diff --git a/browser/components/preferences/in-content/advanced.js b/browser/components/preferences/in-content/advanced.js
index 90949210a..4f56df81e 100644
--- a/browser/components/preferences/in-content/advanced.js
+++ b/browser/components/preferences/in-content/advanced.js
@@ -169,8 +169,17 @@ var gAdvancedPane = {
   },
 
   /**
-   * security.OCSP.enabled is an integer value for legacy reasons.
-   * A value of 1 means OCSP is enabled. Any other value means it is disabled.
+   * readEnableOCSP is used by the preferences UI to determine whether or not * the checkbox for OCSP fetching should be checked (it returns true if it * should be checked and false otherwise). The about:config preference * "security.OCSP.enabled" is an integer rather than a boolean, so it can't be * directly mapped from {true,false} to {checked,unchecked}. The possible * values for "security.OCSP.enabled" are: * 0: fetching is disabled * 1: fetch for all certificates * 2: fetch only for EV certificates * Hence, if "security.OCSP.enabled" is non-zero, the checkbox should be * checked. Otherwise, it should be unchecked.
    */
   readEnableOCSP: function () {
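Review bot: The new comment presents 0, 1 and 2 as the only possible values of "security.OCSP.enabled", but about:config accepts any integer, and the non-zero rule this comment justifies will show a value such as 3 as checked while what 3 actually means is decided by the switch in nsNSSComponent.cpp, whose default case is not in this diff. The list should be marked as the supported values rather than an exhaustive one, e.g. `* Any other non-zero value is shown as checked here; nsNSSComponent.cpp decides how it is actually interpreted.` The body of readEnableOCSP continues past the end of this hunk.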
@@ -179,16 +188,28 @@ var gAdvancedPane = {
     if (preference.value === undefined) {
       return true;
     }
-    return preference.value == 1;
+    return preference.value != 0;
   },
 
   /**
-   * See documentation for readEnableOCSP.
+   * writeEnableOCSP is used by the preferences UI to map the checked/unchecked * state of the OCSP fetching checkbox to the value that the preference * "security.OCSP.enabled" should be set to (it returns that value). See the * readEnableOCSP documentation for more background. We unfortunately don't * have enough information to map from {true,false} to all possible values for * "security.OCSP.enabled", but a reasonable alternative is to map from * {true,false} to {,0}. That is, if the box is checked, * "security.OCSP.enabled" will be set to whatever default it should be, given * the platform and channel. If the box is unchecked, the preference will be * set to 0. Obviously this won't work if the default is 0, so we will have to * revisit this if we ever set it to 0.
    */
   writeEnableOCSP: function () {
     var checkbox = document.getElementById("enableOCSP");
-    return checkbox.checked ? 1 : 0;
+    var defaults = Services.prefs.getDefaultBranch(null);
+    var defaultValue = defaults.getIntPref("security.OCSP.enabled");
+    return checkbox.checked ? defaultValue : 0;
   },
 
   /**
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index 17b851b7e..fc471396a 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -37,7 +37,11 @@ pref("security.remember_cert_checkbox_default_setting", true);
 pref("security.ask_for_password", 0);
 pref("security.password_lifetime", 30);
-pref("security.OCSP.enabled", 1);
+// The supported values of this pref are:
+// 0: do not fetch OCSP
+// 1: fetch OCSP for DV and EV certificates
+// 2: fetch OCSP only for EV certificates
+pref("security.OCSP.enabled", 2);
 pref("security.OCSP.require", false);
 pref("security.OCSP.GET.enabled", false);
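Review bot: writeEnableOCSP loses information in a security-relevant direction: a user who set "security.OCSP.enabled" to 1 (fetch for all certificates) and unchecks then re-checks the box ends up with the default-branch value, which this commit makes 2 (EV only), i.e. weaker revocation checking than they chose, with nothing in the UI showing that. That consequence belongs in the comment, e.g. `* Note: re-checking the box after unchecking it replaces a user's explicit 1 with the default (currently 2, EV-only).` The "default is 0" failure mode the comment defers can be closed now with one line, `return checkbox.checked ? (defaultValue !== 0 ? defaultValue : 1) : 0;`, so a checked box can never write the disabled value. Separately, the read side compares with `!= 0` while the line just above uses `=== undefined`; `!== 0` would be consistent. readEnableOCSP's body begins before this hunk; writeEnableOCSP is fully visible.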
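Review bot: Changing the shipped default from 1 to 2 stops OCSP fetching for every non-EV certificate, which is the large majority of sites, and the new comment lists the values without saying why the weaker setting is now the default. A reader of security-prefs.js should not have to dig up the bug for that; a one-line rationale next to the value is warranted, e.g. `// Default is 2 (EV only): <reason and bug reference>` filled in from the actual justification. It is also worth noting in the same comment that `security.OCSP.require` stays false, presumably meaning a failed fetch is not fatal, so the remaining EV-only fetching is best-effort; that way the whole revocation story is readable in one place.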
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 2369791de..135af10dc 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -187,7 +187,7 @@ GetRevocationBehaviorFromPrefs(/*out*/ CertVerifier::OcspDownloadConfig* odc,
   // 0 = disabled
   // 1 = enabled for everything (default)
   // 2 = enabled for EV certificates only
-  int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 1);
+  int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 2);
   switch (ocspLevel) {
     case 0: *odc = CertVerifier::ocspOff; break;
     case 2: *odc = CertVerifier::ocspEVOnly; break;
@@ -714,7 +714,7 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
   rangeOut.max = (uint16_t) maxFromPrefs;
 }
 
-static const int32_t OCSP_ENABLED_DEFAULT = 1;
+static const int32_t OCSP_ENABLED_DEFAULT = 2;
 static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
 static const bool FALSE_START_ENABLED_DEFAULT = true;
 static const bool NPN_ENABLED_DEFAULT = true;
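Review bot: The comment two lines above the changed GetInt call still says `// 1 = enabled for everything (default)`, which is wrong now that the fallback is 2; the marker should move, `// 1 = enabled for everything` and `// 2 = enabled for EV certificates only (default)`. The literal 2 here also has to stay in step with OCSP_ENABLED_DEFAULT later in this file and with the pref default in security-prefs.js, three places that can drift independently; passing the constant to GetInt (which means declaring it above this function) removes one of them. GetRevocationBehaviorFromPrefs continues past the end of this hunk, so the switch's default case for unrecognised values is not visible here.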