add OCSP stapled and hard-fail as backup

2022-03-09 15:22:45 +01:00 · 2022-03-09 15:22:45 +01:00 · a96d3f7110
commit a96d3f7110
parent 4fd96942aa
2 changed files with 16 additions and 8 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -1,7 +1,7 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
 Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
-# 5.6
+# 6.0
 **target commit**:
@ -10,12 +10,14 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl
 **References**:
 - we are going to force history to custom mode and hide the UI for always on PB mode, a bunch of pointers are collected in [this MR](https://gitlab.com/librewolf-community/browser/source/-/merge_requests/21).
 - [handlers prefs are deprecated](https://bugzilla.mozilla.org/show_bug.cgi?id=1733497).
 - for OCSP see [this issue](https://gitlab.com/librewolf-community/settings/-/issues/150).
 #### Added preferences
 ```
 pref("privacy.history.custom", true);
 pref("browser.privatebrowsing.autostart", false);
 defaultPref("browser.preferences.moreFromMozilla", false); // hide about:preferences#moreFromMozilla
 defaultPref("security.OCSP.require", true); // set to hard-fail
 ```
 #### Removed preferences
@ -33,6 +35,11 @@ lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 ```
 #### Changed preferences
 ```
 defaultPref("security.OCSP.enabled", 1);
 ```
 # 5.5
 **target commit**: 0fc1ff53c99379d9d4625de65ea51287d57a0a3a
--- a/librewolf.cfg
+++ b/librewolf.cfg
@ -6,7 +6,7 @@
 * 
 * WARNING: please make sure the first line of this file is empty. this is a known bug.
 */
-defaultPref("librewolf.cfg.version", "5.6");
+defaultPref("librewolf.cfg.version", "6.0");
 /** INDEX
@ -205,14 +205,15 @@ defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certific
 defaultPref("security.ssl.require_safe_negotiation", true);
 defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /**
- * our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
+ * our strategy with revocation is to perform all possible checks with CRL, but when a cert
- * CRL instead, particularly the CRLite solution with no OCSP fallback.
+ * cannot be checked with it we use OCSP stapled with hard-fail, to still keep privacy and
- * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP. this would require
+ * increase security.
- * enabling OCSP and setting it to hard-fail. OCSP is stapled by default.
+ * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP.
 */
 defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
 defaultPref("security.remote_settings.crlite_filters.enabled", true);
-defaultPref("security.pki.crlite_mode", 2); // mode 2 means no fallback
+defaultPref("security.pki.crlite_mode", 2); // mode 2 means enforce CRL checks
 defaultPref("security.OCSP.enabled", 1); // default
 defaultPref("security.OCSP.require", true); // set to hard-fail
 /** [SECTION] TLS/SSL */
 lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security