NSS is going to disallow all SSL renegotiation by default. Because of
this, we need to always use the agent port of the Dogtag server, which
always requires SSL client authentication. The end-user port will prompt
for a certificate if required, but will attempt to redo the handshake to
make this happen, which will fail with newer versions of NSS.

This fixed version of NSS is currently in Fedora updates-testing, but
this patch should work with either release.
Freeipa-devel mailing list