For a TLSv1.2 secured TCP server socket is there a way to support both ECC and RSA certificate/key pairs?
We are required to support all the following ciphers:
From my understanding TLS_ECDHE_ECDSA_xxxx ciphers will require a certificate signed by an ECC key, the others RSA.
The structure wiced_tls_context_t can only be assigned one wiced_tls_identity_t pointer which holds the certificate/key pair.
Currently have all ciphers except TLS_ECDHE_ECDSA_xxxx working on our platform:
SDK 5.0, module ISM43362_M3G_L44.
Solved! Go to Solution.
The WICED BESL library currently does not support multiple server certificate/key pairs.
I think I found a solution:
In server mode I was able to swap the TLS identity after SSL state changes from SSL_CLIENT_HELLO to SSL_SERVER_HELLO.
Cipher has been selected at this point, planning on swapping EC and RSA TLS identity based on cipher chose.
Verified it works using two RSA key/certificates, swapping to the valid TLS identity at that point, handshake completed ok.
Will verify with EC TLS Identity when I get my EC key/certificate pair generated.
For EC we need to support secp224r1 key size. WICED defaults to secp256r1 key size.
I tried to change the elliptic curve to different values modifying the SDK at this location:
Still defaults to secp256r1, tried uECC_secp160r1_size and uECC_secp224r1_size.
Running as client the WICED device always responds with only curve secp256r1?
That is interesting. You were able to work around the limitation by swapping the TLS identity. Regarding the issue of WICED defaulting to secp256r1 key size, did you change the values of macros uECC_CURVE and uECC_BYTES in configuration.h?
#define uECC_CURVE uECC_secp224r1
#define uECC_BYTES uECC_secp224r1_size
Also which APIs did you use for this elliptic curve secp224r1? Can you share a small sample where you used those APIs?