Topic: Discussion of wolfSSL Features

This is in response to a thread started on the old wolfSSL forums -- now moved here:

What system are you on?

Do you think we should add a bug report category to the new forums?  Go ahead and post to whichever one you like though we'd prefer the new forums I guess just to show it's being used smile

The next release will allow CA signed cert generation but there won't be an intermediate output where certs can be sent to other signers (just wolfSSL CA signing).  Do you think another tool that provides intermediate certs would be useful?  Is there anything wrong with the tools people are currently using or things you'd like to see improved?

My application:
I am experimenting with using wolfSSL to encrypt data traffic between two ARM microcontrollers (over TCP/IP as well as RS232, USB, etc) -- so one MCU acts as the server and the other as the client (both using certificates). As my system is memory constrained, I keep my bio transmit buffers small (since SSL already has sufficient buffer space for TX messages).

Actually, this brings up a question: is there anything wrong with leaving a single SSL session running for days, weeks, or months on end without closing it and reopening?  (Should the encryption keys be refreshed every so often?)

Signing Certs:
If I am understanding you right, it sounds like the only option for a wolfSSL client to use a signed certificate will be for another device (running a CA or wolfSSL) to generate the public/private certificate pair, sign the public certificate, and then transmit the certificate pair to the wolfSSL client.

In the context of embedded devices, I think it would be nice to have the ability to have your embedded device generate its own public and private certificate pair and then present only its public key to a CA for signing (thereby eliminating the possibility of the private key being exposed).

I have been experimenting with OpenSSL's command line interface for certificate signing -- I guess that I am not overly impressed with the way they keep their database (in a text file, with a second text file keeping track of the current index number) -- but I don't have any real suggestions for how to improve this either...

For now it seems nice to keep your new forum structure (bugs and questions in one section) as it is easy to see what other wolfSSL are up to. If the # of posts start to get over whelming it might be a good idea to separate bugs from questions.


Re: Discussion of wolfSSL Features

It depends.  Some people say not to use a session more than 500 seconds in case the server's private key is compromised.  Some say not to send more than a certain amount of data, certainly not more than 4 GB.  If you control the server and know the private key is secure you don't really gain much by continually starting and stopping a session unless you're transferring large amounts of known plaintext data.

wolfSSL can create public or private keys.  Certificates are only public in the SSL domain.  And more than the public key is needed to create/sign a public certificate.  All of the common name elements and days valid are needed in addition at the minimum.  Maybe wolfSSL will add a cert ready for signing type structure that isn't x.509 request standard, that's a lot of ASN.1/X.509 code that doesn't add much to our embedded SSL product.  I'll keep that in mind.


Re: Discussion of wolfSSL Features

Okay, thanks.

After hearing what you have to say here, I agree that adding unsigned certificate generation is probably not worth the effort and code space required -- especially if it isn't even x.509 standard.