1 files changed, 53 insertions, 0 deletions

diff --git a/lib/libssl/man/SSL_get_peer_certificate.3 b/lib/libssl/man/SSL_get_peer_certificate.3
new file mode 100644
index 00000000000..f1b34dfa084
--- /dev/null
+++ b/lib/libssl/man/SSL_get_peer_certificate.3
@@ -0,0 +1,53 @@
+.\"
+.\"	$OpenBSD: SSL_get_peer_certificate.3,v 1.1 2016/11/05 15:32:20 schwarze Exp $
+.\"
+.Dd $Mdocdate: November 5 2016 $
+.Dt SSL_GET_PEER_CERTIFICATE 3
+.Os
+.Sh NAME
+.Nm SSL_get_peer_certificate
+.Nd get the X509 certificate of the peer
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft X509 *
+.Fn SSL_get_peer_certificate "const SSL *ssl"
+.Sh DESCRIPTION
+.Fn SSL_get_peer_certificate
+returns a pointer to the X509 certificate the peer presented.
+If the peer did not present a certificate,
+.Dv NULL
+is returned.
+.Sh NOTES
+Due to the protocol definition, a TLS/SSL server will always send a
+certificate, if present.
+A client will only send a certificate when explicitly requested to do so by the
+server (see
+.Xr SSL_CTX_set_verify 3 ) .
+If an anonymous cipher is used, no certificates are sent.
+.Pp
+That a certificate is returned does not indicate information about the
+verification state.
+Use
+.Xr SSL_get_verify_result 3
+to check the verification state.
+.Pp
+The reference count of the
+.Vt X509
+object is incremented by one, so that it will not be destroyed when the session
+containing the peer certificate is freed.
+The
+.Vt X509
+object must be explicitly freed using
+.Xr X509_free 3 .
+.Sh RETURN VALUES
+The following return values can occur:
+.Bl -tag -width Ds
+.It Dv NULL
+No certificate was presented by the peer or no connection was established.
+.It Pointer to an X509 certificate
+The return value points to the certificate presented by the peer.
+.El
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_set_verify 3 ,
+.Xr SSL_get_verify_result 3