Commit | Line | Data |
---|---|---|
4759abc5 RL |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
696178ed DSH |
5 | SSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate |
6 | chain of the peer | |
4759abc5 RL |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
10 | #include <openssl/ssl.h> | |
11 | ||
e5676b83 | 12 | STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); |
696178ed | 13 | STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl); |
4759abc5 RL |
14 | |
15 | =head1 DESCRIPTION | |
16 | ||
e5676b83 | 17 | SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates |
696178ed | 18 | forming the certificate chain sent by the peer. If called on the client side, |
4759abc5 | 19 | the stack also contains the peer's certificate; if called on the server |
52d160d8 | 20 | side, the peer's certificate must be obtained separately using |
9b86974e | 21 | L<SSL_get_peer_certificate(3)>. |
4759abc5 RL |
22 | If the peer did not present a certificate, NULL is returned. |
23 | ||
1f164c6f | 24 | NB: SSL_get_peer_cert_chain() returns the peer chain as sent by the peer: it |
696178ed DSH |
25 | only consists of certificates the peer has sent (in the order the peer |
26 | has sent them); it is B<not> a verified chain. | |
27 | ||
28 | SSL_get0_verified_chain() returns the B<verified> certificate chain | |
29 | of the peer including the peer's end entity certificate. It must be called | |
30 | after a session has been successfully established. If peer verification was | |
31 | not successful (as indicated by SSL_get_verify_result() not returning | |
32 | X509_V_OK), the chain may be incomplete or invalid. | |
33 | ||
4759abc5 RL |
34 | =head1 NOTES |
35 | ||
99978d51 DSH |
36 | If the session is resumed, peers do not send certificates, so a NULL pointer |
37 | is returned by these functions. Applications can call SSL_session_reused() | |
38 | to determine whether a session is resumed. | |
4759abc5 | 39 | |
696178ed DSH |
40 | The reference count of each certificate in the returned STACK_OF(X509) object |
41 | is not incremented and the returned stack may be invalidated by renegotiation. | |
42 | If applications wish to use any certificates in the returned chain | |
43 | indefinitely they must increase the reference counts using X509_up_ref() or | |
44 | obtain a copy of the whole chain with X509_chain_up_ref(). | |
4759abc5 RL |
45 | |
46 | =head1 RETURN VALUES | |
47 | ||
48 | The following return values can occur: | |
49 | ||
50 | =over 4 | |
51 | ||
52 | =item NULL | |
53 | ||
54 | No certificate was presented by the peer or no connection was established | |
55 | or the certificate chain is no longer available when a session is reused. | |
56 | ||
e5676b83 | 57 | =item Pointer to a STACK_OF(X509) |
4759abc5 RL |
58 | |
59 | The return value points to the certificate chain presented by the peer. | |
60 | ||
61 | =back | |
62 | ||
63 | =head1 SEE ALSO | |
64 | ||
b97fdb57 | 65 | L<ssl(7)>, L<SSL_get_peer_certificate(3)>, L<X509_up_ref(3)>, |
696178ed | 66 | L<X509_chain_up_ref(3)> |
4759abc5 | 67 | |
e2f92610 RS |
68 | =head1 COPYRIGHT |
69 | ||
70 | Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. | |
71 | ||
4746f25a | 72 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
73 | this file except in compliance with the License. You can obtain a copy |
74 | in the file LICENSE in the source distribution or at | |
75 | L<https://www.openssl.org/source/license.html>. | |
76 | ||
77 | =cut |