From abc4b35b8bc5ff9514ad3ac40c7cbe3fd7d27ea0 Mon Sep 17 00:00:00 2001
From: sommerfeld <sommerfeld@sommerfeld.dev>
Date: Mon, 22 Jul 2024 08:31:32 +0100
Subject: [LW] Disable OCSP stapling hard fail

---
 firefox/user-overrides.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'firefox')

diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index 5856110..002c84b 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -83,4 +83,14 @@ user_pref("privacy.resistFingerprinting.testGranularityMask", 4);
  * [1] https://bugzilla.mozilla.org/1635603 ***/
 user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com");
 
+/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
+ * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR
+ * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
+ * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
+ * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
+ * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
+ * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+ * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
+user_pref("security.OCSP.require", false);
+
 user_pref("browser.fixup.domainsuffixwhitelist.i2p", true);
-- 
cgit v1.2.3-70-g09d2