OpenSSL 1.0.2 will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle.
OpenSSL 1.0.2 will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle.
https://bugzilla.redhat.com/show_bug.cgi?id=1970201 https://github.com/openssl/openssl/issues/5236