On 04/08/2013 05:09 PM, Martin Kosek wrote:
> On 04/08/2013 03:47 PM, Dmitri Pal wrote:
>> On 04/08/2013 08:42 AM, Martin Kosek wrote:
>>> On 04/08/2013 10:48 AM, Jan Cholasta wrote:
>>>> On 8.4.2013 10:47, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
>>>>>
>>>>> Honza
>>>>>
>>>> Re-sending with correct subject.
>>>>
>>> I tested the change both for upgrades and for fresh installs and it worked
>>> fine in both cases, even when testing with Firefox enforcing mode.
>>>
>>> So far, as the biggest issue in current process I see NSS not being able to
>>> fall back to other defined OCSP responder (I tested with Firefox 20). This
>>> way, Firefox will fail validating the FreeIPA site when the first tested
>>> OCSP responder is not available (e.g. the original IPA CA signing the http
>>> cert, or an `ipa-ca.$domain` host that is currently not up).
>>
>> Have we filed a ticket with FF?
>
> AFAIU, this is rather an NSS issue than a Firefox issue. There is a bug open
> for NSS:
> https://bugzilla.mozilla.org/show_bug.cgi?id=797815
>
> Rob seems to have more context about this bug background.
>
> Martin
>

We may want to wait with pushing this patch until we get some response in the
NSS Bugzilla above. If our request is rejected, we may be forced to use just a
single CRL/OCSP (which would be probably the general one) and thus supersede
patch 123.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel