--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -692,8 +693,10 @@
       /* note that here we disable this V1 CA flag. So that no version 1
        * certificates can exist in a supplied chain.
        */
-      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
         flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+        flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+      }
       if ((ret =
            _gnutls_verify_certificate2(certificate_list[i - 1],
                &certificate_list[i], 1,