During a handshake (or renegotiation) a server may request a certificate from the client. A client certificate must only be sent, when the server did send the request.
When a certificate was set using the SSL_CTX_use_certificate(3) family of functions, it will be sent to the server. The TLS standard requires that only a certificate is sent, if it matches the list of acceptable CAs sent by the server. This constraint is violated by the default behavior of the OpenSSL library. Using the callback function it is possible to implement a proper selection routine or to allow a user interaction to choose the certificate to be sent.
If a callback function is defined and no certificate was yet defined for the SSL object, the callback function will be called. If the callback function returns a certificate, the OpenSSL library will try to load the private key and certificate data into the SSL object using the SSL_use_certificate() and SSL_use_private_key() functions. Thus it will permanently install the certificate and key for this SSL object. It will not be reset by calling SSL_clear(3). If the callback returns no certificate, the OpenSSL library will not send a certificate.