You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → wolfSSL → x509 serial number
Hi,
I need to obtain the serial-number of a peer-certificate, and figured I'd be able to retrieve it via X509_get_serialNumber() in conjunction with ASN1_INTEGER_get(). However, this always returns 0 and it seems to be hard-coded that way in the wolfSSL source?
Am I doing something daft?
Hi,
wolfSSL does all verification internally (signature, date, domain name). The X509_get_serialNumber() function is part of wolfSSL's OpenSSL Compatibility layer, and is currently just a stub that always returns 0.
Why do you need the serial number?
Regards,
Chris
Why do you need the serial number?
Hi chrisc,
I require some means of implementing a CRL (of client certs) ... how would you recommend I go about doing that?
Thanks much;
Hi,
Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (See the "Problems" section of the CRL wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list. OCSP is the current method to deal with those problems.
If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to. With OCSP, one of the things you would still need though is the cert serial number.
If you want to implement OCSP with wolfSSL, we could help if you would like.
Regards,
Chris
Hi,
Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (See the "Problems" section of the CRL wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list. OCSP is the current method to deal with those problems.
If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to. With OCSP, one of the things you would still need though is the cert serial number.
If you want to implement OCSP with wolfSSL, we could help if you would like.
Regards,
Chris
Yes, the OCSP route was consideration but (as you say) we still need the serial number.
Also, it's not actually a "CRL" in the traditional sense ... that's just a convenient name to label the functionality. Think of it as some kind of embedded server that cannot depend on an external OCSP service. Revoked serial-numbers are pushed to the "embedded server", persisted there, and cached in memory for runtime lookups. It's intended to be a very lightweight environment and the number of revocations will remain low over time. Resolving any of this, though, requires the equivalent of peerCert.getSerialNumber().
Is there a plan to add this to wolfSSL and, if so, when is that likely to happen?
Thanks chrisc
topher,
Sounds like an interesting embedded SSL project. What kind of server are you creating? Currently, getSerialNumber() functionality isn't on our list, but if you have a need for it, we can work with you to add the functionality.
Regards,
Chris
wolfSSL - Embedded SSL Library → wolfSSL → x509 serial number
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.020 seconds (90% PHP - 10% DB) with 11 queries