Bug 1010068 - Disable OCSP for DV certificates in Firefox for Android. r=keeler, a=lizzard
authorRichard Barnes <rbarnes@mozilla.com>
Mon, 15 Jun 2015 13:53:47 -0700
changeset 275066 0ddc5628704f72f0913507cb80afc48ef113f1fb
parent 275065 7333a8d7b494c79743a88056a03810f150a0fce8
child 275067 970295c941453fefa3cf00309e85f12e53db86a8
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
treeherdermozilla-release@f6321b14228d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler, lizzard
bugs1010068
milestone40.0a2
Bug 1010068 - Disable OCSP for DV certificates in Firefox for Android. r=keeler, a=lizzard
mobile/android/app/mobile.js
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_keysize_ev.js
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
security/manager/ssl/tests/unit/test_ocsp_required.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/test_ocsp_timeout.js
security/manager/ssl/tests/unit/test_ocsp_url.js
--- a/mobile/android/app/mobile.js
+++ b/mobile/android/app/mobile.js
@@ -464,16 +464,19 @@ pref("security.alternate_certificate_err
 pref("security.warn_viewing_mixed", false); // Warning is disabled.  See Bug 616712.
 
 // Block insecure active content on https pages
 pref("security.mixed_content.block_active_content", true);
 
 // Enable pinning
 pref("security.cert_pinning.enforcement_level", 1);
 
+// Only fetch OCSP for EV certificates
+pref("security.OCSP.enabled", 2);
+
 // Override some named colors to avoid inverse OS themes
 pref("ui.-moz-dialog", "#efebe7");
 pref("ui.-moz-dialogtext", "#101010");
 pref("ui.-moz-field", "#fff");
 pref("ui.-moz-fieldtext", "#1a1a1a");
 pref("ui.-moz-buttonhoverface", "#f3f0ed");
 pref("ui.-moz-buttonhovertext", "#101010");
 pref("ui.-moz-combobox", "#fff");
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -29,17 +29,17 @@ namespace mozilla { namespace psm {
 
 const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
 const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
 
 CertVerifier::CertVerifier(OcspDownloadConfig odc,
                            OcspStrictConfig osc,
                            OcspGetConfig ogc,
                            PinningMode pinningMode)
-  : mOCSPDownloadEnabled(odc == ocspOn)
+  : mOCSPDownloadConfig(odc)
   , mOCSPStrict(osc == ocspStrict)
   , mOCSPGETEnabled(ogc == ocspGetEnabled)
   , mPinningMode(pinningMode)
 {
 }
 
 CertVerifier::~CertVerifier()
 {
@@ -211,18 +211,21 @@ CertVerifier::VerifyCert(CERTCertificate
 
   Input certDER;
   rv = certDER.Init(cert->derCert.data, cert->derCert.len);
   if (rv != Success) {
     PR_SetError(MapResultToPRErrorCode(rv), 0);
     return SECFailure;
   }
 
-  NSSCertDBTrustDomain::OCSPFetching ocspFetching
-    = !mOCSPDownloadEnabled ||
+  // We configure the OCSP fetching modes separately for EV and non-EV
+  // verifications.
+  NSSCertDBTrustDomain::OCSPFetching defaultOCSPFetching
+    = (mOCSPDownloadConfig == ocspOff) ||
+      (mOCSPDownloadConfig == ocspEVOnly) ||
       (flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP
     : !mOCSPStrict              ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
                                 : NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
 
   OcspGetConfig ocspGETConfig = mOCSPGETEnabled ? ocspGetEnabled
                                                 : ocspGetDisabled;
 
   Input stapledOCSPResponseInput;
@@ -237,17 +240,17 @@ CertVerifier::VerifyCert(CERTCertificate
     }
     stapledOCSPResponse = &stapledOCSPResponseInput;
   }
 
   switch (usage) {
     case certificateUsageSSLClient: {
       // XXX: We don't really have a trust bit for SSL client authentication so
       // just use trustEmail as it is the closest alternative.
-      NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
+      NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache,
                                        pinArg, ocspGETConfig, pinningDisabled,
                                        MIN_RSA_BITS_WEAK, nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::digitalSignature,
                           KeyPurposeId::id_kp_clientAuth,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       break;
@@ -255,27 +258,29 @@ CertVerifier::VerifyCert(CERTCertificate
 
     case certificateUsageSSLServer: {
       // TODO: When verifying a certificate in an SSL handshake, we should
       // restrict the acceptable key usage based on the key exchange method
       // chosen by the server.
 
