Hi all,

Version 3 of X.509 was published in 1997 and introduced extensions. However, in the years that followed, some implementations did generate certificates with extensions and a declared version less than 3. Such certs were never compliant and are rejected by default; however, we have a compile-time option to not reject them for that reason: MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3

Since this is 2021 and pre-v3 certificates are unlikely to still be used, we'd like to remove this option in Mbed TLS 3.0. (It would remain in 2.16 and the upcoming 2.x LTS branch.)

As usual, more details can be found in the GitHub issue: https://github.com/ARMmbed/mbedtls/issues/4386

If you need this option to still be available in Mbed TLS 3.0, please speak up now, here or on GitHub!

Regards,
Manuel.
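
The rule described in the message above (extensions are only valid in a v3 certificate), as an added example that is not part of the original message and is not Mbed TLS code: a small C check that can be run over DER certificates to see whether any of them would depend on the option. The names `read_tlv` and `cert_has_ext_below_v3` and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Read one DER TLV header; leaves *p at the content. Returns -1 if malformed. */
static int read_tlv(const unsigned char **p, const unsigned char *end,
                    unsigned char *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {                       /* long form: next (n & 0x7f) bytes */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 4 || (size_t)(end - *p) < cnt) return -1;
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;
    *len = n;
    return 0;
}

/* 1: extensions present but version below v3; 0: otherwise; -1: unparsable DER. */
int cert_has_ext_below_v3(const unsigned char *der, size_t der_len)
{
    const unsigned char *p = der, *end = der + der_len;
    unsigned char tag; size_t len; int version = 1, has_ext = 0;
    if (read_tlv(&p, end, &tag, &len) || tag != 0x30) return -1; /* Certificate */
    end = p + len;
    if (read_tlv(&p, end, &tag, &len) || tag != 0x30) return -1; /* TBSCertificate */
    end = p + len;
    while (p < end) {                     /* walk the TBSCertificate fields */
        if (read_tlv(&p, end, &tag, &len)) return -1;
        if (tag == 0xA3) has_ext = 1;     /* [3] EXPLICIT extensions */
        if (tag == 0xA0) {                /* [0] EXPLICIT version: 02 01 vv */
            if (len != 3 || p[0] != 0x02 || p[1] != 0x01) return -1;
            version = p[2] + 1;           /* encoded 0,1,2 means v1,v2,v3 */
        }
        p += len;                         /* skip this field's content */
    }
    return has_ext && version < 3;
}

/* Constructed skeletons (empty names, validity and key), not real certificates. */
const unsigned char V1_WITH_EXT[] = { 0x30,0x13, 0x30,0x11, 0x02,0x01,0x01,
    0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0xA3,0x02,0x30,0x00 };
const unsigned char V3_WITH_EXT[] = { 0x30,0x18, 0x30,0x16, 0xA0,0x03,0x02,0x01,0x02,
    0x02,0x01,0x01, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0xA3,0x02,0x30,0x00 };
int main(void) {
    printf("%d %d\n", cert_has_ext_below_v3(V1_WITH_EXT, sizeof V1_WITH_EXT),
           cert_has_ext_below_v3(V3_WITH_EXT, sizeof V3_WITH_EXT));
    return 0;
}
```

The first sample omits the version field, which means the default of v1, so it is flagged; the second declares v3 and is not.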