Bug 1346298 Update or Remove Telemetry Probe: SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME r=jcj
authorui.manish <1991manish.kumar@gmail.com>
Wed, 16 Jan 2019 19:35:05 +0000
changeset 514126 eec2cd4998b3dfa7a336d86ab6f02ca49c2b79f3
parent 514125 50582093318ac50411fc4ddc0a4a730fb0b748d4
child 514127 0b3a6c7175ca027b27db5943f178f36c2c1e0672
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
reviewersjcj
bugs1346298
milestone66.0a1
Bug 1346298 Update or Remove Telemetry Probe: SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME r=jcj Differential Revision: https://phabricator.services.mozilla.com/D16631
security/manager/ssl/SSLServerCertVerification.cpp
toolkit/components/telemetry/Histograms.json
toolkit/components/telemetry/histogram-whitelists.json
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -1136,60 +1136,22 @@ void GatherRootCATelemetry(const UniqueC
   AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA,
                                rootCert);
 }
 
 // These time are appoximate, i.e., doesn't account for leap seconds, etc
 const uint64_t ONE_WEEK_IN_SECONDS = (7 * (24 * 60 * 60));
 const uint64_t ONE_YEAR_IN_WEEKS = 52;
 
-// Gathers telemetry on the certificate lifetimes we observe in the wild
-void GatherEndEntityTelemetry(const UniqueCERTCertList& certList) {
-  CERTCertListNode* endEntityNode = CERT_LIST_HEAD(certList);
-  MOZ_ASSERT(endEntityNode && !CERT_LIST_END(endEntityNode, certList));
-  if (!endEntityNode || CERT_LIST_END(endEntityNode, certList)) {
-    return;
-  }
-
-  CERTCertificate* endEntityCert = endEntityNode->cert;
-  MOZ_ASSERT(endEntityCert);
-  if (!endEntityCert) {
-    return;
-  }
-
-  PRTime notBefore;
-  PRTime notAfter;
-
-  if (CERT_GetCertTimes(endEntityCert, &notBefore, &notAfter) != SECSuccess) {
-    return;
-  }
-
-  MOZ_ASSERT(notAfter > notBefore);
-  if (notAfter <= notBefore) {
-    return;
-  }
-
-  uint64_t durationInWeeks =
-      (notAfter - notBefore) / PR_USEC_PER_SEC / ONE_WEEK_IN_SECONDS;
-
-  if (durationInWeeks > (2 * ONE_YEAR_IN_WEEKS)) {
-    durationInWeeks = (2 * ONE_YEAR_IN_WEEKS) + 1;
-  }
-
-  Telemetry::Accumulate(Telemetry::SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME,
-                        durationInWeeks);
-}
-
 // There are various things that we want to measure about certificate
 // chains that we accept.  This is a single entry point for all of them.
 void GatherSuccessfulValidationTelemetry(const UniqueCERTCertList& certList) {
   GatherBaselineRequirementsTelemetry(certList);
   GatherEKUTelemetry(certList);
   GatherRootCATelemetry(certList);
-  GatherEndEntityTelemetry(certList);
 }
 
 void GatherTelemetryForSingleSCT(const ct::VerifiedSCT& verifiedSct) {
   // See SSL_SCTS_ORIGIN in Histograms.json.
   uint32_t origin = 0;
   switch (verifiedSct.origin) {
     case ct::VerifiedSCT::Origin::Embedded:
       origin = 1;
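Review bot: The constants `ONE_WEEK_IN_SECONDS` and `ONE_YEAR_IN_WEEKS`, kept as context just above the deleted function, look orphaned by this removal: within this hunk their only readers were the `durationInWeeks` computation and clamp in `GatherEndEntityTelemetry`. The rest of the file is outside the hunk, so this needs confirming, but if nothing else references them they should be dropped together with the `// These time are appoximate, ...` comment. Otherwise they remain as dead file-scope constants, may trigger unused-variable warnings, and suggest to later readers that certificate lifetime is still measured here.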
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -2377,25 +2377,16 @@
   "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED": {
     "record_in_processes": ["main", "content"],
     "alert_emails": ["seceng-telemetry@mozilla.com"],
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 16,
     "description": "SSL Handshake Key Exchange Algorithm for resumed handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
   },
-  "SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME": {
-    "record_in_processes": ["main", "content"],
-    "expires_in_version": "55",
-    "alert_emails": ["seceng-telemetry@mozilla.com"],
-    "kind": "enumerated",
-    "n_values": 125,
-    "releaseChannelCollection": "opt-out",
-    "description": "The lifetime of accepted HTTPS server certificates, in weeks, up to 2 years. Bucket 105 is all end-entity HTTPS server certificates with a lifetime > 2 years."
-  },
   "WEBSOCKETS_HANDSHAKE_TYPE": {
     "record_in_processes": ["main", "content"],
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 16,
     "description": "Websockets Handshake Results (ws-ok-plain, ws-ok-proxy, ws-failed-plain, ws-failed-proxy, wss-ok-plain, wss-ok-proxy, wss-failed-plain, wss-failed-proxy)"
   },
   "SPDY_VERSION2": {
--- a/toolkit/components/telemetry/histogram-whitelists.json
+++ b/toolkit/components/telemetry/histogram-whitelists.json
@@ -1024,17 +1024,16 @@
     "SSL_HANDSHAKE_TYPE",
     "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX",
     "SSL_KEA_DHE_KEY_SIZE_FULL",
     "SSL_KEA_ECDHE_CURVE_FULL",
     "SSL_KEA_RSA_KEY_SIZE_FULL",
     "SSL_KEY_EXCHANGE_ALGORITHM_FULL",
     "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED",
     "SSL_NPN_TYPE",
-    "SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME",
     "SSL_OCSP_STAPLING",
     "SSL_PERMANENT_CERT_ERROR_OVERRIDES",
     "SSL_REASONS_FOR_NOT_FALSE_STARTING",
     "SSL_SERVER_AUTH_EKU",
     "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX",
     "SSL_SYMMETRIC_CIPHER_FULL",
     "SSL_SYMMETRIC_CIPHER_RESUMED",
     "SSL_TLS10_INTOLERANCE_REASON_POST",
@@ -1209,17 +1208,16 @@
     "MEMORY_HEAP_ALLOCATED",
     "SYSTEM_FONT_FALLBACK_SCRIPT",
     "HTTP_REQUEST_PER_PAGE_FROM_CACHE",
     "SSL_TIME_UNTIL_READY",
     "SSL_TIME_UNTIL_HANDSHAKE_FINISHED_KEYED_BY_KA",
     "CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME",
     "CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME",
     "CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME",
-    "SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME",
     "SPDY_SERVER_INITIATED_STREAMS",
     "STS_POLL_AND_EVENTS_CYCLE",
     "STS_POLL_CYCLE",
     "STS_POLL_AND_EVENT_THE_LAST_CYCLE",
     "STS_POLL_BLOCK_TIME",
     "PRCONNECT_BLOCKING_TIME_NORMAL",
     "PRCONNECT_BLOCKING_TIME_SHUTDOWN",
     "PRCONNECT_BLOCKING_TIME_CONNECTIVITY_CHANGE",