Diffstat (limited to 'profiles/ocsp.nix')
-rw-r--r--profiles/ocsp.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
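Review bot: The `security.OCSP.require = true` line in `enabled.preferences` switches Firefox from soft-fail to hard-fail revocation checking, so a TLS handshake is rejected whenever the OCSP responder is unreachable or slow, not only when the certificate is revoked — the comment above it and `meta.description` only mention that the check becomes mandatory, and a user picking this profile should see the availability cost. I would replace the comment with `# Hard-fail: a soft-fail check can be silently bypassed by blocking the responder, but hard-fail also refuses connections whenever the responder is unreachable.` and add one sentence to the description saying that with this profile an unreachable OCSP responder breaks the connection. The `disabled.preferences` block resets only `security.OCSP.enabled`; that is presumably enough because no lookup is made when OCSP is off, but if the consuming module applies profiles additively it may be clearer to reset `security.OCSP.require = false;` there as well — confirm how profiles are merged.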