Topic: Discussion of wolfSSL Features
This is in response to a thread started on the old wolfSSL forums -- now moved here:
What system are you on?
Do you think we should add a bug report category to the new forums? Go ahead and post to whichever one you like though we'd prefer the new forums I guess just to show it's being used
The next release will allow CA signed cert generation but there won't be an intermediate output where certs can be sent to other signers (just wolfSSL CA signing). Do you think another tool that provides intermediate certs would be useful? Is there anything wrong with the tools people are currently using or things you'd like to see improved?
I am experimenting with using wolfSSL to encrypt data traffic between two ARM microcontrollers (over TCP/IP as well as RS232, USB, etc) -- so one MCU acts as the server and the other as the client (both using certificates). As my system is memory constrained, I keep my bio transmit buffers small (since SSL already has sufficient buffer space for TX messages).
Actually, this brings up a question: is there anything wrong with leaving a single SSL session running for days, weeks, or months on end without closing it and reopening? (Should the encryption keys be refreshed every so often?)
If I am understanding you right, it sounds like the only option for a wolfSSL client to use a signed certificate will be for another device (running a CA or wolfSSL) to generate the public/private certificate pair, sign the public certificate, and then transmit the certificate pair to the wolfSSL client.
In the context of embedded devices, I think it would be nice to have the ability to have your embedded device generate its own public and private certificate pair and then present only its public key to a CA for signing (thereby eliminating the possibility of the private key being exposed).
I have been experimenting with OpenSSL's command line interface for certificate signing -- I guess that I am not overly impressed with the way they keep their database (in a text file, with a second text file keeping track of the current index number) -- but I don't have any real suggestions for how to improve this either...
For now it seems nice to keep your new forum structure (bugs and questions in one section) as it is easy to see what other wolfSSL are up to. If the # of posts start to get over whelming it might be a good idea to separate bugs from questions.