mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-04 00:00:14 -04:00
RFC3779 requires strict validation of the addrblocks of issuer certificates, that is, they must contain the extension and the claimed addrblock, up to the root CA. When working with third-party root CAs that do not have the extension, this makes using the plugin impossible. So add a depth setting that limits the number of issuer certificates to check bottom-up towards the root CA. A depth value of 0 disables any issuer check, the default value of -1 checks all issuers in the chain, keeping the existing behavior.

Closes strongswan/strongswan#860
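The depth semantics described in the commit message, modeled as an added example; this is not strongSwan's code. The `cert_t` type, the `addrblock_chain_ok` function and the sample chain are hypothetical and constructed for illustration, with one IPv4 block per certificate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model, not strongSwan's types: one IPv4 block per certificate. */
typedef struct {
    bool has_ext;     /* certificate carries the RFC 3779 addrblock extension */
    uint32_t net;     /* network address, host byte order */
    unsigned prefix;  /* prefix length, 0..32 */
} cert_t;

static uint32_t mask_of(unsigned prefix)
{
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* True if the claimed block lies entirely inside the issuer's block. */
static bool contains(const cert_t *issuer, uint32_t net, unsigned prefix)
{
    uint32_t m = mask_of(issuer->prefix);
    return issuer->has_ext && issuer->prefix <= prefix &&
           (net & m) == (issuer->net & m);
}

/*
 * chain[0] is the end-entity certificate, chain[n-1] the root CA.
 * depth -1 checks every issuer up to the root, 0 checks none, and
 * k > 0 checks only the k issuers closest to the end entity.
 * Assumption of this sketch: the end entity itself must carry the extension.
 */
bool addrblock_chain_ok(const cert_t *chain, size_t n, int depth)
{
    if (n == 0 || !chain[0].has_ext)
        return false;
    for (size_t i = 1; i < n; i++) {
        if (depth >= 0 && i > (size_t)depth)
            break;  /* issuers above the configured depth are not checked */
        if (!contains(&chain[i], chain[0].net, chain[0].prefix))
            return false;
    }
    return true;
}

/* Constructed sample: 10.1.2.0/24 under 10.1.0.0/16, root CA without extension. */
const cert_t third_party_root_chain[3] = {
    { true,  0x0A010200u, 24 },  /* end entity */
    { true,  0x0A010000u, 16 },  /* intermediate CA */
    { false, 0,           0  },  /* third-party root CA */
};
```

With this chain the default depth of -1 rejects the certificate because the root lacks the extension, while a depth of 1 validates only the intermediate CA and accepts it.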