qt4: blacklist untrusted SSL certificates

- this blacklist wrong certificates https://bugreports.qt-project.org/browse/QTBUG-24654 https://bugreports.qt-project.org/browse/QTBUG-28937 - these patches will be in the next 4.8.5 release (From OE-Core rev: aafcf34aa8be3525ada517b770e43ad05de5a4b6) Signed-off-by: Eric Bénard <eric@eukrea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Eric Bénard <eric@eukrea.com> 2013-01-07 18:06:57 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-01-07 19:26:28 +0000
commit: a06958eefcfe4e5f5c8f0bbac24fd1b43821d0b0 (patch)
tree: 4e4ff98f451cac426433d4579ae863e54fcebb32
parent: 51ce14351d4a67a3c285be139a2c3af6610f2d70 (diff)
download: poky-a06958eefcfe4e5f5c8f0bbac24fd1b43821d0b0.tar.gz
5 files changed, 153 insertions, 2 deletions
diff --git a/meta/recipes-qt/qt4/qt4-4.8.4.inc b/meta/recipes-qt/qt4/qt4-4.8.4.inc
index 08173a1d14..0bc106251e 100644
--- a/meta/recipes-qt/qt4/qt4-4.8.4.inc
+++ b/meta/recipes-qt/qt4/qt4-4.8.4.inc
@@ -21,6 +21,8 @@ SRC_URI = "http://releases.qt-project.org/qt4/source/qt-everywhere-opensource-sr
           file://0018-configure-make-pulseaudio-a-configurable-option.patch \
           file://0019-Fixes-for-gcc-4.7.0-particularly-on-qemux86.patch \
           file://0020-webkit-disable-the-fuse-ld-gold-flag.patch \
+           file://0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch \
+           file://0023-qtnetwork-blacklist-two-more-certificates.patch \
           file://g++.conf \
           file://linux.conf \
           "
diff --git a/meta/recipes-qt/qt4/qt4-4.8.4/0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch b/meta/recipes-qt/qt4/qt4-4.8.4/0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch
new file mode 100644
index 0000000000..8caef97405
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.4/0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch
@@ -0,0 +1,108 @@
+From 451462b1e0304e0cb6c2872e4f5688bc2e556dca Mon Sep 17 00:00:00 2001
+From: Peter Hartmann <phartmann@rim.com>
+Date: Fri, 4 Jan 2013 11:06:14 +0100
+Subject: [PATCH] SSL certificates: blacklist mis-issued Turktrust certificates
+Those certificates have erroneously set the CA attribute to true,
+meaning everybody in possesion of their keys can issue certificates on
+their own.
+backport of bf5e7fb2652669599a508e049b46ebd5cd3206e5 from qtbase
+Task-number: QTBUG-28937
+Change-Id: Iee57c6f983fee61c13c3b66ed874300ef8e80c23
+Reviewed-by: Richard J. Moore <rich@kde.org>
+Upstream-Status: Accepted https://codereview.qt-project.org/#change,43968
+---
+ src/network/ssl/qsslcertificate.cpp                |    3 ++
+ ...ted-turktrust-e-islem.kktcmerkezbankasi.org.pem |   24 +++++++++++++++
+ .../blacklisted-turktrust-ego.gov.tr.pem           |   31 ++++++++++++++++++++
+ 3 files changed, 58 insertions(+), 0 deletions(-)
+ create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
+ create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
+diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
+index 038187f..37799d1 100644
+--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
+@@ -825,6 +825,9 @@ static const char *certificate_blacklist[] = {
+ 
+     "120001705", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust
+     "1276011370", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust
+
+    "2087",                                            "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate
+    "2148",                                            "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate
+     0
+ };
+ 
+diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
+new file mode 100644
+index 0000000..33f2ef4
+--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
+@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8DCCAtigAwIBAgICCGQwDQYJKoZIhvcNAQEFBQAwgawxPTA7BgNVBAMMNFTD
+nFJLVFJVU1QgRWxla3Ryb25payBTdW51Y3UgU2VydGlmaWthc8SxIEhpem1ldGxl
+cmkxCzAJBgNVBAYTAlRSMV4wXAYDVQQKDFVUw5xSS1RSVVNUIEJpbGdpIMSwbGV0
+acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLiAo
+YykgS2FzxLFtICAyMDA1MB4XDTExMDgwODA3MDc1MVoXDTIxMDgwNTA3MDc1MVow
+gaMxCzAJBgNVBAYTAlRSMRAwDgYDVQQIEwdMZWZrb3NhMRAwDgYDVQQHEwdMZWZr
+b3NhMRwwGgYDVQQKExNLS1RDIE1lcmtleiBCYW5rYXNpMSYwJAYDVQQDEx1lLWlz
+bGVtLmtrdGNtZXJrZXpiYW5rYXNpLm9yZzEqMCgGCSqGSIb3DQEJARYbaWxldGlA
+a2t0Y21lcmtlemJhbmthc2kub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAw1hUpuRFY67NsZ6C9rzRAPCb9RVpi4nZzJIA1TvIfr4hMPM0X5jseMf5
+GvgJQ+cBMZtooDd7BbZNy2z7O5A+8PYFaMDdokCENx2ePIqAVuO6C5UAqM7J3n6R
+rhjOvqiw6dTQMbtXhjFao+YMuBVvRuuhGHBDK3Je64T/KLzcmAUlRJEuy+ZMe7Aa
+tUaSDr/jy5DMA5xEYOdsnS5Zo30lRG+9vqbxb8CQi+E97sNjY+W4lEgJKQWMNh5r
+Cxo4Hinkm3CKyKX3PAS+DDVI3LQiCiIQUOMA2+1P5aTPTkpqlbjqhbWTWAPWOKCF
+9d83p3RMXOYt5GahS8rg5u6+toEC1QIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAwjWz5tsUvYORVW8K
+JSK/biHFrAnFotMtoTKEewRmnYaYjwXIr1IPaBqhjkGGviLN2eOH/v97Uli6HC4l
+zhKHfMQUS9KF/f5nGcH8iQBy/gmFsfJQ1KDC6GNM4CfMGIzyxjYhP0VzdUtKX3PA
+l5EqgMUcdqRDy6Ruz55+JkdvCL1nAC7xH+czJcZVwysTdGfLTCh6VtYPgIkeL6U8
+3xQAyMuOHm72exJljYFqIsiNvGE0KufCqCuH1PD97IXMrLlwGmKKg5jP349lySBp
+Jjm6RDqCTT+6dUl2jkVbeNmco99Y7AOdtLsOdXBMCo5x8lK8zwQWFrzEms0joHXC
+pWfGWA==
+-----END CERTIFICATE-----
+diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
+new file mode 100644
+index 0000000..e9d048f
+--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
+@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFPTCCBCWgAwIBAgICCCcwDQYJKoZIhvcNAQEFBQAwgawxPTA7BgNVBAMMNFTD
+nFJLVFJVU1QgRWxla3Ryb25payBTdW51Y3UgU2VydGlmaWthc8SxIEhpem1ldGxl
+cmkxCzAJBgNVBAYTAlRSMV4wXAYDVQQKDFVUw5xSS1RSVVNUIEJpbGdpIMSwbGV0
+acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLiAo
+YykgS2FzxLFtICAyMDA1MB4XDTExMDgwODA3MDc1MVoXDTIxMDcwNjA3MDc1MVow
+bjELMAkGA1UEBhMCVFIxDzANBgNVBAgMBkFOS0FSQTEPMA0GA1UEBwwGQU5LQVJB
+MQwwCgYDVQQKDANFR08xGDAWBgNVBAsMD0VHTyBCSUxHSSBJU0xFTTEVMBMGA1UE
+AwwMKi5FR08uR09WLlRSMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+v5zoj2Bpdl7R1M/zF6Qf4su2F8vDqISKvuTuyJhNAHhFGHCsHjaixGMHspuz0l3V
+50kq/ECWbN8kKaeTrB112QOrWTU276iup1Gh+OlEOiR9vlQ4VAP00dWUjD6z9HQF
+Ci8W3EsEtiiHiYOU9BcPpPkaUbECwP4nGVwR8aPwhB5PGBJc98romdvciYkUpSOO
+wkuSRtooA7tRlLFu72QaNpXN1NueB36I3aajPk0YyiXy2w8XlgK7QI4PSSBnSq+Q
+blFocWVmLhF94je7py6lCnllrIFXpR3FWZLD5GcI6HKlBS78AQ+IMBLFHhsEVw5N
+Qj90chSZClfBWBZzIaV9RwIDAQABo4IBpDCCAaAwHwYDVR0jBBgwFoAUq042AzDS
+29UKaL6HpVBs/PZwpSUwHQYDVR0OBBYEFGT7G4Y9uEryRIL5Vj3qJsD047M0MA4G
+A1UdDwEB/wQEAwIBBjBFBgNVHSAEPjA8MDoGCWCGGAMAAwEBATAtMCsGCCsGAQUF
+BwIBFh9odHRwOi8vd3d3LnR1cmt0cnVzdC5jb20udHIvc3VlMA8GA1UdEwEB/wQF
+MAMBAf8wSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL3d3dy50dXJrdHJ1c3QuY29t
+LnRyL3NpbC9UVVJLVFJVU1RfU1NMX1NJTF9zMi5jcmwwgaoGCCsGAQUFBwEBBIGd
+MIGaMG4GCCsGAQUFBzAChmJodHRwOi8vd3d3LnR1cmt0cnVzdC5jb20udHIvc2Vy
+dGlmaWthbGFyL1RVUktUUlVTVF9FbGVrdHJvbmlrX1N1bnVjdV9TZXJ0aWZpa2Fz
+aV9IaXptZXRsZXJpX3MyLmNydDAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AudHVy
+a3RydXN0LmNvbS50cjANBgkqhkiG9w0BAQUFAAOCAQEAj89QCCyoW0S20EcYDZAn
+vFLFmougK97Bt68iV1OM622+Cyeyf4Sz+1LBk1f9ni3fGT0Q+RWZJYWq5YuSBiLV
+gk3NLcxnwe3wmnvErUgq1QDtAaNlBWMEMklOlWGfJ0eWaillUskJbDd4KwgZHDEj
+7g/jYEQqU1t0zoJdwM/zNsnLHkhwcWZ5PQnnbpff1Ct/1LH/8pdy2eRDmRmqniLU
+h8r2lZfJeudVZG6yIbxsqP3t2JCq5c2P1jDhAGF3g9DiskH0CzsRdbVpoWdr+PY1
+Xz/19G8XEpX9r+IBJhLdbkpVo0Qh0A10mzFP/GUk5f/8nho2HvLaVMhWv1qKcF8I
+hQ==
+-----END CERTIFICATE-----
+-- 
+1.7.1
diff --git a/meta/recipes-qt/qt4/qt4-4.8.4/0023-qtnetwork-blacklist-two-more-certificates.patch b/meta/recipes-qt/qt4/qt4-4.8.4/0023-qtnetwork-blacklist-two-more-certificates.patch
new file mode 100644
index 0000000000..54171f7647
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.4/0023-qtnetwork-blacklist-two-more-certificates.patch
@@ -0,0 +1,41 @@
+From 180bf94c241728dd6d6f100437914d3cb11cbc30 Mon Sep 17 00:00:00 2001
+From: Martin Petersson <Martin.Petersson@nokia.com>
+Date: Wed, 7 Mar 2012 12:05:59 +0100
+Subject: [PATCH] QtNetwork: blacklist two more certificates
+The comodogate 72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
+certificate is a test certificate and the MD5 Collisions was created
+as a proof of concept deliberately made to be expired at the time
+of it's creation.
+Task-number: QTBUG-24654
+(cherry picked from commit 4c0df9feb2b44d0c4fcaa5076f00aa08fbc1dda5)
+Signed-off-by: Peter Hartmann <phartmann@rim.com>
+Apparently this commit was forgotten to cherry-pick to Qt 4.
+Change-Id: I86949eaa3c02483b0b66b4a620bfa88aaa9aa99b
+Reviewed-by: Richard J. Moore <rich@kde.org>
+Upstream-Status: Accepted https://codereview.qt-project.org/#change,43992
+---
+ src/network/ssl/qsslcertificate.cpp |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
+index 37799d1..300a261 100644
+--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
+@@ -825,6 +825,8 @@ static const char *certificate_blacklist[] = {
+ 
+     "120001705", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust
+     "1276011370", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust
+    "72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0", "UTN-USERFirst-Hardware", // comodogate test certificate
+    "41",                                              "MD5 Collisions Inc. (http://www.phreedom.org/md5)", // http://www.phreedom.org/research/rogue-ca/
+ 
+     "2087",                                            "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate
+     "2148",                                            "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate
+-- 
+1.7.1
diff --git a/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb b/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb
index 187de7394f..5a3dc6537a 100644
--- a/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb
+++ b/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb
@@ -1,7 +1,7 @@
 require qt4-${PV}.inc
 require qt4-embedded.inc
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
 QT_CONFIG_FLAGS_append_armv6 = " -no-neon "
diff --git a/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb b/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb
index bedd201350..9b03ff2f57 100644
--- a/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb
+++ b/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb
@@ -1,7 +1,7 @@
 require qt4-x11-free.inc
 require qt4-${PV}.inc
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
 QT_CONFIG_FLAGS_append_armv6 = " -no-neon "
author	Eric Bénard <eric@eukrea.com>	2013-01-07 18:06:57 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-01-07 19:26:28 +0000
commit	a06958eefcfe4e5f5c8f0bbac24fd1b43821d0b0 (patch)
tree	4e4ff98f451cac426433d4579ae863e54fcebb32
parent	51ce14351d4a67a3c285be139a2c3af6610f2d70 (diff)
download	poky-a06958eefcfe4e5f5c8f0bbac24fd1b43821d0b0.tar.gz

diff --git a/meta/recipes-qt/qt4/qt4-4.8.4.inc b/meta/recipes-qt/qt4/qt4-4.8.4.inc index 08173a1d14..0bc106251e 100644 --- a/meta/recipes-qt/qt4/qt4-4.8.4.inc +++ b/meta/recipes-qt/qt4/qt4-4.8.4.inc
@@ -21,6 +21,8 @@ SRC_URI = "http://releases.qt-project.org/qt4/source/qt-everywhere-opensource-sr
21	file://0018-configure-make-pulseaudio-a-configurable-option.patch \	21	file://0018-configure-make-pulseaudio-a-configurable-option.patch \
22	file://0019-Fixes-for-gcc-4.7.0-particularly-on-qemux86.patch \	22	file://0019-Fixes-for-gcc-4.7.0-particularly-on-qemux86.patch \
23	file://0020-webkit-disable-the-fuse-ld-gold-flag.patch \	23	file://0020-webkit-disable-the-fuse-ld-gold-flag.patch \
		24	file://0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch \
		25	file://0023-qtnetwork-blacklist-two-more-certificates.patch \
24	file://g++.conf \	26	file://g++.conf \
25	file://linux.conf \	27	file://linux.conf \
26	"	28	"


diff --git a/meta/recipes-qt/qt4/qt4-4.8.4/0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch b/meta/recipes-qt/qt4/qt4-4.8.4/0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch new file mode 100644 index 0000000000..8caef97405 --- /dev/null +++ b/meta/recipes-qt/qt4/qt4-4.8.4/0022-ssl-certificates-blacklist-mis-issued-turktrust-certificates.patch
@@ -0,0 +1,108 @@
		1	From 451462b1e0304e0cb6c2872e4f5688bc2e556dca Mon Sep 17 00:00:00 2001
		2	From: Peter Hartmann <phartmann@rim.com>
		3	Date: Fri, 4 Jan 2013 11:06:14 +0100
		4	Subject: [PATCH] SSL certificates: blacklist mis-issued Turktrust certificates
		5
		6	Those certificates have erroneously set the CA attribute to true,
		7	meaning everybody in possesion of their keys can issue certificates on
		8	their own.
