
Re: [Pan-users] gnutls error: hostname does not match server name


From: Heinrich Müller
Subject: Re: [Pan-users] gnutls error: hostname does not match server name
Date: Thu, 03 May 2012 17:36:14 +0200
User-agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120411 Thunderbird/11.0.1

On 03.05.2012 15:32, walt wrote:
> On 05/02/2012 06:04 PM, Duncan wrote:
>
> <interesting crypto gossip snipped>
>
>> if the site uses self-signed certs and you accept the valid
>> one, if it changes, at least to another self-signed, you'll normally get
>> the usual warnings all over again, and can act accordingly.
>
> Very good point.  So pan ideally should check for consistency at least
> when starting a new session, and complain only if the cert changes
> between sessions.
>
> Hm. I've never thought about it before, but any ssl client may routinely
> open hundreds or even thousands of connections during a single session,
> right?  Does the client then trot off to verify the server cert for every
> one of those thousands of connections?  That's a lot of bandwidth used.

SSL connections are verified on handshake, once a socket is created and
then the information is kept, so it's not.
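
The behaviour discussed in this thread (remember an accepted self-signed certificate, compare it at each handshake, and warn only when it changes) as an added example; it is not part of the original message and not Pan's code. `PinStore`, the JSON pin file and `news.example.org` are assumptions, and the certificate bytes are constructed stand-ins for DER data.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

NEW, MATCH, CHANGED = "new", "match", "changed"


class PinStore:
    """Hypothetical pin file: 'host:port' -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = Path(path)
        # Reloaded at the start of every session, so pins outlive the process.
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    @staticmethod
    def _key(host, port):
        return f"{host.lower()}:{port}"

    def check(self, host, port, der_cert):
        """Classify the certificate seen in one handshake; never modifies a pin."""
        seen = hashlib.sha256(der_cert).hexdigest()
        pinned = self.pins.get(self._key(host, port))
        if pinned is None:
            return NEW          # first contact: the user decides whether to accept
        return MATCH if hmac.compare_digest(pinned, seen) else CHANGED

    def accept(self, host, port, der_cert):
        """Record an explicit user decision and persist it for later sessions."""
        self.pins[self._key(host, port)] = hashlib.sha256(der_cert).hexdigest()
        self.path.write_text(json.dumps(self.pins, indent=2))


def demo():
    # Constructed stand-ins for DER certificates. A live client would take the
    # bytes from the handshake, e.g. ssl.SSLSocket.getpeercert(binary_form=True).
    cert_a, cert_b = b"constructed self-signed cert A", b"constructed cert B"
    host, port = "news.example.org", 563    # placeholder server
    with tempfile.TemporaryDirectory() as tmp:
        session1 = PinStore(Path(tmp) / "pins.json")
        out = [session1.check(host, port, cert_a)]      # first contact
        session1.accept(host, port, cert_a)
        out.append(session1.check(host, port, cert_a))  # later connection, same session
        session2 = PinStore(Path(tmp) / "pins.json")    # client restarted
        out.append(session2.check(host, port, cert_a))  # same cert in a new session
        out.append(session2.check(host, port, cert_b))  # cert replaced: warn again
        out.append(session2.check(host, port, cert_a))  # the old pin was not overwritten
    return out
```

The comparison is a local hash check on bytes the handshake already delivered, so running it on every connection costs no extra network traffic.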


