I'm thinking about adding a callback called during certificate chain validation thats called when the CA certificate is not found on the internal list. This would allow all, or most, common CA certs to be stored say in SPIFFS and then only the one needed to validate a specific connections can be loaded on the fly without have to specify it ahead of time. Would that be an acceptable change? Any other ideas on how this could be done?

Update: After some more looking, if I don't treat SSL_CTX as opaque then this can be handled in the Arduino layer....

Update: strike the above - really should stay opaque. Now thinking to add a function to return the name CA) on the last certificate in the chain. That can be called before validateChain() to make sure the correct CA cert is loaded and added to the context.

N/A with bearssl integration.