This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How to disable SSL and the older TLS in Firefox?

  • 6 àwọn èsì
  • 3 ní àwọn ìṣòro yìí
  • Èsì tí ó kẹ́hìn lọ́wọ́ James

more options

Hi!

First of all, mods, if I chose the wrong category and this had to go in "customize settings and preferences" feel free to move it :)

So, for several reasons I decided to completely disable SSL and the old TLS 1.0 and 1.1. I still didn't decide if TLS 1.2 is still important or it's enough with 1.3 so for now I am leaving them both. I did this system wide, with PowerShell, following the instructions in THIS THIS article.

But then there's Firefox. I don't know if Firefox can establish SSL (or old TLS) connections despite the system "ban". But I came across THIS THIS article about how to enable TLS 1.3 in Firefox and when I went in about:config and I typed "security" I saw that there are a lot of voices with SSL and a lot more about TLS than just the security.tls.version.max mentioned in that article, so I am here to ask you what to do to be 1000% sure that all SSL and older TLS are completely disabled in Firefox, and that only TLS 1.3 is enabled.

If you have reasons to believe that disabling TLS 1.2 is not a good idea, let me know, but in THIS THIS article I've read that 1.3 is much better and it's anyway backwards compatible with 1.2 in case some server only supports 1.2, so I decided to leave only 1.3.

Thanks!

Hi! First of all, mods, if I chose the wrong category and this had to go in "customize settings and preferences" feel free to move it :) So, for several reasons I decided to completely disable SSL and the old TLS 1.0 and 1.1. I still didn't decide if TLS 1.2 is still important or it's enough with 1.3 so for now I am leaving them both. I did this system wide, with PowerShell, following the instructions in [https://techpress.net/disable-tls-1-0-tls-1-1-using-powershell-on-windows-10-11/ THIS] THIS article. But then there's Firefox. I don't know if Firefox can establish SSL (or old TLS) connections despite the system "ban". But I came across [https://www.thewindowsclub.com/how-to-enable-or-disable-tls-1-3-in-windows-10/ THIS] THIS article about how to enable TLS 1.3 in Firefox and when I went in about:config and I typed "security" I saw that there are a lot of voices with SSL and a lot more about TLS than just the security.tls.version.max mentioned in that article, so I am here to ask you what to do to be 1000% sure that all SSL and older TLS are completely disabled in Firefox, and that only TLS 1.3 is enabled. If you have reasons to believe that disabling TLS 1.2 is not a good idea, let me know, but in [https://www.ssldragon.com/blog/tls-1-2-vs-1-3/ THIS] THIS article I've read that 1.3 is much better and it's anyway backwards compatible with 1.2 in case some server only supports 1.2, so I decided to leave only 1.3. Thanks!

All Replies (6)

more options

I'm not sure we're using older protocols. See https://browserleaks.com/tls to confirm.

Helpful?

more options

TyDraniu said

I'm not sure we're using older protocols. See https://browserleaks.com/tls to confirm.

Thanks, I had forgotten about that website, so useful. It doesn't show anything at all about SSL, so I suppose it's not active? It only shows TSL and it says that 1.2 and 1.3 are enabled, while the older ones aren't. Now, does this mean that Firefox can bypass the system wide settings? I mean, I have 1.2 disabled system wide... Anyway where it says "handshake" it says 1.3, so I guess this means that although 1.2 is enabled the active one is 1.3?

An off topic question which I don't think it's worth opening a new thread for, I had a look at the other things that browserleaks offer and in the canvas test it says 100% unique in their database. Is this how it is supposed to be to avoid fingerprinting? Is uniqueness not a bad thing for fingerprinting, which helps them identify you? And if so, how is this happening when I have the Enhanced Tracking Protection in FF in Custom with all cross sites cookies disabled and the tracking and fingerprinting option in "in all windows", and CanvasBlocker on top of that (although in the Stealth preset, which maybe doesn't block all fingerprinting in exchange for making it more difficult to spot that you are using anti-fingerprint, but still, it should not suck so much to make me 100% unique).

Thanks

Ti ṣàtúnṣe nípa AlternativeTotal2211

Helpful?

more options

Just to know, are comments in this place held for review before they are posted? Because my reply to you disappeared after I sent it. So, this comment is also a test, if I see it posted immediately that's already an answer, although I still wouldn't know why the previous one wasn't posted. Hmm...

Helpful?

more options

Ah, ok, so, this was posted, so I have no idea what happened to the previous one.

Ok, then, again:

thanks for the reply, I had forgotten about that website, super helpful.

So, supposedly it should show info about SSL and TSL but it wasn't saying anything about SSL. Does that mean that it's not even present or what?

About TLS it was saying that 1.2 and 1.3 are enabled, 1.0 and 1.1 are not. Now the question would be, does this mean that Firefox "bypass" the system wide settings? I mean, I have TLS 1.2 completely disabled system wide... Anyway, where it says "handshake" it shows 1.3. Am I correct to assume that this means that the active protocol is 1.3 and that 1.2 will only be used when a website can't do otherwise? Which bring to the next question: what happened to "1.3 is backwards compatible with 1.2"?

Oki, thanks :)

Helpful?

more options

Firefox uses prefs in about:config to set maximum and the minimum TLS version (3:TLS 1.2; 4:TLS 1.3).

  • security.tls.version.max (4)
  • security.tls.version.min (3)

Note that Firefox comes with security.tls.version.enable-deprecated to enable TLS 1.0 and 1.1.

Helpful?

more options

The TLS 1.1, 1.0 has been disabled by default since Firefox 78.0 and the option to enable TLS 1.0 and 1.1 was removed from the error page in Firefox 97.

https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/ https://www.mozilla.org/firefox/78.0/releasenotes/

We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.

AlternativeTotal2211 said

Just to know, are comments in this place held for review before they are posted? Because my reply to you disappeared after I sent it. So, this comment is also a test, if I see it posted immediately that's already an answer, although I still wouldn't know why the previous one wasn't posted. Hmm

For non trusted contributors if you have a link in your reply that is not of a short whitelisted list of sites then it will likely get hidden as spam and needing approval. We have to do this as spammers do post spam links in their replies, often hidden with a period or comma so they may get missed if not for the auto-flag. Also just so you know, try not to use three of more periods like ... as it may trigger the auto flag of reply as spam.

Helpful?

Béèrè ìbéèrè

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.