Om de ûnderfining foar jo te ferbetterjen is tydlik de funksjonaliteit dan dizze website troch ûnderhâldswurk beheind. Wannear in artikel jo probleem net oplost en jo in fraach stelle wolle, kin ús stipemienskip jo helpe yn @FirefoxSupport op Twitter en /r/firefox op Reddit.

Avatar for Username

Sykje yn Support

Mij stipescams. Wy sille jo nea freegje in telefoannûmer te beljen, der in sms nei ta te stjoeren of persoanlike gegevens te dielen. Meld fertochte aktiviteit mei de opsje ‘Misbrûk melde’.

Mear ynfo

Dizze konversaasje is argivearre. Stel in nije fraach as jo help nedich hawwe.

unsuccessful when trying to force Firefox to send TLS 1.0 requests by setting security.tls.version.max=1

bennetthaselton
bennetthaselton
more options

I want to test a group of sites to see if they accept TLS 1.0 connections.

Many sources including https://support.mozilla.org/en-US/questions/1101896 say that you can force Firefox to send TLS 1.0 requests by setting security.tls.version.max to 1, and I have done this successfully in the past to test if a site supported TLS 1.0. (Sometimes a site allows access over TLS 1.0 but disables certain features such as submitting credit card numbers.)

However, I am now getting inconsistent results when trying to do this. I set security.tls.version.max to 1 and restart the browser. Then I go to https://www.google.com/, click the padlock and navigate to more information, and it says "Connected encrypted (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS 1.3)". Note, TLS 1.3. But I could swear the first time I loaded https://www.google.com/ the same dialog box said the connection was using TLS 1.0.

Meanwhile other sites like https://wikipedia.org/ and https://twitter.com/ fail to load with SSL_ERROR_PROTOCOL_VERSION_ALERT. I understand why (they don't support TLS 1.0), but I don't understand why the connection to Google is showing TLS 1.3 in the same browser window.

Is there some mechanism by which a site that initially accepts the TLS 1.0 connection, is then forcing Firefox to switch to 1.3, overriding the security.tls.version.max setting? That doesn't make sense but it's the only thing that seems consistent with observation.

Thanks!

I want to test a group of sites to see if they accept TLS 1.0 connections. Many sources including https://support.mozilla.org/en-US/questions/1101896 say that you can force Firefox to send TLS 1.0 requests by setting security.tls.version.max to 1, and I have done this successfully in the past to test if a site supported TLS 1.0. (Sometimes a site allows access over TLS 1.0 but disables certain features such as submitting credit card numbers.) However, I am now getting inconsistent results when trying to do this. I set security.tls.version.max to 1 and restart the browser. Then I go to https://www.google.com/, click the padlock and navigate to more information, and it says "Connected encrypted (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS 1.3)". Note, TLS 1.3. But I could swear the first time I loaded https://www.google.com/ the same dialog box said the connection was using TLS 1.0. Meanwhile other sites like https://wikipedia.org/ and https://twitter.com/ fail to load with SSL_ERROR_PROTOCOL_VERSION_ALERT. I understand why (they don't support TLS 1.0), but I don't understand why the connection to Google is showing TLS 1.3 in the same browser window. Is there some mechanism by which a site that initially accepts the TLS 1.0 connection, is then forcing Firefox to switch to 1.3, overriding the security.tls.version.max setting? That doesn't make sense but it's the only thing that seems consistent with observation. Thanks!

Alle antwurden (4)

James
James
  • Top 25 Contributor
  • Moderator
more options

https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/ https://www.mozilla.org/firefox/78.0/releasenotes/

https://support.mozilla.org/en-US/kb/secure-connection-failed-firefox-did-not-connect Note: The option to enable TLS 1.0 and 1.1 has been removed from the error page in Firefox version 97.

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Works for me. This gives me TLS 1.0

  • security.tls.version.max 1
  • security.tls.version.min 1

This gives me TLS 1.1

  • security.tls.version.max 2
  • security.tls.version.min 1
bennetthaselton
bennetthaselton Fraacheigener
more options

James said
https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/ https://www.mozilla.org/firefox/78.0/releasenotes/ https://support.mozilla.org/en-US/kb/secure-connection-failed-firefox-did-not-connect Note: The option to enable TLS 1.0 and 1.1 has been removed from the error page in Firefox version 97.

I see that, but it just says that by default, they've now set security.tls.version.min to 3 by default, i.e. requiring mininum TLS 1.2 by default.

That doesn't really address the problem I'm seeing, which is that I set security.tls.version.min and security.tls.version.max to 1 (i.e. TLS 1.0) manually, but when I browse www.google.com I see it (sometimes) switching to TLS 1.3 anyway.

bennetthaselton
bennetthaselton Fraacheigener
more options

cor-el said
Works for me. This gives me TLS 1.0
  • security.tls.version.max 1
  • security.tls.version.min 1
This gives me TLS 1.1
  • security.tls.version.max 2
  • security.tls.version.min 1

What version are you on? I'm on 91.13.0esr on Windows 10.