Re: CertificateExactMatch for the ldap HEAD branch (ITS#2719/ITS#2771).

[Mark Ruijter <openldap@siennax.com>]

> I have not checked your patch, but notice that some OpenSSL routines
> were not able to handle serial numbers larger that 32 bits (that are
> legal and the Microsoft Certificate Server customarily creates) unless
> they are not represented as integers but as some non
> standard-compliant series of decimal or even hexadecimal thingies
> separated by colons.  I painfully wrote code what would produce an
> integer of unrestricted length (that OpenLDAP's own integerMatch
> supported).  And I could not do it with standard OpenSSL routines.
The openssl routines that I tried (0.9.6 and higher) handle serials 
longer the 32 bit like
102199425239041956261964087300121083924 without problems.

Are there even longer / stranger serials then these around? I now that 
some CA's seem to want
to encode lots of private extension information and the kitchen sink 
into this field. :-)

--
-------------------------------------------- 
 ___  _ __  _  _
/ __/| `  |\ \/ /  Mark Ruijter
\__ \|  | | )  (   mark.ruijter@siennax.com
|___/|__|_|/_/\_\  06 - 53713459

--------------------------------------------