Configuring Firefox for FIPS 140-2
This article is no longer maintained, so its content might be out of date.
Federal Information Processing Standard (FIPS) number 140-2 defines a large set of cryptographic security requirements for all software used by US Government employees. US Government employees need to know how to make Firefox "FIPS 140 compliant". The steps shown below will bring your Firefox browser into compliance with FIPS 140-2 and also with NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations.
Step 1: Disable SSL 2 and SSL 3, leaving only TLS
- At the top of the Firefox window (or on the menu bar), open the menu and select the options/preferences item.
- In the options/preferences window, select the panel, then select the tab.
- Remove the check from the Use SSL 3.0 box, and ensure that the Use TLS 1.0 box is checked.
- Then click the button to begin step 2.
Step 2: Enable FIPS in Firefox's NSS Internal PKCS#11 module
- In the Device Manager window, select NSS Internal PKCS #11 Module, then click on the button.
- After you click the button, you should see the words FIPS 140 in your Device Manager window.
- Click to close the Device Manager window.
- Close the preferences window.
Step 3: Disable all the non-FIPS TLS cipher suites in about:config
- In the Location bar, type about:config and press Enter (or Return).
- The about:config "This might void your warranty!" warning page may appear. Click the button to continue to the about:config page.
- In the text box by the word Filter:, type in ssl.
- You should see a page that has preferences that are similar to the ones shown below. Go through your preferences and compare each one to the ones shown below. If you don't have all the preferences shown below, or if you have preferences not shown below, don't worry about them. Just compare the preferences whose names match the ones shown below. Make sure that each of your ssl preferences has the same true/false value as shown below. If any preference does not have a matching value, double-click it to change it.
Filter: ssl
| Preference Name | Status | Type | Value |
| --- | --- | --- | --- |
| security.enable_ssl2 | default | boolean | false |
| security.enable_ssl3 | user set | boolean | false |
| security.ssl2.des_64 | default | boolean | false |
| security.ssl2.des_ede3_192 | default | boolean | false |
| security.ssl2.rc2_128 | default | boolean | false |
| security.ssl2.rc2_40 | default | boolean | false |
| security.ssl2.rc4_128 | default | boolean | false |
| security.ssl2.rc4_40 | default | boolean | false |
| security.ssl3.dhe_dss_aes_128_sha | default | boolean | true |
| security.ssl3.dhe_dss_aes_256_sha | default | boolean | true |
| security.ssl3.dhe_dss_camellia_128_sha | user set | boolean | false |
| security.ssl3.dhe_dss_camellia_256_sha | user set | boolean | false |
| security.ssl3.dhe_dss_des_ede3_sha | default | boolean | true |
| security.ssl3.dhe_dss_des_sha | default | boolean | false |
| security.ssl3.dhe_rsa_aes_128_sha | default | boolean | true |
| security.ssl3.dhe_rsa_aes_256_sha | default | boolean | true |
| security.ssl3.dhe_rsa_camellia_128_sha | user set | boolean | false |
| security.ssl3.dhe_rsa_camellia_256_sha | user set | boolean | false |
| security.ssl3.dhe_rsa_des_ede3_sha | default | boolean | true |
| security.ssl3.dhe_rsa_des_sha | default | boolean | false |
| security.ssl3.ecdh_ecdsa_aes_128_sha | default | boolean | true |
| security.ssl3.ecdh_ecdsa_aes_256_sha | default | boolean | true |
| security.ssl3.ecdh_ecdsa_des_ede3_sha | default | boolean | true |
| security.ssl3.ecdh_ecdsa_null_sha | default | boolean | false |
| security.ssl3.ecdh_ecdsa_rc4_128_sha | user set | boolean | false |
| security.ssl3.ecdh_rsa_aes_128_sha | default | boolean | true |
| security.ssl3.ecdh_rsa_aes_256_sha | default | boolean | true |
| security.ssl3.ecdh_rsa_des_ede3_sha | default | boolean | true |
| security.ssl3.ecdh_rsa_null_sha | default | boolean | false |
| security.ssl3.ecdh_rsa_rc4_128_sha | user set | boolean | false |
| security.ssl3.ecdhe_ecdsa_aes_128_sha | default | boolean | true |
| security.ssl3.ecdhe_ecdsa_aes_256_sha | default | boolean | true |
| security.ssl3.ecdhe_ecdsa_des_ede3_sha | default | boolean | true |
| security.ssl3.ecdhe_ecdsa_null_sha | default | boolean | false |
| security.ssl3.ecdhe_ecdsa_rc4_128_sha | user set | boolean | false |
| security.ssl3.ecdhe_rsa_aes_128_sha | default | boolean | true |
| security.ssl3.ecdhe_rsa_aes_256_sha | default | boolean | true |
| security.ssl3.ecdhe_rsa_des_ede3_sha | default | boolean | true |
| security.ssl3.ecdhe_rsa_null_sha | default | boolean | false |
| security.ssl3.ecdhe_rsa_rc4_128_sha | user set | boolean | false |
| security.ssl3.rsa_1024_des_cbc_sha | default | boolean | false |
| security.ssl3.rsa_1024_rc4_56_sha | default | boolean | false |
| security.ssl3.rsa_aes_128_sha | default | boolean | true |
| security.ssl3.rsa_aes_256_sha | default | boolean | true |
| security.ssl3.rsa_camellia_128_sha | user set | boolean | false |
| security.ssl3.rsa_camellia_256_sha | user set | boolean | false |
| security.ssl3.rsa_des_ede3_sha | default | boolean | true |
| security.ssl3.rsa_des_sha | default | boolean | false |
| security.ssl3.rsa_fips_des_ede3_sha | user set | boolean | false |
| security.ssl3.rsa_fips_des_sha | default | boolean | false |
| security.ssl3.rsa_null_md5 | default | boolean | false |
| security.ssl3.rsa_null_sha | default | boolean | false |
| security.ssl3.rsa_rc2_40_md5 | default | boolean | false |
| security.ssl3.rsa_rc4_128_md5 | user set | boolean | false |
| security.ssl3.rsa_rc4_128_sha | user set | boolean | false |
| security.ssl3.rsa_rc4_40_md5 | default | boolean | false |
When all the entries match, you're done. You should exit and restart Firefox to ensure that the changes are properly recorded.
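The manual comparison in Step 3 can also be run against the profile's prefs.js file, which stores only the preferences that differ from their defaults. The following is an added example, not part of the original article: it encodes the table above and assumes that the rows marked "user set" default to true, so each must appear in prefs.js as false. The function name `audit` and the sample input are constructed for illustration.

```python
import re

KX = "dhe_dss dhe_rsa ecdh_ecdsa ecdh_rsa ecdhe_ecdsa ecdhe_rsa rsa".split()
# Rows the table shows as true: AES-128/256 and 3DES with SHA-1, per key exchange.
TABLE = {f"security.ssl3.{kx}_{c}": True
         for kx in KX for c in ("aes_128_sha", "aes_256_sha", "des_ede3_sha")}
# Rows the table marks "user set": each is overridden to false.
USER_SET = ["security.enable_ssl3"] + ["security.ssl3." + s for s in """
    dhe_dss_camellia_128_sha dhe_dss_camellia_256_sha dhe_rsa_camellia_128_sha
    dhe_rsa_camellia_256_sha ecdh_ecdsa_rc4_128_sha ecdh_rsa_rc4_128_sha
    ecdhe_ecdsa_rc4_128_sha ecdhe_rsa_rc4_128_sha rsa_camellia_128_sha
    rsa_camellia_256_sha rsa_fips_des_ede3_sha rsa_rc4_128_md5 rsa_rc4_128_sha
    """.split()]
# Remaining rows: shown as false with status "default".
DEFAULT_FALSE = ["security.enable_ssl2"] + [
    "security.ssl2." + s
    for s in "des_64 des_ede3_192 rc2_128 rc2_40 rc4_128 rc4_40".split()
] + ["security.ssl3." + s for s in """
    dhe_dss_des_sha dhe_rsa_des_sha ecdh_ecdsa_null_sha ecdh_rsa_null_sha
    ecdhe_ecdsa_null_sha ecdhe_rsa_null_sha rsa_1024_des_cbc_sha
    rsa_1024_rc4_56_sha rsa_des_sha rsa_fips_des_sha rsa_null_md5 rsa_null_sha
    rsa_rc2_40_md5 rsa_rc4_40_md5""".split()]
TABLE.update({name: False for name in USER_SET + DEFAULT_FALSE})

# prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\s*\);', re.M)

def audit(prefs_js):
    """Return (missing, mismatched) preference names for a prefs.js text."""
    overrides = {n: v == "true" for n, v in PREF_RE.findall(prefs_js)}
    # "user set" rows that are absent from prefs.js or set to true.
    missing = sorted(n for n in USER_SET if overrides.get(n) is not False)
    # Other table rows overridden to a value the table does not show.
    # Preferences that are not in the table are ignored, as the article says.
    mismatched = sorted(n for n, v in overrides.items()
                        if n in TABLE and n not in USER_SET and v != TABLE[n])
    return missing, mismatched

# Constructed sample: two of the required overrides, one NULL suite turned on.
SAMPLE = '''user_pref("security.enable_ssl3", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_null_sha", true);
user_pref("browser.startup.page", 3);
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Both returned lists are empty when the profile matches the table.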
