From: Boris L. <lyt...@ya...> - 2015-08-25 07:13:13

Hi. I disagree. And openssl crl disagrees with you too. There are no sha1 (or other) fingerprints there, serial numbers are stored there :)

As far as I understand, in most of the cases where X509 is used for OpenVPN, a single (most probably self-signed) CA is used for authentication, so the serial number should be sane enough to understand which is which.

Anyway, feel free to add a sha1 (you name it) fingerprint additionally to my patch - the more information on the cause of denial of connection, the better.

On 25.08.2015 9:38, grarpamp wrote:
> On Mon, Aug 24, 2015 at 12:54 PM, Boris Lytochkin
> <lyt...@ya...> wrote:
>> Log serial number of revoked certificate
>> In most situations the admin of an OpenVPN server needs to know which particular
>> certificate is used by a client.
> Cert serial numbers found in the wild are hardly unique (witness
> the Mozilla CA bundle), thus no one with a sane mind refers to them
> as identifiers, nor do libraries/apps use them for things like cert pinning,
> nor should people be encouraged to think they are unique (even though
> there may now be some spec for that, but history precedes). The only place
> they'd have meaning is as text string for the local issuer, but it's really just
> duplication of work.
> The sha1 (or better) fingerprint of the cert should be used instead.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openvpn-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

--
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
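The check the two messages are arguing about, as an added example that is neither the patch under discussion nor OpenVPN's code: a Go program, standard library only (x509.ParseRevocationList needs Go 1.19 or later), that builds a throwaway CA, issues two client certificates, revokes one of them by serial number in a CRL, and then logs the rejected certificate both by the serial the CRL matched on and by the SHA-1 fingerprint of its DER encoding. Everything in it is constructed for the example: the CA and subject names, the serials, the helper names template/newCert/issueCRL/isRevoked/checkClient, and the VERIFY OK / VERIFY ERROR log format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // fixture setup only; a real server would return the error
	}
}

// template builds a one-day certificate template (constructed for this example); a CA gets the certSign/crlSign usages.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: ca, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca { // crlSign is required by x509.CreateRevocationList
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// newCert generates a P-256 key and signs tmpl with parent/parentKey; a nil parentKey means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueCRL revokes the given serials. A CRL entry holds only a serial number and a time; no fingerprint.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	must(crl.CheckSignatureFrom(ca)) // never act on a CRL whose signature you have not verified
	return crl
}

// isRevoked is the only lookup a CRL supports: a serial match, scoped to the issuer that assigned the serial.
func isRevoked(cert *x509.Certificate, crl *x509.RevocationList) bool {
	if !bytes.Equal(cert.RawIssuer, crl.RawIssuer) {
		return false
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// checkClient returns the verify decision and the log line: the serial the CRL matched on, plus the
// subject and the SHA-1 of the DER encoding, which pins down the exact certificate across issuers.
func checkClient(cert *x509.Certificate, crl *x509.RevocationList) (bool, string) {
	ok, verdict := true, "VERIFY OK"
	if isRevoked(cert, crl) {
		ok, verdict = false, "VERIFY ERROR: certificate revoked"
	}
	return ok, fmt.Sprintf("%s: subject=%q serial=%X sha1=%X", verdict, cert.Subject.CommonName,
		cert.SerialNumber, sha1.Sum(cert.Raw))
}

// demo: one self-signed CA, client certificates with serials 2 and 3, a CRL revoking serial 3.
func demo() []string {
	ca, caKey := newCert(template(1, "Example VPN CA", true), nil, nil)
	alice, _ := newCert(template(2, "alice", false), ca, caKey)
	bob, _ := newCert(template(3, "bob", false), ca, caKey)
	crl := issueCRL(ca, caKey, bob.SerialNumber)
	_, aliceLine := checkClient(alice, crl)
	_, bobLine := checkClient(bob, crl)
	return []string{aliceLine, bobLine}
}

func main() {
	fmt.Println(strings.Join(demo(), "\n"))
}
```

Running it prints two lines; the second carries serial=3 and a 40-character sha1= value. The issuer comparison in isRevoked is the point grarpamp raises: a serial number only means something relative to the CA that issued it, so the CRL is matched per issuer, while the fingerprint in the same log line identifies the exact certificate no matter who issued it.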