Viktor Dukhovni
Fri Oct 25 15:54:40 UTC 2019

> On Oct 25, 2019, at 5:38 PM, Jan Just Keijser <janjust at> wrote:
>> Is there a way to figure out which CA the server used to validate the client certificate?
> on the server side?  You would have to write your own verify callback to intercept the certificate stack as it is processed. That way, you can monitor which CA OpenSSL selected for verification.

No, that's not necessary.  After the completion of the
handshake one can call SSL_get0_verified_chain(3).

This chain is only available on full handshakes, when
validation is successful (SSL_get_verify_result(3)
returns X509_V_OK).  On resumption, only the leaf
certificate is available from the resumed session,
via SSL_get_peer_certificate(3).

Of course there might not be a client certificate at all.