Thanks for your reply. I had a discussion with another engineer about this today. We came to the conclusion that there is no valid use case for our product to support both EC and RSA based cipher suites. We plan to go with one or the other. We'll most likely go with EC.

Thanks again,

Martin

I am currently evaluating wolfSSL as a replacement for OpenSSL on one of my company's products. For the most part I have been making use of the OpenSSL compatibility layer and in general things are working as expected.

The one exception is loading multiple self-signed certificates.

Currently the product supports both RSA- and EC-based cipher suites. With OpenSSL we load both an RSA and an EC certificate for a given context on the server end. Here is a code snippet:

    /* Load both server certificates (EC first, then RSA) into the same SSL_CTX. */
    if (!SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
        !SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
    {
        tr_error("CRYPTO_WEBSSL: Error loading certificate files\n");
    }

    /* Load the matching private keys from the same PEM files. */
    if (!SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
        !SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
    {
        tr_error("CRYPTO_WEBSSL: Error loading private key files\n");
    }

This has always worked, but with wolfSSL in place the client fails to connect to the server due to a handshake failure. The problem goes away when I load only the RSA cert or only the EC cert. Of course, it means that in either case only a subset of the cipher suites work.

Is this expected with wolfSSL? Is only one certificate type supported per context? Is there a way around this?
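A reference check of the behaviour described above, added here and not taken from the thread or from wolfSSL: this Go program uses Go's crypto/tls as a stand-in for the OpenSSL compatibility layer, loads an EC and an RSA self-signed certificate into one server config, runs a TLS 1.2 handshake over an in-memory pipe with a client that offers only a single cipher suite, and reports which certificate the server presented. The certificate subject, serial numbers and the hostname localhost are constructed test data.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for priv (constructed test data).
func selfSigned(priv crypto.Signer, serial int64) tls.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "dual-cert-test"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// ChosenCertAlgorithm loads one EC and one RSA certificate into a single server config, runs a TLS 1.2
// handshake with a client offering only the given suite, and returns the key algorithm of the cert presented.
func ChosenCertAlgorithm(suite uint16) x509.PublicKeyAlgorithm {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ec, rs := selfSigned(ecKey, 1), selfSigned(rsaKey, 2)
	roots := x509.NewCertPool() // trust both test certs so the client verifies the chain normally
	roots.AddCert(ec.Leaf)
	roots.AddCert(rs.Leaf)
	c, s := net.Pipe()
	go tls.Server(s, &tls.Config{Certificates: []tls.Certificate{ec, rs}}).Handshake() // server side; a failure surfaces as a client error
	client := tls.Client(c, &tls.Config{ServerName: "localhost", RootCAs: roots,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}})
	if err := client.Handshake(); err != nil {
		panic(err)
	}
	return client.ConnectionState().PeerCertificates[0].PublicKeyAlgorithm
}
func main() {
	fmt.Println(ChosenCertAlgorithm(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), ChosenCertAlgorithm(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256))
}
```

With both certificates loaded, an ECDHE-ECDSA-only client is answered with the EC certificate and an ECDHE-RSA-only client with the RSA one; a stack that can only hold one certificate per context will fail the handshake for whichever suite family the loaded certificate cannot serve.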