#450: disable OCSP for DV certs

browser/components/preferences/in-content/advanced.js

@@ -169,8 +169,17 @@ var gAdvancedPane = {
   },
 
   /**
-   * security.OCSP.enabled is an integer value for legacy reasons.
-   * A value of 1 means OCSP is enabled. Any other value means it is disabled.
+   * readEnableOCSP is used by the preferences UI to determine whether or not
+   * the checkbox for OCSP fetching should be checked (it returns true if it
+   * should be checked and false otherwise). The about:config preference
+   * "security.OCSP.enabled" is an integer rather than a boolean, so it can't be
+   * directly mapped from {true,false} to {checked,unchecked}. The possible
+   * values for "security.OCSP.enabled" are:
+   * 0: fetching is disabled
+   * 1: fetch for all certificates
+   * 2: fetch only for EV certificates
+   * Hence, if "security.OCSP.enabled" is non-zero, the checkbox should be
+   * checked. Otherwise, it should be unchecked.
    */
   readEnableOCSP: function ()
   {
@@ -179,16 +188,28 @@ var gAdvancedPane = {
     if (preference.value === undefined) {
       return true;
     }
-    return preference.value == 1;
+    return preference.value != 0;
   },
 
   /**
-   * See documentation for readEnableOCSP.
+   * writeEnableOCSP is used by the preferences UI to map the checked/unchecked
+   * state of the OCSP fetching checkbox to the value that the preference
+   * "security.OCSP.enabled" should be set to (it returns that value). See the
+   * readEnableOCSP documentation for more background. We unfortunately don't
+   * have enough information to map from {true,false} to all possible values for
+   * "security.OCSP.enabled", but a reasonable alternative is to map from
+   * {true,false} to {<the default value>,0}. That is, if the box is checked,
+   * "security.OCSP.enabled" will be set to whatever default it should be, given
+   * the platform and channel. If the box is unchecked, the preference will be
+   * set to 0. Obviously this won't work if the default is 0, so we will have to
+   * revisit this if we ever set it to 0.
    */
   writeEnableOCSP: function ()
   {
     var checkbox = document.getElementById("enableOCSP");
-    return checkbox.checked ? 1 : 0;
+    var defaults = Services.prefs.getDefaultBranch(null);
+    var defaultValue = defaults.getIntPref("security.OCSP.enabled");
+    return checkbox.checked ? defaultValue : 0;
   },
 
   /**

netwerk/base/security-prefs.js

@@ -37,7 +37,11 @@ pref("security.remember_cert_checkbox_default_setting", true);
 pref("security.ask_for_password",        0);
 pref("security.password_lifetime",       30);
 
-pref("security.OCSP.enabled", 1);
+// The supported values of this pref are:
+// 0: do not fetch OCSP
+// 1: fetch OCSP for DV and EV certificates
+// 2: fetch OCSP only for EV certificates
+pref("security.OCSP.enabled", 2);
 pref("security.OCSP.require", false);
 pref("security.OCSP.GET.enabled", false);
 

security/manager/ssl/nsNSSComponent.cpp

@@ -187,7 +187,7 @@ GetRevocationBehaviorFromPrefs(/*out*/ CertVerifier::OcspDownloadConfig* odc,
   // 0 = disabled
   // 1 = enabled for everything (default)
   // 2 = enabled for EV certificates only
-  int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 1);
+  int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 2);
   switch (ocspLevel) {
     case 0: *odc = CertVerifier::ocspOff; break;
     case 2: *odc = CertVerifier::ocspEVOnly; break;
@@ -714,7 +714,7 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
   rangeOut.max = (uint16_t) maxFromPrefs;
 }
 
-static const int32_t OCSP_ENABLED_DEFAULT = 1;
+static const int32_t OCSP_ENABLED_DEFAULT = 2;
 static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
 static const bool FALSE_START_ENABLED_DEFAULT = true;
 static const bool NPN_ENABLED_DEFAULT = true;