From 5ce283806c8385bca9bfc23e2e577d16f9aa28eb Mon Sep 17 00:00:00 2001 From: Pierre Ossman Date: Fri, 20 Sep 2019 09:00:04 +0200 Subject: [PATCH] Restore leniance in certificate key usage violations It was removed in 256d8e2 because the purpose was unclear. It turns out that the automatically generated self signed certificates will have Key Encipherment and Data Encipherment set as key usage, but the required ones are Digital Signature and Key Encipherment. A proper certificate generally doesn't have this issue, but connecting to stand alone machines without a proper certificate is common. Unfortunately the %COMPAT flag is the only thing that makes GnuTLS tolerate this bug, but that flag also allows a lot of other protocol violations. --- tcp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tcp.c b/tcp.c index e85eb96..948d44b 100644 --- a/tcp.c +++ b/tcp.c @@ -55,7 +55,10 @@ #define INADDR_NONE ((unsigned long) -1) #endif -#define GNUTLS_PRIORITY "NORMAL" +/* Windows' self signed certificates omit the required Digital + Signature key usage flag, and only %COMPAT makes GnuTLS ignore + that violation. */ +#define GNUTLS_PRIORITY "NORMAL:%COMPAT" #ifdef IPv6 static struct addrinfo *g_server_address = NULL;
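Review bot: The `GNUTLS_PRIORITY` change in the tcp.c hunk switches every TLS connection to "NORMAL:%COMPAT", not just the ones to stand-alone machines with auto-generated self-signed certificates, and the commit message itself concedes that %COMPAT "also allows a lot of other protocol violations." Consider making the relaxed priority opt-in (for example a runtime/config switch that selects "NORMAL:%COMPAT" only when the user asks for it) so that connections to hosts with proper certificates keep the strict "NORMAL" profile. Independently of that, the new code comment should carry the same caveat the commit message gives (that %COMPAT relaxes more than the key-usage check), since the previous removal in 256d8e2 happened precisely because the purpose of the setting was unclear from the code; a comment that only says "Windows' self signed certificates omit the required Digital Signature key usage flag" documents the motivation but not the cost, and it is also narrower than the commit message, which speaks of automatically generated self-signed certificates without naming Windows.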