SSL_get0_verified_chain was exactly what I needed, thanks!

-----Original Message-----
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Viktor Dukhovni
Sent: Friday, October 25, 2019 11:55 AM
To: openssl-users@openssl.org
Subject: Re: Retrieve CA for client cert from SSL*

> On Oct 25, 2019, at 5:38 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:
>
>> Is there a way to figure out which CA the server used to validate the client
>> certificate?
>
> on the server side? you would have to write your own verify callback to
> intercept the certificate stack as it is processed. That way, you can monitor
> which CA openssl selected for verification.

No, that's not necessary. After the completion of the handshake one can call
SSL_get0_verified_chain(3). This chain is only available on full handshakes,
when validation is successful (SSL_get_verify_result(3) returns X509_V_OK).

On resumption, only the leaf certificate is available from the resumed session,
via SSL_get_peer_certificate(3). Of course there might not be a client
certificate at all.

--
Viktor.