Federal Information Processing Standard (FIPS) number 140-2 defines a large set of crypto security requirements for all software used by US Government employees. US Government employees need to know how to make Firefox 2 and Firefox 3 be "FIPS 140 compliant". The steps shown below will bring your Firefox browser into compliance with FIPS 140-2 and also with [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations]. __TOC__ = Step 1: Disable SSL 2 and SSL 3, leaving only TLS = # [[T:optionspreferences]]{for win}<br/> <br/> [[Image:toolsopt.png]]<br/> <br/>{/for} # In the {for win}options{/for}{for mac,linux}preferences{/for} window, select the {menu Advanced} panel, then select the {menu Encryption} tab. # Remove the check from the '''Use SSL 3.0''' box, and ensure that the '''Use TLS 1.0''' box is checked.{for win}<br/> <br/> [[Image:options.png]]<br/> <br/>{/for}{for mac}, as shown here: <br/> <br/> [[Image:FIPS-en-mac-1.jpg]] <br/> <br/> {/for} # Then click the {button Security Devices} button to begin step 2. = Step 2: Enable FIPS in Firefox's NSS Internal PKCS#11 module = # In the Device Manager window, select '''NSS Internal PKCS #11 Module''', then click on the {button Enable FIPS} button.{for win}<br/> <br/> [[Image:EnableFIPS.png]]<br/> <br/>{/for}{for mac}<br/> <br/> [[Image:FIPS-en-mac-2.jpg]]<br/> <br/>{/for} # After you click the {button Enable FIPS} button, you should see the words '''FIPS 140''' in your Device Manager window.{for win} <br/> <br/> [[Image:FIPS140.png]] <br/> <br/> {/for}{for mac}, as shown here: <br/> <br/> [[Image:FIPS-en-mac-3.jpg]] <br/> <br/> {/for} # Click {button OK} to close the Device Manager window. # {for win,linux}Click {button OK}{/for}{for mac}Close the preferences window{/for}. = Step 3: Disable all the non-FIPS TLS cipher suites in about:config = # [[T:aboutconfig]] # In the text box by the word '''Filter:''', type in '''ssl'''. # You should see a page that has preferences that are similar to the ones shown below. Go through your preferences and compare each one to the ones shown below. If you don't have all the preferences shown below, or if you have preferences not shown below, don't worry about them. Just compare the preferences whose names match the ones shown below. Make sure that each of your ssl preferences has the same true/false value as shown below. If any preference does not have a matching value, double-click it to change it. ~pre~ Filter: {note}ssl{/note} Preference Name Status Type Value security.enable_ssl2 default boolean false '''security.enable_ssl3 user set boolean false''' security.ssl2.des_64 default boolean false security.ssl2.des_ede3_192 default boolean false security.ssl2.rc2_128 default boolean false security.ssl2.rc2_40 default boolean false security.ssl2.rc4_128 default boolean false security.ssl2.rc4_40 default boolean false security.ssl3.dhe_dss_aes_128_sha default boolean true security.ssl3.dhe_dss_aes_256_sha default boolean true '''security.ssl3.dhe_dss_camellia_128_sha user set boolean false''' '''security.ssl3.dhe_dss_camellia_256_sha user set boolean false''' security.ssl3.dhe_dss_des_ede3_sha default boolean true security.ssl3.dhe_dss_des_sha default boolean false security.ssl3.dhe_rsa_aes_128_sha default boolean true security.ssl3.dhe_rsa_aes_256_sha default boolean true '''security.ssl3.dhe_rsa_camellia_128_sha user set boolean false''' '''security.ssl3.dhe_rsa_camellia_256_sha user set boolean false''' security.ssl3.dhe_rsa_des_ede3_sha default boolean true security.ssl3.dhe_rsa_des_sha default boolean false security.ssl3.ecdh_ecdsa_aes_128_sha default boolean true security.ssl3.ecdh_ecdsa_aes_256_sha default boolean true security.ssl3.ecdh_ecdsa_des_ede3_sha default boolean true security.ssl3.ecdh_ecdsa_null_sha default boolean false '''security.ssl3.ecdh_ecdsa_rc4_128_sha user set boolean false''' security.ssl3.ecdh_rsa_aes_128_sha default boolean true security.ssl3.ecdh_rsa_aes_256_sha default boolean true security.ssl3.ecdh_rsa_des_ede3_sha default boolean true security.ssl3.ecdh_rsa_null_sha default boolean false '''security.ssl3.ecdh_rsa_rc4_128_sha user set boolean false''' security.ssl3.ecdhe_ecdsa_aes_128_sha default boolean true security.ssl3.ecdhe_ecdsa_aes_256_sha default boolean true security.ssl3.ecdhe_ecdsa_des_ede3_sha default boolean true security.ssl3.ecdhe_ecdsa_null_sha default boolean false '''security.ssl3.ecdhe_ecdsa_rc4_128_sha user set boolean false''' security.ssl3.ecdhe_rsa_aes_128_sha default boolean true security.ssl3.ecdhe_rsa_aes_256_sha default boolean true security.ssl3.ecdhe_rsa_des_ede3_sha default boolean true security.ssl3.ecdhe_rsa_null_sha default boolean false '''security.ssl3.ecdhe_rsa_rc4_128_sha user set boolean false''' security.ssl3.rsa_1024_des_cbc_sha default boolean false security.ssl3.rsa_1024_rc4_56_sha default boolean false security.ssl3.rsa_aes_128_sha default boolean true security.ssl3.rsa_aes_256_sha default boolean true '''security.ssl3.rsa_camellia_128_sha user set boolean false''' '''security.ssl3.rsa_camellia_256_sha user set boolean false''' security.ssl3.rsa_des_ede3_sha default boolean true security.ssl3.rsa_des_sha default boolean false '''security.ssl3.rsa_fips_des_ede3_sha user set boolean false''' security.ssl3.rsa_fips_des_sha default boolean false security.ssl3.rsa_null_md5 default boolean false security.ssl3.rsa_null_sha default boolean false security.ssl3.rsa_rc2_40_md5 default boolean false '''security.ssl3.rsa_rc4_128_md5 user set boolean false''' '''security.ssl3.rsa_rc4_128_sha user set boolean false''' security.ssl3.rsa_rc4_40_md5 default boolean false ~/pre~ When all the entries match, you're done. You should exit and restart Firefox to ensure that the changes are properly recorded.

