SSL_get0_verified_chain was exactly what I needed, thanks!

-----Original Message-----
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Viktor Dukhovni
Sent: Friday, October 25, 2019 11:55 AM
To: openssl-users@openssl.org
Subject: Re: Retrieve CA for client cert from SSL*

> On Oct 25, 2019, at 5:38 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> 
>> Is there a way to figure out which CA the server used to validate the client 
>> certificate?
>  
> on the server side?  you would have to write your own verify callback to 
> intercept the certificate stack as it is processed. That way, you can monitor 
> which CA openssl selected for verification.

No, that's not necessary.  After the completion of the handshake one can call 
SSL_get0_verified_chain(3).

This chain is only available on full handshakes, when validation is successful 
(SSL_get_verify_result(3) returns X509_V_OK).  On resumption, only the leaf 
certificate is available from the resumed session, via 
SSL_get_peer_certificate(3).

Of course there might not be a client certificate at all.

-- 
        Viktor.
