From dea6d4077fdf7b7d4d182d97063aaf7b6d62e24e Mon Sep 17 00:00:00 2001
From: Richard Barnes
Date: Wed, 5 Aug 2015 17:26:40 -0400
Subject: [PATCH] Bug 1016555 - Disable OCSP checking for certificates covered by OneCRL
---
 browser/app/profile/firefox.js | 6 ++++--
 mobile/android/app/mobile.js | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
index 597b3e2b0a73..19546ec37b74 100644
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -52,6 +52,8 @@ pref("extensions.getAddons.link.url", "https://addons.mozilla.org/%LOCALE%/firef
 // Blocklist preferences
 pref("extensions.blocklist.enabled", true);
+// OneCRL freshness checking depends on this value, so if you change it,
+// please also update security.onecrl.maximum_staleness_in_seconds.
 pref("extensions.blocklist.interval", 86400);
 // Controls what level the blocklist switches from warning about items to forcibly
 // blocking them.
@@ -1762,8 +1764,8 @@ pref("security.mixed_content.block_active_content", true);
 pref("security.cert_pinning.enforcement_level", 1);
 // Required blocklist freshness for OneCRL OCSP bypass
-// (default should be at least as large as extensions.blocklist.interval)
-pref("security.onecrl.maximum_staleness_in_seconds", 0);
+// (default is 1.25% extensions.blocklist.interval, or 30 hours)
+pref("security.onecrl.maximum_staleness_in_seconds", 108000);
 // Override the Gecko-default value of false for Firefox.
 pref("plain_text.wrap_long_lines", true);
diff --git a/mobile/android/app/mobile.js b/mobile/android/app/mobile.js
index 5ff8da2ad59e..3531d3158736 100644
--- a/mobile/android/app/mobile.js
+++ b/mobile/android/app/mobile.js
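Review bot: The rewritten comment in the second firefox.js hunk says the default is `1.25%` of `extensions.blocklist.interval`, but 108000 / 86400 is 1.25, i.e. 125% of the interval (30 hours against 24). Read literally, 1.25% would be 1080 seconds, a far stricter freshness requirement than the value actually set. I would write `// (default is 1.25 * extensions.blocklist.interval, or 30 hours)`. The same wording is added in the second mobile.js hunk and needs the same correction.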
@@ -221,6 +221,8 @@ pref("extensions.compatability.locales.buildid", "0");
 /* blocklist preferences */
 pref("extensions.blocklist.enabled", true);
+// OneCRL freshness checking depends on this value, so if you change it,
+// please also update security.onecrl.maximum_staleness_in_seconds.
 pref("extensions.blocklist.interval", 86400);
 pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/");
 pref("extensions.blocklist.detailsURL", "https://www.mozilla.com/%LOCALE%/blocklist/");
@@ -484,6 +486,10 @@ pref("security.mixed_content.block_active_content", true);
 // Enable pinning
 pref("security.cert_pinning.enforcement_level", 1);
+// Required blocklist freshness for OneCRL OCSP bypass
+// (default is 1.25% extensions.blocklist.interval, or 30 hours)
+pref("security.onecrl.maximum_staleness_in_seconds", 108000);
+
 // Only fetch OCSP for EV certificates
 pref("security.OCSP.enabled", 2);
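Review bot: The comment added above `security.onecrl.maximum_staleness_in_seconds` in the second mobile.js hunk does not say what happens once the blocklist is older than the limit, or which direction is the conservative one to move the value. Judging only from the pref name and the commit subject, a larger value lengthens the time a client whose blocklist update has stalled keeps skipping OCSP for OneCRL-covered certificates; that trade-off is worth stating next to the number. A line such as `// Larger values keep the OCSP bypass active for longer on a stale blocklist; 0 disables the bypass.` would help, with both halves confirmed against the certificate-verification code, which is not visible here. The link to `extensions.blocklist.interval` is maintained only by the paired comments in the two hunks of this file; nothing in the diff enforces it.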