Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Şu anda bakım nedeniyle sitemiz kısıtlı işlevsellik sunmaktadır. Mevcut makaleler sorununuzu çözmediyse ve bize soru sormak isterseniz Twitter’da @FirefoxSupport hesabından ve Reddit’teki /r/firefox subreddit'inden destek gönüllülerimize ulaşabilirsiniz.

Mozilla Destek’te Ara

Destek dolandırıcılığından kaçının. Mozilla sizden asla bir telefon numarasını aramanızı, mesaj göndermenizi veya kişisel bilgilerinizi paylaşmanızı istemez. Şüpheli durumları “Kötüye kullanım bildir” seçeneğini kullanarak bildirebilirsiniz.

Daha Fazlasını Öğren

GPO (Group Policy) Change security.tls.enable_0rtt_data

  • 8 yanıt
  • 1 kişi bu sorunu yaşıyor
  • 1 gösterim
  • Son yanıtı yazan: Mike Kaply

more options

Hello,

we have some trouble in our Enterprise Environment with tls 1.3 and 0rtt data. The integrated google search and other websites doesnt work as they should (Pages doesnt load and stay white).

So we want to turn of "security.tls.enable_0rtt_data" with Group Policy. But i cannot find a switch for this setting.

When i try to set security.tls.enable_0rtt_data with Preferences in GPO it doesnt work (old Preferences is empty) { "security.tls.enable_0rtt_data": { "Value": false, "Status": "locked" } }

With Preferences i am able to configure security.tls.hello_downgrade_check, but not security.tls.enable_0rtt_data

The only workaround would be to disable tls 1.3 completely and use tls 1.2. (security.tls.version.max = 3) Is there a solution for this?

Regards, Michael

Hello, we have some trouble in our Enterprise Environment with tls 1.3 and 0rtt data. The integrated google search and other websites doesnt work as they should (Pages doesnt load and stay white). So we want to turn of "security.tls.enable_0rtt_data" with Group Policy. But i cannot find a switch for this setting. When i try to set security.tls.enable_0rtt_data with Preferences in GPO it doesnt work (old Preferences is empty) { "security.tls.enable_0rtt_data": { "Value": false, "Status": "locked" } } With Preferences i am able to configure security.tls.hello_downgrade_check, but not security.tls.enable_0rtt_data The only workaround would be to disable tls 1.3 completely and use tls 1.2. (security.tls.version.max = 3) Is there a solution for this? Regards, Michael

Seçilen çözüm

FYI, the ability to set this pref via policy landed in the most recent Firefox and ESR.

Bu yanıtı konu içinde okuyun 👍 0

Tüm Yanıtlar (8)

more options

There is an entry about that Error. Open since 3 months!!!

https://bugzilla.mozilla.org/show_bug.cgi?id=1718520

more options

We don't allow all security prefs to work in policy for security reasons.

This is the first time I've heard about this one.

I'm reaching out to the security team.

more options

I'm going to add that pref to policy. It will be in the Firefox and ESR release in a couple weeks.

more options

Thank you very much Mike!

The Firefox Dev´s should implement another fallback routine for TLS 1.3 or disable 0-RTT Data in default settings. I think 0-RTT Data wont work in business environments with proxy servers. i dont know why, but google chrome can establish TLS 1.3 connections without any further configuration. (i dont know how chrome handle 0-RTT Data. They may have disabled it?)

Regards, Michael

more options

That bug has been marked a priority 1 now so someone should be looking at how to solve.

more options

Seçilen çözüm

FYI, the ability to set this pref via policy landed in the most recent Firefox and ESR.

more options

Thanks for your reply and your engagement. You can set this pref now via policy.

But the default behavior has not changed. You MUST set this preference in enterprise environments with a proxy server or Firefox ESR will not work properly as described in my first post.

more options

Unfortunately I don't control that. I've brought it up with the team that made this switch.

I would recommend opening a bug in bugzilla asking that the default be changed until Google changes it.