Welcome to the wolfSSL Forums!
chrisc wrote: Hi,
Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (see the "Problems" section of the CRL Wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list). OCSP is the current method to deal with those problems.
If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to. With OCSP, one of the things you would still need though is the cert serial number.
If you want to implement OCSP with wolfSSL, we could help if you would like.
Regards,
Chris
Yes, the OCSP route was a consideration but (as you say) we still need the serial number.
Also, it's not actually a "CRL" in the traditional sense ... that's just a convenient name to label the functionality. Think of it as some kind of embedded server that cannot depend on an external OCSP service. Revoked serial-numbers are pushed to the "embedded server", persisted there, and cached in memory for runtime lookups. It's intended to be a very lightweight environment and the number of revocations will remain low over time. Resolving any of this, though, requires the equivalent of peerCert.getSerialNumber().
Is there a plan to add this to wolfSSL and, if so, when is that likely to happen?
Thanks chrisc
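An added example, not part of the original post and not wolfSSL code: a minimal in-memory revoked-serial set of the kind the post above describes. The names revoked_set, revoked_add and revoked_contains and the 64-entry capacity are assumptions; serials are compared as byte strings because RFC 5280 allows up to 20 octets, which does not fit in the long returned by ASN1_INTEGER_get().

```c
#include <stddef.h>
#include <string.h>

#define SERIAL_MAX  20   /* RFC 5280: a serial number is at most 20 octets */
#define REVOKED_MAX 64   /* assumed capacity; revocations are expected to stay few */

struct revoked_set {
    size_t count;
    struct { unsigned char bytes[SERIAL_MAX]; size_t len; } entry[REVOKED_MAX];
};

/* Skip leading zero octets so that 00:A3:10 and A3:10 compare equal. */
static const unsigned char *normalize(const unsigned char *s, size_t *len)
{
    while (*len > 1 && s[0] == 0x00) { s++; (*len)--; }
    return s;
}

/* Returns 1 if revoked, 0 if not, -1 if the serial is malformed.
 * Callers should reject the peer on any nonzero result (fail closed). */
int revoked_contains(const struct revoked_set *set,
                     const unsigned char *serial, size_t len)
{
    size_t i;
    if (serial == NULL || len == 0) return -1;
    serial = normalize(serial, &len);
    if (len > SERIAL_MAX) return -1;
    for (i = 0; i < set->count; i++) {
        if (set->entry[i].len == len &&
            memcmp(set->entry[i].bytes, serial, len) == 0)
            return 1;
    }
    return 0;
}

/* Returns 0 on success or if already present, -1 if malformed or full. */
int revoked_add(struct revoked_set *set,
                const unsigned char *serial, size_t len)
{
    int hit = revoked_contains(set, serial, len);
    if (hit != 0) return hit == 1 ? 0 : -1;
    if (set->count >= REVOKED_MAX) return -1;
    serial = normalize(serial, &len);
    memcpy(set->entry[set->count].bytes, serial, len);
    set->entry[set->count].len = len;
    set->count++;
    return 0;
}
```

The set must be zero-initialized before first use; persisting it and feeding it the peer certificate's serial bytes are left to the surrounding application.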
chrisc wrote: Why do you need the serial number?
Hi chrisc,
I require some means of implementing a CRL (of client certs) ... how would you recommend I go about doing that?
Thanks much;
Hello,
I'd like to gain access to the dates associated with a peer-certificate, yet can't yet find a way to do that using wolfSSL. How should I go about that?
Also, are the notBefore and notAfter dates of a client-certificate tested (and potentially rejected) via SSL_CTX_set_verify(..., SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT)?
If the answer is "no" to both, how can I ensure a client-certificate presented (to a server) has not expired?
thanks much;
Hi,
I need to obtain the serial-number of a peer-certificate, and figured I'd be able to retrieve it via X509_get_serialNumber() in conjunction with ASN1_INTEGER_get(). However, this always returns 0 and it seems to be hard-coded that way in the wolfSSL source?
Am I doing something daft?