Bug 957667: Decouple OCSP stapling pref from the OCSP fetching pref, and couple the OCSP required pref to the OCSP fetching pref, r=keeler

--HG-- extra : rebase_source : 86cb86f76f4def579fcf07e479025852849c34f8 extra : source : 08115711a4e6e77971c9e872fb6c68e88ac9693e
2014-01-08 08:51:06 -08:00 · 2014-01-08 08:51:06 -08:00 · b6cabfc2be
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -1001,11 +1001,15 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting)

  bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
                                             false);
+
+  // This preference controls whether we do OCSP fetching and does not affect
+  // OCSP stapling.
  // 0 = disabled, 1 = enabled
  int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
                                            OCSP_ENABLED_DEFAULT);

-  bool ocspRequired = Preferences::GetBool("security.OCSP.require", false);
+  bool ocspRequired = ocspEnabled &&
+    Preferences::GetBool("security.OCSP.require", false);

  // We measure the setting of the pref at startup only to minimize noise by
  // addons that may muck with the settings, though it probably doesn't matter.
@ -1019,9 +1023,6 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting)

  bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
                                                  true);
-  if (!ocspEnabled) {
-    ocspStaplingEnabled = false;
-  }
  PublicSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);
  PrivateSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);