While trying to get my SSL server NIST compliant, I stumbled upon section 3.4.1 - Mandatory TLS Extensions, and there is only one option for which I cannot find where to configure it on my end: Extended Master Secret. This extension is documented in RFC 7627. Most modern browsers support this by default.
While checking on the Internet, it seems CAs do enable this; all my searches of certificates issued by LE returned “Extended master secret: no”, which matches my own experience.
I haven’t found anything in either the Apache HTTP or OpenSSL documentation/mailing lists though.
Is this a feature that is disabled by design on the Let’s Encrypt backend? Is there any way I can manually turn this on from a CSR?