You can follow the bug here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1690594

If all goes well, it will ship in Firefox 86 and Firefox 78.8, which release on
2021-02-23.

You will set it with the Preferences policy.

Your scenario sounds like a good idea. We're discussing internally whether
we should be resetting that pref every so often....

Mike

On Thu, Feb 4, 2021 at 12:57 PM <[email protected]> wrote:

> Hello Mike,
>
> Thanks a lot for your reply and confirmation you’ll take care of this in
> the GPO ADMX.
>
> It will make it a lot easier for us down here.
>
> Can I ask you when you plan to release this update?
>
> Let me just try to explain to you what our objective is:
>
> Today’s setup on our side is
>
> Thanks to GPO
>
> - TLSmin 1.0
> - TLSmax 1.3
>
> => Users: are happy because no popup, no warning, no blocking when they
> access sites in TLS 1.0/1.1
>
> => IT Teams: are worried because
>
> 1) We are not happy with the level of security offered to ALL users (no
> matter if they use or not old TLS versions). I mean for a few old sites we
> have to let all TLS versions alive
>
> 2) With such a configuration we can’t inventory precisely who accesses
> sites with such old TLS versions and therefore we can’t have any proactive
> action on this situation
>
> 3) We know that sooner or later, but quite soon, you guys at Mozilla will
> no longer support TLS 1.0/1.1. What will happen at that time if we have not
> taken this usages ….
>
>
>
> Solutions we have been thinking of are
>
> 1) We force right now TLSmin at 1.2
>
>    a. Good for security
>
>    b. Bad for users who will lose connectivity to TLS 1.0/1.1 sites and
>       could be also the case for sites on the internet which are not TLS 1.2
>       compatible
>
> 2) We remove TLSmin 1.0 and TLSmax 1.3
>
>    a. Good and bad for security
>
>       i. We go back to the native behaviour (=TLS1.0/1.1 inactivated by
>          default)
>
>       ii. Only a user in the old TLS versions use cases will get a warning
>           popup and, thanks to the button provided, he will be able to
>           override the warning. This action will set tls-deprecated to TRUE
>
>       iii. Problem is that this will set tls-deprecated to TRUE for ALL
>            sites and so by doing this once the user will PERMANENTLY
>            decrease the security of his FF ESR
>
>       iv. As soon as it has been applied (first occurrence) then the other
>           TLS1.0/1.1 connections to other sites will be unknown. This is
>           not at all what we want
>
> 3) If we can FORCE tls-deprecated = FALSE with a GPO setting (our
> request) and we remove TLSmin 1.0 and TLSmax 1.3 with the GPO then
>
>    a. We have the same advantages as in 2) plus
>
>       i. The downgrade of the security level is this time TEMPORARY and it
>          only happens if the user is in the use cases TLS 1.0/1.1
>
>       ii. The fact that the warning popup appears for those in the use
>           cases will improve the reporting on them
>
>       iii. We send a clear message to old TLS site admins and at the same
>            time we offer them the possibility to react before you guys no
>            longer support old TLS versions
>
>       iv. We propose a solution to help admins and not block users
>
>       v. The drawback of this solution 3) is that we push back the
>          deadline we gave site admins.
>
> I hope this helps you Mickael and you all understand our strategy and why
> we would really appreciate this change on your side.
>
> The alternative for us would be to manage it at the .CFG level but then we
> have to push back this file to all users ….
>
> Thanks again Mike
>
>
>
>
>
> Bien Cordialement / Best Regards
>
>
>
> *Pascal Wulleput *
> Orange Technology and Global Innovation – TGI
>
> Orange Labs Services – OLS
>
> Digital Infrastructure & End-to-end Secure Environments – DIESE
>
> Digital Workspace Services – DWS
>
> e-buro, Services & Maintenances – ESM
>
>
>
>
>
>
>
>
> *From:* Enterprise [mailto:[email protected]] *On behalf of*
> Mike Kaply
> *Sent:* Wednesday, 3 February 2021 16:56
> *To:* TARLO Marius OBS/OCB <[email protected]>
> *Cc:* CHAPOT Frederic DTSI/DSI <[email protected]>;
> [email protected]; CHEMINEL Mickael DTSI/DISU <
> [email protected]>
> *Subject:* Re: [Mozilla Enterprise] Is it possible to put
> security.tls.version.enable-deprecated in the Firefox ESR ADMX template in
> a near future?
>
>
>
> After discussion, I'll add this one to policy.
>
>
>
> Mike
>
>
>
> On Mon, Feb 1, 2021 at 11:08 AM Mike Kaply <[email protected]> wrote:
>
> I'm curious as to why you want this?
>
>
>
> It's not the user's fault that they are running into TLS 1.0/1.1 sites.
> Where are these TLS 1.0/1.1 sites coming from? Are they internal sites that
> need to be upgraded?
>
> What you're proposing will train your users to click "bypass" on security
> pages like that, which I don't think you want to do.
>
>
>
> Mike Kaply
>
>
>
> On Mon, Feb 1, 2021 at 5:06 AM <[email protected]> wrote:
>
> Hello,
>
>
>
> We currently have TLS enabled from 1.0 to 1.3 (SSLversionmin to 1 and
> SSLversionmax to 1.3) and we would like to set up the following
> configuration:
>
> - Remove the 2 parameters SSLversionmin and SSLversionmax
>
> - When the user browses a TLS 1.0 or TLS 1.1 site, it shows a
>   “SSL_ERROR_UNSUPPORTED_VERSION” error, with a button “Enable TLS 1.0 and
>   1.1”: we would like to have this error message appearing every time the
>   user launches Firefox (we don’t want the user to click it once and have
>   forever *security.tls.version.enable-deprecated* set to true, but we want
>   the user having to click it every time)
>
>
>
> It would be easy to set this up by setting
> *security.tls.version.enable-deprecated* to *false* in the GPO (then it’s
> set to *false* when the user launches Firefox, and if he clicks the
> button, it’s set to *true* temporarily during his session but the next
> time he launches it would be reset to false again)
>
>
>
> But unfortunately for us, it’s not in the Preferences part of the ADMX (
> https://github.com/mozilla/policy-templates/blob/v2.7/README.md#preferences
> )
>
>
>
> Would it be possible to have it added in the ADMX in a near future?
>
>
>
> Thank you very much for your answer!
>
>
>
> Cordialement / Best regards,
>
>
> *Marius TARLO*
> Maintenance e-buro
>
>
>
> _________________________________________________________________________________________________________________________
>
>
>
>
> This message and its attachments may contain confidential or privileged 
> information that may be protected by law;
>
> they should not be distributed, used or copied without authorisation.
>
> If you have received this email in error, please notify the sender and delete 
> this message and its attachments.
>
> As emails may be altered, Orange is not liable for messages that have been 
> modified, changed or falsified.
>
> Thank you.
>
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
[email protected] with a subject of "unsubscribe"
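
As an added example (not part of the thread and not Mozilla's code): a small Python classifier that maps a Firefox `policies.json` document onto the setups compared in the quoted message. It assumes the `policies.json` equivalents of the GPO settings (`SSLVersionMin`, and a `Preferences` entry carrying a `Value` field); the function name, the labels and the sample documents are constructed for illustration.

```python
import json

PREF = "security.tls.version.enable-deprecated"
TLS_VALUES = ["tls1", "tls1.1", "tls1.2", "tls1.3"]  # values accepted by SSLVersionMin


def classify(policies_json):
    """Return which setup from the thread a policies.json document matches."""
    policies = json.loads(policies_json).get("policies", {})
    vmin = policies.get("SSLVersionMin")
    if vmin is not None and vmin not in TLS_VALUES:
        raise ValueError(f"unknown SSLVersionMin: {vmin!r}")

    # Only the Value field is inspected; the thread does not say which
    # Status the administrators will use, so none is assumed here.
    entry = policies.get("Preferences", {}).get(PREF)
    forced = entry.get("Value") if isinstance(entry, dict) else None

    if vmin in ("tls1", "tls1.1"):
        return "current"    # old TLS on for every user, no warning, no inventory
    if vmin is not None:
        return "option1"    # minimum forced to 1.2 or higher, old sites unreachable
    if forced is True:
        return "forced-on"  # the policy itself enables deprecated TLS
    if forced is False:
        return "option3"    # browser default, pref managed back to false
    return "option2"        # browser default, override left entirely to the user


# Constructed sample documents, one per setup discussed in the thread.
SAMPLES = {
    "current": '{"policies": {"SSLVersionMin": "tls1", "SSLVersionMax": "tls1.3"}}',
    "option1": '{"policies": {"SSLVersionMin": "tls1.2"}}',
    "option2": '{"policies": {}}',
    "option3": '{"policies": {"Preferences": {"%s": {"Value": false}}}}' % PREF,
}

if __name__ == "__main__":
    for expected, doc in SAMPLES.items():
        print(expected, "->", classify(doc))
```
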
