
TLS 1.2 support !

New User

TLS 1.2 support !

Which future Firefox version is planned for TLS 1.2 support?

Why are IE, Safari, and Opera ahead of Firefox in that very important particular security feature?

Come on, Mozilla, instead of the countless rapid releases, concentrate on the security part.

19 REPLIES
Site Moderator

Re: TLS 1.2 support !

Firefox 23 will have at least TLS 1.1 support.
It is not known which Firefox version will have TLS 1.2 support.
Note that most browsers that support TLS 1.2 may have disabled this because of issues with servers that do not support it and thus can make it impossible to connect to them.


  • Bug 733647 - Implement TLS 1.1 (RFC 4346) in Gecko (Firefox, Thunderbird), on by default
  • Bug 480514 - Implement support for TLS 1.2 (RFC 5246)

(please do not comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)

New User

Re: TLS 1.2 support !

I agree, but since OpenSSL 1.0.1e supports TLS 1.2, and most important websites do, it's time for Mozilla to raise the bar.

We should not keep reading in the security magazines about that drawback for Firefox...

SUMO Contributor

Re: TLS 1.2 support !

Firefox 24 (current Aurora) already supports TLS 1.2 (disabled by default, same as TLS 1.1 on Fx 23).

New User

Re: TLS 1.2 support !

Still doesn't work in FF25 (25.0a1 (2013-07-12))

https://www.mikestoolbox.org/
Current time: Fri, 12 Jul 2013 19:40:16 GMT
TLS negotiation time: 0.700498 seconds
Client Version: TLS 1.0

But Internet Explorer 10 works:
Current time: Fri, 12 Jul 2013 19:41:49 GMT
TLS negotiation time: 0.228705 seconds
Client Version: TLS 1.2

That's a shame.

SUMO Contributor

Re: TLS 1.2 support !

Hi ololo123, I get an invalid certificate for that site.

According to this bug report, TLS 1.2 requires a couple of different patches and then compatibility testing, so completion is not imminent: Bug 861266 – Implement TLS 1.2 (RFC 5246) in Gecko (Firefox, Thunderbird), on by default.

Note on the bug tracking system: If forum members can contribute to the development, please feel free to pitch in. Otherwise, it's generally not helpful to add comments to bugs (unless there is a call for test cases), but you can register on the Bugzilla site and "vote" for them to be fixed. See:

All Star

Re: TLS 1.2 support !

Surely if the site does not support TLS 1.2, Firefox could step down to TLS 1.1? That would seem to be the best way to handle encryption?

SUMO Contributor

Re: TLS 1.2 support !

Firefox Nightly 25.0a1

  • security.tls.version.max = 3 (TLS 1.2); default is 2 (TLS 1.0)
  • security.tls.version.min = 0 (SSL 3.0); default

Test results

As jscher2000 mentioned, neither TLS 1.1 nor 1.2 has been enabled by default (Bug 733647 and 861266) because of several backward compatibility issues (Bug 839310 and 861310) and the implementation of cipher suites for TLS 1.2 (Bug 707275).

All Star

Re: TLS 1.2 support !

Then have Firefox support all three. What is the big problem?

New User

Re: TLS 1.2 support !

So from what I've seen here, FF23 is claimed to have TLS1.1 support, but if you activate it, the implementation doesn't allow the server to select a lower protocol version even when you have the min/max protocol controls for the browser set to enable them.

Since RFC 4346 explicitly defines the TLS 1.1 protocol to work this way, it's a bit funny to say you have TLS 1.1 support when you have a non-compliant implementation. Not having this feature makes setting TLS 1.1 relatively pointless when it will cause the browser to fail to connect on a significant percentage of all web sites. In other words, your current implementation is pretty unusable.

Your internal settings to control the SSL protocol as a range are exactly what is needed - so I see you have the correct intention and I will assume you are trying to get there as quick as you can. My questions are:

1) What is the defect to actually support the protocol ranges specified and what FF release is it targeted for?

2) There seems to be indications in some responses that TLS 1.2 is supported on some release - can you confirm that? Is it correct that it doesn't allow the server to select a lower protocol if it doesn't support TLS 1.2?

3) If you have TLS 1.2 now, or have it planned, will it offer the clienthello extension for hash and signature algorithms and offer a SHA256 hash? - e.g. is it NIST 800-131a compliant?

4) What cipher suites do you support for TLS 1.1 (and for TLS 1.2 if it is around) and is there a way to control them on the client side? (or at least limit them to a set that has 112 bit security strength for NIST 800-131a compliance)?

I assume you are aware that NIST 800-131a requires 112 bit security strength by 2014 which implies you need SHA-256 signatures which implies you need TLS 1.2 with the client hello extension for hash and signature algorithms with SHA256 hash in the list. This standard will drive a number of folks to scramble for whatever browsers have this support. I'm hoping Firefox is one of them. Thanks in advance for any info...
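
The properties asked about in the thread (the version a client offers, and whether its ClientHello carries the hash and signature algorithms extension with SHA-256) can be read straight from the ClientHello bytes. The parser below is an added example, not part of any post above and not Mozilla code; the function names are hypothetical and the sample hellos are constructed, not captured from a browser.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a whole ClientHello (RFC 5246); raises on truncation."""
    ctype, _record_version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rec_len or record[5] != 0x01:
        raise ValueError("not a complete ClientHello record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    (version,) = struct.unpack_from("!H", hello, 0)
    pos = 2 + 32                              # client_version + random
    pos += 1 + hello[pos]                     # session_id
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    suites = list(struct.unpack_from(f"!{cs_len // 2}H", hello, pos + 2))
    pos += 2 + cs_len
    pos += 1 + hello[pos]                     # compression_methods
    sig_algs = None                           # None: extension not offered
    if pos < len(hello):                      # the extensions block is optional
        (ext_total,) = struct.unpack_from("!H", hello, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == 13:                # signature_algorithms
                n = int.from_bytes(data[:2], "big")
                sig_algs = [(HASHES.get(data[i], data[i]), SIGS.get(data[i + 1], data[i + 1]))
                            for i in range(2, 2 + n, 2)]
            pos += 4 + ext_len
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher_suites": suites, "signature_algorithms": sig_algs}

def offers_tls12_sha256(info: dict) -> bool:
    """True if the hello offers TLS 1.2 and lists a SHA-256 signature hash."""
    algs = info["signature_algorithms"] or []
    return info["version"] == "TLS 1.2" and any(h == "sha256" for h, _ in algs)

def build_sample(version, sig_algs=None) -> bytes:
    """Constructed test input (all-zero random); not captured from any browser."""
    suites = struct.pack("!2H", 0x002F, 0x003C)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    if sig_algs is not None:
        ext = struct.pack("!HHH", 13, len(sig_algs) + 2, len(sig_algs)) + sig_algs
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake
```

Feeding it the first record a client sends (for example, bytes exported from a packet capture) shows what the client actually offered, independent of what its preferences claim.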