On 05/02/2012 06:04 PM, Duncan wrote:

<interesting crypto gossip snipped>

> if the site uses self-signed certs and you accept the valid
> one, if it changes, at least to another self-signed, you'll normally get
> the usual warnings all over again, and can act accordingly.

Very good point. So pan ideally should check for consistency at least when starting a new session, and complain only if the cert changes between sessions.

Hm. I've never thought about it before, but any ssl client may routinely open hundreds or even thousands of connections during a single session, right? Does the client then trot off to verify the server cert for every one of those thousands of connections? That's a lot of bandwidth used.
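One way to implement the check discussed in this message, as an added example that is not part of the original post and is not Pan's code: a trust-on-first-use store that pins one SHA-256 fingerprint per server, compares in memory for repeat connections within a session, and reports a changed certificate without overwriting the pin. The class and function names, the JSON pin file and the server name are assumptions, and the certificate bytes are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate the server presented."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use pins, one fingerprint per server (hypothetical design)."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}
        self.session = {}  # server -> fingerprint already checked this session

    def check(self, server: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        if self.session.get(server) == fp:
            return "session-match"      # repeat connection, memory compare only
        pinned = self.pins.get(server)
        if pinned is None:
            return "first-use"          # caller asks the user before accept()
        if pinned != fp:
            return "changed"            # caller warns; the pin is not overwritten
        self.session[server] = fp
        return "match"

    def accept(self, server: str, der_cert: bytes) -> None:
        """Persist the user's decision so later sessions can compare against it."""
        fp = fingerprint(der_cert)
        self.pins[server] = self.session[server] = fp
        self.path.write_text(json.dumps(self.pins, indent=2))


def demo() -> list:
    """Two sessions against a constructed server name and constructed cert bytes."""
    server, cert_a, cert_b = "news.example.invalid:563", b"constructed-A", b"constructed-B"
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "pins.json"
        first = PinStore(path)
        out = [first.check(server, cert_a)]
        first.accept(server, cert_a)
        out.append(first.check(server, cert_a))
        second = PinStore(path)  # new session: in-memory cache is empty
        out += [second.check(server, cert_a), second.check(server, cert_a)]
        out.append(second.check(server, cert_b))
    return out
```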