 #ifndef MOZ_NO_EV_CERTS
       // Try to validate for EV first.
+      NSSCertDBTrustDomain::OCSPFetching evOCSPFetching
+        = (mOCSPDownloadConfig == ocspOff) ||
+          (flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::LocalOnlyOCSPForEV
+                                    : NSSCertDBTrustDomain::FetchOCSPForEV;
+
       CertPolicyId evPolicy;
       SECOidTag evPolicyOidTag;
       SECStatus srv = GetFirstEVPolicy(cert, evPolicy, evPolicyOidTag);
       if (srv == SECSuccess) {
         NSSCertDBTrustDomain
-          trustDomain(trustSSL,
-                      ocspFetching == NSSCertDBTrustDomain::NeverFetchOCSP
-                        ? NSSCertDBTrustDomain::LocalOnlyOCSPForEV
-                        : NSSCertDBTrustDomain::FetchOCSPForEV,
-                      mOCSPCache, pinArg, ocspGETConfig, mPinningMode,
-                      MIN_RSA_BITS, hostname, builtChain);
+          trustDomain(trustSSL, evOCSPFetching, mOCSPCache, pinArg,
+                      ocspGETConfig, mPinningMode, MIN_RSA_BITS, hostname,
+                      builtChain);
         rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
                                           KeyUsage::digitalSignature,// (EC)DHE
                                           KeyUsage::keyEncipherment, // RSA
                                           KeyUsage::keyAgreement,    // (EC)DH
                                           KeyPurposeId::id_kp_serverAuth,
                                           evPolicy, stapledOCSPResponse,
                                           ocspStaplingStatus);
         if (rv == Success) {
@@ -288,39 +293,40 @@ CertVerifier::VerifyCert(CERTCertificate
 #endif
 
       if (flags & FLAG_MUST_BE_EV) {
         rv = Result::ERROR_POLICY_VALIDATION_FAILED;
         break;
       }
 
       // Now try non-EV.
-      NSSCertDBTrustDomain trustDomain(trustSSL, ocspFetching, mOCSPCache,
-                                       pinArg, ocspGETConfig, mPinningMode,
-                                       MIN_RSA_BITS, hostname, builtChain);
+      NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
+                                       mOCSPCache, pinArg, ocspGETConfig,
+                                       mPinningMode, MIN_RSA_BITS, hostname,
+                                       builtChain);
       rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
                                         KeyUsage::digitalSignature, // (EC)DHE
                                         KeyUsage::keyEncipherment, // RSA
                                         KeyUsage::keyAgreement, // (EC)DH
                                         KeyPurposeId::id_kp_serverAuth,
                                         CertPolicyId::anyPolicy,
                                         stapledOCSPResponse,
                                         ocspStaplingStatus);
       if (rv == Success) {
         if (keySizeStatus) {
           *keySizeStatus = KeySizeStatus::LargeMinimumSucceeded;
         }
         break;
       }
 
       // If that failed, try again with a smaller minimum key size.
-      NSSCertDBTrustDomain trustDomainWeak(trustSSL, ocspFetching, mOCSPCache,
-                                           pinArg, ocspGETConfig, mPinningMode,
-                                           MIN_RSA_BITS_WEAK, hostname,
-                                           builtChain);
+      NSSCertDBTrustDomain trustDomainWeak(trustSSL, defaultOCSPFetching,
+                                           mOCSPCache, pinArg, ocspGETConfig,
+                                           mPinningMode, MIN_RSA_BITS_WEAK,
+                                           hostname, builtChain);
       rv = BuildCertChainForOneKeyUsage(trustDomainWeak, certDER, time,
                                         KeyUsage::digitalSignature, // (EC)DHE
                                         KeyUsage::keyEncipherment, // RSA
                                         KeyUsage::keyAgreement, // (EC)DH
                                         KeyPurposeId::id_kp_serverAuth,
                                         CertPolicyId::anyPolicy,
                                         stapledOCSPResponse,
                                         ocspStaplingStatus);
@@ -331,30 +337,32 @@ CertVerifier::VerifyCert(CERTCertificate
           *keySizeStatus = KeySizeStatus::AlreadyBad;
         }
       }
 
