On Wed, Sep 25, 2019 at 07:05:59PM +0000, Michael Wojcik wrote:

> Simon may correct me on this, and it may not be useful anyway; but if
> memory serves, it's currently being used to set the issuer on one invocation
> of the callback, so that on subsequent invocations for the same certificate
> the callback will see the desired issuer.

The "verify callback" is called for each error during chain construction
that does not cause immediate failure, and then, once the chain is built,
for each layer in the chain starting with the trust-anchor, reporting
success or any signature or expiration issues. This final pass sets the
current issuer for inspection.

I would not expect the "verify callback" to construct an alternate chain.
For that, with SSL one would need to instead use
SSL_CTX_set_cert_verify_callback(3), which side-steps the entirety of the
built-in chain construction and verification process. With that you do
whatever you want, but if you then want to also run the normal verify
callbacks from your own chain construction code, then perhaps you might
need an accessor to set the (read-only from the perspective of those
callbacks) issuer_cert.

-- 
	Viktor.