Bug 932176: Add preference to control whether OCSP GET is used, off by default, r=cviecco

--HG--
extra : rebase_source : 7cbc273155d04bc64a110eda9216c6f727ce0c18
This commit is contained in:
Brian Smith 2013-10-24 14:32:09 -07:00
parent fcee792ee1
commit c4d5fa5097
4 changed files with 22 additions and 4 deletions

View File

@ -61,3 +61,4 @@ pref("security.password_lifetime", 30);
pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);

View File

@ -25,7 +25,8 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
ocsp_download_config odc,
ocsp_strict_config osc,
any_revo_fresh_config arfc,
const char *firstNetworkRevocationMethod)
const char *firstNetworkRevocationMethod,
ocsp_get_config ogc)
: mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
, mCRLDownloadEnabled(cdc == crl_download_allowed)
, mOCSPDownloadEnabled(odc == ocsp_on)
@ -33,6 +34,7 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
, mRequireRevocationInfo(arfc == any_revo_strict)
, mCRLFirst(firstNetworkRevocationMethod != nullptr &&
!strcmp("crl", firstNetworkRevocationMethod))
, mOCSPGETEnabled(ogc == ocsp_get_enabled)
{
MOZ_COUNT_CTOR(CertVerifier);
}
@ -230,8 +232,11 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = revMethodFlags;
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = revMethodFlags;
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
= revMethodFlags
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
rev.leafTests.cert_rev_method_independent_flags =
rev.chainTests.cert_rev_method_independent_flags =
@ -342,6 +347,8 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
// ocsp enabled controls network fetching, too
| ((mOCSPDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
;
rev.leafTests.preferred_methods[0] =

View File

@ -39,6 +39,7 @@ public:
enum ocsp_download_config { ocsp_off = 0, ocsp_on };
enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
enum any_revo_fresh_config { any_revo_relaxed = 0, any_revo_strict };
enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
@ -46,7 +47,8 @@ private:
CertVerifier(missing_cert_download_config ac, crl_download_config cdc,
ocsp_download_config odc, ocsp_strict_config osc,
any_revo_fresh_config arfc,
const char *firstNetworkRevocationMethod);
const char *firstNetworkRevocationMethod,
ocsp_get_config ogc);
~CertVerifier();
const bool mMissingCertDownloadEnabled;
@ -55,6 +57,7 @@ private:
const bool mOCSPStrict;
const bool mRequireRevocationInfo;
const bool mCRLFirst;
const bool mOCSPGETEnabled;
friend class ::nsNSSComponent;
};

View File

@ -940,6 +940,10 @@ void nsNSSComponent::setValidationOptions()
}
CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
// XXX: Always use POST for OCSP; see bug 871954 for undoing this.
bool ocspGetEnabled = Preferences::GetBool("security.OCSP.GET.enabled", false);
CERT_ForcePostMethodForOCSP(!ocspGetEnabled);
mDefaultCertVerifier = new CertVerifier(
aiaDownloadEnabled ?
CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
@ -951,7 +955,9 @@ void nsNSSComponent::setValidationOptions()
CertVerifier::ocsp_strict : CertVerifier::ocsp_relaxed,
anyFreshRequired ?
CertVerifier::any_revo_strict : CertVerifier::any_revo_relaxed,
firstNetworkRevo.get());
firstNetworkRevo.get(),
ocspGetEnabled ?
CertVerifier::ocsp_get_enabled : CertVerifier::ocsp_get_disabled);
/*
* The new defaults might change the validity of already established SSL sessions,
@ -1658,6 +1664,7 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
|| prefName.Equals("security.missing_cert_download.enabled")
|| prefName.Equals("security.first_network_revocation_method")
|| prefName.Equals("security.OCSP.require")
|| prefName.Equals("security.OCSP.GET.enabled")
|| prefName.Equals("security.ssl.enable_ocsp_stapling")) {
MutexAutoLock lock(mutex);
setValidationOptions();