DTLS handshake with mutual authentication with certificates and certificate matching


I’m trying to implement a DTLS server on an embedded device (and the clients are on PCs).
I want to use EC certificates.

Both server and client must authenticate to each other with a certificate (= mutual authentication).

In addition to the normal certificate check in the DTLS handshake, I would like to check that the client certificate exists/is known by the server (the client certificates/hashes/something like that are stored beforehand on the server). So how do I do this additional step properly using mbedTLS functionality?

It should go like this (server side):

mbedTLS does the normal DTLS handshake and checks the client certificate's validity, and if it’s valid, then I want to do an extra check that this certificate is known by the server beforehand. If yes, then the DTLS handshake should proceed as normal, but if the certificate is not known by the server (even if it’s valid), then the handshake should fail.

If I have understood correctly, after the handshake I can get the client certificate from the context, but I think it’s too late to break the connection at that point when thinking about security. It shows that the certificate is valid (from the server's point of view), but it’s not stored on the server. I think that this should be handled similarly to when the certificate is not valid (from the mbedTLS certificate point of view).

So how do I do this the mbedTLS way?

Yes, of course I can add my own code inside the mbedTLS library, but I think that it’s not the proper way to do this…
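
One way to do this check during the handshake, as an added example that is not part of the original post: Mbed TLS calls a verify callback registered with `mbedtls_ssl_conf_verify` for each certificate in the chain, and a flag set there fails the handshake when the auth mode is `MBEDTLS_SSL_VERIFY_REQUIRED`. The `pin_store` type, `pin_check`, `verify_cb` and the `USE_MBEDTLS` build switch are hypothetical names, and the stored value is assumed to be the SHA-256 of the DER-encoded client certificate.

```c
#include <stddef.h>
#include <stdint.h>

#define FP_LEN 32               /* SHA-256 of the DER-encoded certificate */
#define BADCERT_OTHER 0x0100u   /* mirrors MBEDTLS_X509_BADCERT_OTHER */

typedef struct {                /* hypothetical type, not part of Mbed TLS */
    const unsigned char (*fps)[FP_LEN];   /* fingerprints provisioned on the server */
    size_t count;
} pin_store;

/* Compare two fingerprints without stopping at the first differing byte. */
static int fp_equal(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < FP_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Called once per certificate in the chain. Only depth 0, the client's own
 * certificate, is matched; CA certificates at depth > 0 are left untouched.
 * Flags already set by the normal X.509 checks are preserved. */
int pin_check(const pin_store *store, const unsigned char *fp,
              int depth, uint32_t *flags)
{
    int known = 0;
    if (depth != 0)
        return 0;
    for (size_t i = 0; i < store->count; i++)
        known |= fp_equal(store->fps[i], fp);
    if (!known)
        *flags |= BADCERT_OTHER;   /* rejected like any other invalid certificate */
    return 0;
}

#ifdef USE_MBEDTLS   /* glue code, built only where Mbed TLS 3.x is available */
#include "mbedtls/ssl.h"
#include "mbedtls/sha256.h"

static int verify_cb(void *ctx, mbedtls_x509_crt *crt, int depth, uint32_t *flags)
{
    unsigned char fp[FP_LEN];
    if (mbedtls_sha256(crt->raw.p, crt->raw.len, fp, 0) != 0)
        return MBEDTLS_ERR_X509_FATAL_ERROR;
    return pin_check((const pin_store *)ctx, fp, depth, flags);
}
/* Server setup: mbedtls_ssl_conf_verify(&conf, verify_cb, &store); */
#endif
```

With `MBEDTLS_SSL_VERIFY_OPTIONAL` the flag is only recorded and the handshake continues, so the server configuration has to use `MBEDTLS_SSL_VERIFY_REQUIRED` for the rejection to take effect.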