I am currently evaluating wolfSSL as a replacement for OpenSSL on one of my company's products. For the most part I have been making use of the OpenSSL compatibility layer and in general things are working as expected.
The one exception is loading multiple self-signed certificates.
Currently the product supports both RSA- and EC-based cipher suites. With OpenSSL we load both an RSA and an EC certificate for a given context on the server end. Here is a code snippet:

    /* Load the EC and the RSA certificate into the same context. */
    if (!SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
        !SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
    {
        tr_error("CRYPTO_WEBSSL: Error loading certificate files\n");
    }

    /* Load the matching private keys from the same PEM files. */
    if (!SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
        !SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
    {
        tr_error("CRYPTO_WEBSSL: Error loading private key files\n");
    }

This has always worked, but with wolfSSL in place the client fails to connect to the server due to a handshake failure. The problem goes away when I load only the RSA cert or the EC cert. Of course, it means that in either case only a subset of the cipher suites work.
Is this expected with wolfSSL? Is only one certificate type supported per context? Is there a way around this?