Topic: Loading multiple self-signed certificates on server

I am currently evaluating wolfSSL as a replacement for OpenSSL on one of my company's products. For the most part I have been making use of the OpenSSL compatibility layer and in general things are working as expected.

The one exception is loading multiple self-signed certificates.

Currently the product supports both RSA and EC based cipher suites. With OpenSSL we load both an RSA and EC certificate for a given context on the server end. Here is a code snippet:

    
     if (!SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
         !SSL_CTX_use_certificate_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
     {
         tr_error("CRYPTO_WEBSSL: Error loading certificate files\n");
     }


     if (!SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_EC_KEYS_FILE, SSL_FILETYPE_PEM) ||
         !SSL_CTX_use_PrivateKey_file(psWebsSslCtx, HOST_RSA_KEYS_FILE, SSL_FILETYPE_PEM))
     {
         tr_error("CRYPTO_WEBSSL: Error loading private key files\n");
     }

This has always worked but with wolfSSL in place the client fails to connect to the server due to a handshake failure. The problem goes away when I load only the RSA cert or the EC cert. Of course it means that in either case only a subset of the cipher suites work.

Is this expected with wolfSSL? Is only one certificate type supported per context? Is there a way around this?

Share

Re: Loading multiple self-signed certificates on server

Hi Martin,

Thanks for evaluating wolfSSL!

Loading two certs to the same ssl context with the same API is not possible since the second call replaces the first one.

I would consider this as an enhancement or a feature request. But it should be trivial and can be done in a couple of days or so.

We'd be more than happy to add this to our backlog.

If there is a timeline associated with having this port available, please let me know so we can expedite the request.

Share

Re: Loading multiple self-signed certificates on server

Thanks for your reply. I had a discussion with another engineer about this today. We came to the conclusion that there is no valid use case for our product to support both EC and RSA based cipher suites. We plan to go with one or the other. We'll most likely go with EC.

Thanks again,

Martin

Share