I can’t change the min and max TLS versions with either policies.json or mozilla.cfg
I need to set the max TLS version to 1.3 and the min version to 1.2 on my shstems. The max and min TLS versions are set to 4 and 3 by default in about:config. If I use lockPref(“security.tls.version.max”,”3”), it is still 4 in about:config for some reason. If I set the min version to 2, it is still 3. This also doesn’t work if I use “SSLVersionMin”: “tls1.2” how can I fix this issue? Thank you in advance!
선택된 해결법
The values you want are already the default values. Here are the valid values for security.tls.version.max and security.tls.version.min:
1 => TLS 1.0 2 => TLS 1.1 3 => TLS 1.2 4 => TLS 1.3
You can verify the effect of changes using: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
But if you need to lock them:
For policies.json:
You need to use SSLVersionMax and SSLVersionMin as described on https://github.com/mozilla/policy-templates#sslversionmax
That is because the Preferences policy does not allow setting security.* preferences
General reference: Customize Firefox using policies.json
For Autoconfig:
Is your setup working at all -- the only problem is with the two preferences? See: Customize Firefox using AutoConfig
문맥에 따라 이 답변을 읽어주세요 👍 0모든 댓글 (6)
선택된 해결법
The values you want are already the default values. Here are the valid values for security.tls.version.max and security.tls.version.min:
1 => TLS 1.0 2 => TLS 1.1 3 => TLS 1.2 4 => TLS 1.3
You can verify the effect of changes using: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
But if you need to lock them:
For policies.json:
You need to use SSLVersionMax and SSLVersionMin as described on https://github.com/mozilla/policy-templates#sslversionmax
That is because the Preferences policy does not allow setting security.* preferences
General reference: Customize Firefox using policies.json
For Autoconfig:
Is your setup working at all -- the only problem is with the two preferences? See: Customize Firefox using AutoConfig
The TLS has been at minimum 1.2 since the Fx 78 Release. https://www.mozilla.org/firefox/78.0/releasenotes/
We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.
https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/
Whoops, thought this was a Thunderbird question at the time though the change of disabling TLS 1.0 and TLS 1.1 was made in Tb 78.0 also.
글쓴이 James 수정일시
We have a patch to clean these up a bit. Should be clearer in the next policy update.
jscher2000 - Support Volunteer said
The values you want are already the default values. Here are the valid values for security.tls.version.max and security.tls.version.min: 1 => TLS 1.0 2 => TLS 1.1 3 => TLS 1.2 4 => TLS 1.3 You can verify the effect of changes using: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
But if you need to lock them:
For policies.json:
You need to use SSLVersionMax and SSLVersionMin as described on https://github.com/mozilla/policy-templates#sslversionmax
That is because the Preferences policy does not allow setting security.* preferences
General reference: Customize Firefox using policies.json
For Autoconfig:
Is your setup working at all -- the only problem is with the two preferences? See: Customize Firefox using AutoConfig
Thank you! That definitely makes sense then since that lines up with what I want. I do need to lock them, so I’ll use those two policies. It works when I use that site as well. As for Autoconfig, my setup is working aside from those two preferences, although they’re fine anyway as is.
James said
The TLS has been at minimum 1.2 since the Fx 78 Release. https://www.mozilla.org/firefox/78.0/releasenotes/We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/
Whoops, thought this was a Thunderbird question at the time though the change of disabling TLS 1.0 and TLS 1.1 was made in Tb 78.0 also.
Oh okay that makes sense! It’s good that my TLS versions are working as expected then. Thank you!
Mike Kaply said
We have a patch to clean these up a bit. Should be clearer in the next policy update.
That’s good to hear. That’s a very helpful change for sure! Thank you!
Note that your question shows Unicode quotes (“;201c) and not normal quotes ("), so I'm not sure if this would work at all if you use this in the autoconfig.cfg file and not merely in your question.
- lockPref(“security.tls.version.max”,”3”)
cor-el said
Note that your question shows Unicode quotes (“;201c) and not normal quotes ("), so I'm not sure if this would work at all if you use this in the autoconfig.cfg file and not merely in your question.
- lockPref(“security.tls.version.max”,”3”)
Oh okay that makes sense. I will change that to normal quotes then. Thank you!