On Fri, Dec 9, 2011 at 12:33 PM, Jonas Pasche <[email protected]> wrote: > I can read on http://www.apsis.ch/pound/ that "Pound just passes this > information without checking it in any way (except for signature and > encryption correctness)", so I really would check validity dates within > your application.
For prosperity's sake, I'll mention this. I went groking through the source code to answer this question. It appears that all the HTTPS handling is done with OpenSSL and that pound does no verification on top of it. From OpenSSL's documention, it does seem to check that the certificate has valid dates on it. I haven't tested this empirically though. -- To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
