 4, 2019

@mparnelldmp, don't bother with encrypted SNI; the 3rd column of that Cloudflare page is what's relevant.

grahamperrin commented Jan 6, 2019

These tests fail as well on my end so far:

I get:

An error occurred during a connection to tls13.1d.pw. SSL received a malformed Server Hello handshake message. Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO

– and (side note) the site can be blocked by Malwarebytes due to possible suspicious activity

Congratulations! You're connected using TLSv1.3!

Cipher: TLS_AES_256_GCM_SHA384

Server running OpenSSL 1.1.1 and nginx 1.14.2

Date: 2019-01-06 17:59:56 +0000
TLS Version: TLS v1.3
Cipher: TLS_AES_128_GCM_SHA256

Your Request:
GET / HTTP/1.1
Host: swifttls.org
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:56.0; Waterfox) Gecko/20100101 Firefox/56.2.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en-US;q=0.8,en;q=0.5,fr;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://github.com/MrAlex94/Waterfox/issues/783
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

You are connecting with TLSv1.3.

Your browser supports TLS 1.3, which encrypts the server certificate.

grahamperrin commented Jan 26, 2019

On Reddit we have a report,

I checked 56.2.6 and see that TLS 1.3 (RFC8446) is not supported.

security.tls.version.max set to 4, …

Does any other user of 56.2.6 find this problem – TLS 1.3 not supported?

magiruuvelvet commented Jan 26, 2019

Out of interest I just tried the above Mozilla test page in the Chromium Web Engine (Vivaldi Browser and QtWebEngine via Falkon Browser); both failed with an SSL exception.

Only curl and wget were able to understand TLS 1.3.

So Firefox Quantum is the only browser that understands TLS 1.3, if I'm not wrong. 🤔

EDIT: Safari Apple WebKit also works with TLS 1.3 (GNOME Epiphany Web).

grahamperrin commented Jan 27, 2019

laniakea64 commented Jan 27, 2019

Does any other user of 56.2.6 find this problem – TLS 1.3 not supported?

I also see this. I think #783 (comment) is still the case - currently Waterfox uses NSS 3.34, but full TLS 1.3 support requires at least NSS 3.39.

tmkk commented Jan 27, 2019

Waterfox supports TLS 1.3 draft 18 but it's too old. NSS 3.39 or later is required to support the final version of TLS 1.3 as stated above.

grahamperrin commented Jan 27, 2019

… NSS 3.39 or later is required to support the final version of TLS 1.3 …

Yeah, I'm still good, it seems (albeit on an unsupported OS) with a locally-built installation:

root@momh167-gjp4-8570p:~ # date ; uname -v
Sun Jan 27 09:02:00 GMT 2019
FreeBSD 13.0-CURRENT r343308 GENERIC-NODEBUG 
root@momh167-gjp4-8570p:~ # poudriere jail -i -j head | grep -i version
Jail version:      13.0-CURRENT 1300009
root@momh167-gjp4-8570p:~ # pkg query '%o %v %R' nss waterfox
security/nss 3.41.1 poudriere
www/waterfox 56.2.6 poudriere
root@momh167-gjp4-8570p:~ # pkg query '%do %dv' waterfox | grep -i nss
security/nss 3.41.1
root@momh167-gjp4-8570p:~ # 

Test pages aside … in simple terms, please, what are the possible/likely ill effects when Waterfox with inferior NSS 3.34 visits a production site that requires (or benefits from) TLS 1.3? Does anyone have an example URL handy?

TIA

grahamperrin commented Jan 27, 2019

https://tls13.crypto.mozilla.org/

From #783 (comment):

… Firefox Quantum … understands TLS 1.3 … Safari Apple WebKit also works with TLS 1.3 (GNOME Epiphany Web).

On FreeBSD-CURRENT I get the page OK with Firefox, surf, Waterfox and Web. No go in Chromium, Falkon, Iridium or SeaMonkey.

I might try building SeaMonkey with NSS 3.41.1, but not Chromium or Iridium (Chromium-based browsers are excruciatingly slow to build).

grahamperrin commented Jan 30, 2019

An error occurred during a connection to tls13.1d.pw. SSL received a malformed Server Hello handshake message. Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO

This also happens at https://tls13.1d.pw/ with Waterfox 56.2.6 using NSS 3.42.

grahamperrin commented Jan 30, 2019

Lorienna commented Jan 30, 2019

This also happens at https://tls13.1d.pw/ with Waterfox 56.2.6 using NSS 3.42.

That's because it requires bug 1430268 (see the Mozregression results below).

| Website | Pushlog | Push date | Milestone | NSS version | TLS 1.3 draft |
|---|---|---|---|---|---|
| https://www.cloudflare.com/ssl/encrypted-sni/ | Pushlog | Jan 2018 | 59.0a1 | 3.35 beta1 | 23 |
| https://tls13.1d.pw/ | Pushlog | Jan 2018 | 59.0a1 | 3.35 beta1 | 23 |
| https://swifttls.org/ | Pushlog | Mar 2018 | 61.0a1 | 3.37 beta c5dffd6269ea | 26 |
| https://tls.ctf.network/ | Pushlog | Apr 2018 | 61.0a1 | 3.37 beta 3e452651e282 | 28 |
| https://tls13.pinterjann.is/ and https://tls13.crypto.mozilla.org/ | Pushlog | Aug 2018 | 63.0a1 | 3.39 beta2 | RFC 8446 |
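Added illustration (not code from this thread, from Waterfox or from NSS) of the draft-versus-final distinction behind tmkk's comment and the table above: a draft-era client such as the old NSS advertises a draft code like 0x7f12 (draft 18) in the ClientHello's supported_versions extension instead of the RFC 8446 value 0x0304, so a server implementing only final TLS 1.3 finds no common version and replies with a protocol_version alert, which Firefox surfaces as SSL_ERROR_PROTOCOL_VERSION_ALERT. The ClientHello bytes are constructed inline for the demo; the draft-number encoding 0x7fNN is how NSS and other implementations labelled drafts.

```python
import struct

TLS13_FINAL = 0x0304          # RFC 8446 value carried in supported_versions
DRAFT_HIGH_BYTE = 0x7F        # pre-RFC drafts were advertised as 0x7fNN, NN = draft number
SUPPORTED_VERSIONS_EXT = 43   # extension type (RFC 8446, section 4.2.1)


def describe_version(v: int) -> str:
    """Human-readable label for a two-byte TLS version code."""
    if v == TLS13_FINAL:
        return "TLS 1.3 (RFC 8446)"
    if (v >> 8) == DRAFT_HIGH_BYTE:
        return f"TLS 1.3 draft {v & 0xFF}"
    return {0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}.get(v, f"unknown 0x{v:04x}")


def build_client_hello(versions) -> bytes:
    """Constructed, minimal ClientHello body (no record/handshake headers) for the demo."""
    ext_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    return (b"\x03\x03" + bytes(32)               # legacy_version, random (zeroed for the demo)
            + b"\x00"                             # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # legacy_compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)


def supported_versions(hello: bytes):
    """Parse a ClientHello body and return the advertised supported_versions, or None."""
    off = 2 + 32                                       # skip legacy_version and random
    off += 1 + hello[off]                              # legacy_session_id
    cs_len = struct.unpack_from("!H", hello, off)[0]
    off += 2 + cs_len                                  # cipher_suites
    off += 1 + hello[off]                              # legacy_compression_methods
    ext_len = struct.unpack_from("!H", hello, off)[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:                              # walk the extension list
        etype, elen = struct.unpack_from("!HH", hello, off)
        off += 4
        body = hello[off:off + elen]
        off += elen
        if etype == SUPPORTED_VERSIONS_EXT:
            count = body[0] // 2
            return [struct.unpack_from("!H", body, 1 + 2 * i)[0] for i in range(count)]
    return None                                        # pre-1.3 client: extension absent


def can_negotiate_final_tls13(hello: bytes) -> bool:
    """True only if the client offers the RFC 8446 code, not merely a draft code."""
    vs = supported_versions(hello)
    return vs is not None and TLS13_FINAL in vs
```

Feeding build_client_hello([0x7F12, 0x0303]) to supported_versions shows what a draft-18 client offers; can_negotiate_final_tls13 is false for it and true once 0x0304 is advertised.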