
Firefox soon to be less tolerant of TLS intolerance; SSL Labs test should fail with TLS 1.0-1.2 intolerance

Question asked by Dave Garrett on Feb 10, 2015
Latest reply on Feb 10, 2015 by Adm Selec

I previously stated that TLS 1.3 intolerance should be noted more seriously:

TLS 1.3 version intolerant servers should get lower grades


However, the issue of TLS 1.0-1.2 intolerance is now becoming a bigger deal and needs to have its warning upgraded. At a bare minimum, all TLS intolerance below 2.0 should auto-fail the protocol support section, seeing as it is explicitly an implementation error and not proper support of the protocol. TLS version intolerance for current and past versions should be upgraded from just a minor warning to at most a 'C', and probably a complete fail in the very near future (depending on whitelist status).


Current Firefox Aurora 37 no longer does insecure TLS version fallbacks by default, unless the domain is in its whitelist. It will be shipping with a decent-sized list, but it will probably only be permitted to shrink after that point. Sites not on that list will fail to connect if they have broken TLS implementations that can't properly handle TLS version negotiation. Hopefully, more browsers will start to crack down on this as well.


From Firefox 37 on, the reference browser handshake simulation will generally need to assume that TLS 1.0-1.2 intolerance will cause a connection attempt failure (unless whitelisted, of course). Seeing as it is a security issue that is critical to interoperability, it should be listed loudly up top with a big red 'F'.


The initial whitelist is in here:

https://hg.mozilla.org/releases/mozilla-aurora/rev/1e9694bbffaa


I've got a meta-bug to track major sites' issues here:

1126620 – (TLS-Intolerance) [META] TLS 1.1/1.2 version intolerant sites

(I expect it to grow quite a bit about 3 seconds after 37 hits release)


I started using the Qualys SSL Test to easily identify reported server connectivity issues, and others are linking to and pasting parts of scans on Bugzilla as well. It's proving to be the best way to deal with broken sites in order to improve the state of dealing with them. It would make dealing with users reporting sites a bit easier if critical issues we find are always actually reflected in the simple grade up top.
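The behaviour the post describes, as an added example that is not part of the original post and not Mozilla's or Qualys's code: a small in-process model of TLS version negotiation. The ClientHello/ServerHello bytes follow the real TLS 1.x wire format, but the "servers" are Python functions (assumptions: the tolerant server follows RFC 5246 Appendix E.1 and answers with the highest version it shares; the intolerant server answers a too-new ClientHello with a fatal handshake_failure alert, standing in for the dropped or reset connections seen in practice; the client's version list models pre-37 fallback versus the Firefox 37 default, with the whitelist simply re-enabling fallback for a site). A `downgrade_attacker` wrapper shows why fallback is called insecure: it lets an on-path attacker push two TLS 1.2 capable peers down to an older version.

```python
"""Constructed model of TLS version negotiation, version intolerance and
client fallback. Records are real TLS 1.x wire format; peers are in-process."""
import os
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
SUITE = 0x002F                 # TLS_RSA_WITH_AES_128_CBC_SHA: known to all of 1.0-1.2
HANDSHAKE, ALERT = 0x16, 0x15  # record content types
# Fatal (2) handshake_failure (40) alert; here it stands in for a dropped connection.
ALERT_HANDSHAKE_FAILURE = bytes([ALERT]) + struct.pack("!HH", TLS10, 2) + b"\x02\x28"


def _record(handshake_type, body):
    """Handshake header (type + 24-bit length) inside a record header.
    The record-layer version is a legacy field; real clients put 0x0301 there."""
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", TLS10, len(hs)) + hs


def build_client_hello(client_version):
    body = struct.pack("!H", client_version) + os.urandom(32)  # client_version, random
    body += b"\x00"                                            # empty session id
    body += struct.pack("!HH", 2, SUITE)                       # cipher_suites (len, suite)
    body += b"\x01\x00"                                        # compression: null only
    return _record(0x01, body)                                 # 1 = ClientHello


def build_server_hello(version):
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"
    body += struct.pack("!H", SUITE) + b"\x00"                 # chosen suite, null compression
    return _record(0x02, body)                                 # 2 = ServerHello


def hello_version(record):
    """Handshake-layer version field: 5-byte record header + 4-byte handshake header."""
    return struct.unpack("!H", record[9:11])[0]


def tolerant_server(hello, max_version=TLS11):
    """Conformant negotiation (RFC 5246 E.1): a ClientHello newer than the server's
    maximum is answered with the highest version the server supports."""
    return build_server_hello(min(hello_version(hello), max_version))


def intolerant_server(hello, max_version=TLS11):
    """The bug under discussion: a version the server does not know is rejected
    outright instead of being negotiated down. (Modelled as an alert.)"""
    if hello_version(hello) > max_version:
        return ALERT_HANDSHAKE_FAILURE
    return build_server_hello(hello_version(hello))


def downgrade_attacker(server):
    """On-path attacker who kills every TLS 1.2 ClientHello and waits for the
    client to retry with an older version of its own accord."""
    def tampered(hello):
        return ALERT_HANDSHAKE_FAILURE if hello_version(hello) == TLS12 else server(hello)
    return tampered


def handshake(server, client_version):
    """One ClientHello at client_version: negotiated version, or None on failure."""
    reply = server(build_client_hello(client_version))
    return hello_version(reply) if reply[0] == HANDSHAKE else None


def connect(server, fallback_allowed):
    """Client side. fallback_allowed=True is the old behaviour (and what the
    Firefox 37 whitelist re-enables per site): retry with ever older versions.
    False is the Firefox 37 default: a single attempt at the newest version."""
    versions = [TLS12, TLS11, TLS10] if fallback_allowed else [TLS12]
    for v in versions:
        negotiated = handshake(server, v)
        if negotiated is not None:
            return negotiated
    return None


def probe_intolerance(server, versions=(TLS10, TLS11, TLS12)):
    """Scanner-style check: versions whose ClientHello the server refuses even
    though negotiating something <= that version would have been legitimate."""
    return [v for v in versions if handshake(server, v) is None]


if __name__ == "__main__":
    names = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", None: "FAIL"}
    modern = lambda h: tolerant_server(h, TLS12)   # TLS 1.2 capable, conformant
    for label, srv in [("tolerant, 1.1 max", tolerant_server),
                       ("intolerant, 1.1 max", intolerant_server),
                       ("1.2 server + attacker", downgrade_attacker(modern))]:
        print(f"{label:22} fallback={names[connect(srv, True)]:8}"
              f" no-fallback={names[connect(srv, False)]:8}"
              f" intolerant of={[names[v] for v in probe_intolerance(srv)]}")
```

Two things the model makes visible. First, a server whose maximum is TLS 1.1 is not the problem: the tolerant one negotiates 1.1 from a 1.2 ClientHello without any fallback, while the intolerant one only works if the client is willing to retry, which is exactly what Firefox 37 stops doing off the whitelist. Second, `probe_intolerance` cannot tell an intolerant server from a TLS 1.2 server behind a downgrade attacker on the wire; the only way the client can refuse to be downgraded is to refuse to fall back, which is why fallback and intolerance have to be treated as one issue.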
