TURBO2-1409: Allow extra intermediates in certificate chains
Some servers send extraneous intermediate certificates that aren't
used to validate the leaf certificate. The Pike implementation of this
was quite to the letter of RFC5280/5246, which does say that each cert
has to be signed by the next certificate in the chain.
Only require that the certificates are in order, but ignore extra
certificates we didn't need to verify the leaf certificate.