It's years since I read the SSL spec, but I wouldn't be surprised if it says that the first cert in the list has to be a root "self-signed" cert.
Well, I think maybe there are two matters here: 1) the list of "authorities", which is basically a list of certificate signers that we're willing to accept as client authentication. These, of themselves, wouldn't be chains, but rather just a single cert signed by a "known" authority, the chain of which would presumably be specified elsewhere.
The second issue is that of how to verify what is provided by the client, which might or might not be a full chain leading to a self-signed certificate.
Either way, you are correct, the root of the chain has to be self-signed (otherwise it wouldn't be the root, would it? :)) Currently, there is no infrastructure at all for keeping a list of certificate authorities, so that will need to be added.
Once the infrastructure is present, and has some methods for examining and testing the relevant parts of certificates, it should be simple for us to have a default behavior as well as a callback that provides alternate behaviors (necessary for more complex applications).
Bill