Question about using Post Handshake Authentication (SSL_VERIFY_POST_HANDSHAKE) and SSL_get_peer_certificate

Shah, Amul Amul.Shah at
Wed Sep 20 19:39:19 UTC 2023

We have a service that uses TLS. Prior to SSL_VERIFY_POST_HANDSHAKE, we knew we would have a certificate after the handshake when using SSL_VERIFY_PEER:SSL_VERIFY_FAIL_IF_NO_PEER_CERT. We would call SSL_get_peer_certificate after the handshake completed and dump some information about the client certificate into our logs. After adding SSL_VERIFY_POST_HANDSHAKE to the mix, I’m trying to figure out when to check for the client certificate.
The options that I see are:
* Repeatedly call SSL_get_peer_certificate, or if OpenSSL 3.0 use SSL_get0_peer_certificate
* Implement a client certificate callback function
* Use SSL_get_state, but I’m not sure how to work out the states. It looks like either TLS_ST_SR_FINISHED/TLS_ST_SW_FINISHED are what I need to wait for
Any pointers on how to know when the client certificate has been received and processed?
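The following is an added example, not part of the post above and not OpenSSL project code. It uses Python's `ssl` module, which is a thin wrapper over the OpenSSL calls the post names: `SSLContext.post_handshake_auth` sets SSL_VERIFY_POST_HANDSHAKE on server sockets (and SSL_set_post_handshake_auth() on client sockets), `SSLSocket.verify_client_post_handshake()` calls SSL_verify_client_post_handshake(), and `getpeercert()` calls SSL_get_peer_certificate() (SSL_get1_peer_certificate() on 3.0). The script runs a TLS 1.3 client and server over loopback and records what the server's `getpeercert()` returns at each stage, which makes the timing visible: nothing after the initial handshake, nothing after queuing and sending the CertificateRequest, and the certificate only after the read that consumes the client's Certificate/CertificateVerify/Finished. It assumes the `openssl` CLI is on PATH (used only to mint a throwaway self-signed certificate), a Python whose `ssl` is built on OpenSSL 1.1.1 or later, and names such as `run_pha_demo`, `serve_one` and `peer_common_name`, which are this example's own.

```python
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

PHA_TIMEOUT = 10  # seconds; keeps a stuck peer from hanging the demo


def make_test_cert(dirpath):
    """Write a throwaway self-signed RSA cert for 'localhost' with the openssl
    CLI. Constructed test material: the one cert acts as server identity,
    client identity and trust anchor for this demo only."""
    cert, key = Path(dirpath, "cert.pem"), Path(dirpath, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key), "-out", str(cert), "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return cert, key


def peer_common_name(cert):
    """Extract commonName from the dict getpeercert() returns (None if absent)."""
    for rdn in (cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def serve_one(listener, ctx, results):
    """Server side: handshake, read, request PHA, read again, recording what
    getpeercert() (SSL_get_peer_certificate) shows at each step."""
    try:
        raw, _ = listener.accept()
        raw.settimeout(PHA_TIMEOUT)
        with ctx.wrap_socket(raw, server_side=True) as conn:
            # Initial handshake complete. SSL_VERIFY_POST_HANDSHAKE suppressed
            # the CertificateRequest, so there is no client certificate yet.
            results["after_handshake"] = conn.getpeercert()
            conn.recv(64)                                    # b"hello"
            results["after_first_read"] = conn.getpeercert()
            # SSL_verify_client_post_handshake(): queues the CertificateRequest;
            # OpenSSL sends it with the next write.
            conn.verify_client_post_handshake()
            conn.sendall(b"pha-requested")
            # Still nothing: the client's reply has not been read yet.
            results["after_request_sent"] = conn.getpeercert()
            # This read consumes Certificate/CertificateVerify/Finished from the
            # client (verified against the trust store) before returning data.
            conn.recv(64)                                    # b"after-pha"
            results["after_pha_read"] = conn.getpeercert()
            conn.sendall(b"bye")
    except Exception as exc:  # surfaced to the caller after join()
        results["server_error"] = exc


def run_pha_demo():
    """Drive a TLS 1.3 client and server over loopback; return the server's
    observations, or None when the demo cannot run here (no openssl CLI or
    no TLS 1.3 in this Python build)."""
    if shutil.which("openssl") is None or not ssl.HAS_TLSv1_3:
        return None
    with tempfile.TemporaryDirectory() as d:
        try:
            cert, key = make_test_cert(d)
        except (subprocess.CalledProcessError, OSError):
            return None
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.minimum_version = ssl.TLSVersion.TLSv1_3        # PHA is TLS 1.3 only
        sctx.load_cert_chain(cert, key)
        sctx.load_verify_locations(cafile=cert)
        sctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT
        sctx.post_handshake_auth = True       # adds SSL_VERIFY_POST_HANDSHAKE on server sockets
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)       # verifies cert and hostname
        cctx.load_verify_locations(cafile=cert)
        cctx.load_cert_chain(cert, key)       # identity to present when asked
        cctx.post_handshake_auth = True       # client advertises the PHA extension
        results = {}
        listener = socket.socket()
        listener.settimeout(PHA_TIMEOUT)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        worker = threading.Thread(target=serve_one, args=(listener, sctx, results))
        worker.start()
        try:
            with cctx.wrap_socket(socket.socket(), server_hostname="localhost") as s:
                s.settimeout(PHA_TIMEOUT)
                s.connect(listener.getsockname())
                s.sendall(b"hello")
                # This read processes the CertificateRequest and answers it with
                # Certificate/CertificateVerify/Finished before returning data.
                assert s.recv(64) == b"pha-requested"
                s.sendall(b"after-pha")
                s.recv(64)                                   # b"bye"
        finally:
            worker.join()
            listener.close()
        if "server_error" in results:
            raise results["server_error"]
    return results


if __name__ == "__main__":
    for stage, cert in (run_pha_demo() or {}).items():
        print(f"{stage:20s} -> {peer_common_name(cert)}")
```

The same ordering holds for the C API the post uses: SSL_verify_client_post_handshake() only queues the request, the next SSL_write() or SSL_do_handshake() transmits it, and the client's reply is processed inside a later SSL_read() on the server, after which SSL_get_peer_certificate() stops returning NULL. So the logging call belongs after a read that follows the request (or inside the verify callback, which runs during that read), not immediately after the handshake or after sending the request.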