Bug 1675138 - Set CRLite to enforcement mode in Nightly-only r=keeler

We have ~10 months of CRLite telemetry-mode data in both Beta and Nightly, and about 2 months with data that has been kept up-to-date, and that telemetry agrees with our end-of-2019 experiment that CRLite should indeed speed up versus OCSP. To confirm, we should enable the Enforce mode for Nightly users; that will stop collecting the CRLITE_FASTER_THAN_OCSP_MS and OCSP_FASTER_THAN_CRLITE_MS but should cause an improvement in SSL_TIME_UNTIL_READY as a weighting of the CRLITE_FASTER_THAN_OCSP_MS vs the percentage of cache-miss first page loads: we expect it'll mostly affect the outliers. Differential Revision: https://phabricator.services.mozilla.com/D95814
dothq · Nov 3, 2020 · 09bb61e · 09bb61e
1 parent c938c74
commit 09bb61e
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
@@ -183,7 +183,11 @@ pref("security.pki.distrust_ca_policy", 2);
 // 0: Disable CRLite entirely
 // 1: Enable and check revocations via CRLite, but only collect telemetry
 // 2: Enable and enforce revocations via CRLite
+#if defined(NIGHTLY_BUILD)
+pref("security.pki.crlite_mode", 2);
+#else
 pref("security.pki.crlite_mode", 1);
+#endif
 
 // Represents the expected certificate transparency log merge delay (including
 // the time to generate a CRLite filter). Currently 28 hours in seconds.