Comparing the log.moz_log from running thunderbird with MOZ_LOG=nsHttp:3 and MOZ_LOG_FILE=log in the environment shows Http2Session::ConfirmTLSProfile gets version=304 from ssl->GetSSLVersionUsed() in 78.10.0 and version=ffffffff (nsISSLSocketControl::SSL_VERSION_UNKNOWN) in 78.11.0, which causes Http2Session::ConfirmTLSProfile "FAILED due to lack of TLS1.2" and INADEQUATE_SECURITY[1]:
I/nsHttp Http2Session::ConfirmTLSProfile 0x7f78dbdb7000 version=ffffffff I/nsHttp Http2Session::ConfirmTLSProfile 0x7f78dbdb7000 FAILED due to lack of TLS1.2 I/nsHttp Http2Session::SessionError 0x7f78dbdb7000 reason=0xc mPeerGoAwayReason=0x1f I/nsHttp Http2Session::ReadSegments 0x7f78dbdb7000 returning INADEQUATE_SECURITY 804b0052 Setting a breakpoint on SSL_GetChannelInfo revealed that it is called by PreliminaryHandshakeDone with len = 128 by 78.10.0 and len = 136 by 78.11.0, which causes `len > sizeof inf` to fail and return SECFailure (because `sizeof inf` is 128). It appears that SSLChannelInfo added pskType in NSS 3.54, echAccepted in NSS 3.60, and isFIPS in NSS 3.66. Perhaps there is a version mismatch? Best, Kevin [ConfirmTLSProfile]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/netwerk/protocol/http/Http2Session.cpp#l4194 [PreliminaryHandshakeDone]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/manager/ssl/nsNSSCallbacks.cpp#l700 [SSL_GetChannelInfo]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/nss/lib/ssl/sslinfo.c#l13 [SSLChannelInfo FF78]: https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/nss/lib/ssl/sslt.h#l293 [SSLChannelInfo tip]: https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ssl/sslt.h#l299