TLS1.3, XP and Firefox


FranceBB

It's summer 2018 and TLS 1.3 is just round the corner, as it seems websites are slowly beginning to adopt the new standard, yet our beloved XP still struggles to fully support TLS1.2 due to the lack of ECC, which will hopefully be added in the near future with a monthly update.

So far, we have been relying on Advanced Chrome to get Chrome 54 (and I spoof my Chrome like so "chrome.exe" --user-agent="Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.70 Safari/537.36"), but unfortunately it uses crypto.dll which doesn't support ECC (yet). So far, the solution was to simply open Firefox to visit the sites that required ECC, but now that TLS1.3 is gonna be deployed, we might be in trouble.

I tested my browser using https://www.ssllabs.com/ssltest/viewMyClient.html and it shows TLS1.2 on both Chrome and Firefox, however, I did remember that Firefox started introducing TLS1.3 as beta first and as silent update later, leaving it disabled for normal users, so I crossed my fingers and I tried to turn it on in my Firefox 52 ESR.

To do so, I changed the security.tls.version.max setting from "3" to "4" in about:config, then I closed it, opened it again and I did the TLS test again without luck.

It seems that TLS1.3 has been included in later versions of Firefox, which leads me to the question: what should we do now?

Edited by FranceBB


And yet, changing security.tls.version.max to 4, closing and reopening FF 52 esr does work... :yes:
I don't understand why it didn't work for you (notice that I'm spoofing the NT version as 6.1, however, if that makes any difference). :dubbio:

TLS1.3.GIF


@dencorso... that's weird. I'm gonna try again and I'm gonna reboot my pc this time. Perhaps it didn't update the settings for whatever reason, or perhaps it was just the cache.

Anyway, I contacted Microsoft and I have very good news:

Screenshot:

3CAwJiP.png

Full Chat:

Quote

Frank:
A year ago, you announced support for TLS 1.1 and TLS 1.2 in Windows
Embedded POSReady 2009, however it's mid-2018 now and TLS1.3 is just round
the corner and it will be the next standard for quite some time. It would be
really useful to add support for TLS1.3 as well and I think I'm not the only
customer that would like to see it supported. Are you already working on it? If
not, will you add support for TLS1.3 in the future? Will you at least consider
adding it? Thank you in advance.

Mary:
Thanks for contacting Microsoft support, my name is MaryRose I. Please allow
me a few moments while I review the information you provided.

Mary:
Hello there :)

Frank:
Hi :)

Mary:
I do understand that a lot of you are looking forward to that specific support,
however, Microsoft is still planning this kind of support that can help you on
different issues involved. :)
But technically, we are working on that one...

Mary:
However, we do not have specific dates on when but all I can say is that yes,
Microsoft is working on it. :)

Frank:
Perfect! That's great! Even just knowing that you are working on it is great
news!

Mary:
Please bear with us about this and thank you so much, we do appreciate it.

Mary:
But right now, since it does not have yet the support, this kind of issue will fall
under our pro support.

Mary:
Pro support team is open Pacific time 8:30 am to 5:30 pm, Monday to Friday:
CALL 18006427676 and select option for PRO SUPPORT :)

Mary:
But about your request and other loyal customers, we are currently working on it
:)

Frank:
Perfect. Thank you. I think that's about it. I'm gonna end the chat now. ;)

Mary:
Take care.

Edited by FranceBB

55 minutes ago, FranceBB said:

that's weird. I'm gonna try again and I'm gonna reboot my pc this time. Perhaps it didn't update the settings for whatever reason, or perhaps it was just the cache.

Try completely uninstalling Avast. Just disabling it probably doesn't help but uninstalling should do the trick. TLS 1.3 draft is perfectly working in FF 52.9.0 ESR for me too. :yes:


@FranceBB

Under Windows XP, which can not compete with modern encryption technologies, Avast can only control what Windows XP supports for HTTPS connections, meaning that every HTTPS web page is blocked where it is not verifiable. For this reason, you should deactivate the HTTPS scanning function in the Web Protection component of Avast!

:)

Edited by heinoganda

16 hours ago, FranceBB said:

@dencorso... that's weird. I'm gonna try again and I'm gonna reboot my pc this time. Perhaps it didn't update the settings for whatever reason, or perhaps it was just the cache.

Anyway, I contacted Microsoft and I have very good news:

Screenshot:

3CAwJiP.png

Full Chat:

I think you should ask about the oleaut32 issue at this moment as well :)


18 hours ago, Bersaglio said:

k. TLS 1.3 draft is perfectly working in FF 52.9.0 ESR for me too

I see...

I created a file with the Avast Support Tool and I'm gonna submit it to Avast to report that TLS1.3 is not working.

I'm also gonna report it in the beta forum.

 

@roytam1... I asked it months ago to the regular support and they submitted my enquiry to the specific technical team, but I wasn't able to speak directly with them 'cause I don't have Microsoft Premium Support nor Microsoft Pro Support, so they probably read my enquiry - which was basically filled with the information collected in this forum - but they never replied.


On 8/14/2018 at 12:20 PM, FranceBB said:

It seems that TLS1.3 has been included in later versions of Firefox, which leads me to the question: what should we do now? 

Use Basilisk 52/55:

 


  • 2 weeks later...
On 8/14/2018 at 5:10 PM, heinoganda said:

@FranceBB

Under Windows XP, which can not compete with modern encryption technologies, Avast can only control what Windows XP supports for HTTPS connections, meaning that every HTTPS web page is blocked where it is not verifiable. For this reason, you should deactivate the HTTPS scanning function in the Web Protection component of Avast!

:)

Filip Braun from the Avast Team is now working on it.


On 8/17/2018 at 1:05 AM, ED_Sln said:

Use Basilisk 52/55:

 

 

On 8/15/2018 at 7:21 PM, MaterSystem said:

You can use New Moon 28 instead

Both Firefox 52 ESR, New Moon, and Basilisk still use Draft version of TLS 1.3.

The RFC version of TLS 1.3 has just landed in NSS, time to test it.


2 hours ago, roytam1 said:

Both Firefox 52 ESR, New Moon, and Basilisk still use Draft version of TLS 1.3.

The RFC version of TLS 1.3 has just landed in NSS, time to test it.

made some test builds:

 


15 hours ago, roytam1 said:

 

Both Firefox 52 ESR, New Moon, and Basilisk still use Draft version of TLS 1.3.

The RFC version of TLS 1.3 has just landed in NSS, time to test it.

Yes.

Usually Draft 18.

______________________________________________

Also Chrome 68.x uses Draft 23 as default.

To enable Draft 28, the final version, you need to make the change below:

2KMEi.jpg

 

Edited by Sampei.Nihira
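
Added example, not part of any post in this thread: the draft numbers mentioned above (18, 23, 28) matter because a TLS 1.3 draft is advertised in the ClientHello `supported_versions` extension as the code point `0x7f00 | draft`, while the final RFC 8446 version is `0x0304`, so a draft-only client and an RFC-only server settle on TLS 1.2. The extension bodies and server preference lists below are constructed for illustration, not captured from the browsers discussed.

```python
import struct

# TLS version code points. TLS 1.3 drafts were advertised as 0x7f00 | draft number.
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2",
         0x0304: "TLS 1.3 (RFC 8446)"}

def is_grease(code):
    # GREASE placeholders (0x0a0a, 0x1a1a, ... 0xfafa) must be ignored by the peer.
    return (code >> 8) == (code & 0xFF) and (code & 0x0F) == 0x0A

def version_name(code):
    if code in NAMES:
        return NAMES[code]
    if is_grease(code):
        return "GREASE"
    if code >> 8 == 0x7F:
        return "TLS 1.3 draft %d" % (code & 0xFF)
    return "unknown 0x%04x" % code

def parse_supported_versions(body):
    """Decode a ClientHello supported_versions body: 1 length byte, then 2-byte codes."""
    if len(body) < 3 or body[0] != len(body) - 1 or body[0] % 2:
        raise ValueError("malformed supported_versions extension")
    return [code for (code,) in struct.iter_unpack("!H", body[1:])]

def negotiate(client_codes, server_codes):
    """Return the first server-preferred version the client also offered, or None."""
    offered = {c for c in client_codes if not is_grease(c)}
    return next((c for c in server_codes if c in offered), None)

# Constructed extension bodies (not captured traffic), following the thread's claims:
FF52_MAX4 = bytes.fromhex("087f12030303020301")        # draft 18 offered first
CHROME68 = bytes.fromhex("0a3a3a7f17030303020301")     # GREASE, then draft 23
RFC_SERVER = [0x0304, 0x0303]       # hypothetical server: final TLS 1.3, then 1.2
DRAFT18_SERVER = [0x7F12, 0x0303]   # hypothetical server still on draft 18

if __name__ == "__main__":
    for label, body in (("FF 52 ESR, max=4", FF52_MAX4), ("Chrome 68", CHROME68)):
        offered = parse_supported_versions(body)
        print(label, "offers", [version_name(c) for c in offered])
        for srv_label, srv in (("RFC server", RFC_SERVER),
                               ("draft-18 server", DRAFT18_SERVER)):
            print("   vs", srv_label, "->", version_name(negotiate(offered, srv)))
```
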