bug 887321 - initial OCSP stapling telemetry r=briansmith

2024-09-13 09:24:08 -07:00 · 2013-12-16 09:32:16 -08:00 · 2013-12-16 09:32:16 -08:00 · c5f0099402
commit c5f0099402
parent f07ef3ba59
4 changed files with 45 additions and 0 deletions
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@ -909,9 +909,20 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
      // We will fall back to fetching revocation information.
      PRErrorCode ocspErrorCode = PR_GetError();
      if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
+        // stapled OCSP response present but invalid for some reason
+        Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
        return rv;
+      } else {
+        // stapled OCSP response present but expired
+        Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
      }
+    } else {
+      // stapled OCSP response present and good
+      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
    }
+  } else {
+    // no stapled OCSP response
+    Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
  }

  CERTCertList *verifyCertChain = nullptr;
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@ -108,5 +108,20 @@ function run_test() {
  // test_ocsp_stapling_expired.js

  add_test(function() { fakeOCSPResponder.stop(run_next_test); });
+
+  add_test(check_ocsp_stapling_telemetry);
+  run_next_test();
+}
+
+function check_ocsp_stapling_telemetry() {
+  let histogram = Cc["@mozilla.org/base/telemetry;1"]
+                    .getService(Ci.nsITelemetry)
+                    .getHistogramById("SSL_OCSP_STAPLING")
+                    .snapshot();
+  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 1); // 1 connection with a good response
+  do_check_eq(histogram.counts[2], 14); // 14 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
+  do_check_eq(histogram.counts[4], 11); // 11 connections with bad responses
  run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@ -81,5 +81,19 @@ function run_test() {
                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                ocspResponseRevoked);
  add_test(function() { ocspResponder.stop(run_next_test); });
+  add_test(check_ocsp_stapling_telemetry);
+  run_next_test();
+}
+
+function check_ocsp_stapling_telemetry() {
+  let histogram = Cc["@mozilla.org/base/telemetry;1"]
+                    .getService(Ci.nsITelemetry)
+                    .getHistogramById("SSL_OCSP_STAPLING")
+                    .snapshot();
+  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
+  do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 8); // 8 connections with an expired response
+  do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
  run_next_test();
 }
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -4693,5 +4693,10 @@
    "kind": "enumerated",
    "n_values": 8,
    "description": "Type of handshake (1=resumption, 2=false started, 3=chose not to false start, 4=not allowed to false start)"
+  },
+  "SSL_OCSP_STAPLING": {
+    "kind": "enumerated",
+    "n_values": 8,
+    "description": "Status of OCSP stapling on this handshake (1=present, good; 2=none; 3=present, expired; 4=present, other error)"
  }
 }