[Freeipa-devel] [PATCH] 123 Use http instead of https for OCSP and CRL URLs in IPA certificate profile
Dmitri Pal
dpal at redhat.com
Mon Apr 8 13:47:10 UTC 2013
On 04/08/2013 08:42 AM, Martin Kosek wrote:
> On 04/08/2013 10:48 AM, Jan Cholasta wrote:
>> On 8.4.2013 10:47, Jan Cholasta wrote:
>>> Hi,
>>>
>>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
>>>
>>> Honza
>>>
>> Re-sending with correct subject.
>>
> I tested the change both for upgrades and for fresh installs and it worked fine
> both cases, even when testing with Firefox enforcing mode.
>
> So far, as the biggest issue in current process I see NSS not being able to
> fallback to other defined OCSP responder (I tested with Firefox 20). This way,
> Firefox will fail validating the FreeIPA site when the first tested OCSP
> responder is not available (e.g. the original IPA CA signing the http cert, or
> an `ipa-ca.$domain` host that is currently not up).
Have we filed a ticket with FF?
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list