Closed Bug 1352262 Opened 7 years ago Closed 7 years ago

add preferences to configure OCSP timeout values

Categories

(Core :: Security: PSM, enhancement, P1)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: keeler, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

bug 1352262 - make OCSP timeout values configurable
59 bytes, text/x-review-board-request
Cykesiopka
: review+
jcj
: review+
Details 
Having hard-coded timeouts of 2 seconds and 10 seconds for DV and EV respectively isn't very flexible - we should make them configurable.
Assignee: nobody → dkeeler
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment on attachment 8858163 [details]
bug 1352262 - make OCSP timeout values configurable

https://reviewboard.mozilla.org/r/130106/#review132896

Looks good.

::: security/certverifier/NSSCertDBTrustDomain.cpp:278
(Diff revision 1)
>  {
>    return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
>  }
>  
> -static TimeDuration
> -OCSPFetchingTypeToTimeoutTime(NSSCertDBTrustDomain::OCSPFetching ocspFetching)
> +TimeDuration
> +NSSCertDBTrustDomain::OCSPFetchingTypeToTimeoutTime() const

Optional: Maybe we can rename this to something like `GetOCSPTimeout()` instead?
Feels slightly weird to have this be named "XToY" when it no longer takes an X.
Attachment #8858163 - Flags: review?(cykesiopka.bmo) → review+
Comment on attachment 8858163 [details]
bug 1352262 - make OCSP timeout values configurable

https://reviewboard.mozilla.org/r/130106/#review133050

This patch looks good, but shouldn't we set those prefs to some defaults in security-prefs.js before merging?

::: security/manager/ssl/nsNSSComponent.cpp:183
(Diff revision 1)
>                           static_cast<uint32_t>(0));
>  
> +  uint32_t softTimeoutMillis =
> +    Preferences::GetUint("security.OCSP.timeoutMilliseconds.soft",
> +                         OCSP_TIMEOUT_MILLISECONDS_SOFT_DEFAULT);
> +  if (softTimeoutMillis > OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX) {

Nit: Why not use `std::min(softTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX)` here and next?
Attachment #8858163 - Flags: review?(jjones) → review-
Comment on attachment 8858163 [details]
bug 1352262 - make OCSP timeout values configurable

https://reviewboard.mozilla.org/r/130106/#review132896

Thanks!

> Optional: Maybe we can rename this to something like `GetOCSPTimeout()` instead?
> Feels slightly weird to have this be named "XToY" when it no longer takes an X.

Sounds good.
Comment on attachment 8858163 [details]
bug 1352262 - make OCSP timeout values configurable

https://reviewboard.mozilla.org/r/130106/#review133050

I suppose so. Not having them in security-prefs.js makes them hidden, but that tends to confuse people (e.g. when we said "just flip security.enterprise_roots.enabled!" they actually had to add the pref).

> Nit: Why not use `std::min(softTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX)` here and next?

Heh - good call.
Comment on attachment 8858163 [details]
bug 1352262 - make OCSP timeout values configurable

https://reviewboard.mozilla.org/r/130106/#review133100

Interdiff looks great. 11/10 would review again
Attachment #8858163 - Flags: review?(jjones) → review+
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d0e27739f475
make OCSP timeout values configurable r=Cykesiopka,jcj
https://hg.mozilla.org/mozilla-central/rev/d0e27739f475
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: