tls-extra: certificate validation does not check Basic Constraints

tls-extra does not check the Basic Constraints extension of a
certificate in certificate chain processing. Any certificate is
treated as a CA certificate. As a consequence, anyone who has a
valid certificate can use it to sign another one (with an arbitrary
subject DN/domain name embedded into it) and have it accepted by
tls. This allows MITM attacks on TLS connections.