From e93ffa5da79cdc4b6a1f4ea6320464b406126e87 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Tue, 27 Oct 2015 02:38:02 -0400
Subject: [PATCH] Clarify that SSL_get_peer_cert_chain returns the unverified chain.

This came up and I wasn't sure which it was without source-diving.

Change-Id: Ie659096e0f42a7448f81dfb1006c125d292fd7fd
Reviewed-on: https://boringssl-review.googlesource.com/6354
Reviewed-by: Adam Langley
---
 include/openssl/ssl.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ae40437d..dbf87057 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1212,9 +1212,11 @@ OPENSSL_EXPORT int SSL_in_false_start(const SSL *ssl);
 OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
 
 /* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
- * unavailable or the peer did not use certificates. For historical reasons,
- * this may not be available if resuming a serialized |SSL_SESSION|. The caller
- * does not take ownership of the result.
+ * unavailable or the peer did not use certificates. This is the unverified
+ * list of certificates as sent by the peer, not the final chain built during
+ * verification. For historical reasons, this value may not be available if
+ * resuming a serialized |SSL_SESSION|. The caller does not take ownership of
+ * the result.
  *
  * WARNING: This function behaves differently between client and server. If
  * |ssl| is a server, the returned chain does not include the leaf certificate.
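Review bot: The new wording says the chain is unverified, but it stops short of telling callers what that means for how the result may be used; since the certificates are exactly what the peer sent, their order, count and contents are under the peer's control and carry no trust until verification has run. I would add one sentence after "not the final chain built during verification.": `Callers must not base trust or authorization decisions on the contents or ordering of this list; only the result of certificate verification is authoritative.` The rest of the comment, including the client/server warning, continues past the end of the hunk.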