https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18 diff -Naurp gnutls-3.1.16/lib/x509/verify.c gnutls-3.1.16.oden/lib/x509/verify.c --- gnutls-3.1.16/lib/x509/verify.c 2013-05-21 20:27:20.000000000 +0200 +++ gnutls-3.1.16.oden/lib/x509/verify.c 2014-02-14 08:02:09.000000000 +0100 @@ -673,8 +673,10 @@ _gnutls_x509_verify_certificate (const g /* note that here we disable this V1 CA flag. So that no version 1 * certificates can exist in a supplied chain. */ - if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) + if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) { flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; + } if ((ret = _gnutls_verify_certificate2 (certificate_list[i - 1], &certificate_list[i], 1, flags,