Description of problem: Fedora 25 x86_64 build of Firefox 52 has broken TLSv1.3 support, security.tls.version.max = 4 has no effect. Version-Release number of selected component (if applicable): firefox-52.0-1.fc25.x86_64 Steps to Reproduce: 1. mv .mozilla .mozilla.OK (so Firefox starts with defaults and no plugins) 2. Set security.tls.version.max to 4 in about:config 3. Restart Firefox 52 4. Verify that security.tls.version.max is really 4 5. Open webpage with TLSv1.3 support (e,g, https://www.cloudflare.com/ or https://test.felsing.net) Actual results: Fedora 25 Firefox negotiates to TLSv1.2, only even if web site supports TLSv1.3. Original Mozilla Firefox binaries negotiates TLSv1.3. Expected results: Fedora 25 Firefox 52 should behave like Original Mozilla Firefox 52 and should negotiate to TLSv1.3 if security.tls.version.max is 4 and remote supports TLSv1.3. Additional info: build information of firefox-52.0-1.fc25.x86_64 about:buildconfig Build platform target x86_64-unknown-linux-gnu Build tools Compiler Version Compiler flags /usr/bin/gcc -std=gnu99 6.3.1 -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -O2 -g -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wformat-security -Wformat -Werror=format-security -fno-delete-null-pointer-checks -fPIC -Wl,-z,relro -Wl,-z,now -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe /usr/bin/g++ -std=gnu++11 6.3.1 -Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++14-compat -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -O2 -g -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wformat-security -Wformat -Werror=format-security -fno-delete-null-pointer-checks -fPIC -Wl,-z,relro -Wl,-z,now -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -freorder-blocks -Os -fomit-frame-pointer Configure options --enable-application=browser --disable-tests --enable-rust --enable-system-ffi --enable-default-toolkit=cairo-gtk3 --with-mozilla-api-keyfile=../mozilla-api-key MAKE=make --enable-system-hunspell --enable-gio --enable-necko-wifi --enable-official-branding --enable-optimize --enable-pie --enable-pulseaudio --enable-release --enable-startup-notification --disable-strip --disable-system-cairo --disable-system-sqlite --disable-updater --enable-url-classifier --libdir=/usr/lib64 --prefix=/usr --with-pthreads --with-system-bz2 --without-system-icu --with-system-jpeg --with-system-libvpx --with-system-nspr --with-system-nss --with-system-zlib
Kai, could you please look at it? Thanks!
NSS in Fedora has TLS 1.3 intentionally disabled. Because some application other than Firefox have experienced issues with TLS 1.3 enabled, we're waiting for compatibility fixes, prior to enabling it.
See also: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/44O6EYI3GW7HSUU6YXLKIYGXZ5REM2KW/
Tested with https://www.ssllabs.com/ssltest/viewMyClient.html, this issue is now gone, at least on Fedora 26. Please close the bug report.