Closed Bug 969048 Opened 10 years ago Closed 10 years ago

Adjust OCSP stapling telemetry for insanity::pkix

Categories

(Core :: Security: PSM, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla30

People

(Reporter: briansmith, Assigned: keeler)

References

Details

Attachments

(1 file, 1 obsolete file)

The way OCSP stapling telemetry is collected currently is specific to the way that the NSS validation works in that it checks the return value of CERT_CacheOCSPResponseFromSideChannel. The call to CERT_CacheOCSPResponseFromSideChannel is irrelevant to insanity::pkix and it should be removed. More importantly, we need to count OCSP-stapling-related errors based on either the result of CertVerifier::VerifyCert or some other way, so we know if there are any OCSP(-stapling)-related problem with insanity::pkix.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Priority: -- → P3
Attached patch patch (obsolete) — Splinter Review
The changes to SSLServerCertVerification.cpp are most clear when looked at with 'diff -w' (I can attach a patch generated like that if need be).
Attachment #8382610 - Flags: review?(brian)
Attachment #8382610 - Flags: review?(brian) → review+
Comment on attachment 8382610 [details] [diff] [review]
patch

Review of attachment 8382610 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/certverifier/NSSCertDBTrustDomain.cpp
@@ +177,5 @@
>      SECStatus rv = VerifyEncodedOCSPResponse(*this, cert, issuerCert, time,
>                                               stapledOCSPResponse, &validUntil);
>      if (rv == SECSuccess) {
> +      // stapled OCSP response present and good
> +      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);

Wow telemetry is now thread safe. Pinning telemetry then will be really easy!
Attachment #8382610 - Flags: review?(cviecco) → review+
Attached patch patch v1.1Splinter Review
rebased, carrying over r+s, inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/21ad5a221382
Attachment #8382610 - Attachment is obsolete: true
Attachment #8390610 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/21ad5a221382
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.