Talk about code development, features, specific bugs, enhancements, patches, and similar things.
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
-
darkarts
- Hobby Astronomer
- Posts: 17
- Joined: 2020-06-03, 14:21
- Location: UK
Unread post
by darkarts » 2023-11-28, 12:01
Hello all.
I've just been prompted to upgrade to v32.5.1 and the Release Notes include this:
Restricted protocol fallback for TLS. Pale Moon no longer (by default) allows TLS 1.3 to fall back to earlier protocol versions during the initial handshake.
Before upgrading, please could someone explain the detail here? Specifically, if a server does not offer TLSv1.3 will the new PM refuse to connect? And if that's the case, what is the approved way of changing this behaviour from the default?
Thanks very much.
-
Moonchild
- Pale Moon guru
- Posts: 35651
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Unread post
by Moonchild » 2023-11-28, 15:52
This only applies to protocol downgrades, not to the server not offering TLS 1.3 to begin with. if a server does not offer TLS 1.3, the TLS 1.2 will be negotiated right away, and nothing has changed in that respect.
Previously, Pale Moon would allow the protocol to be downgraded from TLS 1.3 to TLS 1.2 during initial handshake. Our recent upgrade of NSS already implemented a downgrade sentinel for that but unfortunately the resulting error message was not very transparent and we ran into specific middleware causing this to be triggered when there was a certificate error. The new configuration will present the user with the relevant cert error and no longer respond to the downgrade request by the middleware/server.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
darkarts
- Hobby Astronomer
- Posts: 17
- Joined: 2020-06-03, 14:21
- Location: UK
Unread post
by darkarts » 2023-11-28, 17:32
Thanks for this extra detail which all makes perfect sense. Hoped it would be along these lines.
I'll proceed with the PM upgrade now with confidence.
