Commit | Line | Data |
---|---|---|
4759abc5 RL |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
696178ed DSH |
5 | SSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate |
6 | chain of the peer | |
4759abc5 RL |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
10 | #include <openssl/ssl.h> | |
11 | ||
e5676b83 | 12 | STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); |
696178ed | 13 | STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl); |
4759abc5 RL |
14 | |
15 | =head1 DESCRIPTION | |
16 | ||
e5676b83 | 17 | SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates |
696178ed | 18 | forming the certificate chain sent by the peer. If called on the client side, |
4759abc5 | 19 | the stack also contains the peer's certificate; if called on the server |
52d160d8 | 20 | side, the peer's certificate must be obtained separately using |
9b86974e | 21 | L<SSL_get_peer_certificate(3)>. |
4759abc5 RL |
22 | If the peer did not present a certificate, NULL is returned. |
23 | ||
696178ed DSH |
24 | NB: SSL_get_peer_cert_chain() returns the peer chain as sent by the peer: it |
25 | only consists of certificates the peer has sent (in the order the peer | |
26 | has sent them); it is B<not> a verified chain. | |
27 | ||
28 | SSL_get0_verified_chain() returns the B<verified> certificate chain | |
29 | of the peer including the peer's end entity certificate. It must be called | |
30 | after a session has been successfully established. If peer verification was | |
31 | not successful (as indicated by SSL_get_verify_result() not returning | |
32 | X509_V_OK) the chain may be incomplete or invalid. | |
33 | ||
4759abc5 RL |
34 | =head1 NOTES |
35 | ||
36 | The peer certificate chain is not necessarily available after reusing | |
37 | a session, in which case a NULL pointer is returned. | |
38 | ||
696178ed DSH |
39 | The reference count of each certificate in the returned STACK_OF(X509) object |
40 | is not incremented and the returned stack may be invalidated by renegotiation. | |
41 | If applications wish to use any certificates in the returned chain | |
42 | indefinitely they must increase the reference counts using X509_up_ref() or | |
43 | obtain a copy of the whole chain with X509_chain_up_ref(). | |
4759abc5 RL |
44 | |
45 | =head1 RETURN VALUES | |
46 | ||
47 | The following return values can occur: | |
48 | ||
49 | =over 4 | |
50 | ||
51 | =item NULL | |
52 | ||
53 | No certificate was presented by the peer or no connection was established | |
54 | or the certificate chain is no longer available when a session is reused. | |
55 | ||
e5676b83 | 56 | =item Pointer to a STACK_OF(X509) |
4759abc5 RL |
57 | |
58 | The return value points to the certificate chain presented by the peer. | |
59 | ||
60 | =back | |
61 | ||
62 | =head1 SEE ALSO | |
63 | ||
696178ed DSH |
64 | L<ssl(3)>, L<SSL_get_peer_certificate(3)>, L<X509_up_ref(3)>, |
65 | L<X509_chain_up_ref(3)> | |
4759abc5 RL |
66 | |
67 | =cut |