These 2 #defines exist for SSL_CTX->extra_certs:
  SSL_CTX_add_extra_chain_cert
  SSL_CTX_get_extra_chain_certs
  SSL_CTX_clear_extra_chain_certs

In 1.0.2-dev, the #defines such as SSL_CTX_add0_chain_cert allow me to specify different chains for different certificate types, but AFAICT there are no associated get() or clear() functions.

I can't see a way to squeeze a standalone SSL_CTX_get_chain_certs function into SSL_CTX_ctrl(). There's only 1 pointer argument available, so I can't pass in an X509* (to indicate which cert I want the chain for) and get back a STACK_OF(X509)* (the chain).

One option would be to have another SSL_CTX_ctrl #define called SSL_CTX_get_cert_type, which would accept an X509* and return the index of that cert (i.e. SSL_CTX->CERT->pkeys[index]->x509), or -1 if not found. That index could then be passed to SSL_CTX_get_chain_certs in the larg argument. However, since the SSL_PKEY_* #defines are private (in ssl_locl.h), I'm unsure whether exposing these values in the public APIs would be acceptable.

The other option would be to write SSL_CTX_get_chain_certs() as a proper function (instead of a SSL_CTX_ctrl #define), but I'm unsure whether or not that would be better than the first option.

Any preference?

Thanks.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
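The two-step lookup proposed in the mail (a ctrl that maps an X509* to its pkeys[] index, then a second ctrl that takes that index in larg and returns the chain through the one pointer argument) can be modelled without OpenSSL. The program below is an added example, not code from the mail or from OpenSSL: the struct layout, the command numbers 200 and 201, the slot count, the install() helper and the constructed certificates are all assumptions chosen to mirror the shape of SSL_CTX_ctrl(), whose real signature is the only thing borrowed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for X509 and STACK_OF(X509); a chain is a small fixed array. */
typedef struct { const char *subject; } X509;

#define MAX_CHAIN 4
typedef struct { X509 *certs[MAX_CHAIN]; int num; } X509_STACK;

/* Model of SSL_CTX->cert->pkeys[]: one slot per certificate type, each with
 * its own chain, as SSL_CTX_add0_chain_cert allows in 1.0.2-dev. The slot
 * count is an assumption for this model. */
#define SSL_PKEY_NUM 3
typedef struct { X509 *x509; X509_STACK chain; } CERT_PKEY;
typedef struct { CERT_PKEY pkeys[SSL_PKEY_NUM]; } SSL_CTX;

/* Hypothetical ctrl command numbers for the proposal in the mail. */
#define SSL_CTRL_GET_CERT_TYPE   200
#define SSL_CTRL_GET_CHAIN_CERTS 201

/* Same shape as the real SSL_CTX_ctrl(): one long and one void* argument. */
long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
    switch (cmd) {
    case SSL_CTRL_GET_CERT_TYPE: {
        /* parg is the X509* to look up; return its pkeys[] index, or -1.
         * Reject NULL explicitly so an empty slot is never "found". */
        X509 *x = parg;
        if (x == NULL)
            return -1;
        for (long i = 0; i < SSL_PKEY_NUM; i++)
            if (ctx->pkeys[i].x509 == x)
                return i;
        return -1;
    }
    case SSL_CTRL_GET_CHAIN_CERTS: {
        /* larg selects the slot and parg receives the chain pointer;
         * larg is caller-supplied, so it must be bounds-checked. */
        if (larg < 0 || larg >= SSL_PKEY_NUM || parg == NULL)
            return 0;
        *(X509_STACK **)parg = &ctx->pkeys[larg].chain;
        return 1;
    }
    default:
        return 0;
    }
}

#define SSL_CTX_get_cert_type(ctx, x) \
    SSL_CTX_ctrl((ctx), SSL_CTRL_GET_CERT_TYPE, 0, (void *)(x))
#define SSL_CTX_get_chain_certs(ctx, idx, pchain) \
    SSL_CTX_ctrl((ctx), SSL_CTRL_GET_CHAIN_CERTS, (idx), (void *)(pchain))

/* The two-step lookup: cert -> slot index -> chain.
 * Returns NULL when the cert is not installed in any slot. */
X509_STACK *chain_for_cert(SSL_CTX *ctx, X509 *x)
{
    long idx = SSL_CTX_get_cert_type(ctx, x);
    X509_STACK *chain = NULL;
    if (idx < 0 || !SSL_CTX_get_chain_certs(ctx, idx, &chain))
        return NULL;
    return chain;
}

/* Model-only helper: put a leaf in a slot and attach one intermediate. */
void install(SSL_CTX *ctx, int slot, X509 *leaf, X509 *intermediate)
{
    CERT_PKEY *pk = &ctx->pkeys[slot];
    pk->x509 = leaf;
    pk->chain.num = 0;
    if (intermediate != NULL)
        pk->chain.certs[pk->chain.num++] = intermediate;
}

/* Constructed scenario: RSA cert in slot 0, ECDSA cert in slot 2, each with
 * its own intermediate. Returns the number of checks that pass (4 expected). */
int demo(void)
{
    SSL_CTX ctx;
    X509 rsa_leaf = {"rsa leaf"}, rsa_ca = {"rsa intermediate"};
    X509 ec_leaf = {"ecdsa leaf"}, ec_ca = {"ecdsa intermediate"};
    X509 stranger = {"never installed"};
    X509_STACK *chain;
    int passed = 0;

    memset(&ctx, 0, sizeof ctx);
    install(&ctx, 0, &rsa_leaf, &rsa_ca);
    install(&ctx, 2, &ec_leaf, &ec_ca);

    chain = chain_for_cert(&ctx, &ec_leaf);
    if (chain != NULL && chain->num == 1 && chain->certs[0] == &ec_ca)
        passed++;                      /* ECDSA chain, not the RSA one */
    chain = chain_for_cert(&ctx, &rsa_leaf);
    if (chain != NULL && chain->certs[0] == &rsa_ca)
        passed++;
    if (chain_for_cert(&ctx, &stranger) == NULL)
        passed++;                      /* unknown cert -> -1 -> NULL */
    if (SSL_CTX_get_chain_certs(&ctx, 7, &chain) == 0)
        passed++;                      /* out-of-range index rejected */
    return passed;
}

int main(void)
{
    printf("%d of 4 checks passed\n", demo());
    return 0;
}
```

The point the model makes concrete is that the first ctrl uses the long return value to carry the index, which frees the single pointer argument in the second ctrl to act as an out-parameter; because that index then arrives in larg from the caller, the bounds check in SSL_CTRL_GET_CHAIN_CERTS is the check a real implementation would need rather than an optional nicety.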