# Revocation-checking policy for the browser profile: switches OCSP either fully
# on (hard-fail, stapling and must-staple honoured) or off, by writing the
# `security.OCSP.*` / `security.ssl.*` preferences. The pref names match
# Firefox's about:config keys; which consumer reads `preferences` is not visible
# from this file.
{ config, lib, ... }: {
  meta.description = ''
    The Online Certificate Status Protocol is used to distrust revoked certificates.
    When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
    responsible certificate authority whether the received certificate is still valid.
    It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
  '';
  options = {
    # Boolean, false by default (lib.mkEnableOption). Enabling it selects the
    # hard-fail configuration below, so read the note on `require` before turning
    # it on where OCSP responders may be unreachable (captive portals, air-gapped
    # or heavily filtered networks).
    ocsp.enable = lib.mkEnableOption "OCSP";
  };
  config = lib.mkMerge [
    (lib.mkIf config.ocsp.enable {
      preferences = {
        security.OCSP = {
          # 1 enables live OCSP queries; the disabled branch below writes 0.
          enabled = 1;
          # Hard-fail. Without `require`, a query that times out or errors is
          # soft-failed, i.e. the certificate is accepted anyway — so an on-path
          # attacker who can block the responder also bypasses revocation, which is
          # why soft-fail OCSP adds little against an active adversary. The cost is
          # availability: a responder outage, or a site offering neither a stapled
          # nor a reachable response, now fails the TLS handshake instead of
          # degrading silently.
          require = true;
        };
        security.ssl = {
          # Accept OCSP responses stapled into the TLS handshake, so no live query
          # (and no disclosure of the visited site to the CA) is needed when the
          # server supplies one.
          enable_ocsp_stapling = true;
          # Honour the certificate's TLS Feature / must-staple extension (RFC 7633):
          # a certificate that advertises it is rejected when no stapled response
          # accompanies it, closing the "strip the staple and hope for soft-fail"
          # downgrade.
          enable_ocsp_must_staple = true;
        };
      };
    })
    (lib.mkIf (!config.ocsp.enable) {
      preferences = {
        # Live OCSP queries off — the privacy trade named in meta.description: the
        # responder no longer learns which sites are visited. Revocation then rests
        # on whatever other mechanism the browser has, which this module does not
        # configure. `require` and the stapling prefs are deliberately left alone
        # here; presumably they keep their defaults or values set by other modules.
        security.OCSP.enabled = 0;
      };
    })
  ];
}