nss/nss-turn-off-expired-ocsp-cert.patch

diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -159,12 +159,12 @@ verify NameConstraints.dcissblocked:x
 verify NameConstraints.dcissallowed:x
   result pass
 
 # Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
 #
 # This tests that a non server certificate (i.e. id-kp-serverAuth
 # not present in EKU) does *NOT* have CN treated as dnsName for
 # purposes of Name Constraints validation
-verify NameConstraints.ocsp1:x
-  usage 10
-  result pass
+#verify NameConstraints.ocsp1:x
+#  usage 10
+#  result pass