On 04/08/2013 05:09 PM, Martin Kosek wrote:
> On 04/08/2013 03:47 PM, Dmitri Pal wrote:
>> On 04/08/2013 08:42 AM, Martin Kosek wrote:
>>> On 04/08/2013 10:48 AM, Jan Cholasta wrote:
>>>> On 8.4.2013 10:47, Jan Cholasta wrote:
>>>>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
>>>> Re-sending with correct subject.
>>> I tested the change both for upgrades and for fresh installs and it worked
>>> in both cases, even when testing with Firefox enforcing mode.
>>> So far, the biggest issue I see in the current process is NSS not being able
>>> to fall back to another defined OCSP responder (I tested with Firefox 20).
>>> This Firefox will fail to validate the FreeIPA site when the first tested OCSP
>>> responder is not available (e.g. the original IPA CA signing the http cert,
>>> an `ipa-ca.$domain` host that is currently not up).
>> Have we filed a ticket with FF?
> AFAIU, this is rather an NSS issue than a Firefox issue. There is a bug open for
> Rob seems to have more context about this bug's background.
We may want to hold off pushing this patch until we get some response in the
NSS Bugzilla above. If our request is rejected, we may be forced to use just a
single CRL/OCSP (which would probably be the general one) and thus supersede
Freeipa-devel mailing list
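The fallback the thread says NSS/Firefox 20 does not do can be checked outside the browser. The script below is an added example, not FreeIPA code: it builds a throwaway self-signed certificate whose AIA extension lists two OCSP responders in order (the hostnames `ipa.example.test` and `ipa-ca.example.test` are made up for the example), prints the responder list in the order a client would see it, and shows the per-responder fallback loop a validator would need, using `openssl ocsp` to query each responder and moving on when one does not answer. Only the certificate creation and AIA listing run offline; the fallback loop needs reachable responders.

```shell
#!/bin/sh
# Added example (not part of the FreeIPA patch under discussion).
# Responder hostnames below are hypothetical and will not resolve.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# First URL models the responder that is "currently not up"; the second is the
# fallback that a client without responder fallback never reaches.
OCSP_PRIMARY="http://ipa.example.test/ca/ocsp"
OCSP_FALLBACK="http://ipa-ca.example.test/ca/ocsp"

# make_test_cert OUTFILE: self-signed cert whose AIA lists both responders, in order.
make_test_cert() {
  cat > "$WORK/aia.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = test-cert
[v3_ext]
authorityInfoAccess = OCSP;URI:$OCSP_PRIMARY,OCSP;URI:$OCSP_FALLBACK
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$1" -config "$WORK/aia.cnf" >/dev/null 2>&1
}

# ocsp_uris CERT: print the AIA OCSP responder URIs, one per line, in certificate order.
ocsp_uris() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# check_with_fallback ISSUER CERT: query each responder in turn and stop at the
# first one that returns a "good" status; an unreachable or non-answering
# responder is skipped instead of failing the whole validation.
check_with_fallback() {
  issuer="$1"; cert="$2"
  for url in $(ocsp_uris "$cert"); do
    if openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -timeout 5 \
         2>/dev/null | grep -q ': good'; then
      echo "good via $url"
      return 0
    fi
    echo "no answer from $url, trying next responder" >&2
  done
  return 1
}

make_test_cert "$WORK/cert.pem"
ocsp_uris "$WORK/cert.pem"
```

Running it prints the two responder URLs in AIA order; `check_with_fallback "$WORK/cert.pem" "$WORK/cert.pem"` (the cert is its own issuer here) would then try them one after the other, which is the behaviour the thread reports NSS lacks when the first responder is down.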