From 58a4f76dcad054cac6d5624b6f95e23145c16ae1 Mon Sep 17 00:00:00 2001
From: tilpner
Date: Sun, 5 Apr 2020 20:48:13 +0200
Subject: ocsp, safebrowsing: refactor to finer choices per topic
---
profiles/ocsp.nix | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 profiles/ocsp.nix
(limited to 'profiles/ocsp.nix')
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
--
cgit v1.2.3
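Review bot: `security.OCSP.require = true` in the `enabled` branch makes OCSP hard-fail, so an unreachable or slow responder turns into a failed TLS connection, and neither the `meta.description` nor the comment above it says so; the description only frames the choice as security versus privacy, not security versus availability. I'd replace the one-line comment with `# Hard-fail: without this an unreachable responder is silently ignored and OCSP protects against nothing; with it, responder outages block the connection.` and add `# 1 = check every certificate (0 disables the check)` next to `enabled = 1;` since the integer is otherwise a magic value. The `disabled` branch resets only `security.OCSP.enabled` and leaves `require` and the two `security.ssl` stapling prefs untouched; if this profile mechanism applies `disabled` on top of a profile that previously had `enabled` active (not visible in this file), `security.OCSP.require` would stay at `true` while checks are off, so consider adding `security.OCSP.require = false;` there as well.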