1 files changed, 33 insertions, 12 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index 1feee4265c..a6d869b335 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,5 +1,5 @@
-.\"     $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.5 2018/03/23 05:50:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.6 2019/04/05 18:29:43 schwarze Exp $
-.\"     OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
 .\" Dr. Stephen Henson <steve@openssl.org>.
@@ -50,18 +50,21 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: April 5 2019 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_add_extra_chain_cert ,
+.Nm SSL_CTX_get_extra_chain_certs ,
 .Nm SSL_CTX_clear_extra_chain_certs
-.Nd add or clear extra chain certificates
+.Nd add, retrieve, and clear extra chain certificates
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
 .Ft long
+.Fn SSL_CTX_get_extra_chain_certs "SSL_CTX *ctx" "STACK_OF(X509) **certs"
+.Ft long
 .Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
 .Sh DESCRIPTION
 .Fn SSL_CTX_add_extra_chain_cert
@@ -71,6 +74,11 @@ to the extra chain certificates associated with
 .Fa ctx .
 Several certificates can be added one after another.
 .Pp
+.Fn SSL_CTX_get_extra_chain_certs
+retrieves an internal pointer to the stack of extra chain certificates
+associated with
+.Fa ctx .
+.Pp
 .Fn SSL_CTX_clear_extra_chain_certs
 clears all extra chain certificates associated with
 .Fa ctx .
@@ -91,14 +99,16 @@ will be freed by the library when the
 is destroyed.
 An application should not free the
 .Fa x509
-object.
+object, nor the
+.Pf * Fa certs
+object retrieved by
+.Fn SSL_CTX_get_extra_chain_certs .
 .Sh RETURN VALUES
-.Fn SSL_CTX_add_extra_chain_cert
+These functions return 1 on success or 0 for failure.
-and
-.Fn SSL_CTX_clear_extra_chain_certs
-return 1 on success or 0 for failure.
 Check out the error stack to find out the reason for failure.
 .Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add1_chain_cert 3 ,
 .Xr SSL_CTX_ctrl 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_client_cert_cb 3 ,
@@ -108,15 +118,26 @@ Check out the error stack to find out the reason for failure.
 first appeared in SSLeay 0.9.1 and has been available since
 .Ox 2.6 .
 .Pp
+.Fn SSL_CTX_get_extra_chain_certs
+and
 .Fn SSL_CTX_clear_extra_chain_certs
-first appeared in OpenSSL 1.0.1 and has been available since
+first appeared in OpenSSL 1.0.1 and have been available since
 .Ox 5.3 .
 .Sh CAVEATS
+Certificates added with
+.Fn SSL_CTX_add_extra_chain_cert
+are ignored when certificates are also available that have been
+added using the functions documented in
+.Xr SSL_CTX_set1_chain 3 .
+.Pp
 Only one set of extra chain certificates can be specified per
 .Vt SSL_CTX
-structure.
+structure using
+.Fn SSL_CTX_add_extra_chain_cert .
 Different chains for different certificates (for example if both
 RSA and DSA certificates are specified by the same server) or
 different SSL structures with the same parent
 .Vt SSL_CTX
-cannot be specified using this function.
+require using the functions documented in
+.Xr SSL_CTX_set1_chain 3
+instead.