Hi.
I disagree.
And openssl crl disagrees with you too: there are no SHA-1 (or other)
fingerprints in there, serial numbers are what is stored there :)
As far as I understand, in most of the cases where X509 is used for
OpenVPN a single (most probably self-signed) CA is used for
authentication, so the serial number should be sane enough to tell
which is which.
Anyway, feel free to add a SHA-1 (or whichever you prefer) fingerprint in addition to
my patch; the more information on the cause of a denied connection, the better.
On 25.08.2015 9:38, grarpamp wrote:
> On Mon, Aug 24, 2015 at 12:54 PM, Boris Lytochkin
> <lytbo...@yandex-team.ru> wrote:
>> Log serial number of revoked certificate
>> In most situations the admin of an OpenVPN server needs to know which
>> particular certificate is used by a client.
> Cert serial numbers found in the wild are hardly unique (witness
> the Mozilla CA bundle), thus no one with a sane mind refers to them
> as identifiers, nor do libraries/apps use them for things like cert pinning,
> nor should people be encouraged to think they are unique (even though
> there may now be some spec for that, but history precedes). The only place
> they'd have meaning is as a text string for the local issuer, but it's really just
> duplication of work.
> The sha1 (or better) fingerprint of the cert should be used instead.
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
--
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
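The disagreement above is about what a CRL entry actually carries and what a fingerprint identifies. The Python below is an added example for this page, not part of Boris's patch or of OpenVPN: a minimal X.690 DER reader (standard library only) that pulls the serial number out of a certificate and the list of revoked serials out of a CRL, plus the SHA-1 fingerprint computed the way `openssl x509 -fingerprint` does it, as a digest over the whole DER encoding. The certificate and CRL bytes are constructed inside the script with a small DER writer (CA names, serials and dates are made up, keys and signatures are zero placeholders), so it runs offline; the reader functions accept any real DER-encoded certificate or CRL as well. The revocation lookup is deliberately a bare serial match that ignores the issuer: with one CA, as Boris assumes, the serial picks out the certificate; across CAs, as grarpamp objects, two different certificates can share a serial and only the fingerprint separates them.

```python
"""Serial number vs. fingerprint: what a CRL entry contains, what a digest identifies.
Standard library only; the DER reader handles real certificates and CRLs too."""
import hashlib

# ---- minimal DER reader (ITU-T X.690) ----------------------------------------

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content octets of a constructed type into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def der_integer(value):
    return int.from_bytes(value, "big", signed=True)   # DER INTEGER is two's complement

# ---- the two identifiers under discussion -------------------------------------

def cert_serial(cert_der):
    """serialNumber of Certificate.tbsCertificate (RFC 5280 section 4.1)."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)                 # first child of Certificate is tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version precedes serial
        fields = fields[1:]
    tag, value = fields[0]
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return der_integer(value)

def cert_fingerprint(cert_der, algo="sha1"):
    """Same value as `openssl x509 -fingerprint -<algo>`: digest of the whole DER blob."""
    hexdigest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def crl_revoked_serials(crl_der):
    """Serials in CertificateList.tbsCertList.revokedCertificates (RFC 5280 section 5.1).
    Each entry is a serial number plus a revocation date; a CRL holds no fingerprints."""
    _, crl, _ = der_read(crl_der)
    _, tbs, _ = der_read(crl)
    # Only three tbsCertList fields are SEQUENCEs: signature AlgorithmIdentifier, issuer
    # Name and the optional revokedCertificates. version is INTEGER, the times are
    # UTCTime/GeneralizedTime, crlExtensions is [0]; so the third SEQUENCE is the list.
    seqs = [val for tag, val in der_children(tbs) if tag == 0x30]
    if len(seqs) < 3:
        return set()
    return {der_integer(der_children(entry)[0][1]) for _, entry in der_children(seqs[2])}

def log_line_for_revoked_client(cert_der, crl_der):
    """Fields a server could log for a client on the CRL. The match is a bare serial
    lookup that ignores the issuer, on purpose: it shows the scope of a serial number."""
    serial = cert_serial(cert_der)
    return {"serial": format(serial, "X"),
            "sha1": cert_fingerprint(cert_der),
            "revoked": serial in crl_revoked_serials(crl_der)}

# ---- constructed sample data: tiny DER writer, unsigned, placeholder keys ------

def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(n):
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit stays clear

SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + der_tlv(0x05, b""))
RSA_ENC = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))

def x509_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here a single commonName (2.5.4.3)."""
    atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def make_cert(serial, issuer_cn, subject_cn):
    """Constructed v3 Certificate with a realistic tbsCertificate layout; key and
    signature are zero placeholders, since only the structure matters here."""
    validity = der_tlv(0x30, der_tlv(0x17, b"150825000000Z") + der_tlv(0x17, b"160825000000Z"))
    spki = der_tlv(0x30, RSA_ENC + der_tlv(0x03, bytes(33)))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(serial) + SHA256_RSA
                  + x509_name(issuer_cn) + validity + x509_name(subject_cn) + spki)
    return der_tlv(0x30, tbs + SHA256_RSA + der_tlv(0x03, bytes(33)))

def make_crl(issuer_cn, revoked_serials):
    """Constructed v2 CertificateList revoking the given serials (placeholder signature)."""
    entries = b"".join(der_tlv(0x30, der_int(s) + der_tlv(0x17, b"150825093800Z"))
                       for s in revoked_serials)
    tbs = der_tlv(0x30, der_int(1) + SHA256_RSA + x509_name(issuer_cn)
                  + der_tlv(0x17, b"150825093800Z") + der_tlv(0x17, b"150925093800Z")
                  + (der_tlv(0x30, entries) if revoked_serials else b""))
    return der_tlv(0x30, tbs + SHA256_RSA + der_tlv(0x03, bytes(33)))

# Two made-up issuers that happen to hand out the same serial 0x1002.
CLIENT_A = make_cert(0x1002, "Example VPN CA", "alice")
CLIENT_B = make_cert(0x1002, "Some Other CA", "bob")
CRL_A = make_crl("Example VPN CA", [0x1002, 0x1003])

if __name__ == "__main__":
    print("CRL of Example VPN CA revokes serials:",
          sorted(format(s, "X") for s in crl_revoked_serials(CRL_A)))
    for name, cert in (("alice", CLIENT_A), ("bob", CLIENT_B)):
        print(name, log_line_for_revoked_client(cert, CRL_A))
```

Run as a script, it lists the two serials from the CRL and then prints a line for each client: both carry serial `1002` and both come out as revoked against the same CRL, yet their SHA-1 fingerprints differ, which is exactly why a serial is only meaningful relative to its issuer while the fingerprint names one specific certificate. To cross-check the reader against real files, `openssl x509 -in client.crt -noout -serial -fingerprint -sha1` and `openssl crl -in crl.pem -noout -text` print the same serials and digest; feed the functions DER (`openssl x509 -in client.crt -outform DER -out client.der`), not PEM.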