367878 - Mistake in PSM's OCSP pref switching code

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[Kai Engert [:KaiE:]]

Based on code inspection, I wonder if the following code found in PSM is wrong.

static void setOCSPOptions(nsIPrefBranch * pref)
{
  switch (ocspEnabled) {
  case 0: // never use OCSP
    CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
    CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
    break;
  case 1: // use OCSP service URLs in certs
    CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
    break;
  case 2: // always use given OCSP default responder
    CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
    CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(), url, signingCA);
    CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
    break;

Support a user has option 2 set, and changes configuration to 1.

If I understand correctly, NSS will still use the default OCSP responder, and we need to disable it.

Comment 1

[Kai Engert [:KaiE:]]

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/manager/ssl/src/nsNSSComponent.cpp&rev=1.143#956

Comment 2

[Kai Engert [:KaiE:]]

Attachment: Patch v1

Bob, do you agree this single line change makes sense?

Comment 3

[Kai Engert [:KaiE:]]

Do you agree that we should clear the SSL session cache when the application enables OCSP, or switches to a different OCSP responder?

My testing was:
- start app, OCSP disabled
- load https://us.etrade.com
- enable OCSP
- reload https://us.etrade.com

Expected behaviour: OCSP request

Actual behaviour: No OCSP request

Comment 4

[Kai Engert [:KaiE:]]

Attachment: Additional Patch

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 252463 [details] [diff] [review]
Additional Patch

r=nelson

Comment 6

[Robert Relyea]

Comment on attachment 252459 [details] [diff] [review]
Patch v1

r+=rrelyea

yes.

Comment 7

[Kai Engert [:KaiE:]]

both patches checked in to trunk, marking fixed