Hello,

My question revolves around the Heartbleed issue with OpenSSL and what the impact is on Pound 2.6 (available from the epel repository on Fedora). Could someone please validate my theories on this subject:

Theory 1: Pound is compiled on whatever version of OpenSSL exists on the build server but is most likely compiled against header files and packaged with RPM to use shared libraries on the server rather than static libraries bundled with Pound. This means that you could issue a statement such as "openssl version" and determine safely which version of OpenSSL Pound is using based on the result.

Theory 2: Pound uses OpenSSL for encryption/decryption but does not treat it as a back-end, which would imply it does not serve content directly from OpenSSL to the client but rather passes the request to the back-end (then uses OpenSSL to encrypt the response) or drops it if not recognized.

I confess, Theory 2 is wishful thinking. I'm sure there is a lot of SSL/TLS handshaking that back-ends are never involved with.

Thanks,
D
