Mirror of https://github.com/strongswan/strongswan.git, synced 2025-10-04 00:00:14 -04:00
Usually, the DNs of all loaded CA certificates are included in the CertificateRequest messages sent by the server.

Alas, certain EAP-TLS clients fail to process this message if the list is too long, returning the fatal TLS alert 'illegal parameter'.

This new option allows configuring whether CAs are included or an empty list is sent (TLS 1.2), or the certificate_authorities extension is omitted (TLS 1.3). The list only serves as a hint/constraint for clients during certificate selection; they still have to provide a certificate but are free to select any one they have available.

Closes strongswan/strongswan#187.
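To check what a server actually sends in the TLS 1.2 case, the sketch below walks a CertificateRequest body and counts the CA DNs in it. It is an added example, not strongSwan code and not part of the commit; the function name `certreq_ca_count` and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static size_t rd16(const uint8_t *p) { return (size_t)p[0] << 8 | p[1]; }

/* Walk a TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4):
 * certificate_types<1..2^8-1>, supported_signature_algorithms<2..2^16-2>,
 * certificate_authorities<0..2^16-1> holding DistinguishedName<1..2^16-1>.
 * Returns the number of CA DNs in the list, or -1 if the body is malformed. */
int certreq_ca_count(const uint8_t *b, size_t len)
{
    size_t off = 0, n, end;
    int count = 0;
    if (len < 1) return -1;
    n = b[off++];                               /* certificate_types */
    if (n < 1 || n > len - off) return -1;
    off += n;
    if (len - off < 2) return -1;
    n = rd16(b + off); off += 2;                /* signature algorithms */
    if (n < 2 || n % 2 || n > len - off) return -1;
    off += n;
    if (len - off < 2) return -1;
    n = rd16(b + off); off += 2;                /* certificate_authorities */
    if (n != len - off) return -1;              /* list must end the body */
    for (end = off + n; off < end; off += n, count++) {
        if (end - off < 2) return -1;
        n = rd16(b + off); off += 2;
        if (n < 1 || n > end - off) return -1;  /* empty or overlong DN */
    }
    return count;
}

/* Constructed samples: type rsa_sign(1), algorithm 0x0401, and the opaque
 * placeholder DN 30 00 (an empty DER SEQUENCE), not real CA names. */
static const uint8_t empty_list[] = { 1,1, 0,2,4,1, 0,0 };
static const uint8_t two_cas[]    = { 1,1, 0,2,4,1, 0,8,
                                      0,2,0x30,0x00, 0,2,0x30,0x00 };
static const uint8_t bad_dn_len[] = { 1,1, 0,2,4,1, 0,8,
                                      0,2,0x30,0x00, 0,5,0x30,0x00 };

int main(void)
{
    printf("empty list: %d\n", certreq_ca_count(empty_list, sizeof(empty_list)));
    printf("two CAs:    %d\n", certreq_ca_count(two_cas, sizeof(two_cas)));
    printf("bad DN len: %d\n", certreq_ca_count(bad_dn_len, sizeof(bad_dn_len)));
    return 0;
}
```

An empty list is still a well-formed message (count 0), which is the TLS 1.2 behaviour the commit message describes; the TLS 1.3 case, where the extension is omitted, is not covered here.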