diff --git a/0001-crypto-ensure-we-use-a-predictable-TLS-priority-sett.patch b/0001-crypto-ensure-we-use-a-predictable-TLS-priority-sett.patch
new file mode 100644
index 0000000..69e19e1
--- /dev/null
+++ b/0001-crypto-ensure-we-use-a-predictable-TLS-priority-sett.patch
@@ -0,0 +1,48 @@
+From 11e1a77f98b2663a6fb0b640bff2ceedc6fc79f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 28 Feb 2018 14:04:38 +0000
+Subject: [PATCH] crypto: ensure we use a predictable TLS priority setting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS test cert generation relies on a fixed set of algorithms that are
+only usable under GNUTLS' default priority setting. When building QEMU
+with a custom distro specific priority setting, this can cause the TLS
+tests to fail. By forcing the tests to always use "NORMAL" priority we
+can make them more robust.
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ tests/test-crypto-tlssession.c | 1 +
+ tests/test-io-channel-tls.c    | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/tests/test-crypto-tlssession.c b/tests/test-crypto-tlssession.c
+index 1a4a066d76..82f21c27f2 100644
+--- a/tests/test-crypto-tlssession.c
++++ b/tests/test-crypto-tlssession.c
+@@ -75,6 +75,7 @@ static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
+                      "server" : "client"),
+         "dir", certdir,
+         "verify-peer", "yes",
++        "priority", "NORMAL",
+         /* We skip initial sanity checks here because we
+          * want to make sure that problems are being
+          * detected at the TLS session validation stage,
+diff --git a/tests/test-io-channel-tls.c b/tests/test-io-channel-tls.c
+index a210d01ba5..47ba603e8d 100644
+--- a/tests/test-io-channel-tls.c
++++ b/tests/test-io-channel-tls.c
+@@ -78,6 +78,7 @@ static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
+                      "server" : "client"),
+         "dir", certdir,
+         "verify-peer", "yes",
++        "priority", "NORMAL",
+         /* We skip initial sanity checks here because we
+          * want to make sure that problems are being
+          * detected at the TLS session validation stage,
+-- 
+2.14.3
+
diff --git a/qemu.spec b/qemu.spec
index 3156741..aef2776 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -148,6 +148,9 @@ Patch0002: 0001-Remove-problematic-evdev-86-key-from-en-us-keymap.patch
 # Non-deterministic python hash iterator sort ordering
 Patch0003: 0001-qapi-ensure-stable-sort-ordering-when-checking-QAPI-.patch
 
+# Avoid breakage in tests due to stricter crypto policies
+Patch0004: 0001-crypto-ensure-we-use-a-predictable-TLS-priority-sett.patch
+
 # documentation deps
 BuildRequires: texinfo
 # For /usr/bin/pod2man
@@ -1985,6 +1988,7 @@ getent passwd qemu >/dev/null || \
 - Honour CC/LD flags for ksmctl
 - Fix non-deterministic test failure
 - Use explicit "python2" binary to avoid "python" brokeness (rhbz#1550010)
+- Avoid breakage in TLS tests due to stricter crypto policies
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.11.0-4.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild