diff -Nru gnutls26-2.12.23/debian/changelog gnutls26-2.12.23/debian/changelog
--- gnutls26-2.12.23/debian/changelog 2017-06-12 13:35:23.000000000 +0000
+++ gnutls26-2.12.23/debian/changelog 2017-08-21 17:48:18.000000000 +0000
@@ -1,3 +1,13 @@
+gnutls26 (2.12.23-12ubuntu2.10) trusty; urgency=medium
+
+ * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler:
+ OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS
+ priority, which includes TLS1.2 support. (LP: #1709193)
+ - Add %VERIFY_ALLOW_SIGN_RSA_MD5 to avoid regressions with
+ RSA-MD5 signed roots (like CAcert.org). Only needed on Trusty.
+
+ -- Simon Deziel Mon, 21 Aug 2017 17:44:59 +0000
+
 gnutls26 (2.12.23-12ubuntu2.8) trusty-security; urgency=medium

 * SECURITY UPDATE: DoS and possible code execution via OpenPGP
diff -Nru gnutls26-2.12.23/debian/patches/series gnutls26-2.12.23/debian/patches/series
--- gnutls26-2.12.23/debian/patches/series 2017-06-12 13:33:07.000000000 +0000
+++ gnutls26-2.12.23/debian/patches/series 2017-08-21 17:49:04.000000000 +0000
@@ -20,3 +20,4 @@
 CVE-2017-5337.patch
 CVE-2016-8610.patch
 CVE-2017-7869.patch
+use_normal_priority_for_openssl_sslv23.diff
diff -Nru gnutls26-2.12.23/debian/patches/use_normal_priority_for_openssl_sslv23.diff gnutls26-2.12.23/debian/patches/use_normal_priority_for_openssl_sslv23.diff
--- gnutls26-2.12.23/debian/patches/use_normal_priority_for_openssl_sslv23.diff 1970-01-01 00:00:00.000000000 +0000
+++ gnutls26-2.12.23/debian/patches/use_normal_priority_for_openssl_sslv23.diff 2017-08-21 17:49:09.000000000 +0000
@@ -0,0 +1,33 @@
+sdeziel> added %VERIFY_ALLOW_SIGN_RSA_MD5 to the priority string
+ to avoid a regression on Trusty. This was done on top of:
+
+Backport of:
+
+From 363056f7db6f61f818523888085638e85c6a81f7 Apr, 2 2017
+Description: Use NORMAL priority for SSLv23_*_method. Instead of
+ enforcing TLS1.0/SSL3.0 use gnutls NORMAL priority for SSLv23_*_methods.
+Author: Andreas Metzler
+Last-Update: 2017-04-02
+Bug-Ubuntu: https://launchpad.net/bugs/1709193
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857436
+
+--- gnutls26-2.12.23.orig/libextra/gnutls_openssl.c 2012-01-06 19:06:24.000000000 +0000
++++ gnutls26-2.12.23/libextra/gnutls_openssl.c 2017-08-10 15:40:06.553323877 +0000
+@@ -516,7 +516,7 @@
+ if (!m)
+ return NULL;
+
+- strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
++ strcpy(m->priority_string, "NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5");
+
+ m->connend = GNUTLS_CLIENT;
+
+@@ -531,7 +531,7 @@
+ if (!m)
+ return NULL;
+
+- strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
++ strcpy(m->priority_string, "NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5");
+ m->connend = GNUTLS_SERVER;
+
+ return m;
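Review bot: The new priority string in both inner hunks (the strcpy at old line 519 and at old line 534 of gnutls_openssl.c) re-enables acceptance of RSA-MD5 certificate signatures for every client and server created through the SSLv23 wrapper methods, yet the only record of why lives in the changelog and the patch header, not at the point of use. A comment above each strcpy such as `/* %VERIFY_ALLOW_SIGN_RSA_MD5 is a Trusty-only compatibility concession for RSA-MD5 signed roots (LP: #1709193); it weakens chain verification and should be removed once those roots are retired */` would keep that trade-off visible to the next maintainer. Since the same literal is now duplicated in both methods, defining it once, e.g. `#define SSLV23_PRIORITY "NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5"`, and using it in both strcpy calls would stop the client and server priorities from drifting apart. As far as the GnuTLS documentation goes, the flag appears to relax the check for any certificate signature in the chain rather than only the trust anchor, so the exposure is broader than the changelog's "RSA-MD5 signed roots" wording suggests; worth confirming before shipping. Both inner hunks show only the tail of their enclosing functions, whose signatures are outside the hunk.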