> In OpenSSL, SSL_get_peer_certificate().
..after getting the SSL* arg with
Which the manpage recommends not doing. At least
don't meddle with the SSL* more than you have to.
I presume Michael's case is one of the few in which the client would pay
enough attention to details when using such an option.
Whether a case like this deserves an OpenLDAP API is questionable, since
it is not an LDAP-specific issue, but rather a general SSL wrapping issue.
OTOH, as long as clever client design often needs it, I would not object
to adding such a feature.
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano