authortilpner2020-04-05 20:48:13 +0200
committertilpner2020-04-05 20:51:20 +0200
commit58a4f76dcad054cac6d5624b6f95e23145c16ae1 (patch)
treec8411c894bb93e58674cf344385e4c383adf6318 /profiles/ocsp.nix
parent5014c0ed2160393fb787b585127bce8f27fda722 (diff)
ocsp, safebrowsing: refactor to finer choices per topic
Diffstat (limited to 'profiles/ocsp.nix')
-rw-r--r--profiles/ocsp.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
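Review bot: `security.OCSP.require = true` in the enabled profile turns OCSP into hard-fail, and the comment on the line above it only states half of that trade-off: without it a missing or blocked responder answer is silently accepted (soft-fail, which an on-path attacker can force by dropping the OCSP request), but with it any responder outage, captive portal or network that filters the responder URL makes the site unreachable, so users of this profile should expect occasional connection errors that are not the site's fault. I would replace `# OCSP is useless, if the response is not mandatory` with `# Hard-fail: soft-fail OCSP can be bypassed by blocking the responder; the cost is that responder outages and captive portals now break the connection unless the server staples.` Since `enable_ocsp_stapling` and `enable_ocsp_must_staple` are set in the same block it is worth noting there that stapling is what keeps hard-fail usable and that must-staple only applies to certificates carrying the TLS Feature extension, e.g. `# stapled responses avoid the live CA lookup; must-staple is enforced only for certs that advertise it`. The disabled profile sets only `security.OCSP.enabled = 0` and leaves the stapling prefs at their defaults, which looks intentional since stapled responses involve no extra contact with the CA, but a one-line comment saying so would make clear it is not an oversight.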