Thanks for your reply, Maxim! I'll work out an alternative then.

Re. session resumption, I read in the OpenSSL docs (https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html) that OpenSSL is willing to store the chain longer than a single request, but only if the implementing application (nginx) is managing freeing it at the proper time (eg. when the session times out):
> If applications wish to use any certificates in the returned chain indefinitely they must increase the reference counts using X509_up_ref() or obtain a copy of the whole chain with X509_chain_up_ref().

ps. I now see that HAProxy is also discussing it: https://www.mail-archive.com/haproxy@formilux.org/msg35607.html