2013-12-25

Firefox TLS 1.2 Support

Since release 24, Firefox supports Transport Layer Security (TLS) 1.2. However, with the default settings Firefox does not yet enable TLS 1.2 and uses only the older Secure Sockets Layer (SSL) 3.0 and TLS 1.0 standards. The SSL 3.0 and TLS 1.0 standards are vulnerable to the so-called BEAST attacks.

You can change that behaviour by changing the following settings in the about:config page of Firefox:

security.tls.version.min 0
security.tls.version.max 3

The numbers are codes for the different SSL/TLS versions:

0 - SSL 3.0
1 - TLS 1.0
2 - TLS 1.1
3 - TLS 1.2

Even though the older SSL 3.0 and TLS 1.0 standards are vulnerable, it is usually not useful to disable them, as a lot of web servers do not yet support the newer TLS 1.1 or TLS 1.2 standards. It would no longer be possible to connect to such sites if security.tls.version.min were set to 2 or 3.

2013-09-18

Global Firefox Settings on Linux

Today, I got a request to enforce various Firefox settings globally for all users on several Linux hosts.

All you have to do is create two files in your Firefox installation directory (usually /usr/lib/firefox):

File: $FIREFOX_INSTALL_DIR/defaults/pref/000-local-config

// The file must start with a comment line
pref("general.config.filename", "local-config.js");
pref("general.config.obscure_value", 0);

File: $FIREFOX_INSTALL_DIR/local-config.js

// The file must start with a comment line

// Enforce the use of a Web Proxy Autodiscovery file
lockPref("network.proxy.autoconfig_url", "http://wpad.somedomain.com/wpad.dat");
lockPref("network.proxy.type", 2);

// Disable Firefox Save Per Site Download Feature
pref("browser.download.lastDir.savePerSite", false);

// Disable Firefox Displaying History in New Tabs
pref("browser.newtabpage.enabled", false);
pref("browser.newtabpage.url", "about:blank");

Settings made with the lockPref() function cannot be changed by the users (they are greyed out). A setting made with the pref() function applies unless the user overrides it.

This procedure has been tested with Firefox 23.
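As an added example (not part of the original post and not Mozilla's code), the following Python script audits a local-config.js before it is rolled out: it checks the leading comment line, separates locked from user-overridable settings, and decodes the security.tls.version.min/max codes from the TLS 1.2 post above. The function names and the sample file content are assumptions made for this illustration.

```python
import re

# Codes for security.tls.version.min/max as listed in the TLS 1.2 post above.
TLS_CODES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
# One pref("name", value); or lockPref("name", value); call per line.
CALL = re.compile(r'^\s*(pref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    """Convert a JavaScript string, boolean or integer literal to Python."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)  # raises ValueError for anything else

def parse_config(text):
    """Return ({pref name: (value, locked)}, [findings])."""
    lines, prefs, findings = text.splitlines(), {}, []
    if not lines or not lines[0].lstrip().startswith("//"):
        findings.append("first line is not a comment")
    for number, line in enumerate(lines, start=1):
        if not line.strip() or line.strip().startswith("//"):
            continue
        match = CALL.match(line)
        if match is None:
            findings.append(f"line {number}: unrecognised statement")
            continue
        func, name, raw = match.groups()
        try:
            prefs[name] = (parse_value(raw), func == "lockPref")
        except ValueError:
            findings.append(f"line {number}: unsupported value {raw}")
    return prefs, findings

def overridable(prefs):
    """Names set with pref(), which a user can still change."""
    return sorted(name for name, (_, locked) in prefs.items() if not locked)

def tls_range(prefs):
    """Protocol versions enabled by the min/max prefs, or None if unset."""
    if not {"security.tls.version.min", "security.tls.version.max"} <= prefs.keys():
        return None
    low, high = (prefs["security.tls.version." + k][0] for k in ("min", "max"))
    return [TLS_CODES[c] for c in range(low, high + 1) if c in TLS_CODES]

# Constructed sample input, modelled on the local-config.js shown above.
SAMPLE = """// The file must start with a comment line
lockPref("network.proxy.type", 2);
lockPref("security.tls.version.min", 0);
lockPref("security.tls.version.max", 3);
pref("browser.newtabpage.enabled", false);
"""

if __name__ == "__main__":
    parsed, problems = parse_config(SAMPLE)
    print(problems, overridable(parsed), tls_range(parsed))
```
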

2013-08-20

Trouble with Android and OpenBSD Access Points

This year started with trouble as I discovered that my Android tablet permanently lost the connection to my OpenBSD 5.2 access point (athn(4)). The connection was unusable and I was frustrated that it did not work with my new gadget. I tried to find a solution and spent a lot of time studying all kinds of online forums, however without success. So I decided to use a Linux-based off-the-shelf access point instead, and my OpenBSD box went to my storage room.

Last week I gave OpenBSD a second chance. And after a few minutes searching the Internet I found a post about the Android issue. It seems that OpenBSD 5.2 did not support the energy saving features used by many mobile devices. However, they improved OpenBSD in the meantime and the update to 5.3 solved the issue.

Unfortunately, one point is still open. The connection hangs when Android awakes from sleep and the Wi-Fi sleep policy (keep Wi-Fi on during sleep) is set to "always".
Set it to "never". With that setting Android turns Wi-Fi off when it goes to sleep and automatically reconnects to the access point after wake-up. This way my Android tablet works fine with OpenBSD 5.3.
