Finally going in to fix the TS_SSL_VERIFY_CLIENT_HOOK and TS_SSL_VERIFY_SERVER_HOOK and needed to add a call to get access to the X509_STORE_CTX object to the plugin as pointed out by CrendKing in https://github.com/apache/trafficserver/issues/4569.

I propose adding the following API. I will put up a PR shortly with an implementation, documentation and test.

TSSslVerifyCTX TSVConnSslVerifyCTXGet(TSVConn sslp);

Get the TSSslVerifyCTX object that corresponds to the peer's certificates being verified for the SSL connection corresponding to the sslp argument. This value is only meaningful during the peer certificate verification callbacks, specifically during callbacks invoked from the TS_SSL_VERIFY_SERVER_HOOK and TS_SSL_VERIFY_CLIENT_HOOK.

The SSL object that corresponds to the peer certificates being verified. This is an opaque type that can be cast to the appropriate implementation type (X509_STORE_CTX * for the OpenSSL library).