I am currently evaluating wolfSSL as a replacement for OpenSSL on one of my company's products. For the most part I have been making use of the OpenSSL compatibility layer and in general things are working as expected.

The one exception is loading multiple self-signed certificates.

Currently the product supports both RSA and EC based cipher suites. With OpenSSL we load both an RSA and EC certificate for a given context on the server end. Here is a code snippet:

    
     if (!SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
         !SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
     {
         tr_error("CRYPTO_WEBSSL: Error loading certificate files\n");
     }


     if (!SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
         !SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
     {
         tr_error("CRYPTO_WEBSSL: Error loading private key files\n");
     }

This has always worked but with wolfSSL in place the client fails to connect to the server due to a handshake failure. The problem goes away when I load only the RSA cert or the EC cert. Of course it means that in either case only a subset of the cipher suites work.

Is this expected with wolfSSL? Is only one certificate type supported per context? Is there a way around this?