+diff -up gnutls-1.4.1/lib/x509/verify.c.chain-verify gnutls-1.4.1/lib/x509/verify.c
+--- gnutls-1.4.1/lib/x509/verify.c.chain-verify 2008-11-11 10:55:19.000000000 +0100
++++ gnutls-1.4.1/lib/x509/verify.c 2008-11-11 10:58:54.000000000 +0100
+@@ -379,6 +379,17 @@ _gnutls_x509_verify_certificate (const g
+ int i = 0, ret;
+ unsigned int status = 0, output;
+
++ /* Check if the last certificate in the path is self signed.
++ * In that case ignore it (a certificate is trusted only if it
++ * leads to a trusted party by us, not the server's).
++ */
++ if (clist_size > 1 &&
++ gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
++ certificate_list[clist_size - 1]) > 0)
++ {
++ clist_size--;
++ }
++
+ /* Verify the last certificate in the certificate path
+ * against the trusted CA certificate list.
+ *
+@@ -417,17 +428,6 @@ _gnutls_x509_verify_certificate (const g
+ }
+ #endif
+
+- /* Check if the last certificate in the path is self signed.
+- * In that case ignore it (a certificate is trusted only if it
+- * leads to a trusted party by us, not the server's).
+- */
+- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+- certificate_list[clist_size - 1]) > 0
+- && clist_size > 0)
+- {
+- clist_size--;
+- }
+-
+ /* Verify the certificate path (chain)
+ */
+ for (i = clist_size - 1; i > 0; i--)