From 9fc8a8444633f91f439850a92927987fde515835 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 21 Mar 2017 13:20:02 +0100
Subject: _gnutls_check_key_cert_match: allow broken sigs

That ensures that when loading a certificate pair with SHA1, when SHA1 is disabled will not cause the server to fail to load.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/cert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/cert.c b/lib/cert.c
index 825354509f..edcd413776 100644
--- a/lib/cert.c
+++ b/lib/cert.c
@@ -918,7 +918,7 @@ int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res)
 ret = gnutls_pubkey_verify_data2(res->certs[res->ncerts - 1].cert_list[0].pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256),
- 0, &test, &sig);
+ GNUTLS_VERIFY_ALLOW_BROKEN, &test, &sig);
 gnutls_free(sig.data);
-- 
cgit v1.2.1
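Review bot: The `GNUTLS_VERIFY_ALLOW_BROKEN` flag added to the `gnutls_pubkey_verify_data2()` call carries no comment saying why relaxed verification is acceptable at this site, so anyone auditing uses of that flag has to rediscover the reasoning. The visible call verifies `sig` over `test` with the credential's own public key, which looks like a key/certificate consistency check rather than a trust decision on peer-supplied data; I would state that next to the flag, e.g. `/* self-check of our own key pair, not a trust decision: accept algorithms disabled by policy */`. The call also pins the digest to `GNUTLS_DIG_SHA256`, so the hunk does not show which path rejected the SHA1 case named in the commit message, and the comment should say so in a sentence. The body of `_gnutls_check_key_cert_match` starts and ends outside the hunk, so the handling of `ret` after the call is not visible here.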