
Issue metadata

Status: Fixed
Owner:
Closed: Feb 1
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Feature




Resurrect SSLVersionMin policy

Project Member Reported by jayhlee@google.com, Sep 14 2017

Issue description

We removed SSLVersionMin in Chrome 52 but we still have many customers asking for the ability to force Chrome to disable TLS 1.0 / 1.1. We should consider restoring this policy.

Does it make sense that we would restore SSLVersionFallbackMin also or is that unnecessary?
 
Labels: -Type-Bug -Pri-2 Pri-3 Type-Feature
That's unnecessary; we removed TLS fallback (it's insecure).

Can you provide more details about why these customers are asking? While I can understand or speculate why some folks would request changing, it's useful to have good documented reasons, because there's a number of reasons why it would not make sense or not achieve specific security goals.

Comment 2 by jayhlee@google.com, Sep 25 2017

Status: Archived (was: Unconfirmed)
archiving this as customer does need after they fully explained their concerns.
If TLS fallback is insecure, just remove TLS 1.0 usage altogether.
This can be easily done with Internet Explorer by unchecking a box, or even easier, configure Microsoft SCHANNEL to remove TLS 1.0 support altogether.
However, Chrome ignores Microsoft SCHANNEL.

TLS 1.0 is insecure. Chrome allowing TLS 1.0 means the browser supports an insecure protocol. This means we cannot trust Chrome to protect end users from misconfigured websites. It's easier to configure Chrome to turn off TLS 1.0 than it is to fix hundreds of millions of websites.

https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
Status: Assigned (was: Archived)
re-opening this issue as discussed.

Owner: svaldez@chromium.org
Steven, would you mind restoring this? Should be straightforward.
Restoring this ability would also go a great way to ensuring my organization complies with CJIS Security Policy as well as PCI regulations.

Thanks for looking into this!
Status: Fixed (was: Assigned)
Status: Fixed.

Does this mean the policy option is now back?
If so, which version of Chrome will have this feature back?

Do I need to download the latest Enterprise Policy template for this?

Thanks


You'll need M66 to get this feature. I believe you'll need to get a new enterprise policy template, or manually add the option.
 Issue 807151  has been merged into this issue.
Labels: M-66
Thanks for the info, 

I'll update the template library on the Domain Controller when it gets released. 
The policy "supported on" says 66+, but this policy was also in 39-43. For completeness, should supported on show 39-43,66 onward?
