Currently, in most of the cases the function returns only match/not-match status, but does not return a clue why a cert was rejected.
This enhancement is needed for PKIX_ValidateChain only. Should not be targeted to be fixed in 3.12.
Alexei, please add more explanation of what is wanted here, and where it is
needed (what other code would be changed to use it).
Fixed by patch to bug 420991