From 8885539a95fdef96c59b74ff4edb99bd193be2f8 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 12 Feb 2014 16:41:33 +0100
Subject: [PATCH 1/2] Fixed bug that prevented the rejection of v1
 intermediate CA certificates. (cherry picked from
 commit 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e)

---
 lib/x509/verify.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index f336633..1ab1357 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -689,7 +689,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
        * certificates can exist in a supplied chain.
        */
       if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
-        flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+        {
+          flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+          flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+        }
       if ((ret =
            _gnutls_verify_certificate2 (certificate_list[i - 1],
                                         &certificate_list[i], 1, flags,
-- 
1.7.10