security.tls.version.min/max

Hi,
In securing IceDragon from Poodle, Beast, and other SSL vulnerabilities, I first went to https://www.ssllabs.com/ssltest/viewMyClient.html, which told me I only had TLS 1.0 and SSL v3 enabled. I went into about:config, and I see the defaults are security.tls.version.min = 0 and max = 1.

I changed them to min = 1 and max = 3, and that URL now tells me I have only TLS 1.0, 1.1, and 1.2 enabled, which is good (we should all be disabling SSL2 and SSL3 in any browsers).

My question is why the default max is 1, with TLS 1.1 and 1.2 disabled? Are the disabled protocols actually supported by IceDragon?

Can you please set the default min to 1 in the next version, to follow Firefox’s lead (see "The POODLE Attack and the End of SSL 3.0", Mozilla Security Blog)? Then you don’t have to get IceDragon up to FF v34 but you still close the SSL v3 vulnerabilities.

Hi lpthomas and welcome. :)

Being based upon Firefox 26, IceDragon has the support and configuration Firefox 26 had.

The protocols TLS 1.1 and 1.2 are supported, but it was not entirely without reason they were not enabled by default in Firefox until version 27. See Bug 733647.

Also note that Firefox 26 did not support the ciphersuite AES-GCM, which is the biggest advantage with TLS 1.2.
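An added example, not part of the original posts and not IceDragon or Firefox code: a small audit of a profile's prefs.js or user.js text for the two preferences discussed in this thread, reporting which protocol versions the range enables and whether SSL 3.0 is still allowed. The value-to-protocol mapping and the defaults are taken from what the thread reports; the function names and sample inputs are constructed for illustration.

```python
import re

# Value -> protocol mapping, as implied by the thread's SSL Labs results
# (0..1 showed SSL 3.0 + TLS 1.0; 1..3 showed TLS 1.0, 1.1 and 1.2).
PROTOCOLS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
# Defaults the thread reports for IceDragon; prefs.js omits unchanged prefs.
DEFAULTS = {"min": 0, "max": 1}

# Matches only active user_pref lines; commented-out lines do not match.
PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"security\.tls\.version\.(min|max)"\s*,\s*(\d+)\s*\)\s*;',
    re.MULTILINE,
)

def tls_range(prefs_text):
    """Return (min, max); the last assignment of each pref wins."""
    values = dict(DEFAULTS)
    for name, value in PREF_RE.findall(prefs_text):
        values[name] = int(value)
    return values["min"], values["max"]

def audit(prefs_text):
    """Return (enabled protocol names, list of findings)."""
    lo, hi = tls_range(prefs_text)
    enabled = [PROTOCOLS.get(v, f"unknown ({v})") for v in range(lo, hi + 1)]
    findings = []
    if lo > hi:
        findings.append("min exceeds max: inconsistent version range")
    if "SSL 3.0" in enabled:
        findings.append("SSL 3.0 enabled (POODLE): set security.tls.version.min to 1")
    return enabled, findings

# Constructed sample inputs, not taken from a real profile.
SAMPLE_UNCHANGED = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_HARDENED = (
    '// user_pref("security.tls.version.min", 0);\n'
    'user_pref("security.tls.version.min", 1);\n'
    'user_pref("security.tls.version.max", 3);\n'
)

if __name__ == "__main__":
    for label, text in (("unchanged", SAMPLE_UNCHANGED), ("hardened", SAMPLE_HARDENED)):
        enabled, findings = audit(text)
        print(label, enabled, findings or "no findings")
```
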