[Freeipa-devel] [PATCH] 123 Use http instead of https for OCSP and CRL URLs in IPA certificate profile

Martin Kosek mkosek at redhat.com
Mon Apr 8 12:42:47 UTC 2013


On 04/08/2013 10:48 AM, Jan Cholasta wrote:
> On 8.4.2013 10:47, Jan Cholasta wrote:
>> Hi,
>>
>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
>>
>> Honza
>>
> 
> Re-sending with correct subject.
> 

I tested the change both for upgrades and for fresh installs and it worked fine
in both cases, even when testing with Firefox enforcing mode.

So far, the biggest issue I see in the current process is NSS not being able to
fall back to another defined OCSP responder (I tested with Firefox 20). This way,
Firefox will fail validating the FreeIPA site when the first tested OCSP
responder is not available (e.g. the original IPA CA signing the http cert, or
an `ipa-ca.$domain` host that is currently not up).

Martin



