haskell-tls / hs-certificate

Certificate and Key Reader/Writer in haskell

Unable to use x509 Version 1 certificates #37

Open bssstudio opened 9 years ago

bssstudio commented 9 years ago

I am getting error LeafNotV3 when using certificates generated by default OpenSSL settings. After inspection I have noticed that OpenSSL generates x509 Version 1 by default and then the validations fail.

It happened to me when using http-conduit which internally uses http-client and http-client-tls that uses tls.

Is there a security or technical reason to enforce Version 3 leaf certificates by default? Other clients like curl do not mind getting v1 x509 certificates. I am not a security expert, but I am rather curious.

debug-ito commented 8 years ago

I also got curious about it when I tried to debug a TLS connection with http-client-tls.

Besides, it's difficult to work around this problem (without disabling certificate validation altogether). I did the following to create a ClientParams.

```haskell
import Data.Default.Class (Default(def))
import Network.TLS (ClientParams(..), Supported(..), Shared(..), ClientHooks(..), defaultParamsClient)
import Network.TLS.Extra (ciphersuite_all)
import Data.X509 (HashALG(HashSHA256))
import Data.X509.Validation (validate, ValidationChecks(checkLeafV3))
import System.X509 (getSystemCertificateStore)

-- | Client parameters that keep certificate validation enabled and
-- turn off only the "leaf certificate must be X.509 v3" check.
clientParamsAllowingV1 :: IO ClientParams
clientParamsAllowingV1 = do
  system_ca <- getSystemCertificateStore
  return $ (defaultParamsClient mempty mempty) {
    clientSupported = def {
      supportedCiphers = ciphersuite_all
      },
    clientShared = def {
      sharedCAStore = system_ca
      },
    clientHooks = def {
      -- Record update binds tighter than application, so this reads as
      -- validate HashSHA256 def (def { checkLeafV3 = False }).
      onServerCertificate = validate HashSHA256 def def {
         checkLeafV3 = False
         }
      }
    }
```

ocheron commented 7 years ago

> Is there a security or technical reason to enforce Version 3 leaf certificates by default?

This is probably controversial. v1 certificates have no extension, so no indication of intended usage.

Some protocols make it clear that v1 should not be used anymore, i.e. TLS 1.2:

> The certificate type MUST be X.509v3, unless explicitly negotiated otherwise (e.g., [TLSPGP]).
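
The following is an added example, not part of the thread or of hs-certificate: a small DER walker that reports which X.509 version a certificate declares and whether it carries an extensions block, which is the property behind `LeafNotV3` discussed above. The function names and the two sample byte strings are assumptions made for illustration; the samples are constructed skeletons, not real certificates.

```python
import ssl
import sys

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return (version, has_extensions) for a DER-encoded Certificate."""
    tag, pos, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(der, pos)  # TBSCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    version, has_ext = 1, False  # the version field is DEFAULT v1, so v1 omits it
    while pos < tbs_end:
        tag, start, end = read_tlv(der, pos)
        if tag == 0xA0:    # [0] EXPLICIT Version, encoded as 0, 1 or 2
            _, i_start, i_end = read_tlv(der, start)
            version = int.from_bytes(der[i_start:i_end], "big") + 1
        elif tag == 0xA3:  # [3] EXPLICIT Extensions, only defined for v3
            has_ext = True
        pos = end
    return version, has_ext

def _tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form lengths only

# Constructed skeletons: a serial number plus empty placeholders for the
# signature algorithm, issuer, validity, subject and public key.
_FIELDS = _tlv(0x02, b"\x01") + _tlv(0x30) * 5
_TAIL = _tlv(0x30) + _tlv(0x03, b"\x00")
V1_SAMPLE = _tlv(0x30, _tlv(0x30, _FIELDS) + _TAIL)
_V3_TBS = _tlv(0xA0, _tlv(0x02, b"\x02")) + _FIELDS + _tlv(0xA3, _tlv(0x30))
V3_SAMPLE = _tlv(0x30, _tlv(0x30, _V3_TBS) + _TAIL)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # PEM certificate files to inspect
        with open(path) as fh:
            print(path, x509_version(ssl.PEM_cert_to_DER_cert(fh.read())))
```

Run against a server's PEM file, a result of `(1, False)` means the default validation in this thread will report `LeafNotV3`; reissuing the certificate as v3 avoids having to relax `checkLeafV3` on the client.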