       break;
     }
 
     case certificateUsageSSLCA: {
-      NSSCertDBTrustDomain trustDomain(trustSSL, ocspFetching, mOCSPCache,
-                                       pinArg, ocspGETConfig, pinningDisabled,
-                                       MIN_RSA_BITS_WEAK, nullptr, builtChain);
+      NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
+                                       mOCSPCache, pinArg, ocspGETConfig,
+                                       pinningDisabled, MIN_RSA_BITS_WEAK,
+                                       nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign,
                           KeyPurposeId::id_kp_serverAuth,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       break;
     }
 
     case certificateUsageEmailSigner: {
-      NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
-                                       pinArg, ocspGETConfig, pinningDisabled,
-                                       MIN_RSA_BITS_WEAK, nullptr, builtChain);
+      NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
+                                       mOCSPCache, pinArg, ocspGETConfig,
+                                       pinningDisabled, MIN_RSA_BITS_WEAK,
+                                       nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::digitalSignature,
                           KeyPurposeId::id_kp_emailProtection,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       if (rv == Result::ERROR_INADEQUATE_KEY_USAGE) {
         rv = BuildCertChain(trustDomain, certDER, time,
                             EndEntityOrCA::MustBeEndEntity,
@@ -364,36 +372,37 @@ CertVerifier::VerifyCert(CERTCertificate
       }
       break;
     }
 
     case certificateUsageEmailRecipient: {
       // TODO: The higher level S/MIME processing should pass in which key
       // usage it is trying to verify for, and base its algorithm choices
       // based on the result of the verification(s).
-      NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
-                                       pinArg, ocspGETConfig, pinningDisabled,
-                                       MIN_RSA_BITS_WEAK, nullptr, builtChain);
+      NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
+                                       mOCSPCache, pinArg, ocspGETConfig,
+                                       pinningDisabled, MIN_RSA_BITS_WEAK,
+                                       nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::keyEncipherment, // RSA
                           KeyPurposeId::id_kp_emailProtection,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       if (rv == Result::ERROR_INADEQUATE_KEY_USAGE) {
         rv = BuildCertChain(trustDomain, certDER, time,
                             EndEntityOrCA::MustBeEndEntity,
                             KeyUsage::keyAgreement, // ECDH/DH
                             KeyPurposeId::id_kp_emailProtection,
                             CertPolicyId::anyPolicy, stapledOCSPResponse);
       }
       break;
     }
 
     case certificateUsageObjectSigner: {
-      NSSCertDBTrustDomain trustDomain(trustObjectSigning, ocspFetching,
+      NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
                                        mOCSPCache, pinArg, ocspGETConfig,
                                        pinningDisabled,
                                        MIN_RSA_BITS_WEAK, nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::digitalSignature,
                           KeyPurposeId::id_kp_codeSigning,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
@@ -413,33 +422,35 @@ CertVerifier::VerifyCert(CERTCertificate
         keyUsage = KeyUsage::keyCertSign;
         eku = KeyPurposeId::anyExtendedKeyUsage;
       } else {
         endEntityOrCA = EndEntityOrCA::MustBeEndEntity;
         keyUsage = KeyUsage::digitalSignature;
         eku = KeyPurposeId::id_kp_OCSPSigning;
       }
 
