Enabling support for TLS 1.3 in NSS (not yet by default)

TL;DR: If you are packaging software that uses NSS, please test if it works correctly, if TLS 1.3 support is enabled. COPR packages are available. Although still in draft status, the development of the new TLS 1.3 protocol version is making progress. The upstream Mozilla NSS library already supports it, and has enabled support for it with version 3.29. We should work towards enabling the TLS 1.3 protocol in the systemwide version of NSS used by Fedora, too. (tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1432889 ) (Note that "enable support" means, that the code is enabled at build time. The protocol is still disabled by default, if an application chooses to use the default versions enabled by the NSS library. Enabling version TLS 1.3 as an NSS library default will be a separate, future step.) In theory, the pure presence of TLS 1.3 support in the NSS library shouldn't cause any issues. But unfortunately, it's not as simple as that. There are applications, which will query (at runtime) the library to obtain the range of supported SSL/TLS versions, and which will try to enable all of them. We have already identified at least one package that is failing because of that behavior: (openldap: https://bugzilla.redhat.com/show_bug.cgi?id=1415140 ) If an application controls the set of ciphersuites that are enabled, then enabling TLS 1.3 will not work, unless the application also enables the new TLS 1.3 specific ciphersuites. That means, enabling support for TLS 1.3 in NSS has the potential to break some applications. The last time we tried to enable it in updates-testing, we found the above openldap issue, and then we revoked that update. It isn't clear if we have already identified all packages which need to be adjusted for TLS 1.3 code presence (probably not). Could you please help to test if enabling TLS 1.3 support causes any issues with the applications you are using? There are experimental COPR packages available below, which are based on the most recent Fedora NSS packages, and which enable TLS 1.3 as the only change: https://copr.fedorainfracloud.org/coprs/kengert/nss-with-tls-1.3/ Please give feedback, if you experience problems. When you do, please remember to mention that you are using an TLS-1.3-enabled package. Note that upstream Firefox 52 has already enabled support for TLS 1.3 by default. At this time, because we don't build that code in our system NSS package, Firefox 52 in Fedora cannot use TLS 1.3 yet. Thanks in advance for your help Kai