1Security 2 * With TLS 1.3, when a server enables optional authentication of the 3 client, if the client-provided certificate does not have appropriate values 4 in keyUsage or extKeyUsage extensions, then the return value of 5 mbedtls_ssl_get_verify_result() would incorrectly have the 6 MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits 7 clear. As a result, an attacker that had a certificate valid for uses other 8 than TLS client authentication could be able to use it for TLS client 9 authentication anyway. Only TLS 1.3 servers were affected, and only with 10 optional authentication (required would abort the handshake with a fatal 11 alert). 12