Bug 957665 - Add telemetry to measure how many people have OCSP enabled. r=keeler, a=bajaj
authorBrian Smith <brian@briansmith.org>
Wed, 08 Jan 2014 08:59:53 -0800
changeset 167905 b79205dc4e1efaa75edbf1607e33d87f0e279884
parent 167904 891f559ab340ba3c5a9838902e67b23278639787
child 167906 68439aff871ab6cfbcb2c047b8338bf01ac0a4e0
push id428
push userbbajaj@mozilla.com
push dateTue, 28 Jan 2014 00:16:25 +0000
treeherdermozilla-release@cd72a7ff3a75 [default view] [failures only]
reviewerskeeler, bajaj
bugs957665
milestone27.0
Bug 957665 - Add telemetry to measure how many people have OCSP enabled. r=keeler, a=bajaj
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSComponent.h
toolkit/components/telemetry/Histograms.json
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -6,16 +6,17 @@
 
 #ifdef MOZ_LOGGING
 #define FORCE_PR_LOG 1
 #endif
 
 #include "nsNSSComponent.h"
 
 #include "CertVerifier.h"
+#include "mozilla/Telemetry.h"
 #include "nsCertVerificationThread.h"
 #include "nsAppDirectoryServiceDefs.h"
 #include "nsComponentManagerUtils.h"
 #include "nsDirectoryServiceDefs.h"
 #include "nsICertOverrideService.h"
 #include "mozilla/Preferences.h"
 #include "nsThreadUtils.h"
 #include "mozilla/PublicSSL.h"
@@ -1002,28 +1003,36 @@ CipherSuiteChangeObserver::Observe(nsISu
     }
   }
   return NS_OK;
 }
 
 } // anonymous namespace
 
 // Caller must hold a lock on nsNSSComponent::mutex when calling this function
-void nsNSSComponent::setValidationOptions()
+void nsNSSComponent::setValidationOptions(bool isInitialSetting)
 {
   nsNSSShutDownPreventionLock locker;
 
   bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
                                              CRL_DOWNLOAD_DEFAULT);
   // 0 = disabled, 1 = enabled
   int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
                                             OCSP_ENABLED_DEFAULT);
 
   bool ocspRequired = Preferences::GetBool("security.OCSP.require",
                                            OCSP_REQUIRED_DEFAULT);
+
+  // We measure the setting of the pref at startup only to minimize noise by
+  // addons that may muck with the settings, though it probably doesn't matter.
+  if (isInitialSetting) {
+    Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled);
+    Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
+  }
+
   bool anyFreshRequired = Preferences::GetBool("security.fresh_revocation_info.require",
                                                FRESH_REVOCATION_REQUIRED_DEFAULT);
   bool aiaDownloadEnabled = Preferences::GetBool("security.missing_cert_download.enabled",
                                                  MISSING_CERT_DOWNLOAD_DEFAULT);
 
   nsCString firstNetworkRevo =
     Preferences::GetCString("security.first_network_revocation_method");
   if (firstNetworkRevo.IsEmpty()) {
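Review bot: `ocspEnabled` is an `int32_t` read with `Preferences::GetInt`, but the new block accumulates it into `CERT_OCSP_ENABLED`, which the Histograms.json hunk of this commit declares as `"kind": "boolean"`. A profile whose `security.OCSP.enabled` pref holds anything other than 0 or 1 would pass the raw integer to a boolean histogram, so the recorded sample may not match what the verifier does with that setting. Normalising at the call site keeps the measurement tied to the documented meaning: `Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled != 0);`. This assumes the rest of `setValidationOptions`, which continues past this hunk, treats any non-zero value as enabled.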
@@ -1337,17 +1346,17 @@ nsNSSComponent::InitializeNSS(bool showW
       SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, false);
 
       if (NS_FAILED(InitializeCipherSuite())) {
         PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to initialize cipher suite settings\n"));
         return NS_ERROR_FAILURE;
       }
 
       // dynamic options from prefs
-      setValidationOptions();
+      setValidationOptions(true);
 
       mHttpForNSS.initTable();
       mHttpForNSS.registerHttpClient();
 
       InstallLoadableRoots();
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
       LaunchSmartCardThreads();
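Review bot: The bare literal in `setValidationOptions(true);` does not tell the reader what it switches on, and the matching `setValidationOptions(false);` in the `Observe` hunk has the same problem. A trailing comment such as `// isInitialSetting: record OCSP pref telemetry once` on this call, and `// pref change: no telemetry` on the other, would make both sites self-explanatory. The "at startup only" wording in `setValidationOptions` also holds only if `InitializeNSS` runs once per session. If it can run again, for example on a profile change (not visible here, since the body extends outside the hunk), the two histograms would receive more than one sample per session, so that is worth confirming.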
@@ -1754,17 +1763,17 @@ nsNSSComponent::Observe(nsISupports *aSu
                || prefName.Equals("security.CRL_download.enabled")
                || prefName.Equals("security.fresh_revocation_info.require")
                || prefName.Equals("security.missing_cert_download.enabled")
                || prefName.Equals("security.first_network_revocation_method")
                || prefName.Equals("security.OCSP.require")
                || prefName.Equals("security.OCSP.GET.enabled")
                || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
       MutexAutoLock lock(mutex);
-      setValidationOptions();
+      setValidationOptions(false);
     } else if (prefName.Equals("network.ntlm.send-lm-response")) {
       bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
                                          SEND_LM_DEFAULT);
       nsNTLMAuthModule::SetSendLM(sendLM);
     }
     if (clearSessionCache)
       SSL_ClearSessionCache();
   }
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@@ -179,17 +179,17 @@ public:
 private:
 
   nsresult InitializeNSS(bool showWarningBox);
   void ShutdownNSS();
 
   void InstallLoadableRoots();
   void UnloadLoadableRoots();
   void CleanupIdentityInfo();
-  void setValidationOptions();
+  void setValidationOptions(bool isInitialSetting);
   nsresult setEnabledTLSVersions();
   nsresult InitializePIPNSSBundle();
   nsresult ConfigureInternalPKCS11Token();
   nsresult RegisterObservers();
   nsresult DeregisterObservers();
 
   // Methods that we use to handle the profile change notifications (and to
   // synthesize a full profile change when we're just doing a profile startup):
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -4492,10 +4492,20 @@
     "kind": "enumerated",
     "n_values": 32,
     "description": "Symmetric cipher used in resumed handshake (null=0, rc4=1, 3des=4, aes-cbc=7, camellia=8, seed=9, aes-gcm=10)"
   },
   "SSL_OCSP_STAPLING": {
     "kind": "enumerated",
     "n_values": 8,
     "description": "Status of OCSP stapling on this handshake (1=present, good; 2=none; 3=present, expired; 4=present, other error)"
+  },
+  "CERT_OCSP_ENABLED": {
+    "expires_in_version": "never",
+    "kind": "boolean",
+    "description": "Is OCSP fetching enabled? (pref security.OCSP.enabled)"
+  },
+  "CERT_OCSP_REQUIRED": {
+    "expires_in_version": "never",
+    "kind": "boolean",
+    "description": "Is OCSP required when the cert has an OCSP URI? (pref security.OCSP.require)"
   }
 }
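Review bot: The two new `description` strings do not say when the sample is taken, although the C++ side records it only on the initial `setValidationOptions` call and never on later pref changes. Someone reading the dashboard cannot tell that a user who toggles OCSP mid-session is still counted under the startup value. Consider extending them, e.g. `"Is OCSP fetching enabled at startup? (pref security.OCSP.enabled; recorded once at NSS initialization)"`, and likewise for `CERT_OCSP_REQUIRED`. It would also help to state in the `CERT_OCSP_ENABLED` description how the integer pref maps onto the boolean.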