Hi Jamie,

> What steps are taken to verify client certificates? In particular, are
> validity dates checked?

I can read on http://www.apsis.ch/pound/ that "Pound just passes this information without checking it in any way (except for signature and encryption correctness)", so I really would check validity dates within your application.

> Are X-SSL-* headers from the client stripped?

No, but the web page says you can (and should) strip these for yourself; please search for "HeadDeny X-SSL" on the page for details.

> Is there a way to disallow self-signed certs? (ie, only allow certs
> that my CA has signed.)

That's what the "VerifyList" setting is for; simply set it to a file which contains the root certificates you trust (in PEM format). You have to place it in the HTTPSListener block you use for client certification.

Jonas
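The application-side checks the reply recommends (validity dates, and accepting only certificates your own CA signed, which also rejects self-signed ones), as an added Go example that is not part of this thread or of Pound itself. It assumes Pound forwards the client certificate as PEM in an `X-SSL-Certificate` header with the line breaks folded into whitespace (the exact folding is an assumption, so the parser strips all whitespace between the armour lines), and it builds a throwaway CA plus three constructed test certificates inline so it runs offline. `certFromHeader`, `checkClientCert` and `buildTestPKI` are names chosen here, not Pound APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// ClientCertHeader is the header Pound sets for the client certificate
// (assumption: the header name as documented on the Pound page).
const ClientCertHeader = "X-SSL-Certificate"

// certFromHeader rebuilds the certificate from the PEM the proxy forwards.
// The PEM line breaks may have been folded into spaces or tabs, so all
// whitespace between the BEGIN/END armour is dropped before base64 decoding.
func certFromHeader(h http.Header) (*x509.Certificate, error) {
	raw := h.Get(ClientCertHeader)
	if raw == "" {
		return nil, errors.New("no client certificate header")
	}
	const begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
	i, j := strings.Index(raw, begin), strings.Index(raw, end)
	if i < 0 || j < i {
		return nil, errors.New("header is not a PEM certificate")
	}
	body := strings.Join(strings.Fields(raw[i+len(begin):j]), "")
	der, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, fmt.Errorf("bad base64 in certificate header: %w", err)
	}
	return x509.ParseCertificate(der)
}

// checkClientCert does in the application what the proxy does not: it checks
// the validity period explicitly (for a clear error message) and then builds a
// chain to the trusted CAs, which rejects self-signed and foreign-CA certs.
func checkClientCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if now.Before(cert.NotBefore) {
		return fmt.Errorf("certificate not yet valid (NotBefore %s)", cert.NotBefore.UTC())
	}
	if now.After(cert.NotAfter) {
		return fmt.Errorf("certificate expired (NotAfter %s)", cert.NotAfter.UTC())
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// testPKI holds constructed certificates for the example; not real credentials.
type testPKI struct {
	Roots      *x509.CertPool
	ValidPEM   string // leaf signed by the CA, currently valid
	ExpiredPEM string // leaf signed by the CA, already expired
	SelfPEM    string // self-signed leaf, never issued by the CA
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with parent/priv and returns the parsed cert and its PEM.
func mustCert(tmpl, parent *x509.Certificate, pub, priv interface{}) (*x509.Certificate, string) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// buildTestPKI creates a throwaway CA and three client leaves relative to now.
func buildTestPKI(now time.Time) testPKI {
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Client CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, _ := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf := func(serial int64, nb, na time.Time, parent *x509.Certificate, signer *ecdsa.PrivateKey) string {
		k := mustKey()
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "jamie"},
			NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		if parent == nil { // self-signed: the template signs itself
			parent, signer = tmpl, k
		}
		_, p := mustCert(tmpl, parent, &k.PublicKey, signer)
		return p
	}
	return testPKI{
		Roots:      roots,
		ValidPEM:   leaf(2, now.Add(-time.Hour), now.Add(24*time.Hour), ca, caKey),
		ExpiredPEM: leaf(3, now.Add(-48*time.Hour), now.Add(-time.Hour), ca, caKey),
		SelfPEM:    leaf(4, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil),
	}
}

func main() {
	now := time.Now()
	pki := buildTestPKI(now)
	for _, c := range []struct{ name, pem string }{
		{"valid", pki.ValidPEM}, {"expired", pki.ExpiredPEM}, {"self-signed", pki.SelfPEM},
	} {
		h := http.Header{} // simulate the folded header the proxy would send
		h.Set(ClientCertHeader, strings.ReplaceAll(c.pem, "\n", " "))
		cert, err := certFromHeader(h)
		if err == nil {
			err = checkClientCert(cert, pki.Roots, now)
		}
		if err != nil {
			fmt.Printf("%-12s rejected: %v\n", c.name, err)
		} else {
			fmt.Printf("%-12s accepted (CN=%s)\n", c.name, cert.Subject.CommonName)
		}
	}
}
```

The explicit NotBefore/NotAfter comparison is redundant with `Verify`, which also checks the period against `CurrentTime`, but it gives the user a specific reason; keep the `Verify` call regardless, since that is what ties the certificate to your VerifyList CAs and rejects anything self-signed. The header check must only run on requests that actually arrived through Pound, otherwise a client can supply its own `X-SSL-Certificate` header, which is why the reply tells you to strip those headers at the proxy as well.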