[Freeipa-devel] [PATCH] 123 Use http instead of https for OCSP and CRL URLs in IPA certificate profile

Martin Kosek mkosek at redhat.com
Mon Apr 8 15:09:13 UTC 2013


On 04/08/2013 03:47 PM, Dmitri Pal wrote:
> On 04/08/2013 08:42 AM, Martin Kosek wrote:
>> On 04/08/2013 10:48 AM, Jan Cholasta wrote:
>>> On 8.4.2013 10:47, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
>>>>
>>>> Honza
>>>>
>>> Re-sending with correct subject.
>>>
>> I tested the change both for upgrades and for fresh installs and it worked fine
>> in both cases, even when testing with Firefox in enforcing mode.
>>
>> So far, the biggest issue I see in the current process is NSS not being able to
>> fall back to another defined OCSP responder (I tested with Firefox 20). This way,
>> Firefox will fail to validate the FreeIPA site when the first tested OCSP
>> responder is not available (e.g. the original IPA CA signing the http cert, or
>> an `ipa-ca.$domain` host that is currently not up).
> 
> Have we filed a ticket with FF?

AFAIU, this is rather an NSS issue than a Firefox issue. There is a bug open for NSS:
https://bugzilla.mozilla.org/show_bug.cgi?id=797815

Rob seems to have more context about this bug background.

Martin
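The two points raised in this thread, OCSP/CRL URLs that are themselves https (the circular dependency ticket 3552 removes) and the fact that the first-listed OCSP responder is the one a client tries, can be checked directly against the Authority Information Access extension of an issued certificate. The following is an added example, not part of the patch or of FreeIPA's code: a standard-library-only Python snippet that builds a constructed AIA extension value, decodes it with a minimal DER walker, and audits the OCSP responders in on-the-wire order. The hostname `ipa-ca.example.test` and the URL paths are made-up sample data; the OIDs and DER tags are the ones defined in RFC 5280.

```python
"""Encode, decode and audit an X.509 Authority Information Access (AIA)
extension value with a minimal DER walker (standard library only).

Added example for the freeipa-devel thread on ticket 3552; not FreeIPA code.
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # RFC 5280 id-ad-ocsp
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # RFC 5280 id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName [6] IMPLICIT IA5String (context-specific, primitive)

# Constructed sample: hostname and paths are invented for the example.
SAMPLE_AIA = [
    (ID_AD_OCSP, "https://ipa-ca.example.test/ca/ocsp"),   # first responder tried
    (ID_AD_OCSP, "http://ipa-ca.example.test/ca/ocsp"),    # fallback (if the client tries it)
    (ID_AD_CA_ISSUERS, "http://ipa-ca.example.test/ca/cert"),
]


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


def build_aia(entries) -> bytes:
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription {OID, GeneralName}."""
    descs = b"".join(
        der_tlv(TAG_SEQUENCE, der_oid(oid) + der_tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries
    )
    return der_tlv(TAG_SEQUENCE, descs)


def der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_aia(der: bytes):
    """Return [(access-method OID, URI or None)] preserving on-the-wire order."""
    tag, seq, _ = der_read(der, 0)
    assert tag == TAG_SEQUENCE, "AIA value must be a SEQUENCE"
    entries, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = der_read(seq, pos)
        assert tag == TAG_SEQUENCE, "AccessDescription must be a SEQUENCE"
        t, oid_bytes, p = der_read(desc, 0)
        assert t == TAG_OID
        t, loc, _ = der_read(desc, p)
        uri = loc.decode("ascii") if t == TAG_URI else None  # other GeneralName forms ignored
        entries.append((decode_oid(oid_bytes), uri))
    return entries


def audit_ocsp(entries):
    """Return (ordered OCSP URLs, findings). An https responder is flagged because
    fetching it requires validating a certificate, possibly the very one being
    checked; the order matters because the first listed URL is tried first."""
    ocsp = [uri for oid, uri in entries if oid == ID_AD_OCSP and uri]
    findings = [f"OCSP responder is reachable only over TLS (circular check): {u}"
                for u in ocsp if u.lower().startswith("https://")]
    return ocsp, findings


if __name__ == "__main__":
    urls, problems = audit_ocsp(parse_aia(build_aia(SAMPLE_AIA)))
    for i, u in enumerate(urls, 1):
        print(f"responder {i}: {u}")
    for p in problems:
        print("WARNING:", p)
```

To run this against a real certificate, replace `build_aia(SAMPLE_AIA)` with the raw value of the `1.3.6.1.5.5.7.1.1` extension extracted from the certificate's DER; the walker only understands the URI form of GeneralName, which is the only form relevant to OCSP and CRL fetching here.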
