Bug 1010068 - Disable OCSP for DV certificates in Firefox for Android r=keeler
☠☠ backed out by 8e525037fc7a ☠ ☠
authorRichard Barnes <rbarnes@mozilla.com>
Fri, 15 May 2015 16:17:47 -0400
changeset 276556 fe10feec1edef68862f1733a65b0b0fd34c5a0ff
parent 276555 4b4e3bb1097cc0ec296a521d6954b68bc3723c68
child 276557 8e525037fc7aaebc9d4dc64b058dcdcfedb6dc80
push id897
push userjlund@mozilla.com
push dateMon, 14 Sep 2015 18:56:12 +0000
reviewerskeeler
bugs1010068
milestone41.0a1
Bug 1010068 - Disable OCSP for DV certificates in Firefox for Android r=keeler
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/moz.build
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -455,22 +455,35 @@ NSSCertDBTrustDomain::CheckRevocation(En
 
   // TODO: We still need to handle the fallback for expired responses. But,
   // if/when we disable OCSP fetching by default, it would be ambiguous whether
   // security.OCSP.enable==0 means "I want the default" or "I really never want
   // you to ever fetch OCSP."
 
   Duration shortLifetime(mCertShortLifetimeInDays * Time::ONE_DAY_IN_SECONDS);
 
-  if ((mOCSPFetching == NeverFetchOCSP) ||
-      (validityDuration < shortLifetime) ||
-      (endEntityOrCA == EndEntityOrCA::MustBeCA &&
-       (mOCSPFetching == FetchOCSPForDVHardFail ||
-        mOCSPFetching == FetchOCSPForDVSoftFail ||
-        blocklistIsFresh))) {
+  // In general, we will not do a live OCSP fetch if:
+  // (a) We have been configured not to, or
+  // (b) The certificate is sufficiently short-lived
+  // (c) We are validating a CA certificate for DV
+  bool willNotFetch = (mOCSPFetching == NeverFetchOCSP) ||
+                      (validityDuration < shortLifetime) ||
+                      ((endEntityOrCA == EndEntityOrCA::MustBeCA) &&
+                       ((mOCSPFetching == FetchOCSPForDVHardFail) ||
+                        (mOCSPFetching == FetchOCSPForDVSoftFail) ||
+                        blocklistIsFresh));
+#ifdef MOZ_FENNEC
+  // For Fennec, we will use stapled or cached OCSP, but we will not do
+  // a live fetch for any non-EV validation.
+  willNotFetch = (mOCSPFetching == NeverFetchOCSP) ||
+                 ((mOCSPFetching != LocalOnlyOCSPForEV) &&
+                  (mOCSPFetching != FetchOCSPForEV));
+#endif
+
+  if (willNotFetch) {
     // We're not going to be doing any fetching, so if there was a cached
     // "unknown" response, say so.
     if (cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) {
       return Result::ERROR_OCSP_UNKNOWN_CERT;
     }
     // If we're doing hard-fail, we want to know if we have a cached response
     // that has expired.
     if (mOCSPFetching == FetchOCSPForDVHardFail &&
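Review bot: The `#ifdef MOZ_FENNEC` branch assigns `willNotFetch` from scratch instead of extending the general expression computed just above it, so on Android the short-lifetime exemption (`validityDuration < shortLifetime`) and the fresh-blocklist exemption for CA certificates are dropped whenever the mode is LocalOnlyOCSPForEV or FetchOCSPForEV; a short-lived certificate or a CA certificate under EV validation then takes the fetching path here, which the non-Fennec build skips, unless code outside this hunk handles those cases separately. The override also repeats the `NeverFetchOCSP` test and leaves the general expression evaluated for nothing. Combining rather than replacing keeps both rules and the rest of the block unchanged: `willNotFetch = willNotFetch || ((mOCSPFetching != LocalOnlyOCSPForEV) && (mOCSPFetching != FetchOCSPForEV));`. The enclosing CheckRevocation starts before and continues past this hunk, so the downstream effect of the extra fetch is not visible here.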
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -66,9 +66,12 @@ if CONFIG['_MSC_VER']:
   CXXFLAGS += [
     '-wd4100', # 'symbol' : unreferenced formal parameter
     '-wd4127', # conditional expression is constant
     '-wd4946', # reinterpret_cast used between related types
   ]
 
 FAIL_ON_WARNINGS = True
 
+if CONFIG['MOZ_BUILD_APP'] == 'mobile/android':
+    DEFINES['MOZ_FENNEC'] = True
+
 FINAL_LIBRARY = 'xul'