Before FreeIPA is able to support TLS 1.3 for the web interface, we need

• NSS 3.28 or newer with TLS 1.3 enabled. Currently NSS 3.28.1 has TLS 1.3 disabled on Fedora 25.
• TLSv1.3 protocol and TLS 1.3 cipher suites support in mod_nss, https://pagure.io/mod_nss/pull-request/35
• Optionally: new python-nss version with new TLS 1.3 cipher suites. I sent a couple of patches to John Dennis.
• Reconfigure nss.conf
  • Add TLS 1.3 cipher suites: {{{ NSSCipherSuite +aes_128_gcm_sha_256,+aes_256_gcm_sha_384,+chacha20_poly1305_sha_256 }}}
  • Add TLSv1.3 to {{{NSSProtocol}}}

I successfully tested python-nss and Firefox nightly against mod_nss with custom builds of NSS, mod_nss and python-nss. The builds are available in my personal COPR https://copr.fedorainfracloud.org/coprs/cheimes/nss/ .

We might have to disable secure renegotiations and set {{{NSSRequireSafeNegotiation off}}}, see https://bugzilla.redhat.com/show_bug.cgi?id=1423401