зеркало из https://github.com/mozilla/gecko-dev.git
bug 1085506 - gather telemetry for TLS handshake certificate verification errors r=rbarnes
This commit is contained in:
Родитель
151ecf016e
Коммит
3b4360319c
|
@ -295,7 +295,7 @@ private:
|
|||
|
||||
// A probe value of 1 means "no error".
|
||||
uint32_t
|
||||
MapCertErrorToProbeValue(PRErrorCode errorCode)
|
||||
MapOverridableErrorToProbeValue(PRErrorCode errorCode)
|
||||
{
|
||||
switch (errorCode)
|
||||
{
|
||||
|
@ -315,11 +315,39 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
|
|||
return 15;
|
||||
case SEC_ERROR_INVALID_TIME: return 16;
|
||||
}
|
||||
NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
|
||||
NS_WARNING("Unknown certificate error code. Does MapOverridableErrorToProbeValue "
|
||||
"handle everything in DetermineCertOverrideErrors?");
|
||||
return 0;
|
||||
}
|
||||
|
||||
static uint32_t
|
||||
MapCertErrorToProbeValue(PRErrorCode errorCode)
|
||||
{
|
||||
uint32_t probeValue;
|
||||
switch (errorCode)
|
||||
{
|
||||
// see security/pkix/include/pkix/Result.h
|
||||
#define MOZILLA_PKIX_MAP(name, value, nss_name) case nss_name: probeValue = value; break;
|
||||
MOZILLA_PKIX_MAP_LIST
|
||||
#undef MOZILLA_PKIX_MAP
|
||||
default: return 0;
|
||||
}
|
||||
|
||||
// Since FATAL_ERROR_FLAG is 0x800, fatal error values are much larger than
|
||||
// non-fatal error values. To conserve space, we remap these so they start at
|
||||
// (decimal) 90 instead of 0x800. Currently there are ~50 non-fatal errors
|
||||
// mozilla::pkix might return, so saving space for 90 should be sufficient
|
||||
// (similarly, there are 4 fatal errors, so saving space for 10 should also
|
||||
// be sufficient).
|
||||
static_assert(FATAL_ERROR_FLAG == 0x800,
|
||||
"mozilla::pkix::FATAL_ERROR_FLAG is not what we were expecting");
|
||||
if (probeValue & FATAL_ERROR_FLAG) {
|
||||
probeValue ^= FATAL_ERROR_FLAG;
|
||||
probeValue += 90;
|
||||
}
|
||||
return probeValue;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
|
||||
PRTime now, PRErrorCode defaultErrorCodeToReport,
|
||||
|
@ -499,15 +527,15 @@ CertErrorRunnable::CheckCertOverrides()
|
|||
// different types of errors. Since this is telemetry and we just
|
||||
// want a ballpark answer, we don't care.
|
||||
if (mErrorCodeTrust != 0) {
|
||||
uint32_t probeValue = MapCertErrorToProbeValue(mErrorCodeTrust);
|
||||
uint32_t probeValue = MapOverridableErrorToProbeValue(mErrorCodeTrust);
|
||||
Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue);
|
||||
}
|
||||
if (mErrorCodeMismatch != 0) {
|
||||
uint32_t probeValue = MapCertErrorToProbeValue(mErrorCodeMismatch);
|
||||
uint32_t probeValue = MapOverridableErrorToProbeValue(mErrorCodeMismatch);
|
||||
Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue);
|
||||
}
|
||||
if (mErrorCodeTime != 0) {
|
||||
uint32_t probeValue = MapCertErrorToProbeValue(mErrorCodeTime);
|
||||
uint32_t probeValue = MapOverridableErrorToProbeValue(mErrorCodeTime);
|
||||
Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue);
|
||||
}
|
||||
|
||||
|
@ -590,6 +618,9 @@ CreateCertErrorRunnable(CertVerifier& certVerifier,
|
|||
MOZ_ASSERT(infoObject);
|
||||
MOZ_ASSERT(cert);
|
||||
|
||||
uint32_t probeValue = MapCertErrorToProbeValue(defaultErrorCodeToReport);
|
||||
Telemetry::Accumulate(Telemetry::SSL_CERT_VERIFICATION_ERRORS, probeValue);
|
||||
|
||||
uint32_t collected_errors = 0;
|
||||
PRErrorCode errorCodeTrust = 0;
|
||||
PRErrorCode errorCodeMismatch = 0;
|
||||
|
|
|
@ -6841,6 +6841,13 @@
|
|||
"n_values": 24,
|
||||
"description": "Was a certificate error overridden on this handshake? What was it? (0=unknown error (indicating bug), 1=no, >1=a specific error)"
|
||||
},
|
||||
"SSL_CERT_VERIFICATION_ERRORS": {
|
||||
"alert_emails": ["seceng@mozilla.org"],
|
||||
"expires_in_version": "default",
|
||||
"kind": "enumerated",
|
||||
"n_values": 100,
|
||||
"description": "If certificate verification failed in a TLS handshake, what was the error? (see mapping in SSLServerCertVerification.cpp)"
|
||||
},
|
||||
"SSL_PERMANENT_CERT_ERROR_OVERRIDES": {
|
||||
"alert_emails": ["seceng@mozilla.org"],
|
||||
"expires_in_version": "42",
|
||||
|
|
Загрузка…
Ссылка в новой задаче