librewolf-bot/settings
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

add OCSP stapled and hard-fail as backup

Browse source
This commit is contained in:
fxbrit 2022-03-09 15:22:45 +01:00
parent 4fd96942aa
commit a96d3f7110
2 changed files with 16 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
docs/Changelog.md
View file

@ -1,7 +1,7 @@
This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
# 5.6
# 6.0
**target commit**:
@ -10,12 +10,14 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl
**References**:
- we are going to force history to custom mode and hide the UI for always on PB mode, a bunch of pointers are collected in [this MR](https://gitlab.com/librewolf-community/browser/source/-/merge_requests/21).
- [handlers prefs are deprecated](https://bugzilla.mozilla.org/show_bug.cgi?id=1733497).
- for OCSP see [this issue](https://gitlab.com/librewolf-community/settings/-/issues/150).
#### Added preferences
```
pref("privacy.history.custom", true);
pref("browser.privatebrowsing.autostart", false);
defaultPref("browser.preferences.moreFromMozilla", false); // hide about:preferences#moreFromMozilla
defaultPref("security.OCSP.require", true); // set to hard-fail
```
#### Removed preferences
@ -33,6 +35,11 @@ lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
lockPref("gecko.handlerService.schemes.ircs.0.name", "");
```
#### Changed preferences
```
defaultPref("security.OCSP.enabled", 1);
```
# 5.5
**target commit**: 0fc1ff53c99379d9d4625de65ea51287d57a0a3a

15
librewolf.cfg
View file

@ -6,7 +6,7 @@
*
* WARNING: please make sure the first line of this file is empty. this is a known bug.
*/
defaultPref("librewolf.cfg.version", "5.6");
defaultPref("librewolf.cfg.version", "6.0");
/** INDEX
@ -205,14 +205,15 @@ defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certific
defaultPref("security.ssl.require_safe_negotiation", true);
defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
/**
* our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
* CRL instead, particularly the CRLite solution with no OCSP fallback.
* switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP. this would require
* enabling OCSP and setting it to hard-fail. OCSP is stapled by default.
* our strategy with revocation is to perform all possible checks with CRL, but when a cert
* cannot be checked with it we use OCSP stapled with hard-fail, to still keep privacy and
* increase security.
* switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP.
*/
defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
defaultPref("security.remote_settings.crlite_filters.enabled", true);
defaultPref("security.pki.crlite_mode", 2); // mode 2 means no fallback
defaultPref("security.pki.crlite_mode", 2); // mode 2 means enforce CRL checks
defaultPref("security.OCSP.enabled", 1); // default
defaultPref("security.OCSP.require", true); // set to hard-fail
/** [SECTION] TLS/SSL */
lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security