-      NSSCertDBTrustDomain sslTrust(trustSSL, ocspFetching, mOCSPCache, pinArg,
-                                    ocspGETConfig, pinningDisabled,
+      NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache,
+                                    pinArg, ocspGETConfig, pinningDisabled,
                                     MIN_RSA_BITS_WEAK, nullptr, builtChain);
       rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA,
                           keyUsage, eku, CertPolicyId::anyPolicy,
                           stapledOCSPResponse);
       if (rv == Result::ERROR_UNKNOWN_ISSUER) {
-        NSSCertDBTrustDomain emailTrust(trustEmail, ocspFetching, mOCSPCache,
-                                        pinArg, ocspGETConfig, pinningDisabled,
-                                        MIN_RSA_BITS_WEAK, nullptr, builtChain);
+        NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching,
+                                        mOCSPCache, pinArg, ocspGETConfig,
+                                        pinningDisabled, MIN_RSA_BITS_WEAK,
+                                        nullptr, builtChain);
         rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA,
                             keyUsage, eku, CertPolicyId::anyPolicy,
                             stapledOCSPResponse);
         if (rv == Result::ERROR_UNKNOWN_ISSUER) {
           NSSCertDBTrustDomain objectSigningTrust(trustObjectSigning,
-                                                  ocspFetching, mOCSPCache,
-                                                  pinArg, ocspGETConfig,
+                                                  defaultOCSPFetching,
+                                                  mOCSPCache, pinArg,
+                                                  ocspGETConfig,
                                                   pinningDisabled,
                                                   MIN_RSA_BITS_WEAK,
                                                   nullptr, builtChain);
           rv = BuildCertChain(objectSigningTrust, certDER, time,
                               endEntityOrCA, keyUsage, eku,
                               CertPolicyId::anyPolicy, stapledOCSPResponse);
         }
       }
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -70,29 +70,31 @@ public:
 
   enum PinningMode {
     pinningDisabled = 0,
     pinningAllowUserCAMITM = 1,
     pinningStrict = 2,
     pinningEnforceTestMode = 3
   };
 
-  enum OcspDownloadConfig { ocspOff = 0, ocspOn };
+  enum OcspDownloadConfig {
+    ocspOff = 0,
+    ocspOn = 1,
+    ocspEVOnly = 2
+  };
   enum OcspStrictConfig { ocspRelaxed = 0, ocspStrict };
   enum OcspGetConfig { ocspGetDisabled = 0, ocspGetEnabled = 1 };
 
-  bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
-
   CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
                OcspGetConfig ogc, PinningMode pinningMode);
   ~CertVerifier();
 
   void ClearOCSPCache() { mOCSPCache.Clear(); }
 
-  const bool mOCSPDownloadEnabled;
+  const OcspDownloadConfig mOCSPDownloadConfig;
   const bool mOCSPStrict;
   const bool mOCSPGETEnabled;
   const PinningMode mPinningMode;
 
 private:
   OCSPCache mOCSPCache;
 };
 
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -186,20 +186,25 @@ GetOCSPBehaviorFromPrefs(/*out*/ CertVer
                          /*out*/ CertVerifier::OcspGetConfig* ogc,
                          const MutexAutoLock& /*proofOfLock*/)
 {
   MOZ_ASSERT(NS_IsMainThread());
   MOZ_ASSERT(odc);
   MOZ_ASSERT(osc);
   MOZ_ASSERT(ogc);
 
-  // 0 = disabled, otherwise enabled
-  *odc = Preferences::GetInt("security.OCSP.enabled", 1)
-       ? CertVerifier::ocspOn
-       : CertVerifier::ocspOff;
+  // 0 = disabled
+  // 1 = enabled for everything (default)
+  // 2 = enabled for EV certificates only
+  int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 1);
+  switch (ocspLevel) {
+    case 0: *odc = CertVerifier::ocspOff; break;
+    case 2: *odc = CertVerifier::ocspEVOnly; break;
+    default: *odc = CertVerifier::ocspOn; break;
+  }
 
   *osc = Preferences::GetBool("security.OCSP.require", false)
        ? CertVerifier::ocspStrict
        : CertVerifier::ocspRelaxed;
 
   // XXX: Always use POST for OCSP; see bug 871954 for undoing this.
   *ogc = Preferences::GetBool("security.OCSP.GET.enabled", false)
        ? CertVerifier::ocspGetEnabled
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -55,16 +55,17 @@ function check_telemetry() {
   do_check_eq(keySizeHistogram.counts[1], 0); // 0 successful verifications of 2048-bit keys
   do_check_eq(keySizeHistogram.counts[2], 12); // 12 successful verifications of 1024-bit keys
   do_check_eq(keySizeHistogram.counts[3], 48); // 48 verification failures
 
   run_next_test();
 }
 
 function run_test() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
   add_tls_server_setup("BadCertServer");
 
   let fakeOCSPResponder = new HttpServer();
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
   });
   fakeOCSPResponder.start(8888);
 
