add OCSP hard-fail error code

This commit is contained in:
Thorin-Oakenpants 2022-08-24 05:53:46 +00:00 committed by GitHub
parent 5780b6d197
commit 74be763f60
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -470,7 +470,8 @@ user_pref("security.tls.enable_0rtt_data", false);
* [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers...
* [1] https://en.wikipedia.org/wiki/Ocsp ***/ * [1] https://en.wikipedia.org/wiki/Ocsp ***/
user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB] /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
* [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR
* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
* It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it