bug 1366100 - disable OCSP fetching for DV certificates in nightly r?jcj,jaws
After this change, the platform will only fetch OCSP responses for EV
certificates (in nightly).
MozReview-Commit-ID: 3d9kzCYmnsa
--- a/browser/components/preferences/in-content-old/advanced.js
+++ b/browser/components/preferences/in-content-old/advanced.js
@@ -212,34 +212,55 @@ var gAdvancedPane = {
return 2;
}
return 1;
}
return 0;
},
/**
- * security.OCSP.enabled is an integer value for legacy reasons.
- * A value of 1 means OCSP is enabled. Any other value means it is disabled.
+ * readEnableOCSP is used by the preferences UI to determine whether or not
+ * the checkbox for OCSP fetching should be checked (it returns true if it
+ * should be checked and false otherwise). The about:config preference
+ * "security.OCSP.enabled" is an integer rather than a boolean, so it can't be
+ * directly mapped from {true,false} to {checked,unchecked}. The possible
+ * values for "security.OCSP.enabled" are:
+ * 0: fetching is disabled
+ * 1: fetch for all certificates
+ * 2: fetch only for EV certificates
+ * Hence, if "security.OCSP.enabled" is non-zero, the checkbox should be
+ * checked. Otherwise, it should be unchecked.
*/
readEnableOCSP() {
var preference = document.getElementById("security.OCSP.enabled");
// This is the case if the preference is the default value.
if (preference.value === undefined) {
return true;
}
- return preference.value == 1;
+ return preference.value != 0;
},
/**
- * See documentation for readEnableOCSP.
+ * writeEnableOCSP is used by the preferences UI to map the checked/unchecked
+ * state of the OCSP fetching checkbox to the value that the preference
+ * "security.OCSP.enabled" should be set to (it returns that value). See the
+ * readEnableOCSP documentation for more background. We unfortunately don't
+ * have enough information to map from {true,false} to all possible values for
+ * "security.OCSP.enabled", but a reasonable alternative is to map from
+ * {true,false} to {<the default value>,0}. That is, if the box is checked,
+ * "security.OCSP.enabled" will be set to whatever default it should be, given
+ * the platform and channel. If the box is unchecked, the preference will be
+ * set to 0. Obviously this won't work if the default is 0, so we will have to
+ * revisit this if we ever set it to 0.
*/
writeEnableOCSP() {
var checkbox = document.getElementById("enableOCSP");
- return checkbox.checked ? 1 : 0;
+ var defaults = Services.prefs.getDefaultBranch(null);
+ var defaultValue = defaults.getIntPref("security.OCSP.enabled");
+ return checkbox.checked ? defaultValue : 0;
},
/**
* When the user toggles the layers.acceleration.disabled pref,
* sync its new value to the gfx.direct2d.disabled pref too.
*/
updateHardwareAcceleration() {
if (AppConstants.platform == "win") {
--- a/browser/components/preferences/in-content/privacy.js
+++ b/browser/components/preferences/in-content/privacy.js
@@ -1126,36 +1126,56 @@ var gPrivacyPane = {
{
blockVisible: false,
sessionVisible: false,
allowVisible: true,
prefilledHost: "",
permissionType: "install"
},
-
/**
- * security.OCSP.enabled is an integer value for legacy reasons.
- * A value of 1 means OCSP is enabled. Any other value means it is disabled.
+ * readEnableOCSP is used by the preferences UI to determine whether or not
+ * the checkbox for OCSP fetching should be checked (it returns true if it
+ * should be checked and false otherwise). The about:config preference
+ * "security.OCSP.enabled" is an integer rather than a boolean, so it can't be
+ * directly mapped from {true,false} to {checked,unchecked}. The possible
+ * values for "security.OCSP.enabled" are:
+ * 0: fetching is disabled
+ * 1: fetch for all certificates
+ * 2: fetch only for EV certificates
+ * Hence, if "security.OCSP.enabled" is non-zero, the checkbox should be
+ * checked. Otherwise, it should be unchecked.
*/
readEnableOCSP() {
var preference = document.getElementById("security.OCSP.enabled");
// This is the case if the preference is the default value.
if (preference.value === undefined) {
return true;
}
- return preference.value == 1;
+ return preference.value != 0;
},
/**
- * See documentation for readEnableOCSP.
+ * writeEnableOCSP is used by the preferences UI to map the checked/unchecked
+ * state of the OCSP fetching checkbox to the value that the preference
+ * "security.OCSP.enabled" should be set to (it returns that value). See the
+ * readEnableOCSP documentation for more background. We unfortunately don't
+ * have enough information to map from {true,false} to all possible values for
+ * "security.OCSP.enabled", but a reasonable alternative is to map from
+ * {true,false} to {<the default value>,0}. That is, if the box is checked,
+ * "security.OCSP.enabled" will be set to whatever default it should be, given
+ * the platform and channel. If the box is unchecked, the preference will be
+ * set to 0. Obviously this won't work if the default is 0, so we will have to
+ * revisit this if we ever set it to 0.
*/
writeEnableOCSP() {
var checkbox = document.getElementById("enableOCSP");
- return checkbox.checked ? 1 : 0;
+ var defaults = Services.prefs.getDefaultBranch(null);
+ var defaultValue = defaults.getIntPref("security.OCSP.enabled");
+ return checkbox.checked ? defaultValue : 0;
},
/**
* Displays the user's certificates and associated options.
*/
showCertificates() {
gSubDialog.open("chrome://pippki/content/certManager.xul");
},
--- a/security/manager/ssl/security-prefs.js
+++ b/security/manager/ssl/security-prefs.js
@@ -42,17 +42,25 @@ pref("security.password_lifetime",
// 0: disable detecting Family Safety mode and importing the root
// 1: only attempt to detect Family Safety mode (don't import the root)
// 2: detect Family Safety mode and import the root
// (This is only relevant to Windows 8.1)
pref("security.family_safety.mode", 2);
pref("security.enterprise_roots.enabled", false);
+// The supported values of this pref are:
+// 0: do not fetch OCSP
+// 1: fetch OCSP for DV and EV certificates
+// 2: fetch OCSP only for EV certificates
+#ifdef RELEASE_OR_BETA
pref("security.OCSP.enabled", 1);
+#else
+pref("security.OCSP.enabled", 2);
+#endif
pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);
#ifdef RELEASE_OR_BETA
pref("security.OCSP.timeoutMilliseconds.soft", 2000);
#else
pref("security.OCSP.timeoutMilliseconds.soft", 1000);
#endif
pref("security.OCSP.timeoutMilliseconds.hard", 10000);