Add configuration option to remove peer CRT after handshake

2025-07-29 11:41:15 +03:00 · 2019-02-05 17:04:00 +00:00
parent 4a82c1ccb4
commit bb278f52ca
2 changed files with 28 additions and 2 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -2982,8 +2982,12 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
 * \param  ssl     The SSL context to use. This must be initialized and setup.
 *
 * \return         The current peer certificate, or \c NULL if
- *                 none is available. It is owned by the SSL context
- *                 and valid only until the next call to the SSL API.
+ *                 none is available, which might be because the chosen
+ *                 ciphersuite does not use peer certificates, or because
+ *                 #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled.
+ *                 If this functions does not return \c NULL, the returned
+ *                 certificate is owned by the SSL context and valid only
+ *                 until the next call to the SSL API.
 *
 * \note           For one-time inspection of the peer's certificate during
 *                 the handshake, consider registering an X.509 CRT verification