Configuring Firefox for FIPS 140-2

This article is no longer maintained, so its content might be out of date.

Federal Information Processing Standard (FIPS) number 140-2 defines a large set of cryptographic security requirements for all software used by US Government employees, who therefore need to know how to make Firefox "FIPS 140 compliant". The steps below bring your Firefox browser into compliance with FIPS 140-2 and also with NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations.

Step 1: Disable SSL 2 and SSL 3, leaving only TLS

  1. On macOS, in the Menu bar at the top of the screen, click Firefox and then select Preferences or Settings, depending on your macOS version. On other platforms, click the menu button and select Settings.
  2. In the Options (or Preferences) window, select the Advanced panel, then select the Encryption tab.
  3. Remove the check from the Use SSL 3.0 box, and ensure that the Use TLS 1.0 box is checked.

  4. Then click the Security Devices button to begin step 2.


Step 2: Enable FIPS in Firefox's NSS Internal PKCS#11 module

  1. In the Device Manager window, select NSS Internal PKCS #11 Module, then click on the Enable FIPS button.

  2. After you click the Enable FIPS button, you should see the words FIPS 140 in your Device Manager window.

  3. Click OK to close the Device Manager window.
  4. Click OK, or simply close the Preferences window.


Step 3: Disable all the non-FIPS TLS cipher suites in about:config

  1. Type about:config in the address bar and press Enter (Return on a Mac).
    A warning page may appear. Click Accept the Risk and Continue to go to the about:config page.
  2. In the text box by the word Filter:, type in ssl.
  3. You should see a page with preferences similar to the ones shown below. Compare each of your ssl preferences to the list. If some of the preferences shown are missing from your Firefox, or you have preferences that are not shown, ignore them; only compare the preferences whose names match. Make sure that each matching preference has the same true/false value as shown below. If a value does not match, double-click the preference to change it.
Preference Name                            Status     Type      Value
security.enable_ssl2                       default    boolean   false
security.enable_ssl3                       user set   boolean   false
security.ssl2.des_64                       default    boolean   false
security.ssl2.des_ede3_192                 default    boolean   false
security.ssl2.rc2_128                      default    boolean   false
security.ssl2.rc2_40                       default    boolean   false
security.ssl2.rc4_128                      default    boolean   false
security.ssl2.rc4_40                       default    boolean   false
security.ssl3.dhe_dss_aes_128_sha          default    boolean   true
security.ssl3.dhe_dss_aes_256_sha          default    boolean   true
security.ssl3.dhe_dss_camellia_128_sha     user set   boolean   false
security.ssl3.dhe_dss_camellia_256_sha     user set   boolean   false
security.ssl3.dhe_dss_des_ede3_sha         default    boolean   true
security.ssl3.dhe_dss_des_sha              default    boolean   false
security.ssl3.dhe_rsa_aes_128_sha          default    boolean   true
security.ssl3.dhe_rsa_aes_256_sha          default    boolean   true
security.ssl3.dhe_rsa_camellia_128_sha     user set   boolean   false
security.ssl3.dhe_rsa_camellia_256_sha     user set   boolean   false
security.ssl3.dhe_rsa_des_ede3_sha         default    boolean   true
security.ssl3.dhe_rsa_des_sha              default    boolean   false
security.ssl3.ecdh_ecdsa_aes_128_sha       default    boolean   true
security.ssl3.ecdh_ecdsa_aes_256_sha       default    boolean   true
security.ssl3.ecdh_ecdsa_des_ede3_sha      default    boolean   true
security.ssl3.ecdh_ecdsa_null_sha          default    boolean   false
security.ssl3.ecdh_ecdsa_rc4_128_sha       user set   boolean   false
security.ssl3.ecdh_rsa_aes_128_sha         default    boolean   true
security.ssl3.ecdh_rsa_aes_256_sha         default    boolean   true
security.ssl3.ecdh_rsa_des_ede3_sha        default    boolean   true
security.ssl3.ecdh_rsa_null_sha            default    boolean   false
security.ssl3.ecdh_rsa_rc4_128_sha         user set   boolean   false
security.ssl3.ecdhe_ecdsa_aes_128_sha      default    boolean   true
security.ssl3.ecdhe_ecdsa_aes_256_sha      default    boolean   true
security.ssl3.ecdhe_ecdsa_des_ede3_sha     default    boolean   true
security.ssl3.ecdhe_ecdsa_null_sha         default    boolean   false
security.ssl3.ecdhe_ecdsa_rc4_128_sha      user set   boolean   false
security.ssl3.ecdhe_rsa_aes_128_sha        default    boolean   true
security.ssl3.ecdhe_rsa_aes_256_sha        default    boolean   true
security.ssl3.ecdhe_rsa_des_ede3_sha       default    boolean   true
security.ssl3.ecdhe_rsa_null_sha           default    boolean   false
security.ssl3.ecdhe_rsa_rc4_128_sha        user set   boolean   false
security.ssl3.rsa_1024_des_cbc_sha         default    boolean   false
security.ssl3.rsa_1024_rc4_56_sha          default    boolean   false
security.ssl3.rsa_aes_128_sha              default    boolean   true
security.ssl3.rsa_aes_256_sha              default    boolean   true
security.ssl3.rsa_camellia_128_sha         user set   boolean   false
security.ssl3.rsa_camellia_256_sha         user set   boolean   false
security.ssl3.rsa_des_ede3_sha             default    boolean   true
security.ssl3.rsa_des_sha                  default    boolean   false
security.ssl3.rsa_fips_des_ede3_sha        user set   boolean   false
security.ssl3.rsa_fips_des_sha             default    boolean   false
security.ssl3.rsa_null_md5                 default    boolean   false
security.ssl3.rsa_null_sha                 default    boolean   false
security.ssl3.rsa_rc2_40_md5               default    boolean   false
security.ssl3.rsa_rc4_128_md5              user set   boolean   false
security.ssl3.rsa_rc4_128_sha              user set   boolean   false
security.ssl3.rsa_rc4_40_md5               default    boolean   false

When all the entries match, you're done. You should exit and restart Firefox to ensure that the changes are properly recorded.
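For administrators checking many profiles, here is an added example (not part of the article) that encodes the table above as a rule and audits a profile's prefs.js against it: the SSL 2/3 switches and every SSL 2 suite are expected false, and an SSL 3 suite is expected true only when its key exchange is one of those in the table and its bulk cipher is AES-128, AES-256 or 3DES with SHA. The rule, the prefs.js regex and the sample prefs.js lines are my own constructions; the rule reproduces every value in the table but is an assumption for preference names the table does not list.

```python
import re

# Key-exchange methods and bulk ciphers the table leaves enabled (assumption:
# derived from the table on this page, so it only covers that preference set).
FIPS_KX = {"dhe_dss", "dhe_rsa", "ecdh_ecdsa", "ecdh_rsa",
           "ecdhe_ecdsa", "ecdhe_rsa", "rsa"}
FIPS_BULK = {"aes_128", "aes_256", "des_ede3"}
PREFIX_SSL3 = "security.ssl3."

def expected_value(name):
    """Value the table calls for, or None if the pref is outside its scope."""
    if name in ("security.enable_ssl2", "security.enable_ssl3"):
        return False
    if name.startswith("security.ssl2."):
        return False          # every SSL 2 suite is off
    if not name.startswith(PREFIX_SSL3):
        return None           # not a TLS cipher-suite pref, ignore
    suite = name[len(PREFIX_SSL3):]
    for bulk in FIPS_BULK:
        suffix = "_" + bulk + "_sha"
        if suite.endswith(suffix) and suite[:-len(suffix)] in FIPS_KX:
            return True
    return False              # rc4, camellia, null, single DES, md5, 40/56-bit, rsa_fips_*

# Matches boolean pref lines such as:  user_pref("security.enable_ssl3", true);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false)\);')

def audit_prefs(prefs_js_text):
    """Return {pref: (actual, expected)} for each in-scope pref with the wrong value."""
    mismatches = {}
    for line in prefs_js_text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, actual = m.group(1), m.group(2) == "true"
        expected = expected_value(name)
        if expected is not None and actual != expected:
            mismatches[name] = (actual, expected)
    return mismatches

def user_js_fixes(mismatches):
    """Render user.js lines that override each mismatched pref at startup."""
    return "\n".join('user_pref("%s", %s);' % (n, str(e).lower())
                     for n, (_, e) in sorted(mismatches.items()))

# Constructed sample prefs.js excerpt (not taken from a real profile).
SAMPLE_PREFS_JS = """\
user_pref("security.enable_ssl3", true);
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
user_pref("security.ssl3.rsa_camellia_128_sha", false);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    print(user_js_fixes(audit_prefs(SAMPLE_PREFS_JS)))
```

Writing the rendered lines into a user.js in the profile directory makes the values stick across restarts, which the manual about:config steps above do not guarantee if a later update resets a default.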
