> On Oct 25, 2019, at 5:38 PM, Jan Just Keijser <[email protected]> wrote:
>
>> Is there a way to figure out which CA the server used to validate the client
>> certificate?
>
> On the server side? You would have to write your own verify callback to
> intercept the certificate stack as it is processed. That way, you can monitor
> which CA OpenSSL selected for verification.
No, that's not necessary. After the completion of the
handshake one can call SSL_get0_verified_chain(3).
This chain is only available on full handshakes, when
validation is successful (SSL_get_verify_result(3)
returns X509_V_OK). On resumption, only the leaf
certificate is available from the resumed session,
via SSL_get_peer_certificate(3).
Of course there might not be a client certificate at all.
--
Viktor.