firefox: with TLS 1.3 disabled in the config settings, firefox still connects to websites with TLS 1.3

ryan Sun, 27 Feb 2022 12:12:14 -0800

Package: firefox-esr
Version: 91.6.0esr-1~deb10u1
Severity: normal

Dear Maintainer,



In Firefox, suppose I go to about:config and set 

security.tls.version.max = 3

which disables TLS 1.3 and leaves TLS 1.2 as the highest security setting.  If 
I check the browser at ssllabs.com, it confirms TLS 1.2 is the highest 
available protocol and lists the appropriate cipher suites.  Yet, a number of 
websites (e.g. Google, Facebook, Youtube) connect with TLS 1.3 and a new cipher 
suite; at least, that is what I learn when I click on the lockbox in the 
address bar.  What is going on?

I have toggled 

security.tls.version.fallback-limit

between 3 and 4, but it does not seem to make any difference.  Also, how does a 
person choose the cipher suites for TLS 1.3?  They do not seem to be listed 
under 

security.ssl3

in the about:config settings.


-- Package-specific info:

-- Extensions information
Name: Amazon.com
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: Bing
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: Dark theme
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: user-disabled

Name: DoH Roll-Out
Location: /usr/lib/firefox-esr/browser/features/doh-roll...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: DuckDuckGo
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: eBay
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: Firefox Alpenglow theme
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: user-disabled

Name: Firefox Screenshots
Location: /usr/lib/firefox-esr/browser/features/screensh...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: Form Autofill
Location: /usr/lib/firefox-esr/browser/features/formautof...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: Google
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: HTTPS Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywhere-...@eff.org.xpi
Status: user-disabled

Name: Light theme
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: user-disabled

Name: Picture-In-Picture
Location: /usr/lib/firefox-esr/browser/features/pictureinpict...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: Proxy Failover
Location: 
/home/ryan/.mozilla/firefox/dmo9765r.default-esr/features/{1fced3c4-2a9d-408a-a698-e1f3a6bb7717}/proxy-failo...@mozilla.com.xpi
Status: enabled

Name: System theme theme
Location: /usr/lib/firefox-esr/omni.ja
Package: firefox-esr
Status: enabled

Name: Web Compatibility Interventions
Location: /usr/lib/firefox-esr/browser/features/webcom...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: WebCompat Reporter
Location: 
/usr/lib/firefox-esr/browser/features/webcompat-repor...@mozilla.org.xpi
Package: firefox-esr
Status: user-disabled

Name: Wikipedia (en)
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled


-- Addons package information
ii  firefox-esr    91.6.0esr-1~deb10u1 amd64        Mozilla Firefox web browser 
- Extended Support Release (ESR)

-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox-esr depends on:
ii  debianutils         4.8.6.1
ii  fontconfig          2.13.1-2
ii  libatk1.0-0         2.30.0-2
ii  libc6               2.28-10
ii  libcairo-gobject2   1.16.0-4+deb10u1
ii  libcairo2           1.16.0-4+deb10u1
ii  libdbus-1-3         1.12.20-0+deb10u1
ii  libdbus-glib-1-2    0.110-4
ii  libevent-2.1-6      2.1.8-stable-4
ii  libffi6             3.2.1-9
ii  libfontconfig1      2.13.1-2
ii  libfreetype6        2.9.1-3+deb10u2
ii  libgcc1             1:8.3.0-6
ii  libgdk-pixbuf2.0-0  2.38.1+dfsg-1
ii  libglib2.0-0        2.58.3-2+deb10u3
ii  libgtk-3-0          3.24.5-1
ii  libpango-1.0-0      1.42.4-8~deb10u1
ii  libstdc++6          8.3.0-6
ii  libx11-6            2:1.6.7-1+deb10u2
ii  libx11-xcb1         2:1.6.7-1+deb10u2
ii  libxcb-shm0         1.13.1-2
ii  libxcb1             1.13.1-2
ii  libxcomposite1      1:0.4.4-2
ii  libxdamage1         1:1.1.4-3+b3
ii  libxext6            2:1.3.3-1+b2
ii  libxfixes3          1:5.0.3-1
ii  libxrender1         1:0.9.10-1
ii  procps              2:3.3.15-2
ii  zlib1g              1:1.2.11.dfsg-1

Versions of packages firefox-esr recommends:
ii  libavcodec58  7:4.1.8-0+deb10u1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-6
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-7
ii  libgssapi-krb5-2       1.17-3+deb10u3
ii  pulseaudio             12.2-4+deb10u1

-- no debconf information

Bug#1006558: /usr/bin/firefox: with TLS 1.3 disabled in the config settings, firefox still connects to websites with TLS 1.3

Reply via email to