-rw-r--r--lib/auto-verify.c5
-rw-r--r--lib/gnutls_int.h10
-rw-r--r--lib/priority.c2
3 files changed, 14 insertions, 3 deletions
diff --git a/lib/auto-verify.c b/lib/auto-verify.c
index 1cf5f55dfa..179fb1066f 100644
--- a/lib/auto-verify.c
+++ b/lib/auto-verify.c
@@ -91,8 +91,9 @@ void gnutls_session_set_verify_cert(gnutls_session_t session,
session->internals.vc_elements = 0;
}
- if (flags)
- session->internals.additional_verify_flags |= flags;
+ if (flags) {
+ ADD_PROFILE_VFLAGS(session, flags);
+ }
gnutls_session_set_verify_function(session, auto_verify_cb);
}
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index f9160fc7ca..1be2bf3b82 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1030,6 +1030,16 @@ typedef struct {
unsigned vc_status;
unsigned int additional_verify_flags; /* may be set by priorities or the vc functions */
+ /* we append the verify flags because these can be set,
+ * either by this function or by gnutls_session_set_verify_cert().
+ * However, we ensure that a single profile is set. */
+#define ADD_PROFILE_VFLAGS(session, vflags) \
+ if ((session->internals.additional_verify_flags & GNUTLS_VFLAGS_PROFILE_MASK) && \
+ (vflags & GNUTLS_VFLAGS_PROFILE_MASK)) { \
+ session->internals.additional_verify_flags &= ~GNUTLS_VFLAGS_PROFILE_MASK; \
+ session->internals.additional_verify_flags |= vflags; \
+ }
+
/* the SHA256 hash of the peer's certificate */
uint8_t cert_hash[32];
bool cert_hash_set;
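Review bot: In `ADD_PROFILE_VFLAGS` the `|= vflags` assignment sits inside the `if`, so the flags are stored only when both the session and the new value already carry a profile bit; in every other case, including the first call when no profile is set yet, the caller's verify flags are silently dropped. Both call sites in this commit inherit this, `gnutls_session_set_verify_cert()` in lib/auto-verify.c and `gnutls_priority_set()` in lib/priority.c, which previously OR-ed the flags unconditionally, so a caller asking for stricter certificate verification could end up without it. Only the clearing of `GNUTLS_VFLAGS_PROFILE_MASK` should be conditional. Since the macro is used as a statement, it would also be safer wrapped in `do { ... } while (0)` with its arguments parenthesized. The struct that contains this definition starts and ends outside the hunk.

```c
/* ... unchanged: comment explaining why the flags are appended ... */
#define ADD_PROFILE_VFLAGS(session, vflags) do { \
	if (((session)->internals.additional_verify_flags & GNUTLS_VFLAGS_PROFILE_MASK) && \
	    ((vflags) & GNUTLS_VFLAGS_PROFILE_MASK)) \
		(session)->internals.additional_verify_flags &= ~GNUTLS_VFLAGS_PROFILE_MASK; \
	(session)->internals.additional_verify_flags |= (vflags); \
} while (0)
```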
diff --git a/lib/priority.c b/lib/priority.c
index 15de4b6883..94454f4981 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -575,7 +575,7 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
session->internals.priorities.compression.algorithms == 0)
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
- session->internals.additional_verify_flags |= priority->additional_verify_flags;
+ ADD_PROFILE_VFLAGS(session, priority->additional_verify_flags);
return 0;
}