Closed Bug 945857 Opened 11 years ago Closed 11 years ago

Remove the security.fresh_revocation_info.require preference

Categories

(Core :: Security: PSM, defect)

Not set
minor

RESOLVED FIXED
mozilla29

People

(Reporter: briansmith, Assigned: retornam)

Details

(Whiteboard: [good first bug][mentor=briansmith])

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #917047 +++

The security.fresh_revocation_info.require preference is intended to be like security.OCSP.require, except that security.OCSP.require is only for OCSP, but security.fresh_revocation_info.require allows fallback to CRLs. This option was added when the switch to make libpkix the default cert verification library was added.

We do not need both preferences. If CRL fallback is enabled then the security.OCSP.require preference should allow CRL fallback in the libpkix code. In other words, everywhere we respect the value of security.fresh_revocation_info.require, we should use the security.OCSP.require preference instead.

Besides removing the references to this pref in nsNSSComponent, we also need to remove the corresponding constructor parameter and member variable from CertVerifier.
Whiteboard: [good first bug] → [good first bug][mentor=briansmith]
Hi Brian,
I will take this.
Assignee: nobody → mozbugs.retornam
Attached patch bug-945857.patch
Attachment #8345562 - Flags: review?(brian)
Comment on attachment 8345562
bug-945857.patch

Review of attachment 8345562:
-----------------------------------------------------------------

Thanks for the patch. Just one minor issue.

::: security/manager/ssl/src/CertVerifier.cpp
@@ +378,5 @@
>      // avoiding the network is good, let's try local first
>      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
>  
>      // is overall revocation requirement strict or relaxed?
> +    | CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT;
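
Review bot: the comment "// is overall revocation requirement strict or relaxed?" directly above the added line now sits over a flag that is OR'd in unconditionally, so the visible code no longer makes the choice the comment asks about. Either drop the comment together with the flag, or reword it to state that no overall fresh-information requirement is set in the method-independent flags. Because the value is now fixed for both rev.leafTests and rev.chainTests, it would also help to note in the patch description where security.OCSP.require is expected to enforce strictness instead.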

Please change this to just:

  rev.leafTests.cert_rev_method_independent_flags =
  rev.chainTests.cert_rev_method_independent_flags =
    // avoiding the network is good, let's try local first
    CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;

Note that CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT == 0.
Attachment #8345562 - Flags: review?(brian) → review-
Attached patch bug-945857.patch
Attachment #8345573 - Flags: review?(brian)
Attachment #8345573 - Flags: review?(brian) → review+
https://hg.mozilla.org/mozilla-central/rev/464ec8159135
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED