Test X509 certificates with a non-empty EKU section that does not
contain serverAuth or clientAuth. This generates an error for NSS
up to at least 3.40. Using a patched nss with IPsec profiles support
or using nss 3.41 or newer passes this test.

console output is based on the patched nss with certificateUsageIPsec
support and a build of libreswan with USE_NSS_IPSEC_PROFILE=true

It might take a few weeks for these changes to make it into the
various testing systems.