The code has a notion of a "strict mode", which indicates whether server name and CA thumbprint should be validated. These should always be validated, so the flag is not needed.
However, in removing this, I found that there is an inconsistency in how the code handles TTLS-MSCHAPv2 and TTLS-(P)EAP-MSCHAPv2. The inconsistency is about validation of server names and CA in the inner authentication; this may not be necessary, and might not even be possible.
Please check this branch with both TTLS-MSCHAPv2 and TTLS-(P)EAP-MSCHAPv2.