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -72,16 +72,17 @@ function run_test() {
     addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
   }
   load_ca("evroot");
   load_ca("non-evroot-ca");
 
   // setup and start ocsp responder
   Services.prefs.setCharPref("network.dns.localDomains",
                              'www.example.com, crl.example.com');
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           gEVExpected ? ["int-ev-valid", "ev-valid"]
                                       : ["ev-valid"]);
     check_ee_for_ev("ev-valid", gEVExpected);
     ocspResponder.stop(run_next_test);
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -140,13 +140,14 @@ function checkRSAChains(inadequateKeySiz
                            eeFullName ]
                        : [ eeFullName ];
   addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
                       [ intFullName ], eeFullName, false);
 }
 
 function run_test() {
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   checkRSAChains(2040, 2048);
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -11,16 +11,17 @@ function generateGoodOCSPResponse() {
   let args = [ ["good", "localhostAndExampleCom", "unused" ] ];
   let responses = generateOCSPResponses(args, "tlsserver");
   return responses[0];
 }
 
 function run_test() {
   do_get_profile();
   Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
   add_tls_server_setup("OCSPStaplingServer");
 
   let ocspResponder = new HttpServer();
   ocspResponder.registerPrefixHandler("/", function(request, response) {
     ++gFetchCount;
 
     do_print("gFetchCount: " + gFetchCount);
 
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
@@ -32,16 +32,17 @@ function run_test() {
   addCertFromFile(certdb, "test_ocsp_fetch_method/ca.der", 'CTu,CTu,CTu');
   addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   add_test(function() {
     clearOCSPCache();
     Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
     let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
     check_cert_err("a", PRErrorCodeSuccess);
     ocspResponder.stop(run_next_test);
   });
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -9,16 +9,17 @@
 // response with a bad signature. With security.OCSP.require set to true,
 // this should fail (but it also shouldn't cause assertion failures).
 
 let gOCSPRequestCount = 0;
 
 function run_test() {
   do_get_profile();
   Services.prefs.setBoolPref("security.OCSP.require", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   // We don't actually make use of stapling in this test. This is just how we
   // get a TLS connection.
   add_tls_server_setup("OCSPStaplingServer");
 
   let args = [["bad-signature", "localhostAndExampleCom", "unused"]];
   let ocspResponses = generateOCSPResponses(args, "tlsserver");
   let ocspResponseBadSignature = ocspResponses[0];
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -22,16 +22,17 @@ function add_ocsp_test(aHost, aExpectedR
     },
     function() {
       do_check_eq(gOCSPRequestCount, 1);
     });
 }
 
 do_get_profile();
 Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
 let args = [["good", "localhostAndExampleCom", "unused"],
              ["expiredresponse", "localhostAndExampleCom", "unused"],
              ["oldvalidperiod", "localhostAndExampleCom", "unused"],
              ["revoked", "localhostAndExampleCom", "unused"],
              ["unknown", "localhostAndExampleCom", "unused"],
             ];
 let ocspResponses = generateOCSPResponses(args, "tlsserver");
 // Fresh response, certificate is good.
--- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -21,16 +21,17 @@ let gSocketListener = {
     socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30);
   },
 
   onStopListening: function(serverSocket, status) {}
 };
 
 function run_test() {
   do_get_profile();
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   add_tls_server_setup("OCSPStaplingServer");
 
   let socket = Cc["@mozilla.org/network/server-socket;1"]
                  .createInstance(Ci.nsIServerSocket);
   socket.init(8888, true, -1);
   socket.asyncListen(gSocketListener);
 
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -34,16 +34,17 @@ function run_test() {
   addCertFromFile(certdb, "test_ocsp_url/ca.der", 'CTu,CTu,CTu');
   addCertFromFile(certdb, "test_ocsp_url/int.der", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("bad-scheme",SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });