We have a service that uses TLS. Prior to SSL_VERIFY_POST_HANDSHAKE, we knew we would have a certificate after the handshake when using SSL_VERIFY_PEER:SSL_VERIFY_FAIL_IF_NO_PEER_CERT. We would call SSL_get_peer_certificate after the handshake completed and dump some information about the client certificate into our logs.

After adding SSL_VERIFY_POST_HANDSHAKE to the mix, I’m trying to figure out when to check for the client certificate. The options that I see are:

* Repeatedly call SSL_get_peer_certificate, or if OpenSSL 3.0 use SSL_get0_peer_certificate
* Implement a client certificate callback function
* Use SSL_get_state, but I’m not sure how to work out the states. It looks like either TLS_ST_SR_FINISHED/TLS_ST_SW_FINISHED are what I need to wait for

Any pointers on how to know when the client certificate has been received and processed?

Thanks,
Amul