Hi, this ticket in FreeIPA came to my attention: https://fedorahosted.org/freeipa/ticket/4853 https://bugzilla.redhat.com/show_bug.cgi?id=1179220 FreeIPA isn't directly affected by the issue. But the Python client library of Dogtag PKI uses OpenSSL and therefore indirectly affects FreeIPA. It's also a bit related to #1253. Depending on how we want to solve #1253 we can fix FreeIPA's #4853 at the same time. I see two solutions: 1) Use NSS for TLS/SSL. That would delay crypto-policies, because NSS doesn't support it yet. 2) Write another SSL adapter for python-requests that allows us to use the system certs as well as specify the cipher list. Christian