Git/firefox-user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2025-11-04 07:45:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

1212: note about pointlessness of soft-fail

Browse Source
This commit is contained in:
earthlng
2018-01-14 10:41:16 +01:00
committed by GitHub
parent a3bffb83bd
commit 8c35bf5d11
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
user.js
View File

@@ -743,6 +743,7 @@ user_pref("security.OCSP.enabled", 1);
/* 1212: set non-stapled OCSP to hard-fail /* 1212: set non-stapled OCSP to hard-fail
* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
* OCSP fetching without hard-fail is completely pointless ("seat belts that break when they are needed most")
* For more info about the problems with soft/hard-fail (and OCSP in general) see [2] * For more info about the problems with soft/hard-fail (and OCSP in general) see [2]
* [NOTE] this pref is ignored if 'security.OCSP.enabled' is set to 0 * [NOTE] this pref is ignored if 'security.OCSP.enabled' is set to 0
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/