Hi,
One thing that i’m slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?
I don't think that's necessary: for client cert validation, you don't need private keys and can already use the _dir option if you have more than one CA. So you just put roots of all variety into one directory, and tell FR to validate incoming certs from that directory. So long as the matching root (and intermediates maybe) is in there at all, a chain leading to it can be found. It's the standard and working since a decade way of handling multi roots. So I'd rather not have new code if there's a way without. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66