constraints_validator's check_policy is too strict
As mentioned a few months ago in the IRC channel, the check performed by check_policy in constraints_validator.c is too strict.
The example given back then was an end certificate containing a CPS while its issuer didn't contain one. In that case, the constraints plugin aborts with "policy ... missing in issuing certificate".
Back then, Tobias mentioned the check should probably be removed (perhaps not his exact words).
#1 Updated by Martin Willi over 6 years ago
- Category set to libstrongswan
- Status changed from New to Closed
- Assignee set to Martin Willi
- Parent task set to #453
- Resolution set to Duplicate
Thanks for your report. Yes, we are aware of the issue, and it is on my TODO list. It probably won't make it into 5.1.2, but hopefully into 5.1.3. To work around the issue, you may disable the constraints plugin.