[thirdparty/openssl.git] / doc / man3 / SSL_get_peer_cert_chain.pod

=pod

=head1 NAME

SSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate
chain of the peer

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl);

=head1 DESCRIPTION

SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
forming the certificate chain sent by the peer. If called on the client side,
the stack also contains the peer's certificate; if called on the server
side, the peer's certificate must be obtained separately using
L<SSL_get_peer_certificate(3)>.
If the peer did not present a certificate, NULL is returned.

NB: SSL_get_peer_cert_chain() returns the peer chain as sent by the peer: it
only consists of certificates the peer has sent (in the order the peer
has sent them) it is B<not> a verified chain.

SSL_get0_verified_chain() returns the B<verified> certificate chain
of the peer including the peer's end entity certificate. It must be called
after a session has been successfully established. If peer verification was
not successful (as indicated by SSL_get_verify_result() not returning
X509_V_OK) the chain may be incomplete or invalid.

=head1 NOTES

If the session is resumed peers do not send certificates so a NULL pointer
is returned by these functions. Applications can call SSL_session_reused()
to determine whether a session is resumed.

The reference count of each certificate in the returned STACK_OF(X509) object
is not incremented and the returned stack may be invalidated by renegotiation.
If applications wish to use any certificates in the returned chain
indefinitely they must increase the reference counts using X509_up_ref() or
obtain a copy of the whole chain with X509_chain_up_ref().

=head1 RETURN VALUES

The following return values can occur:

=over 4

=item NULL

No certificate was presented by the peer or no connection was established
or the certificate chain is no longer available when a session is reused.

=item Pointer to a STACK_OF(X509)

The return value points to the certificate chain presented by the peer.

=back

=head1 SEE ALSO

L<ssl(7)>, L<SSL_get_peer_certificate(3)>, L<X509_up_ref(3)>,
L<X509_chain_up_ref(3)>

=head1 COPYRIGHT

Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
4759abc5 RL	1	=pod
	2
	3	=head1 NAME
	4
696178ed DSH	5	SSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate
696178ed DSH	6	chain of the peer
4759abc5 RL	7
	8	=head1 SYNOPSIS
	9
	10	#include <openssl/ssl.h>
	11
e5676b83	12	STACK_OF(X509) SSL_get_peer_cert_chain(const SSL ssl);
696178ed	13	STACK_OF(X509) SSL_get0_verified_chain(const SSL ssl);
4759abc5 RL	14
	15	=head1 DESCRIPTION
	16
e5676b83	17	SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
696178ed	18	forming the certificate chain sent by the peer. If called on the client side,
4759abc5	19	the stack also contains the peer's certificate; if called on the server
52d160d8	20	side, the peer's certificate must be obtained separately using
9b86974e	21	L<SSL_get_peer_certificate(3)>.
4759abc5 RL	22	If the peer did not present a certificate, NULL is returned.
4759abc5 RL	23
1f164c6f	24	NB: SSL_get_peer_cert_chain() returns the peer chain as sent by the peer: it
696178ed DSH	25	only consists of certificates the peer has sent (in the order the peer
	26	has sent them) it is B<not> a verified chain.
	27
	28	SSL_get0_verified_chain() returns the B<verified> certificate chain
	29	of the peer including the peer's end entity certificate. It must be called
	30	after a session has been successfully established. If peer verification was
	31	not successful (as indicated by SSL_get_verify_result() not returning
	32	X509_V_OK) the chain may be incomplete or invalid.
	33
4759abc5 RL	34	=head1 NOTES
4759abc5 RL	35
99978d51 DSH	36	If the session is resumed peers do not send certificates so a NULL pointer
	37	is returned by these functions. Applications can call SSL_session_reused()
	38	to determine whether a session is resumed.
4759abc5	39
696178ed DSH	40	The reference count of each certificate in the returned STACK_OF(X509) object
	41	is not incremented and the returned stack may be invalidated by renegotiation.
	42	If applications wish to use any certificates in the returned chain
	43	indefinitely they must increase the reference counts using X509_up_ref() or
	44	obtain a copy of the whole chain with X509_chain_up_ref().
4759abc5 RL	45
	46	=head1 RETURN VALUES
	47
	48	The following return values can occur:
	49
	50	=over 4
	51
	52	=item NULL
	53
	54	No certificate was presented by the peer or no connection was established
	55	or the certificate chain is no longer available when a session is reused.
	56
e5676b83	57	=item Pointer to a STACK_OF(X509)
4759abc5 RL	58
	59	The return value points to the certificate chain presented by the peer.
	60
	61	=back
	62
	63	=head1 SEE ALSO
	64
b97fdb57	65	L<ssl(7)>, L<SSL_get_peer_certificate(3)>, L<X509_up_ref(3)>,
696178ed	66	L<X509_chain_up_ref(3)>
4759abc5	67
e2f92610 RS	68	=head1 COPYRIGHT
	69
	70	Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
	71
4746f25a	72	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	73	this file except in compliance with the License. You can obtain a copy
	74	in the file LICENSE in the source distribution or at
	75	L<https://www.openssl.org/source/license.html>.
	76
	77	=cut