Bug 585122 - Part 1. EV do not request CRL. r=briansmith.
authorCamilo Viecco <cviecco@mozilla.com>
Mon, 02 Dec 2013 11:08:06 -0800
changeset 174632 7063dc99de441cd6d641ab48122a68ca3c4467c2
parent 174631 8a355b5e2d7eb02231178b8a18c1e145b91874b9
child 174633 0c7a5bc1b06ec09ba4c82fa49742ba92b4c55e38
push id445
push userffxbld
push dateMon, 10 Mar 2014 22:05:19 +0000
reviewersbriansmith
bugs585122
milestone28.0a1
Bug 585122 - Part 1. EV do not request CRL. r=briansmith.
security/manager/ssl/src/CertVerifier.cpp
--- a/security/manager/ssl/src/CertVerifier.cpp
+++ b/security/manager/ssl/src/CertVerifier.cpp
@@ -222,32 +222,33 @@ CertVerifier::VerifyCert(CERTCertificate
   cvin[2].value.scalar.time = time;
   i = 3;
   const size_t evParamLocation = i;
 
   if (evPolicy != SEC_OID_UNKNOWN) {
     // EV setup!
     // XXX 859872 The current flags are not quite correct. (use
     // of ocsp flags for crl preferences).
-    uint64_t revMethodFlags =
+    uint64_t ocspRevMethodFlags =
       CERT_REV_M_TEST_USING_THIS_METHOD
       | ((mOCSPDownloadEnabled && !localOnly) ?
           CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
       | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
       | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
       | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
-      | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
- 
+      | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
+      | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
+
     rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
-    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = revMethodFlags;
+    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl]
+      = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD;
 
     rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
     rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
-      = revMethodFlags
-      | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
+      = ocspRevMethodFlags;
 
     rev.leafTests.cert_rev_method_independent_flags =
     rev.chainTests.cert_rev_method_independent_flags =
       // avoiding the network is good, let's try local first
       CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
       // is overall revocation requirement strict or relaxed?
       |  CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
       ;
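Review bot: The `XXX 859872` comment kept above `ocspRevMethodFlags` is stale once this lands, because the CRL slots no longer reuse the OCSP flags; both `leafTests` and `chainTests` are now set to `CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD`. Replace it with a comment that states the resulting policy, for example `// EV: CRLs are not tested at all; revocation checking relies on OCSP only.` Since `CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE` is still set a few lines below, OCSP becomes the only source of fresh revocation information for the EV path. Presumably a chain whose certificates lack a reachable OCSP responder will then stop validating as EV; that consequence deserves a line in the comment and a test. The body of `VerifyCert` starts and ends outside this hunk, so the fallback behaviour cannot be confirmed from here.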