Federal Information Processing Standard (FIPS) number 140-2 defines a large set of crypto security requirements for all software used by US Government employees. US Government employees need to know how to make Firefox be "FIPS 140 compliant". The steps shown below will bring your Firefox browser into compliance with FIPS 140-2 and also with NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations.
Table of Contents
Step 1: Disable SSL 2 and SSL 3, leaving only TLS
- In the Menu bar at the top of the screen, click and then select or , depending on your macOS version.Click the menu button and select .
- In the optionspreferences window, select the panel, then select the tab.
- Remove the check from the Use SSL 3.0 box, and ensure that the Use TLS 1.0 box is checked.
- Then click the button to begin step 2.
Step 2: Enable FIPS in Firefox's NSS Internal PKCS#11 module
- In the Device Manager window, select NSS Internal PKCS #11 Module, then click on the
button. - After you click the
button, you should see the words FIPS 140 in your Device Manager window. - Click to close the Device Manager window.
- Click Close the preferences window.
Step 3: Disable all the non-FIPS TLS cipher suites in about:config
- Type about:config in the address bar and press EnterReturn.
A warning page may appear. Click to go to the about:config page. - In the text box by the word Filter:, type in ssl.
- You should see a page that has preferences that are similar to the ones shown below. Go through your preferences and compare each one to the ones shown below. If you don't have all the preferences shown below, or if you have preferences not shown below, don't worry about them. Just compare the preferences whose names match the ones shown below. Make sure that each of your ssl preferences has the same true/false value as shown below. If any preference does not have a matching value, double-click it to change it.
Preference Name | Status | Type | Value |
security.enable_ssl2 | default | boolean | false |
security.enable_ssl3 | user set | boolean | false |
security.ssl2.des_64 | default | boolean | false |
security.ssl2.des_ede3_192 | default | boolean | false |
security.ssl2.rc2_128 | default | boolean | false |
security.ssl2.rc2_40 | default | boolean | false |
security.ssl2.rc4_128 | default | boolean | false |
security.ssl2.rc4_40 | default | boolean | false |
security.ssl3.dhe_dss_aes_128_sha | default | boolean | true |
security.ssl3.dhe_dss_aes_256_sha | default | boolean | true |
security.ssl3.dhe_dss_camellia_128_sha | user set | boolean | false |
security.ssl3.dhe_dss_camellia_256_sha | user set | boolean | false |
security.ssl3.dhe_dss_des_ede3_sha | default | boolean | true |
security.ssl3.dhe_dss_des_sha | default | boolean | false |
security.ssl3.dhe_rsa_aes_128_sha | default | boolean | true |
security.ssl3.dhe_rsa_aes_256_sha | default | boolean | true |
security.ssl3.dhe_rsa_camellia_128_sha | user set | boolean | false |
security.ssl3.dhe_rsa_camellia_256_sha | user set | boolean | false |
security.ssl3.dhe_rsa_des_ede3_sha | default | boolean | true |
security.ssl3.dhe_rsa_des_sha | default | boolean | false |
security.ssl3.ecdh_ecdsa_aes_128_sha | default | boolean | true |
security.ssl3.ecdh_ecdsa_aes_256_sha | default | boolean | true |
security.ssl3.ecdh_ecdsa_des_ede3_sha | default | boolean | true |
security.ssl3.ecdh_ecdsa_null_sha | default | boolean | false |
security.ssl3.ecdh_ecdsa_rc4_128_sha | user set | boolean | false |
security.ssl3.ecdh_rsa_aes_128_sha | default | boolean | true |
security.ssl3.ecdh_rsa_aes_256_sha | default | boolean | true |
security.ssl3.ecdh_rsa_des_ede3_sha | default | boolean | true |
security.ssl3.ecdh_rsa_null_sha | default | boolean | false |
security.ssl3.ecdh_rsa_rc4_128_sha | user set | boolean | false |
security.ssl3.ecdhe_ecdsa_aes_128_sha | default | boolean | true |
security.ssl3.ecdhe_ecdsa_aes_256_sha | default | boolean | true |
security.ssl3.ecdhe_ecdsa_des_ede3_sha | default | boolean | true |
security.ssl3.ecdhe_ecdsa_null_sha | default | boolean | false |
security.ssl3.ecdhe_ecdsa_rc4_128_sha | user set | boolean | false |
security.ssl3.ecdhe_rsa_aes_128_sha | default | boolean | true |
security.ssl3.ecdhe_rsa_aes_256_sha | default | boolean | true |
security.ssl3.ecdhe_rsa_des_ede3_sha | default | boolean | true |
security.ssl3.ecdhe_rsa_null_sha | default | boolean | false |
security.ssl3.ecdhe_rsa_rc4_128_sha | user set | boolean | false |
security.ssl3.rsa_1024_des_cbc_sha | default | boolean | false |
security.ssl3.rsa_1024_rc4_56_sha | default | boolean | false |
security.ssl3.rsa_aes_128_sha | default | boolean | true |
security.ssl3.rsa_aes_256_sha | default | boolean | true |
security.ssl3.rsa_camellia_128_sha | user set | boolean | false |
security.ssl3.rsa_camellia_256_sha | user set | boolean | false |
security.ssl3.rsa_des_ede3_sha | default | boolean | true |
security.ssl3.rsa_des_sha | default | boolean | false |
security.ssl3.rsa_fips_des_ede3_sha | user set | boolean | false |
security.ssl3.rsa_fips_des_sha | default | boolean | false |
security.ssl3.rsa_null_md5 | default | boolean | false |
security.ssl3.rsa_null_sha | default | boolean | false |
security.ssl3.rsa_rc2_40_md5 | default | boolean | false |
security.ssl3.rsa_rc4_128_md5 | user set | boolean | false |
security.ssl3.rsa_rc4_128_sha | user set | boolean | false |
security.ssl3.rsa_rc4_40_md5 | default | boolean | false |
When all the entries match, you're done. You should exit and restart Firefox to ensure that the changes are properly recorded.