Fix TLS tests with gnutls 3

When given a CA cert with basic constraints to set non-critical,
and key usage of 'key signing', this should be rejected. Version
of GNUTLS < 3 do not rejecte it though, so we never noticed the
test case was broken

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

tests/virnettlscontexttest.c

@@ -873,6 +873,16 @@ mymain(void)
         false, false, NULL, NULL,
         0, 0,
     };
+
+    DO_CTX_TEST(true, cacert1req, servercertreq, false);
+    DO_CTX_TEST(true, cacert2req, servercertreq, false);
+# if 0
+    DO_CTX_TEST(true, cacert3req, servercertreq, false);
+# endif
+    DO_CTX_TEST(true, cacert4req, servercertreq, false);
+
+    /* Now some bad certs */
+
     /* Key usage:dig-sig:not-critical */
     static struct testTLSCertReq cacert5req = {
         NULL, NULL, "cacert5.pem", "UK",
@@ -882,17 +892,6 @@ mymain(void)
         false, false, NULL, NULL,
         0, 0,
     };
-
-    DO_CTX_TEST(true, cacert1req, servercertreq, false);
-    DO_CTX_TEST(true, cacert2req, servercertreq, false);
-# if 0
-    DO_CTX_TEST(true, cacert3req, servercertreq, false);
-# endif
-    DO_CTX_TEST(true, cacert4req, servercertreq, false);
-    DO_CTX_TEST(true, cacert5req, servercertreq, false);
-
-    /* Now some bad certs */
-
     /* no-basic */
     static struct testTLSCertReq cacert6req = {
         NULL, NULL, "cacert6.pem", "UK",
@@ -912,6 +911,12 @@ mymain(void)
         0, 0,
     };
 
+    /* Technically a CA cert with basic constraints
+     * key purpose == key signing + non-critical should
+     * be rejected. GNUTLS < 3 does not reject it and
+     * we don't anticipate them changing this behaviour
+     */
+    DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
     DO_CTX_TEST(true, cacert6req, servercertreq, true);
     DO_CTX_TEST(true, cacert7req, servercertreq, true);