> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Viktor Dukhovni
> Sent: Monday, 20 October, 2014 17:48
> To: openssl-users@openssl.org
> Subject: Re: Order of certs returned by SSL_get_peer_cert_chain()
>
> Last time I read the code, I concluded that SSL_get_peer_cert_chain
> returns the certificate chain exactly as sent by the remote server
> in its TLS/SSL server HELLO message. The internally constructed
> chain used in certificate validation is not (AFAIK/IIRC) available.
If memory serves, the chain constructed by OpenSSL is available to the certificate callback function, in the final invocation of the callback for a given certificate exchange. That is, if you're in the callback, and X509_STORE_CTX_get_error_depth(store) returns 0, then X509_STORE_CTX_get_chain(store) should give you the chain constructed by OpenSSL. This is the callback the application can set with SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, [callback]).

So if you want access to that chain later in processing, you could write a callback that saves it somewhere (e.g. in session external data, with SSL_set_ex_data etc) when invoked for the final check, and just returns preverifyOk.

--
Michael Wojcik
Technology Specialist, Micro Focus

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org