bug 969048 - adjust OCSP stapling telemetry for insanity::pkix r=briansmith r=cviecco
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 13 Mar 2014 09:41:03 -0700
changeset 173430 21ad5a22138200921bbb78e155c2a573974dfd57
parent 173429 e522b5f583eebf07c5ed560856250150f208b4f3
child 173431 beb1b8402d96c3137ce7aeecab7e1f7a7a024945
push id26403
push userryanvm@gmail.com
push dateThu, 13 Mar 2014 19:32:04 +0000
reviewersbriansmith, cviecco
bugs969048
milestone30.0a1
bug 969048 - adjust OCSP stapling telemetry for insanity::pkix r=briansmith r=cviecco
security/certverifier/NSSCertDBTrustDomain.cpp
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -6,16 +6,17 @@
 
 #include "NSSCertDBTrustDomain.h"
 
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "certdb.h"
 #include "insanity/pkix.h"
+#include "mozilla/Telemetry.h"
 #include "nss.h"
 #include "ocsp.h"
 #include "pk11pub.h"
 #include "prerror.h"
 #include "prmem.h"
 #include "prprf.h"
 #include "secerr.h"
 #include "secmod.h"
@@ -162,26 +163,37 @@ NSSCertDBTrustDomain::CheckRevocation(
   // exception for expired responses because some servers, nginx in particular,
   // are known to serve expired responses due to bugs.
   if (stapledOCSPResponse) {
     PR_ASSERT(endEntityOrCA == MustBeEndEntity);
     SECStatus rv = VerifyAndMaybeCacheEncodedOCSPResponse(cert, issuerCert,
                                                           time,
                                                           stapledOCSPResponse);
     if (rv == SECSuccess) {
+      // stapled OCSP response present and good
+      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
       PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
              ("NSSCertDBTrustDomain: stapled OCSP response: good"));
       return rv;
     }
     if (PR_GetError() != SEC_ERROR_OCSP_OLD_RESPONSE) {
+      // stapled OCSP response present but invalid for some reason
+      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
       PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
              ("NSSCertDBTrustDomain: stapled OCSP response: failure"));
       return rv;
+    } else {
+      // stapled OCSP response present but expired
+      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
+      PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
+             ("NSSCertDBTrustDomain: expired stapled OCSP response"));
     }
   } else {
+    // no stapled OCSP response
+    Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
     PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
            ("NSSCertDBTrustDomain: no stapled OCSP response"));
   }
 
   PRErrorCode cachedResponseErrorCode = 0;
   PRTime cachedResponseValidThrough = 0;
   bool cachedResponsePresent = mOCSPCache.Get(cert, issuerCert,
                                               cachedResponseErrorCode,
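Review bot: The four Telemetry::Accumulate calls pass bare bucket indices whose meaning lives only in the adjacent comments and in the test files, so a future reordering of the histogram or a fifth outcome is easy to get wrong silently; a small enum above the `if (stapledOCSPResponse)` block, e.g. `enum { OCSP_STAPLING_GOOD = 1, OCSP_STAPLING_NONE = 2, OCSP_STAPLING_EXPIRED = 3, OCSP_STAPLING_INVALID = 4 };`, would make the call sites self-describing and greppable. Bucket 4 also records every non-expired SECFailure from VerifyAndMaybeCacheEncodedOCSPResponse, so if that helper reports a "revoked" or "unknown" status as a failure (not visible here), a correct revoked staple is counted as "invalid" alongside malformed or unverifiable ones — worth stating with a comment such as `// NOTE: also counts staples that verified but reported revoked/unknown status` so the histogram is not misread as a measure of broken servers only. The `else` following the early `return rv;` is redundant and the expired branch could be flattened to the same level. CheckRevocation begins and ends outside this hunk.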
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -121,21 +121,21 @@ function add_tests_in_mode(useInsanity, 
   // test_ocsp_stapling_expired.js
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 1); // 1 connection with a good response
-  do_check_eq(histogram.counts[2], 14); // 14 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
-  do_check_eq(histogram.counts[4], 11); // 11 connections with bad responses
+  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 2 * 1); // 1 connection with a good response
+  do_check_eq(histogram.counts[2], 2 * 14); // 14 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
+  do_check_eq(histogram.counts[4], 2 * 11); // 11 connections with bad responses
   run_next_test();
 }
 
 function run_test() {
   do_get_profile();
 
   let certDB = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
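Review bot: The per-line comments still read "1 connection with a good response", "14 connections with no stapled resp." and so on while the asserted values are now `2 * 1`, `2 * 14`, so the comments disagree with the numbers and nothing in the function says where the factor of 2 comes from. Presumably each scenario is run once per verification implementation via add_tests_in_mode(useInsanity, …) (the hunk header suggests this but the calls are outside the hunk), so a header comment such as `// Every scenario runs once per mode (classic NSS and insanity::pkix), so each expected count below is doubled.` would make the multiplier explicit, and the per-line comments should read e.g. `// 2 * 1: one good-response connection per mode`. A named constant like `const kNumModes = 2;` used in place of the bare `2 *` would tie the expectation to the number of modes rather than to a literal that has to be edited in five places. run_test continues past the end of this hunk.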
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -102,15 +102,15 @@ function add_tests_in_mode(useInsanity)
                 ocspResponseUnknown);
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
-  do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 9); // 9 connections with an expired response
-  do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
+  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
+  do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 2 * 9); // 9 connections with an expired response
+  do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
   run_next_test();
 }
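Review bot: The comment "9 connections with an expired response" now sits beside an assertion of `2 * 9`, and the same stale-comment problem applies to all five lines; a single explanatory comment at the top of check_ocsp_stapling_telemetry, e.g. `// Counts are doubled because add_tests_in_mode runs each scenario with and without insanity::pkix.`, would keep the intent readable without restating the multiplication on every line (the mode loop itself is outside this hunk, so this is inferred from the useInsanity parameter). The `histogram.counts[2] == 2 * 0` line is the security-relevant assertion here — it pins that an expired staple is recorded only in bucket 3 and does not also fall into the "no stapled response" bucket when CheckRevocation falls through to a fetch — and deserves a comment saying so, e.g. `// expired staples must not also be counted as "no staple"`. This function is otherwise a copy of the one in test_ocsp_stapling.js differing only in the expected values; hoisting a shared helper that takes an expected-counts array would remove the duplication.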