mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-29 15:52:07 +00:00
Bug 932176: Add preference to control whether OCSP GET is used, off by default, r=cviecco
--HG-- extra : rebase_source : 4452d8959f22152512ed428184726c9834f6e4c3
This commit is contained in:
parent
f8b15362cf
commit
a4eca92369
@ -23,3 +23,4 @@ pref("security.password_lifetime", 30);
|
||||
|
||||
pref("security.OCSP.enabled", 1);
|
||||
pref("security.OCSP.require", false);
|
||||
pref("security.OCSP.GET.enabled", false);
|
||||
|
@ -25,7 +25,8 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
|
||||
ocsp_download_config odc,
|
||||
ocsp_strict_config osc,
|
||||
any_revo_fresh_config arfc,
|
||||
const char *firstNetworkRevocationMethod)
|
||||
const char *firstNetworkRevocationMethod,
|
||||
ocsp_get_config ogc)
|
||||
: mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
|
||||
, mCRLDownloadEnabled(cdc == crl_download_allowed)
|
||||
, mOCSPDownloadEnabled(odc == ocsp_on)
|
||||
@ -33,6 +34,7 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
|
||||
, mRequireRevocationInfo(arfc == any_revo_strict)
|
||||
, mCRLFirst(firstNetworkRevocationMethod != nullptr &&
|
||||
!strcmp("crl", firstNetworkRevocationMethod))
|
||||
, mOCSPGETEnabled(ogc == ocsp_get_enabled)
|
||||
{
|
||||
MOZ_COUNT_CTOR(CertVerifier);
|
||||
}
|
||||
@ -230,8 +232,11 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
|
||||
|
||||
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
|
||||
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = revMethodFlags;
|
||||
|
||||
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
|
||||
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = revMethodFlags;
|
||||
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
|
||||
= revMethodFlags
|
||||
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
|
||||
|
||||
rev.leafTests.cert_rev_method_independent_flags =
|
||||
rev.chainTests.cert_rev_method_independent_flags =
|
||||
@ -342,6 +347,8 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
|
||||
// ocsp enabled controls network fetching, too
|
||||
| ((mOCSPDownloadEnabled && !localOnly) ?
|
||||
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
|
||||
|
||||
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
|
||||
;
|
||||
|
||||
rev.leafTests.preferred_methods[0] =
|
||||
|
@ -39,6 +39,7 @@ public:
|
||||
enum ocsp_download_config { ocsp_off = 0, ocsp_on };
|
||||
enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
|
||||
enum any_revo_fresh_config { any_revo_relaxed = 0, any_revo_strict };
|
||||
enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
|
||||
|
||||
bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
|
||||
|
||||
@ -46,7 +47,8 @@ private:
|
||||
CertVerifier(missing_cert_download_config ac, crl_download_config cdc,
|
||||
ocsp_download_config odc, ocsp_strict_config osc,
|
||||
any_revo_fresh_config arfc,
|
||||
const char *firstNetworkRevocationMethod);
|
||||
const char *firstNetworkRevocationMethod,
|
||||
ocsp_get_config ogc);
|
||||
~CertVerifier();
|
||||
|
||||
const bool mMissingCertDownloadEnabled;
|
||||
@ -55,6 +57,7 @@ private:
|
||||
const bool mOCSPStrict;
|
||||
const bool mRequireRevocationInfo;
|
||||
const bool mCRLFirst;
|
||||
const bool mOCSPGETEnabled;
|
||||
friend class ::nsNSSComponent;
|
||||
};
|
||||
|
||||
|
@ -1057,6 +1057,10 @@ void nsNSSComponent::setValidationOptions()
|
||||
}
|
||||
CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
|
||||
|
||||
// XXX: Always use POST for OCSP; see bug 871954 for undoing this.
|
||||
bool ocspGetEnabled = Preferences::GetBool("security.OCSP.GET.enabled", false);
|
||||
CERT_ForcePostMethodForOCSP(!ocspGetEnabled);
|
||||
|
||||
mDefaultCertVerifier = new CertVerifier(
|
||||
aiaDownloadEnabled ?
|
||||
CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
|
||||
@ -1068,7 +1072,9 @@ void nsNSSComponent::setValidationOptions()
|
||||
CertVerifier::ocsp_strict : CertVerifier::ocsp_relaxed,
|
||||
anyFreshRequired ?
|
||||
CertVerifier::any_revo_strict : CertVerifier::any_revo_relaxed,
|
||||
firstNetworkRevo.get());
|
||||
firstNetworkRevo.get(),
|
||||
ocspGetEnabled ?
|
||||
CertVerifier::ocsp_get_enabled : CertVerifier::ocsp_get_disabled);
|
||||
|
||||
/*
|
||||
* The new defaults might change the validity of already established SSL sessions,
|
||||
@ -1730,6 +1736,7 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
|
||||
|| prefName.Equals("security.missing_cert_download.enabled")
|
||||
|| prefName.Equals("security.first_network_revocation_method")
|
||||
|| prefName.Equals("security.OCSP.require")
|
||||
|| prefName.Equals("security.OCSP.GET.enabled")
|
||||
|| prefName.Equals("security.ssl.enable_ocsp_stapling")) {
|
||||
MutexAutoLock lock(mutex);
|
||||
setValidationOptions();
|
||||
|
Loading…
Reference in New Issue
Block a user