

#450: disable OCSP for DV certs
classilla committed Dec 3, 2017
1 parent dbe5530 commit 71e9386
Showing 3 changed files with 33 additions and 8 deletions.
31 changes: 26 additions & 5 deletions browser/components/preferences/in-content/advanced.js
Expand Up @@ -169,8 +169,17 @@ var gAdvancedPane = {
},

/**
* security.OCSP.enabled is an integer value for legacy reasons.
* A value of 1 means OCSP is enabled. Any other value means it is disabled.
* readEnableOCSP is used by the preferences UI to determine whether or not
* the checkbox for OCSP fetching should be checked (it returns true if it
* should be checked and false otherwise). The about:config preference
* "security.OCSP.enabled" is an integer rather than a boolean, so it can't be
* directly mapped from {true,false} to {checked,unchecked}. The possible
* values for "security.OCSP.enabled" are:
* 0: fetching is disabled
* 1: fetch for all certificates
* 2: fetch only for EV certificates
* Hence, if "security.OCSP.enabled" is non-zero, the checkbox should be
* checked. Otherwise, it should be unchecked.
*/
readEnableOCSP: function ()
{
Expand All @@ -179,16 +188,28 @@ var gAdvancedPane = {
if (preference.value === undefined) {
return true;
}
return preference.value == 1;
return preference.value != 0;
},

/**
* See documentation for readEnableOCSP.
* writeEnableOCSP is used by the preferences UI to map the checked/unchecked
* state of the OCSP fetching checkbox to the value that the preference
* "security.OCSP.enabled" should be set to (it returns that value). See the
* readEnableOCSP documentation for more background. We unfortunately don't
* have enough information to map from {true,false} to all possible values for
* "security.OCSP.enabled", but a reasonable alternative is to map from
* {true,false} to {<the default value>,0}. That is, if the box is checked,
* "security.OCSP.enabled" will be set to whatever default it should be, given
* the platform and channel. If the box is unchecked, the preference will be
* set to 0. Obviously this won't work if the default is 0, so we will have to
* revisit this if we ever set it to 0.
*/
writeEnableOCSP: function ()
{
var checkbox = document.getElementById("enableOCSP");
return checkbox.checked ? 1 : 0;
var defaults = Services.prefs.getDefaultBranch(null);
var defaultValue = defaults.getIntPref("security.OCSP.enabled");
return checkbox.checked ? defaultValue : 0;
},

/**
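Review bot: writeEnableOCSP now collapses values 1 and 2: whenever the box is checked it returns the default-branch value, which this commit moves to 2, so a user who explicitly set security.OCSP.enabled to 1 and toggles the checkbox off and on silently ends up at 2, losing OCSP fetching for DV certificates. The new writeEnableOCSP comment only covers the default-is-0 case; I'd add `* A user value of 1 is not preserved across a toggle; the checkbox can only restore the default (currently 2, EV only).` and consider whether the checkbox label still describes what value 2 does. As I understand the pref API, getIntPref on the default branch throws when no default is registered, which is fine while netwerk/base/security-prefs.js defines one but deserves a comment on that line. The opening of readEnableOCSP's body lies between the two hunks and is not visible here.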
6 changes: 5 additions & 1 deletion netwerk/base/security-prefs.js
Expand Up @@ -37,7 +37,11 @@ pref("security.remember_cert_checkbox_default_setting", true);
pref("security.ask_for_password", 0);
pref("security.password_lifetime", 30);

pref("security.OCSP.enabled", 1);
// The supported values of this pref are:
// 0: do not fetch OCSP
// 1: fetch OCSP for DV and EV certificates
// 2: fetch OCSP only for EV certificates
pref("security.OCSP.enabled", 2);
pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);

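Review bot: The new comment lists the three values but not why the default moves from 1 to 2, so the next reader has nothing stopping them from "fixing" it back; I'd append `// Default is 2 (EV only) as of #450.` under the value list. With this default, non-EV certificates are no longer checked against OCSP responders unless the user edits about:config by hand, since the preferences UI in this same commit maps a checked box back to this default rather than to 1.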
4 changes: 2 additions & 2 deletions security/manager/ssl/nsNSSComponent.cpp
Expand Up @@ -187,7 +187,7 @@ GetRevocationBehaviorFromPrefs(/*out*/ CertVerifier::OcspDownloadConfig* odc,
// 0 = disabled
// 1 = enabled for everything (default)
// 2 = enabled for EV certificates only
int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 1);
int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 2);
switch (ocspLevel) {
case 0: *odc = CertVerifier::ocspOff; break;
case 2: *odc = CertVerifier::ocspEVOnly; break;
Expand Down Expand Up @@ -714,7 +714,7 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
rangeOut.max = (uint16_t) maxFromPrefs;
}

static const int32_t OCSP_ENABLED_DEFAULT = 1;
static const int32_t OCSP_ENABLED_DEFAULT = 2;
static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
static const bool FALSE_START_ENABLED_DEFAULT = true;
static const bool NPN_ENABLED_DEFAULT = true;
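Review bot: The comment above the changed line, `// 1 = enabled for everything (default)`, is now stale: the GetInt fallback on the next line, OCSP_ENABLED_DEFAULT in the second hunk and the pref in netwerk/base/security-prefs.js all become 2. Change the two comment lines to `// 1 = enabled for everything` and `// 2 = enabled for EV certificates only (default)`. The default is now spelled out in three places; if OCSP_ENABLED_DEFAULT can be declared before GetRevocationBehaviorFromPrefs, using it as the GetInt fallback would keep the two C++ sites from drifting apart. The switch that consumes ocspLevel and the rest of GetRevocationBehaviorFromPrefs continue outside the hunk, so how values other than 0 and 2 are handled is not visible here.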

