Bug 959026: Add telemetry about cases where we don't do OCSP fetching when we expect to, r=keeler
--HG-- extra : rebase_source : f7e9826569325f497273a92eec5127c414baa8bc extra : source : bb5bb5a1b571e54695a4c8d5be0cc447f29f0358
This commit is contained in:
parent
6bcc300a5c
commit
c2e23acd65
@ -95,6 +95,9 @@
|
||||
*/
|
||||
|
||||
#include "SSLServerCertVerification.h"
|
||||
|
||||
#include <cstring>
|
||||
|
||||
#include "CertVerifier.h"
|
||||
#include "nsIBadCertListener2.h"
|
||||
#include "nsICertOverrideService.h"
|
||||
@ -633,7 +636,7 @@ class SSLServerCertVerificationJob : public nsRunnable
|
||||
public:
|
||||
// Must be called only on the socket transport thread
|
||||
static SECStatus Dispatch(const void * fdForLogging,
|
||||
TransportSecurityInfo * infoObject,
|
||||
nsNSSSocketInfo * infoObject,
|
||||
CERTCertificate * serverCert,
|
||||
SECItem * stapledOCSPResponse,
|
||||
uint32_t providerFlags);
|
||||
@ -642,12 +645,12 @@ private:
|
||||
|
||||
// Must be called only on the socket transport thread
|
||||
SSLServerCertVerificationJob(const void * fdForLogging,
|
||||
TransportSecurityInfo * infoObject,
|
||||
nsNSSSocketInfo * infoObject,
|
||||
CERTCertificate * cert,
|
||||
SECItem * stapledOCSPResponse,
|
||||
uint32_t providerFlags);
|
||||
const void * const mFdForLogging;
|
||||
const RefPtr<TransportSecurityInfo> mInfoObject;
|
||||
const RefPtr<nsNSSSocketInfo> mInfoObject;
|
||||
const ScopedCERTCertificate mCert;
|
||||
const uint32_t mProviderFlags;
|
||||
const TimeStamp mJobStartTime;
|
||||
@ -655,7 +658,7 @@ private:
|
||||
};
|
||||
|
||||
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
||||
const void * fdForLogging, TransportSecurityInfo * infoObject,
|
||||
const void * fdForLogging, nsNSSSocketInfo * infoObject,
|
||||
CERTCertificate * cert, SECItem * stapledOCSPResponse,
|
||||
uint32_t providerFlags)
|
||||
: mFdForLogging(fdForLogging)
|
||||
@ -855,7 +858,7 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo *infoObject,
|
||||
}
|
||||
|
||||
SECStatus
|
||||
AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
|
||||
AuthCertificate(nsNSSSocketInfo * infoObject, CERTCertificate * cert,
|
||||
SECItem * stapledOCSPResponse, uint32_t providerFlags)
|
||||
{
|
||||
if (cert->serialNumber.data &&
|
||||
@ -923,6 +926,25 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
|
||||
} else {
|
||||
// no stapled OCSP response
|
||||
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
|
||||
|
||||
uint32_t reasonsForNotFetching = 0;
|
||||
|
||||
char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
|
||||
if (!ocspURI) {
|
||||
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
|
||||
} else {
|
||||
if (std::strncmp(ocspURI, "http://", 7)) { // approximation
|
||||
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
|
||||
}
|
||||
PORT_Free(ocspURI);
|
||||
}
|
||||
|
||||
if (!infoObject->SharedState().IsOCSPFetchingEnabled()) {
|
||||
reasonsForNotFetching |= 2;
|
||||
}
|
||||
|
||||
Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH,
|
||||
reasonsForNotFetching);
|
||||
}
|
||||
|
||||
CERTCertList *verifyCertChain = nullptr;
|
||||
@ -1044,7 +1066,7 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
|
||||
|
||||
/*static*/ SECStatus
|
||||
SSLServerCertVerificationJob::Dispatch(const void * fdForLogging,
|
||||
TransportSecurityInfo * infoObject,
|
||||
nsNSSSocketInfo * infoObject,
|
||||
CERTCertificate * serverCert,
|
||||
SECItem * stapledOCSPResponse,
|
||||
uint32_t providerFlags)
|
||||
|
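Review bot: The scheme test `if (std::strncmp(ocspURI, "http://", 7)) { // approximation` is case-sensitive and treats every non-`http://` location as invalid, so an AIA entry spelled `HTTP://...` lands in bucket 1 even though URI schemes compare case-insensitively; whether the real fetcher would accept such a URI is not visible here, so the comment should at least state the bias, e.g. `// approximation: case-sensitive, and any non-http:// scheme counts as invalid`. This block also sits above `CERTCertList *verifyCertChain = nullptr;`, i.e. it runs on the not-yet-verified peer certificate, so `CERT_GetOCSPAuthorityInfoAccessLocation` is parsing untrusted input; the hunk rightly limits use of the result to a prefix compare and `PORT_Free`, and a one-line comment saying this is telemetry only and the URI is inspected, never fetched, would keep a later edit from widening that. The manual `PORT_Free(ocspURI)` is safe today because nothing returns between the allocation and the free, but a scoped holder in the style of `ScopedCERTCertificate` would keep that true if the branch grows. AuthCertificate begins and ends outside this hunk.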
@ -136,6 +136,7 @@ SharedSSLState::SharedSSLState()
|
||||
, mMutex("SharedSSLState::mMutex")
|
||||
, mSocketCreated(false)
|
||||
, mOCSPStaplingEnabled(false)
|
||||
, mOCSPFetchingEnabled(false)
|
||||
{
|
||||
mIOLayerHelpers.Init();
|
||||
mClientAuthRemember->Init();
|
||||
|
@ -36,7 +36,11 @@ public:
|
||||
// Main-thread only
|
||||
void ResetStoredData();
|
||||
void NotePrivateBrowsingStatus();
|
||||
void SetOCSPStaplingEnabled(bool enabled) { mOCSPStaplingEnabled = enabled; }
|
||||
void SetOCSPOptions(bool fetchingEnabled, bool staplingEnabled)
|
||||
{
|
||||
mOCSPFetchingEnabled = fetchingEnabled;
|
||||
mOCSPStaplingEnabled = staplingEnabled;
|
||||
}
|
||||
|
||||
// The following methods may be called from any thread
|
||||
bool SocketCreated();
|
||||
@ -44,6 +48,7 @@ public:
|
||||
static void NoteCertOverrideServiceInstantiated();
|
||||
static void NoteCertDBServiceInstantiated();
|
||||
bool IsOCSPStaplingEnabled() const { return mOCSPStaplingEnabled; }
|
||||
bool IsOCSPFetchingEnabled() const { return mOCSPFetchingEnabled; }
|
||||
|
||||
private:
|
||||
void Cleanup();
|
||||
@ -58,6 +63,7 @@ private:
|
||||
Mutex mMutex;
|
||||
bool mSocketCreated;
|
||||
bool mOCSPStaplingEnabled;
|
||||
bool mOCSPFetchingEnabled;
|
||||
};
|
||||
|
||||
SharedSSLState* PublicSSLState();
|
||||
|
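Review bot: `mOCSPFetchingEnabled` is written by `SetOCSPOptions` under the "Main-thread only" heading and read by `IsOCSPFetchingEnabled()` under "may be called from any thread" with no synchronization, so the new flag inherits the plain-bool cross-thread access already used for `mOCSPStaplingEnabled` even though the class carries `Mutex mMutex`; if this is meant to rely on the options being set before any socket thread reads them, a comment on the getters making that assumption explicit would let a reviewer check it, e.g. `// Written on the main thread only; read without locking from other threads — relies on options being set before sockets are created (confirm).` `SetOCSPOptions` also accepts fetchingEnabled=false together with staplingEnabled=true, and only the caller in nsNSSComponent forces stapling off when fetching is off; either document that callers must keep that relation, or enforce it here with `mOCSPStaplingEnabled = staplingEnabled && fetchingEnabled;`. The class declaration starts and ends outside these hunks.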
@ -1022,8 +1022,8 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting)
|
||||
if (!ocspEnabled) {
|
||||
ocspStaplingEnabled = false;
|
||||
}
|
||||
PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
|
||||
PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
|
||||
PublicSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);
|
||||
PrivateSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);
|
||||
|
||||
setNonPkixOcspEnabled(ocspEnabled);
|
||||
|
||||
|
@ -5584,6 +5584,12 @@
|
||||
"n_values": 8,
|
||||
"description": "Status of OCSP stapling on this handshake (1=present, good; 2=none; 3=present, expired; 4=present, other error)"
|
||||
},
|
||||
"SSL_OCSP_MAY_FETCH": {
|
||||
"expires_in_version": "never",
|
||||
"kind": "enumerated",
|
||||
"n_values": 8,
|
||||
"description": "For non-stapling cases, is OCSP fetching a possibility? (0=yes, 1=no because missing/invalid OCSP URI, 2=no because fetching disabled, 3=no because both)"
|
||||
},
|
||||
"TELEMETRY_TEST_EXPIRED": {
|
||||
"expires_in_version": "4.0a1",
|
||||
"kind": "flag",
|
||||
|