On 04/08/2013 10:48 AM, Jan Cholasta wrote:
> On 8.4.2013 10:47, Jan Cholasta wrote:
>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
> Re-sending with correct subject.
I tested the change both for upgrades and for fresh installs and it worked fine
both cases, even when testing with Firefox enforcing mode.
So far, as the biggest issue in current process I see NSS not being able to
fallback to other defined OCSP responder (I tested with Firefox 20). This way,
Firefox will fail validating the FreeIPA site when the first tested OCSP
responder is not available (e.g. the original IPA CA signing the http cert, or
an `ipa-ca.$domain` host that is currently not up).
Freeipa-devel mailing list