--- a/lib/x509/verify.c | |
+++ b/lib/x509/verify.c | |
@@ -692,8 +693,10 @@ | |
/* note that here we disable this V1 CA flag. So that no version 1 | |
* certificates can exist in a supplied chain. | |
*/ | |
- if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) | |
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) { | |
flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); | |
+ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; | |
+ } | |
if ((ret = | |
_gnutls_verify_certificate2(certificate_list[i - 1], | |
&certificate_list[i], 1, |
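Review bot: The comment above the changed `if` still says only that the V1 CA flag is disabled, but the new branch also sets `GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT`, and nothing records why clearing `GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` is not enough on its own. Presumably `_gnutls_verify_certificate2` reads a missing allow bit as "use the default" rather than "reject", so the explicit deny bit is what actually keeps version 1 intermediates out of a supplied chain; I would say so in the comment, e.g. `/* Clear the V1 allowance and set the explicit deny flag: unless ALLOW_ANY is given, no version 1 certificate may act as a CA inside a supplied chain. */`. A regression test that verifies a chain containing a version 1 intermediate, and expects failure, would pin this behaviour. The enclosing function starts and ends outside the hunk, so the callee's handling of the two flags should be confirmed there.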