Bug 1579270 - Disable TLS 1.0 and TLS 1.1 in Nightly, r=jcj

This flips the default for security.tls.version.min to 3 (TLS 1.2) for the
Nightly channel.

Having had this pref at this level for the last year, I can confirm that this
does break the occasional site, but it is quite rare.  The intent of this change
is to start making it more obvious when sites don't support TLS 1.2.

I'm asking for wider review because this is a disruptive change.

Differential Revision: https://phabricator.services.mozilla.com/D45627

--HG--
extra : moz-landing-system : lando

browser/base/content/test/siteIdentity/browser_deprecatedTLSVersions.js

@@ -21,7 +21,17 @@ function getConnectionState() {
   return document.getElementById("identity-popup").getAttribute("connection");
 }
 
+registerCleanupFunction(function() {
+  // Set preferences back to their original values
+  Services.prefs.clearUserPref("security.tls.version.min");
+  Services.prefs.clearUserPref("security.tls.version.max");
+});
+
 add_task(async function() {
+  // Run with all versions enabled for this test.
+  Services.prefs.setIntPref("security.tls.version.min", 1);
+  Services.prefs.setIntPref("security.tls.version.max", 4);
+
   await BrowserTestUtils.withNewTab("about:blank", async function(browser) {
     // Try deprecated versions
     await BrowserTestUtils.loadURI(browser, HTTPS_TLS1_0);

devtools/client/webconsole/test/browser/browser_webconsole_certificate_messages.js

@@ -21,6 +21,12 @@ const TLS_expected_message =
   " will be disabled in March 2020. Please upgrade" +
   " to TLS 1.2 or 1.3.";
 
+registerCleanupFunction(function() {
+  // Set preferences back to their original values
+  Services.prefs.clearUserPref("security.tls.version.min");
+  Services.prefs.clearUserPref("security.tls.version.max");
+});
+
 add_task(async function() {
   const hud = await openNewTabAndConsole(TEST_URI);
 
@@ -55,6 +61,9 @@ add_task(async function() {
   );
 
   info("Test TLS warnings");
+  // Run with all versions enabled for this test.
+  Services.prefs.setIntPref("security.tls.version.min", 1);
+  Services.prefs.setIntPref("security.tls.version.max", 4);
   onContentLog = waitForMessage(hud, TRIGGER_MSG);
   await loadDocument(TLS_1_0_URL);
   await onContentLog;

modules/libpref/init/all.js

@@ -19,7 +19,11 @@
 // improves readability, particular for conditional blocks that exceed a single
 // screen.
 
-pref("security.tls.version.min", 1);
+#ifdef RELEASE_OR_BETA
+  pref("security.tls.version.min", 1);
+#else
+  pref("security.tls.version.min", 3);
+#endif
 pref("security.tls.version.max", 4);
 pref("security.tls.version.fallback-limit", 4);
 pref("security.tls.insecure_fallback_hosts", "");