The WICED BESL library currently does not support multiple server certificate/key pairs.
I think I found a solution:
In server mode I was able to swap the TLS identity after SSL state changes from SSL_CLIENT_HELLO to SSL_SERVER_HELLO.
The cipher has been selected at this point; planning on swapping the EC and RSA TLS identity based on the cipher chosen.
Verified it works using two RSA key/certificates, swapping to the valid TLS identity at that point, handshake completed ok.
Will verify with EC TLS Identity when I get my EC key/certificate pair generated.
For EC we need to support secp224r1 key size. WICED defaults to secp256r1 key size.
I tried to change the elliptic curve to different values modifying the SDK at this location:
Still defaults to secp256r1, tried uECC_secp160r1_size and uECC_secp224r1_size.
Running as client the WICED device always responds with only curve secp256r1?
That is interesting. You were able to work around the limitation by swapping the TLS identity. Regarding the issue of WICED defaulting to secp256r1 key size, did you change the values of macros uECC_CURVE and uECC_BYTES in configuration.h?
#define uECC_CURVE uECC_secp224r1
#define uECC_BYTES uECC_secp224r1_size
Also which APIs did you use for this elliptic curve secp224r1? Can you share a small sample where you used those APIs?
With SDK 5.2 this is no longer an issue.
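The identity choice described in the first post (pick the RSA or EC identity once the cipher suite is known) is sketched below as an added example; it is not from the thread and is not WICED/BESL code. The function names, the enum and the sample bytes are constructed for illustration, and the numeric values are the IANA TLS registry values for cipher suites, the supported_groups extension and the named curves.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not WICED/BESL code; all names here are hypothetical. */
enum identity { ID_NONE, ID_RSA, ID_EC };
#define EXT_SUPPORTED_GROUPS 0x000a   /* IANA extension type */
#define GROUP_SECP224R1      0x0015   /* IANA named group 21 */
#define GROUP_SECP256R1      0x0017   /* IANA named group 23 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a ClientHello extensions block (without its outer 2-byte length) and
 * report whether supported_groups lists `group`. Malformed input returns 0. */
int client_offers_group(const uint8_t *ext, size_t len, uint16_t group)
{
    size_t off = 0;
    while (len - off >= 4) {
        uint16_t type = rd16(ext + off);
        size_t elen = rd16(ext + off + 2);
        off += 4;
        if (elen > len - off) return 0;            /* truncated extension */
        if (type == EXT_SUPPORTED_GROUPS) {
            if (elen < 2) return 0;
            size_t list = rd16(ext + off);         /* byte length of the group list */
            if (list + 2 != elen || (list & 1)) return 0;
            for (size_t i = 0; i < list; i += 2)
                if (rd16(ext + off + 2 + i) == group) return 1;
            return 0;
        }
        off += elen;
    }
    return 0;
}

/* Choose the identity for the negotiated suite. An ECDSA suite is only usable
 * when the client offered the curve of the EC certificate (assumption: one EC cert). */
enum identity select_identity(uint16_t suite, const uint8_t *ext, size_t len,
                              uint16_t ec_cert_curve)
{
    switch (suite) {
    case 0xC009: case 0xC00A: case 0xC02B: case 0xC02C:   /* ECDHE_ECDSA suites */
        return client_offers_group(ext, len, ec_cert_curve) ? ID_EC : ID_NONE;
    case 0x002F: case 0x0035: case 0xC013: case 0xC014:
    case 0xC02F: case 0xC030:                             /* RSA-authenticated suites */
        return ID_RSA;
    default:
        return ID_NONE;
    }
}

/* Constructed sample: ec_point_formats, then supported_groups = { secp256r1 } */
const uint8_t SAMPLE_EXT[] = { 0x00,0x0b,0x00,0x02,0x01,0x00,
                               0x00,0x0a,0x00,0x04,0x00,0x02,0x00,0x17 };
```

With the sample extensions, a secp224r1 EC certificate yields `ID_NONE` for an ECDHE_ECDSA suite because the client offered only secp256r1, which is the mismatch the curve discussion above is about.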