From 54ed3779d66d3903c53f67607fc68d773c95222f Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Thu, 5 Mar 2009 04:35:49 +0000
Subject: [PATCH] ITS#5992 trust X509v1 CA certs
---
 libraries/libldap/tls_g.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 57731673b3..759c9b7621 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -349,6 +349,13 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 if ( rc < 0 ) return -1;
 rc = 0;
 }
+
+ /* FIXME: ITS#5992 - this should go be configurable,
+ * and V1 CA certs should be phased out ASAP.
+ */
+ gnutls_certificate_set_verify_flags( ctx->cred,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+
 if ( is_server ) {
 gnutls_dh_params_init(&ctx->dh_params);
 gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
-- 
2.39.5
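Review bot: The added `gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT )` call runs unconditionally, before the `is_server` branch, so clients and servers both get the relaxed check with no way to turn it off. The function also sets the credential's verify flags rather than OR-ing into them, so any flag applied to `ctx->cred` elsewhere would be lost; none is visible here, but tlsg_ctx_init starts and ends outside this hunk. An X.509v1 certificate has no basicConstraints extension, so every v1 certificate in the configured trusted CA list becomes an acceptable issuer, including one that was only ever meant as an end-entity certificate. The comment should state that scope, e.g. `/* ITS#5992: accepts v1 certs from the trusted CA list only; do not widen to GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT */`, and the typo "should go be configurable" should read "should be configurable".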