4.2 Set OCSP Response Policy

Information

This setting dictates whether Firefox will consider a given certificate to be invalid if it is unable to obtain an Online Certificate Status Protocol (OCSP) response for it.

Rationale:

Requiring an OCSP response will reduce an adversary's ability to successfully leverage a compromised and revoked certificate.

Impact:

Requiring an OCSP response increases opportunity for valid certificates to be deemed invalid. This may occur if OCSP server becomes unavailable or is not accessible.

Solution

To establish the recommended configuration, set security.ocsp.require to true:

Type about:config in the address bar

Type security.ocsp.require in the filter

Ensure the setting is set as prescribed.

OR

Open the mozilla.cfg file in the installation directory with a text editor

Add the following lines to mozilla.cfg:

lockPref('security.ocsp.require', true);

Default Value:

False

See Also

https://workbench.cisecurity.org/files/4299

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a)

Plugin: Unix

Control ID: dd0338d83b3cd8532bedfd60dd95c5846da9df35867fad3fad321def90bf6f6e