Clarify that SSL_get_peer_cert_chain returns the unverified chain.

This came up and I wasn't sure which it was without source-diving. Change-Id: Ie659096e0f42a7448f81dfb1006c125d292fd7fd Reviewed-on: https://boringssl-review.googlesource.com/6354 Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 02:38:02 -04:00 · 2015-10-27 02:38:02 -04:00 · e93ffa5da7
commit e93ffa5da7
parent 05ee4fda1c
1 changed files with 5 additions and 3 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -1212,9 +1212,11 @@ OPENSSL_EXPORT int SSL_in_false_start(const SSL *ssl);
 OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);

 /* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
- * unavailable or the peer did not use certificates. For historical reasons,
- * this may not be available if resuming a serialized |SSL_SESSION|. The caller
- * does not take ownership of the result.
+ * unavailable or the peer did not use certificates. This is the unverified
+ * list of certificates as sent by the peer, not the final chain built during
+ * verification. For historical reasons, this value may not be available if
+ * resuming a serialized |SSL_SESSION|. The caller does not take ownership of
+ * the result.
 *
 * WARNING: This function behaves differently between client and server. If
 * |ssl| is a server, the returned chain does not include the leaf certificate.