Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (See the "Problems" section of the CRL wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list. OCSP is the current method to deal with those problems.
If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to. With OCSP, one of the things you would still need though is the cert serial number.
If you want to implement OCSP with wolfSSL, we could help if you would like.
Yes, the OCSP route was consideration but (as you say) we still need the serial number.
Also, it's not actually a "CRL" in the traditional sense ... that's just a convenient name to label the functionality. Think of it as some kind of embedded server that cannot depend on an external OCSP service. Revoked serial-numbers are pushed to the "embedded server", persisted there, and cached in memory for runtime lookups. It's intended to be a very lightweight environment and the number of revocations will remain low over time. Resolving any of this, though, requires the equivalent of peerCert.getSerialNumber().
Is there a plan to add this to wolfSSL and, if so, when is that likely to happen?