// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- // This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. "use strict";
// In which we connect to a number of domains (as faked by a server running // locally) with and without OCSP stapling enabled to determine that good // things happen and bad things don't.
// Enable the collection (during test) for all products so even products // that don't collect the data will be able to run the test without failure.
Services.prefs.setBoolPref( "toolkit.telemetry.testing.overrideProductsCheck", true
);
// This stapled response is from a CA that is untrusted and did not issue // the server's certificate.
let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem");
add_test(function () {
certDB.setCertTrust(
otherTestCA,
Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.UNTRUSTED
);
run_next_test();
});
add_ocsp_test( "ocsp-stapling-good-other-ca.example.com",
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true, true
);
// The stapled response is from a CA that is trusted but did not issue the // server's certificate.
add_test(function () {
certDB.setCertTrust(
otherTestCA,
Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_SSL
);
run_next_test();
}); // TODO(bug 979055): When using ByName instead of ByKey, the error here is // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
add_ocsp_test( "ocsp-stapling-good-other-ca.example.com",
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true, true
);
// TODO: Test the case where the signing cert can't be found at all, which // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
add_ocsp_test( "ocsp-stapling-malformed.example.com",
SEC_ERROR_OCSP_MALFORMED_REQUEST, true
);
add_ocsp_test( "ocsp-stapling-srverr.example.com",
SEC_ERROR_OCSP_SERVER_ERROR, true
);
add_ocsp_test( "ocsp-stapling-trylater.example.com",
SEC_ERROR_OCSP_TRY_SERVER_LATER, true, true
);
add_ocsp_test( "ocsp-stapling-needssig.example.com",
SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, true
);
add_ocsp_test( "ocsp-stapling-unauthorized.example.com",
SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, true
);
add_ocsp_test( "ocsp-stapling-unknown.example.com",
SEC_ERROR_OCSP_UNKNOWN_CERT, true
);
add_ocsp_test( "ocsp-stapling-good-other.example.com",
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, true
); // If the server doesn't staple an OCSP response, we continue as normal // (this means that even though stapling is enabled, we expect an OCSP // request).
add_connection_test( "ocsp-stapling-none.example.com",
PRErrorCodeSuccess, function () {
gExpectOCSPRequest = true;
clearOCSPCache();
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
}
);
add_ocsp_test( "ocsp-stapling-empty.example.com",
SEC_ERROR_OCSP_MALFORMED_RESPONSE, true
);
// ocsp-stapling-expired.example.com and // ocsp-stapling-expired-fresh-ca.example.com are handled in // test_ocsp_stapling_expired.js
// Check that OCSP responder certificates with key sizes below 1024 bits are // rejected, even when the main certificate chain keys are at least 1024 bits.
add_ocsp_test( "keysize-ocsp-delegated.example.com",
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true, true
);
function check_ocsp_stapling_telemetry() {
let histogram = Services.telemetry
.getHistogramById("SSL_OCSP_STAPLING")
.snapshot();
equal(
histogram.values[0],
0, "Should have 0 connections for unused histogram bucket 0"
);
equal(
histogram.values[1],
5, "Actual and expected connections with a good response should match"
);
equal(
histogram.values[2],
18, "Actual and expected connections with no stapled response should match"
);
equal(
histogram.values[3] || 0,
0, "Actual and expected connections with an expired response should match"
);
equal(
histogram.values[4],
21, "Actual and expected connections with bad responses should match"
);
run_next_test();
}
function run_test() {
do_get_profile();
Services.prefs.setIntPref("security.OCSP.enabled", 1); // This test may sometimes fail on android due to an OCSP request timing out. // That aspect of OCSP requests is not what we're testing here, so we can just // bump the timeout and hopefully avoid these failures.
Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
let fakeOCSPResponder = new HttpServer();
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
ok(
gExpectOCSPRequest, "Should be getting an OCSP request only when expected"
);
});
fakeOCSPResponder.start(8888);
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
