author | David Keeler <dkeeler@mozilla.com> |
Thu, 13 Mar 2014 09:41:03 -0700 | |
changeset 173430 | 21ad5a22138200921bbb78e155c2a573974dfd57 |
parent 173429 | e522b5f583eebf07c5ed560856250150f208b4f3 |
child 173431 | beb1b8402d96c3137ce7aeecab7e1f7a7a024945 |
push id | 26403 |
push user | ryanvm@gmail.com |
push date | Thu, 13 Mar 2014 19:32:04 +0000 |
reviewers | briansmith, cviecco |
bugs | 969048 |
milestone | 30.0a1 |
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -6,16 +6,17 @@
 #include "NSSCertDBTrustDomain.h"
 #include <stdint.h>
 #include "ExtendedValidation.h"
 #include "certdb.h"
 #include "insanity/pkix.h"
+#include "mozilla/Telemetry.h"
 #include "nss.h"
 #include "ocsp.h"
 #include "pk11pub.h"
 #include "prerror.h"
 #include "prmem.h"
 #include "prprf.h"
 #include "secerr.h"
 #include "secmod.h"
@@ -162,26 +163,37 @@ NSSCertDBTrustDomain::CheckRevocation(
 // exception for expired responses because some servers, nginx in particular,
 // are known to serve expired responses due to bugs.
 if (stapledOCSPResponse) {
 PR_ASSERT(endEntityOrCA == MustBeEndEntity);
 SECStatus rv = VerifyAndMaybeCacheEncodedOCSPResponse(cert, issuerCert, time, stapledOCSPResponse);
 if (rv == SECSuccess) {
+ // stapled OCSP response present and good
+ Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
 PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("NSSCertDBTrustDomain: stapled OCSP response: good"));
 return rv;
 }
 if (PR_GetError() != SEC_ERROR_OCSP_OLD_RESPONSE) {
+ // stapled OCSP response present but invalid for some reason
+ Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
 PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("NSSCertDBTrustDomain: stapled OCSP response: failure"));
 return rv;
+ } else {
+ // stapled OCSP response present but expired
+ Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
+ PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
+ ("NSSCertDBTrustDomain: expired stapled OCSP response"));
 }
 } else {
+ // no stapled OCSP response
+ Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
 PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("NSSCertDBTrustDomain: no stapled OCSP response"));
 }
 PRErrorCode cachedResponseErrorCode = 0;
 PRTime cachedResponseValidThrough = 0;
 bool cachedResponsePresent = mOCSPCache.Get(cert, issuerCert, cachedResponseErrorCode,
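Review bot: The bucket values passed to `Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, …)` in CheckRevocation are bare literals (1 good, 2 none, 3 expired, 4 invalid), and the xpcshell tests index `histogram.counts[]` with the same numbers, so nothing ties the producer to its consumers. A small file-local enum, for example `enum OCSPStaplingBucket { StapledGood = 1, StapledNone = 2, StapledExpired = 3, StapledInvalid = 4 };`, would keep the mapping in one place. On the invalid-response branch the new call also sits between the `PR_GetError()` test and `return rv;`; if the caller reads the thread error code after the return (not visible here), it would be safer to save the code in a local first and restore it with `PR_SetError` just before returning. CheckRevocation starts and ends outside the hunk.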
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -121,21 +121,21 @@ function add_tests_in_mode(useInsanity,
 // test_ocsp_stapling_expired.js
 }
 function check_ocsp_stapling_telemetry() {
 let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_OCSP_STAPLING") .snapshot();
- do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
- do_check_eq(histogram.counts[1], 1); // 1 connection with a good response
- do_check_eq(histogram.counts[2], 14); // 14 connections with no stapled resp.
- do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
- do_check_eq(histogram.counts[4], 11); // 11 connections with bad responses
+ do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+ do_check_eq(histogram.counts[1], 2 * 1); // 1 connection with a good response
+ do_check_eq(histogram.counts[2], 2 * 14); // 14 connections with no stapled resp.
+ do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
+ do_check_eq(histogram.counts[4], 2 * 11); // 11 connections with bad responses
 run_next_test();
 }
 function run_test() {
 do_get_profile();
 let certDB = Cc["@mozilla.org/security/x509certdb;1"] .getService(Ci.nsIX509CertDB);
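Review bot: The `2 *` multiplier on every expected count in check_ocsp_stapling_telemetry is unexplained, and the trailing comments still give the single-run figures (for example `2 * 14` beside "14 connections with no stapled resp."). Presumably the doubling reflects the test cases being added once per verifier implementation through add_tests_in_mode, but that call site is outside the hunk. A comment above the checks, for example `// Each test case runs in both verifier modes, so every bucket count is doubled.`, would make the arithmetic self-explanatory. The same applies to the identical block in test_ocsp_stapling_expired.js.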
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -102,15 +102,15 @@ function add_tests_in_mode(useInsanity)
 ocspResponseUnknown);
 }
 function check_ocsp_stapling_telemetry() {
 let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_OCSP_STAPLING") .snapshot();
- do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
- do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
- do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
- do_check_eq(histogram.counts[3], 9); // 9 connections with an expired response
- do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
+ do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+ do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
+ do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
+ do_check_eq(histogram.counts[3], 2 * 9); // 9 connections with an expired response
+ do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
 run_next_test();
 }