Bug 957667 - Decouple OCSP stapling pref from the OCSP fetching pref, and couple the OCSP required pref to the OCSP fetching pref. r=keeler, a=lsblakk
authorBrian Smith <brian@briansmith.org>
Wed, 08 Jan 2014 08:51:06 -0800
changeset 174832 b15a92ca0ec4ceff19ab9af1c1da068c5f9b2c8c
parent 174831 a1a43efa0c4467d0f34543d5d73bfde10bcac5a8
child 174833 17e6923abc9f04e8c725b03055dc158f7c882891
push id3224
push userlsblakk@mozilla.com
push dateTue, 04 Feb 2014 01:06:49 +0000
reviewerskeeler, lsblakk
bugs957667
milestone28.0a2
Bug 957667 - Decouple OCSP stapling pref from the OCSP fetching pref, and couple the OCSP required pref to the OCSP fetching pref. r=keeler, a=lsblakk
security/manager/ssl/src/nsNSSComponent.cpp
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -996,39 +996,40 @@ CipherSuiteChangeObserver::Observe(nsISu
 
 // Caller must hold a lock on nsNSSComponent::mutex when calling this function
 void nsNSSComponent::setValidationOptions(bool isInitialSetting)
 {
   nsNSSShutDownPreventionLock locker;
 
   bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
                                              false);
+
+  // This preference controls whether we do OCSP fetching and does not affect
+  // OCSP stapling.
   // 0 = disabled, 1 = enabled
   int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
                                             OCSP_ENABLED_DEFAULT);
 
-  bool ocspRequired = Preferences::GetBool("security.OCSP.require", false);
+  bool ocspRequired = ocspEnabled &&
+    Preferences::GetBool("security.OCSP.require", false);
 
   // We measure the setting of the pref at startup only to minimize noise by
   // addons that may muck with the settings, though it probably doesn't matter.
   if (isInitialSetting) {
     Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled);
     Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
   }
 
   bool anyFreshRequired = Preferences::GetBool("security.fresh_revocation_info.require",
                                                false);
   bool aiaDownloadEnabled = Preferences::GetBool("security.missing_cert_download.enabled",
                                                  false);
 
   bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
                                                   true);
-  if (!ocspEnabled) {
-    ocspStaplingEnabled = false;
-  }
   PublicSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);
   PrivateSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);
 
   setNonPkixOcspEnabled(ocspEnabled);
 
   CERT_SetOCSPFailureMode( ocspRequired ?
                            ocspMode_FailureIsVerificationFailure
                            : ocspMode_FailureIsNotAVerificationFailure);