Better document the callbacks around client certificates.

Deprecate the client_cert_cb variant since you can't really configure
intermediates with it. (You might be able to by configuring the
intermediates without the leaf or key and leaving the SSL stack to
configure those, but that's really weird. cert_cb is simpler.)

Also document the two functions the callbacks may use to query the
CertificateRequest on the client.

Change-Id: Iad6076266fd798cd74ea4e09978e7f5df5c8a670
Reviewed-by: Adam Langley <>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 559db72..0bc9df1 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2189,12 +2189,11 @@
   return ret;
-int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) {
-  int i = 0;
-  if (s->ctx->client_cert_cb) {
-    i = s->ctx->client_cert_cb(s, px509, ppkey);
+int ssl_do_client_cert_cb(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey) {
+  if (ssl->ctx->client_cert_cb == NULL) {
+    return 0;
-  return i;
+  return ssl->ctx->client_cert_cb(ssl, out_x509, out_pkey);
 int ssl3_verify_server_cert(SSL *s) {
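Review bot: ssl_do_client_cert_cb now passes the callback's return value straight through with no comment on what the values mean, and the out_x509/out_pkey names promise outputs whose state is unspecified on the early `return 0` path. Since this commit is about documentation, consider a short comment above the function stating the return convention the caller relies on, and that *out_x509 and *out_pkey are left untouched when client_cert_cb is NULL. Nothing in these lines checks that a successful callback return actually set both outputs; if the caller (not visible in this hunk) does not already verify that, a check here would catch a callback that supplies a certificate without a key or a key without a certificate.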