Script ssl-cert does not retrieve multiple certs from server #2303

Open
git-blame opened this issue May 13, 2021 · 1 comment

@git-blame

I ran into a server that has multiple certs configured depending on the negotiated cipher suite. From RFC 5246#7.4.2:

If the server has multiple certificates, it chooses one of them based
on the above-mentioned criteria (in addition to other criteria, such
as transport layer endpoint, local configuration and preferences,
etc.).

ssl-cert uses the library sslcert.lua's getCertificate() but there are some issues:

  • Library assumes there is only 1 cert per host/port in the cache
  • More importantly, I suspect the function socket:get_ssl_certificate() includes all cipher suites in the ClientHello. Its equivalent non-openssl function: handshake_cert() definitely does (by calling tls.client_hello() without options). So the server will always return the same one, probably the one associated with the most secure suite (or some other criteria).

However, if you debug print the cert retrieved by script ssl-enum-ciphers, which probes with multiple ClientHello with different/smaller set of cipher suites, you will see that there could be different certs on such a server.

It would be great if ssl-cert can enumerate all the certs configured on a server.

@git-blame git-blame added the Nmap label May 13, 2021
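The probing approach the issue describes (one ClientHello per cipher family, then de-duplicating the returned leaf certificates by fingerprint) can be sketched in Python; this is an added example, not Nmap's or sslcert.lua's code. It assumes OpenSSL cipher-string syntax for the families and caps the handshake at TLS 1.2, because TLS 1.3 suites no longer carry an authentication algorithm (there the server chooses by signature_algorithms, which Python's ssl module does not expose); as the RFC text above notes, SNI and local configuration can also steer the choice, so probing by suite alone is not exhaustive.

```python
import hashlib
import socket
import ssl
import sys

# Cipher families that differ in the certificate type they authenticate with
# (OpenSSL cipher-string syntax, as accepted by ssl.SSLContext.set_ciphers).
# A server holding both an RSA and an ECDSA certificate picks per family.
CIPHER_FAMILIES = {"rsa": "aRSA:!aNULL", "ecdsa": "aECDSA:!aNULL"}


def fingerprint(der):
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_cert(host, port, cipher_string, timeout=5.0):
    """Send one ClientHello offering only `cipher_string` and return the
    leaf certificate (DER bytes) the server presents, or None if the
    server refuses the restricted offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # collecting the cert, not validating it
    # TLS 1.3 suites carry no authentication algorithm, so cap at 1.2 to
    # make the offered suites decide which certificate the server selects.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)  # raises if OpenSSL has no match
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError):
        return None


def enumerate_certs(host, port=443, fetch=fetch_cert):
    """Probe once per cipher family; map fingerprint -> (der, families)."""
    found = {}
    for family, cipher_string in CIPHER_FAMILIES.items():
        der = fetch(host, port, cipher_string)
        if der is None:
            continue  # server has no cert usable with this family
        found.setdefault(fingerprint(der), (der, []))[1].append(family)
    return found


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for fp, (der, families) in enumerate_certs(host).items():
        print(f"{fp}  {len(der)} bytes  offered via {', '.join(families)}")
```

The `fetch` parameter exists so the de-duplication logic can be exercised against a stub without a live server; the same idea extends to any further family (for example `aDSS`) by adding an entry to `CIPHER_FAMILIES`.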