celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Option to block port 80 breaks HTTPS #1480

Status: Open. SkewedZeppelin opened this issue 4 months ago.

SkewedZeppelin commented 4 months ago

Recently had a Mull user unable to visit many websites. My Mull has certificate revocation strictly enforced with preference to CRLite and fallback to OCSP.

OCSP however runs on port 80.

I don't know the internals of how this feature works, but presumably could either allowlist the OCSP domains or try to identify OCSP requests.

The former is likely easier, but more fragile.

I do however keep a list of known OCSP domains here:

(If you know of a more maintained list that'd be appreciated :slightly_smiling_face: )

I've also seen a lot of blocklists contain these, so maybe an option to exclude them as well would be good.
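Both options the comment above mentions, a host allowlist and identifying OCSP requests by content, worked through as an added Python example (this is not Rethink's code and not part of the thread). It models a port-80 block policy that first exempts a few well-known OCSP responder hostnames (an illustrative allowlist assumed for this example, not the list referenced above) and otherwise inspects the plaintext request for the two encodings RFC 6960 Appendix A defines: a POST with Content-Type application/ocsp-request, or a GET whose path ends in the URL-encoded base64 DER request. The sample requests and the DER blob are constructed for the example; the blob is only shaped like an OCSPRequest (an outer SEQUENCE whose first element is a SEQUENCE) and is not a real request.

```python
"""Port-80 block policy that spares OCSP: host allowlist plus request detection.

Added example for this thread, not Rethink's code. OCSP requests are plaintext
HTTP (RFC 6960, Appendix A), so a firewall can match both the responder host
and the request itself.
"""
import base64
import urllib.parse

# Illustrative allowlist of a few well-known OCSP responders (an assumption for
# this example; NOT the list referenced in the thread).
OCSP_RESPONDER_ALLOWLIST = frozenset({"ocsp.digicert.com", "r3.o.lencr.org", "ocsp.pki.goog"})

# Constructed DER blob shaped like an OCSPRequest: an outer SEQUENCE whose first
# element is the TBSRequest SEQUENCE. It is not a real request.
SAMPLE_DER = b"\x30\x04\x30\x02\x30\x00"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode(), headers, body


def looks_like_der_ocsp_request(der: bytes) -> bool:
    """Structural heuristic, not a full parse: a DER SEQUENCE whose declared
    length covers the whole blob and whose first element is also a SEQUENCE."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    elif first in (0x81, 0x82):            # long-form length, 1 or 2 bytes
        n = first & 0x7F
        if len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    else:                                  # indefinite or oversized: reject
        return False
    return length > 0 and hdr + length == len(der) and der[hdr] == 0x30


def is_ocsp_request(method: str, target: str, headers: dict, body: bytes) -> bool:
    """RFC 6960 A.1: POST with Content-Type application/ocsp-request, or GET
    whose path ends in the url-encoded base64 DER request."""
    if method == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        return ctype == "application/ocsp-request" and looks_like_der_ocsp_request(body)
    if method == "GET":
        segments = target.split("?", 1)[0].lstrip("/").split("/")
        # The responder URL may carry its own path prefix, and base64 itself can
        # contain '/', so try every suffix of the path as the encoded request.
        for i in range(len(segments)):
            candidate = urllib.parse.unquote("/".join(segments[i:]))
            try:
                der = base64.b64decode(candidate, validate=True)
            except ValueError:             # binascii.Error is a ValueError
                continue
            if looks_like_der_ocsp_request(der):
                return True
    return False


def port80_decision(host: str, raw_request: bytes) -> str:
    """Policy for one port-80 flow; 'host' is the destination name the firewall
    associated with the flow (e.g. from DNS answer tracking)."""
    if host.lower().rstrip(".") in OCSP_RESPONDER_ALLOWLIST:
        return "allow:allowlist"
    try:
        method, target, headers, body = parse_http_request(raw_request)
    except ValueError:
        return "block"
    return "allow:ocsp" if is_ocsp_request(method, target, headers, body) else "block"


def build_ocsp_get(host: str, base_path: str, der: bytes) -> bytes:
    """Construct an RFC 6960 GET-form request (sample input for the example)."""
    encoded = urllib.parse.quote(base64.b64encode(der).decode(), safe="")
    return f"GET {base_path.rstrip('/')}/{encoded} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def build_ocsp_post(host: str, path: str, der: bytes) -> bytes:
    """Construct an RFC 6960 POST-form request (sample input for the example)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/ocsp-request\r\nContent-Length: {len(der)}\r\n\r\n")
    return head.encode() + der


if __name__ == "__main__":
    for host, raw in [
        ("r3.o.lencr.org", b"GET / HTTP/1.1\r\nHost: r3.o.lencr.org\r\n\r\n"),
        ("ocsp.example.test", build_ocsp_get("ocsp.example.test", "/ocsp", SAMPLE_DER)),
        ("ocsp.example.test", build_ocsp_post("ocsp.example.test", "/", SAMPLE_DER)),
        ("www.example.test", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ]:
        print(host, raw.split(b"\r\n", 1)[0].decode(), "->", port80_decision(host, raw))
```

The content check only works because OCSP responders are served over plain HTTP by design (fetching revocation data over TLS would itself need a revocation check), which is also why a client that does not receive a stapled response has no other route to the responder once port 80 is blocked. The allowlist is the cheap path and the structural DER check is a heuristic, not a parse; a real firewall would take the host from its own DNS tracking rather than trusting the Host header alone.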

ignoramous commented 4 months ago

Thanks.

> presumably could either allowlist the OCSP domains

We'll try to include this allowlist in the next version.

Does the fork bypass stapled OCSP?

> you know of a more maintained list that'd be appreciated

I thought raw OCSP (vs stapled) was niche.

SkewedZeppelin commented 4 months ago

It does prefer CRLite and stapling, but still seems to fallback to plain OCSP queries for some sites.

Mull uses arkenfox for this, which covers it here: https://github.com/arkenfox/user.js/issues/1576