Please don't underestimate this problem. openssl creates bad certificates here without telling. It is *highly* annoying if you are affected by a bad root certificate you already used for setting up a private PKI and then detect the problem on a platform with a better ssl implementation.
I would highly appreciate if you could fix this for Stretch. Thanx Harri