Federal Information Processing Standard (FIPS) number 140-2 defines a large set of crypto security requirements for all software used by US Government employees. US Government employees need to know how to make Firefox 2 and Firefox 3 be "FIPS 140 compliant". The steps shown below will bring your Firefox browser into compliance with FIPS 140-2 and also with NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations.

Step 1: Disable SSL 2 and SSL 3, leaving only TLS

1. In the Menu bar at the top of the screen, click Firefox and select Settings (select Preferences on older macOS versions).Click the menu button and select Settings.
   
   
   
   
2. In the optionspreferences window, select the Advanced panel, then select the Encryption tab.
3. Remove the check from the Use SSL 3.0 box, and ensure that the Use TLS 1.0 box is checked.
   
   
   
   , as shown here:
   
   
   
   
4. Then click the Security Devices button to begin step 2.

Step 2: Enable FIPS in Firefox's NSS Internal PKCS#11 module

1. In the Device Manager window, select NSS Internal PKCS #11 Module, then click on the Enable FIPS button.
   
   
   
   
   
   
   
   
2. After you click the Enable FIPS button, you should see the words FIPS 140 in your Device Manager window.
   
   
   
   , as shown here:
   
   
   
   
3. Click OK to close the Device Manager window.
4. Click OKClose the preferences window.

Step 3: Disable all the non-FIPS TLS cipher suites in about:config

1. Type about:config in the address bar and press EnterReturn.
   A warning page may appear. Click Accept the Risk and Continue to go to the about:config page.
2. In the text box by the word Filter:, type in ssl.
3. You should see a page that has preferences that are similar to the ones shown below. Go through your preferences and compare each one to the ones shown below. If you don't have all the preferences shown below, or if you have preferences not shown below, don't worry about them. Just compare the preferences whose names match the ones shown below. Make sure that each of your ssl preferences has the same true/false value as shown below. If any preference does not have a matching value, double-click it to change it.

