Closed
Bug 1352262
Opened 7 years ago
Closed 7 years ago
add preferences to configure OCSP timeout values
Categories
(Core :: Security: PSM, enhancement, P1)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla55
Tracking | Status | |
---|---|---|
firefox55 | --- | fixed |
People
(Reporter: keeler, Assigned: keeler)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
Having hard-coded timeouts of 2 seconds and 10 seconds for DV and EV respectively isn't very flexible - we should make them configurable.
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → dkeeler
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment hidden (mozreview-request) |
Comment 2•7 years ago
|
||
mozreview-review |
Comment on attachment 8858163 [details] bug 1352262 - make OCSP timeout values configurable https://reviewboard.mozilla.org/r/130106/#review132896 Looks good. ::: security/certverifier/NSSCertDBTrustDomain.cpp:278 (Diff revision 1) > { > return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen); > } > > -static TimeDuration > -OCSPFetchingTypeToTimeoutTime(NSSCertDBTrustDomain::OCSPFetching ocspFetching) > +TimeDuration > +NSSCertDBTrustDomain::OCSPFetchingTypeToTimeoutTime() const Optional: Maybe we can rename this to something like `GetOCSPTimeout()` instead? Feels slightly weird to have this be named "XToY" when it no longer takes an X.
Attachment #8858163 -
Flags: review?(cykesiopka.bmo) → review+
Comment 3•7 years ago
|
||
mozreview-review |
Comment on attachment 8858163 [details] bug 1352262 - make OCSP timeout values configurable https://reviewboard.mozilla.org/r/130106/#review133050 This patch looks good, but shouldn't we set those prefs to some defaults in security-prefs.js before merging? ::: security/manager/ssl/nsNSSComponent.cpp:183 (Diff revision 1) > static_cast<uint32_t>(0)); > > + uint32_t softTimeoutMillis = > + Preferences::GetUint("security.OCSP.timeoutMilliseconds.soft", > + OCSP_TIMEOUT_MILLISECONDS_SOFT_DEFAULT); > + if (softTimeoutMillis > OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX) { Nit: Why not use `std::min(softTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX)` here and next?
Attachment #8858163 -
Flags: review?(jjones) → review-
Comment hidden (mozreview-request) |
Assignee | ||
Comment 5•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8858163 [details] bug 1352262 - make OCSP timeout values configurable https://reviewboard.mozilla.org/r/130106/#review132896 Thanks! > Optional: Maybe we can rename this to something like `GetOCSPTimeout()` instead? > Feels slightly weird to have this be named "XToY" when it no longer takes an X. Sounds good.
Assignee | ||
Comment 6•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8858163 [details] bug 1352262 - make OCSP timeout values configurable https://reviewboard.mozilla.org/r/130106/#review133050 I suppose so. Not having them in security-prefs.js makes them hidden, but that tends to confuse people (e.g. when we said "just flip security.enterprise_roots.enabled!" they actually had to add the pref). > Nit: Why not use `std::min(softTimeoutMillis, OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX)` here and next? Heh - good call.
Comment 7•7 years ago
|
||
mozreview-review |
Comment on attachment 8858163 [details] bug 1352262 - make OCSP timeout values configurable https://reviewboard.mozilla.org/r/130106/#review133100 Interdiff looks great. 11/10 would review again
Attachment #8858163 -
Flags: review?(jjones) → review+
Assignee | ||
Comment 8•7 years ago
|
||
Try looks good: https://treeherder.mozilla.org/#/jobs?repo=try&revision=4f78cc6e36f8 Thanks for the reviews!
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d0e27739f475 make OCSP timeout values configurable r=Cykesiopka,jcj
Comment 10•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/d0e27739f475
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in
before you can comment on or make changes to this bug.
Description
•