+ /* If no suitable signature algorithm can't use certificate */
+ if (TLS1_get_version(s) >= TLS1_2_VERSION && !s->cert->key->digest)
+ return 0;
+ /* If strict mode check suitability of chain before using it.
+ * This also adjusts suite B digest if necessary.
+ */
+ if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
+ !tls1_check_chain(s, NULL, NULL, NULL, -2))
+ return 0;