Jernej Jakob via FreeIPA-users wrote:
> The "ipa-advise config-client-for-smart-card-auth" script enables OCSP
> checks in httpd, the RHEL docs say to disable it if the client
> certificates don't have an OCSP responder URL (third-party CA). [1]
>
> Apache httpd has an undocumented flag "no_ocsp_for_cert_ok" which will
> pass certificates without OCSP URLs as valid but still perform OCSP
> server checks for certificates that do have an OCSP URL. [2][3]
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=62112
> [3] https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.57/modules/ssl/ssl_engine_ocsp.c?view=markup#l142

Thanks for the suggestion. I filed this RFE as https://pagure.io/freeipa/issue/9412 upstream.

rob
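
Added example, not part of the original thread and not FreeIPA's or ipa-advise's own configuration: the three OCSP settings discussed above, side by side, as a mod_ssl fragment. Passing the flag as an extra argument after the mode of `SSLOCSPEnable` is an assumption based on the mod_ssl source linked in [3]; the flag is undocumented, so verify it against your httpd build.

```apache
# Constructed fragment for the virtual host that verifies client
# (smart card) certificates. Keep exactly one SSLOCSPEnable line active.

# (a) OCSP checks enabled, as the thread says the ipa-advise script
#     configures them. This is the setting that is a problem for client
#     certificates issued without an OCSP responder URL.
#SSLOCSPEnable on

# (b) Workaround from the RHEL documentation [1]: OCSP disabled. No client
#     certificate is checked via OCSP, including certificates that do
#     carry a responder URL.
#SSLOCSPEnable off

# (c) Flag proposed in the thread (assumed syntax: mode, then flag).
#     Certificates that carry an OCSP URL are still checked against the
#     responder. Certificates without a URL are accepted with no OCSP
#     revocation check at all.
SSLOCSPEnable on no_ocsp_for_cert_ok
```

Run `apachectl configtest` after the change; an httpd build that does not know the flag should reject the directive there rather than at the next restart.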