~pre~

Filter:

Preference Name                                Status      Type       Value

security.enable_ssl2 default boolean false security.enable_ssl3 user set boolean false security.ssl2.des_64 default boolean false security.ssl2.des_ede3_192 default boolean false security.ssl2.rc2_128 default boolean false security.ssl2.rc2_40 default boolean false security.ssl2.rc4_128 default boolean false security.ssl2.rc4_40 default boolean false security.ssl3.dhe_dss_aes_128_sha default boolean true security.ssl3.dhe_dss_aes_256_sha default boolean true security.ssl3.dhe_dss_camellia_128_sha user set boolean false security.ssl3.dhe_dss_camellia_256_sha user set boolean false security.ssl3.dhe_dss_des_ede3_sha default boolean true security.ssl3.dhe_dss_des_sha default boolean false security.ssl3.dhe_rsa_aes_128_sha default boolean true security.ssl3.dhe_rsa_aes_256_sha default boolean true security.ssl3.dhe_rsa_camellia_128_sha user set boolean false security.ssl3.dhe_rsa_camellia_256_sha user set boolean false security.ssl3.dhe_rsa_des_ede3_sha default boolean true security.ssl3.dhe_rsa_des_sha default boolean false security.ssl3.ecdh_ecdsa_aes_128_sha default boolean true security.ssl3.ecdh_ecdsa_aes_256_sha default boolean true security.ssl3.ecdh_ecdsa_des_ede3_sha default boolean true security.ssl3.ecdh_ecdsa_null_sha default boolean false security.ssl3.ecdh_ecdsa_rc4_128_sha user set boolean false security.ssl3.ecdh_rsa_aes_128_sha default boolean true security.ssl3.ecdh_rsa_aes_256_sha default boolean true security.ssl3.ecdh_rsa_des_ede3_sha default boolean true security.ssl3.ecdh_rsa_null_sha default boolean false security.ssl3.ecdh_rsa_rc4_128_sha user set boolean false security.ssl3.ecdhe_ecdsa_aes_128_sha default boolean true security.ssl3.ecdhe_ecdsa_aes_256_sha default boolean true security.ssl3.ecdhe_ecdsa_des_ede3_sha default boolean true security.ssl3.ecdhe_ecdsa_null_sha default boolean false security.ssl3.ecdhe_ecdsa_rc4_128_sha user set boolean false security.ssl3.ecdhe_rsa_aes_128_sha default boolean true security.ssl3.ecdhe_rsa_aes_256_sha default boolean true security.ssl3.ecdhe_rsa_des_ede3_sha default boolean true security.ssl3.ecdhe_rsa_null_sha default boolean false security.ssl3.ecdhe_rsa_rc4_128_sha user set boolean false security.ssl3.rsa_1024_des_cbc_sha default boolean false security.ssl3.rsa_1024_rc4_56_sha default boolean false security.ssl3.rsa_aes_128_sha default boolean true security.ssl3.rsa_aes_256_sha default boolean true security.ssl3.rsa_camellia_128_sha user set boolean false security.ssl3.rsa_camellia_256_sha user set boolean false security.ssl3.rsa_des_ede3_sha default boolean true security.ssl3.rsa_des_sha default boolean false security.ssl3.rsa_fips_des_ede3_sha user set boolean false security.ssl3.rsa_fips_des_sha default boolean false security.ssl3.rsa_null_md5 default boolean false security.ssl3.rsa_null_sha default boolean false security.ssl3.rsa_rc2_40_md5 default boolean false security.ssl3.rsa_rc4_128_md5 user set boolean false security.ssl3.rsa_rc4_128_sha user set boolean false security.ssl3.rsa_rc4_40_md5 default boolean false

~/pre~

When all the entries match, you're done. You should exit and restart Firefox to ensure that the changes are properly recorded.