mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-06-11 09:29:49 +00:00
#450: disable OCSP for DV certs
parent
dbe5530d53
commit
71e9386e75
|
@ -169,8 +169,17 @@ var gAdvancedPane = {
|
||||||
},
|
},
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* security.OCSP.enabled is an integer value for legacy reasons.
|
* readEnableOCSP is used by the preferences UI to determine whether or not
|
||||||
* A value of 1 means OCSP is enabled. Any other value means it is disabled.
|
* the checkbox for OCSP fetching should be checked (it returns true if it
|
||||||
|
* should be checked and false otherwise). The about:config preference
|
||||||
|
* "security.OCSP.enabled" is an integer rather than a boolean, so it can't be
|
||||||
|
* directly mapped from {true,false} to {checked,unchecked}. The possible
|
||||||
|
* values for "security.OCSP.enabled" are:
|
||||||
|
* 0: fetching is disabled
|
||||||
|
* 1: fetch for all certificates
|
||||||
|
* 2: fetch only for EV certificates
|
||||||
|
* Hence, if "security.OCSP.enabled" is non-zero, the checkbox should be
|
||||||
|
* checked. Otherwise, it should be unchecked.
|
||||||
*/
|
*/
|
||||||
readEnableOCSP: function ()
|
readEnableOCSP: function ()
|
||||||
{
|
{
|
||||||
|
@ -179,16 +188,28 @@ var gAdvancedPane = {
|
||||||
if (preference.value === undefined) {
|
if (preference.value === undefined) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return preference.value == 1;
|
return preference.value != 0;
|
||||||
},
|
},
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* See documentation for readEnableOCSP.
|
* writeEnableOCSP is used by the preferences UI to map the checked/unchecked
|
||||||
|
* state of the OCSP fetching checkbox to the value that the preference
|
||||||
|
* "security.OCSP.enabled" should be set to (it returns that value). See the
|
||||||
|
* readEnableOCSP documentation for more background. We unfortunately don't
|
||||||
|
* have enough information to map from {true,false} to all possible values for
|
||||||
|
* "security.OCSP.enabled", but a reasonable alternative is to map from
|
||||||
|
* {true,false} to {<the default value>,0}. That is, if the box is checked,
|
||||||
|
* "security.OCSP.enabled" will be set to whatever default it should be, given
|
||||||
|
* the platform and channel. If the box is unchecked, the preference will be
|
||||||
|
* set to 0. Obviously this won't work if the default is 0, so we will have to
|
||||||
|
* revisit this if we ever set it to 0.
|
||||||
*/
|
*/
|
||||||
writeEnableOCSP: function ()
|
writeEnableOCSP: function ()
|
||||||
{
|
{
|
||||||
var checkbox = document.getElementById("enableOCSP");
|
var checkbox = document.getElementById("enableOCSP");
|
||||||
return checkbox.checked ? 1 : 0;
|
var defaults = Services.prefs.getDefaultBranch(null);
|
||||||
|
var defaultValue = defaults.getIntPref("security.OCSP.enabled");
|
||||||
|
return checkbox.checked ? defaultValue : 0;
|
||||||
},
|
},
|
||||||
|
|
||||||
/**
|
/**
|
||||||
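Review bot: In writeEnableOCSP the checked state now maps to whatever the default branch holds, so if that default is 0, ticking the box writes 0 and OCSP fetching stays off with no indication to the user. The new doc comment concedes this, but the code has no guard. A fallback on the return line would cover it, for example `return checkbox.checked ? (defaultValue || 2) : 0;`, where 2 matches the default this commit ships. A user who set the pref to 1 by hand and then toggles the box also ends up on the default rather than on 1, which deserves a sentence in the comment. readEnableOCSP's body is split across the two hunks and is not fully visible.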
|
|
|
@ -37,7 +37,11 @@ pref("security.remember_cert_checkbox_default_setting", true);
|
||||||
pref("security.ask_for_password", 0);
|
pref("security.ask_for_password", 0);
|
||||||
pref("security.password_lifetime", 30);
|
pref("security.password_lifetime", 30);
|
||||||
|
|
||||||
pref("security.OCSP.enabled", 1);
|
// The supported values of this pref are:
|
||||||
|
// 0: do not fetch OCSP
|
||||||
|
// 1: fetch OCSP for DV and EV certificates
|
||||||
|
// 2: fetch OCSP only for EV certificates
|
||||||
|
pref("security.OCSP.enabled", 2);
|
||||||
pref("security.OCSP.require", false);
|
pref("security.OCSP.require", false);
|
||||||
pref("security.OCSP.GET.enabled", false);
|
pref("security.OCSP.GET.enabled", false);
|
||||||
|
|
||||||
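Review bot: The new comment block lists the three values but does not say why 2 is now the default or what it costs. With this setting no OCSP request is made for DV certificates, so a revoked DV certificate is only caught by whatever other revocation sources the build uses (not visible here). A line such as `// Default is 2 (issue #450): DV certificates get no live OCSP fetch.` above the pref would record the trade-off next to the value. The same default is also hard-coded in the C++ fallback and in `OCSP_ENABLED_DEFAULT`, so the comment could point to those to help keep the three in step.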
|
|
|
@ -187,7 +187,7 @@ GetRevocationBehaviorFromPrefs(/*out*/ CertVerifier::OcspDownloadConfig* odc,
|
||||||
// 0 = disabled
|
// 0 = disabled
|
||||||
// 1 = enabled for everything (default)
|
// 1 = enabled for everything (default)
|
||||||
// 2 = enabled for EV certificates only
|
// 2 = enabled for EV certificates only
|
||||||
int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 1);
|
int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 2);
|
||||||
switch (ocspLevel) {
|
switch (ocspLevel) {
|
||||||
case 0: *odc = CertVerifier::ocspOff; break;
|
case 0: *odc = CertVerifier::ocspOff; break;
|
||||||
case 2: *odc = CertVerifier::ocspEVOnly; break;
|
case 2: *odc = CertVerifier::ocspEVOnly; break;
|
||||||
|
@ -714,7 +714,7 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
|
||||||
rangeOut.max = (uint16_t) maxFromPrefs;
|
rangeOut.max = (uint16_t) maxFromPrefs;
|
||||||
}
|
}
|
||||||
|
|
||||||
static const int32_t OCSP_ENABLED_DEFAULT = 1;
|
static const int32_t OCSP_ENABLED_DEFAULT = 2;
|
||||||
static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
|
static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
|
||||||
static const bool FALSE_START_ENABLED_DEFAULT = true;
|
static const bool FALSE_START_ENABLED_DEFAULT = true;
|
||||||
static const bool NPN_ENABLED_DEFAULT = true;
|
static const bool NPN_ENABLED_DEFAULT = true;
|
||||||
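Review bot: The value table above the `Preferences::GetInt("security.OCSP.enabled", 2)` call still marks 1 as "(default)", which is stale now that the fallback is 2. It should read `// 1 = enabled for everything` and `// 2 = enabled for EV certificates only (default)`. The literal 2 there and `OCSP_ENABLED_DEFAULT = 2` in the second hunk of this section are the same default written twice. A short comment on the constant would tie them together, e.g. `// must match the fallback in GetRevocationBehaviorFromPrefs and the security.OCSP.enabled pref`. Both enclosing functions continue outside the hunks, so the switch's remaining cases are not visible.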
|
|