test_ocsp_timeout.js (3783B)
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*- 2 // This Source Code Form is subject to the terms of the Mozilla Public 3 // License, v. 2.0. If a copy of the MPL was not distributed with this 4 // file, You can obtain one at http://mozilla.org/MPL/2.0/. 5 "use strict"; 6 7 // This test connects to ocsp-stapling-none.example.com to test that OCSP 8 // requests are cancelled if they're taking too long. 9 // ocsp-stapling-none.example.com doesn't staple an OCSP response, so 10 // connecting to it will cause a request to the OCSP responder. As with all of 11 // these tests, the OCSP AIA (i.e. the url of the responder) in the certificate 12 // is http://localhost:8888. Since this test opens a TCP socket listening on 13 // port 8888 that just accepts connections and then ignores them (with 14 // connect/read/write timeouts of 30 seconds), the OCSP requests should cancel 15 // themselves. When OCSP hard-fail is enabled, connections will be terminated. 16 // Otherwise, they will succeed. 17 18 var gSocketListener = { 19 onSocketAccepted(serverSocket, socketTransport) { 20 socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_CONNECT, 30); 21 socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30); 22 }, 23 24 onStopListening() {}, 25 }; 26 27 function run_test() { 28 do_get_profile(); 29 Services.prefs.setIntPref("security.OCSP.enabled", 1); 30 31 add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); 32 33 let socket = Cc["@mozilla.org/network/server-socket;1"].createInstance( 34 Ci.nsIServerSocket 35 ); 36 socket.init(8888, true, -1); 37 socket.asyncListen(gSocketListener); 38 39 add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 1000); 40 add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 2000); 41 add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 4000); 42 43 add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 3000); 44 add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 10000); 45 add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 15000); 46 47 add_test(function () { 48 socket.close(); 49 run_next_test(); 50 }); 51 run_next_test(); 52 } 53 54 function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) { 55 let startTime; 56 add_test(function () { 57 Services.prefs.setBoolPref("security.OCSP.require", useHardFail); 58 Services.prefs.setIntPref(timeoutPrefName, timeoutMilliseconds); 59 startTime = new Date(); 60 run_next_test(); 61 }); 62 63 add_connection_test( 64 "ocsp-stapling-none.example.com", 65 useHardFail ? SEC_ERROR_OCSP_SERVER_ERROR : PRErrorCodeSuccess, 66 clearSessionCache 67 ); 68 69 add_test(function () { 70 let endTime = new Date(); 71 let timeDifference = endTime - startTime; 72 info(`useHardFail = ${useHardFail}`); 73 info(`startTime = ${startTime.getTime()} (${startTime})`); 74 info(`endTime = ${endTime.getTime()} (${endTime})`); 75 info(`timeDifference = ${timeDifference}ms`); 76 // Date() is not guaranteed to be monotonic, so add extra fuzz time to 77 // prevent intermittent failures (this only appeared to be a problem on 78 // Windows XP). See Bug 1121117. 79 const FUZZ_MS = 300; 80 Assert.greater( 81 timeDifference + FUZZ_MS, 82 timeoutMilliseconds, 83 `OCSP timeout should be ~${timeoutMilliseconds}s for ` + 84 `${useHardFail ? "hard" : "soft"}-fail` 85 ); 86 // Make sure we didn't wait too long. 87 // (Unfortunately, we probably can't have a tight upper bound on 88 // how long is too long for this test, because we might be running 89 // on slow hardware.) 90 Assert.less( 91 timeDifference, 92 60000, 93 "Automatic OCSP timeout shouldn't be more than 60s" 94 ); 95 96 // Reset state 97 clearOCSPCache(); 98 Services.prefs.clearUserPref("security.OCSP.require"); 99 Services.prefs.clearUserPref(timeoutPrefName); 100 run_next_test(); 101 }); 102 }