		9
		10	backport of bf5e7fb2652669599a508e049b46ebd5cd3206e5 from qtbase
		11
		12	Task-number: QTBUG-28937
		13	Change-Id: Iee57c6f983fee61c13c3b66ed874300ef8e80c23
		14	Reviewed-by: Richard J. Moore <rich@kde.org>
		15
		16	Upstream-Status: Accepted https://codereview.qt-project.org/#change,43968
		17	---
		18	src/network/ssl/qsslcertificate.cpp \| 3 ++
		19	...ted-turktrust-e-islem.kktcmerkezbankasi.org.pem \| 24 +++++++++++++++
		20	.../blacklisted-turktrust-ego.gov.tr.pem \| 31 ++++++++++++++++++++
		21	3 files changed, 58 insertions(+), 0 deletions(-)
		22	create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
		23	create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
		24
		25	diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
		26	index 038187f..37799d1 100644
		27	--- a/src/network/ssl/qsslcertificate.cpp
		28	+++ b/src/network/ssl/qsslcertificate.cpp
		29	@@ -825,6 +825,9 @@ static const char *certificate_blacklist[] = {
		30
		31	"120001705", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust
		32	"1276011370", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust
		33	+
		34	+ "2087", "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate
		35	+ "2148", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate
		36	0
		37	};
		38
		39	diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
		40	new file mode 100644
		41	index 0000000..33f2ef4
		42	--- /dev/null
		43	+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
		44	@@ -0,0 +1,24 @@
		45	+-----BEGIN CERTIFICATE-----
		46	+MIID8DCCAtigAwIBAgICCGQwDQYJKoZIhvcNAQEFBQAwgawxPTA7BgNVBAMMNFTD
		47	+nFJLVFJVU1QgRWxla3Ryb25payBTdW51Y3UgU2VydGlmaWthc8SxIEhpem1ldGxl
		48	+cmkxCzAJBgNVBAYTAlRSMV4wXAYDVQQKDFVUw5xSS1RSVVNUIEJpbGdpIMSwbGV0
		49	+acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLiAo
		50	+YykgS2FzxLFtICAyMDA1MB4XDTExMDgwODA3MDc1MVoXDTIxMDgwNTA3MDc1MVow
		51	+gaMxCzAJBgNVBAYTAlRSMRAwDgYDVQQIEwdMZWZrb3NhMRAwDgYDVQQHEwdMZWZr
		52	+b3NhMRwwGgYDVQQKExNLS1RDIE1lcmtleiBCYW5rYXNpMSYwJAYDVQQDEx1lLWlz
		53	+bGVtLmtrdGNtZXJrZXpiYW5rYXNpLm9yZzEqMCgGCSqGSIb3DQEJARYbaWxldGlA
		54	+a2t0Y21lcmtlemJhbmthc2kub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
		55	+CgKCAQEAw1hUpuRFY67NsZ6C9rzRAPCb9RVpi4nZzJIA1TvIfr4hMPM0X5jseMf5
		56	+GvgJQ+cBMZtooDd7BbZNy2z7O5A+8PYFaMDdokCENx2ePIqAVuO6C5UAqM7J3n6R
		57	+rhjOvqiw6dTQMbtXhjFao+YMuBVvRuuhGHBDK3Je64T/KLzcmAUlRJEuy+ZMe7Aa
		58	+tUaSDr/jy5DMA5xEYOdsnS5Zo30lRG+9vqbxb8CQi+E97sNjY+W4lEgJKQWMNh5r
		59	+Cxo4Hinkm3CKyKX3PAS+DDVI3LQiCiIQUOMA2+1P5aTPTkpqlbjqhbWTWAPWOKCF
		60	+9d83p3RMXOYt5GahS8rg5u6+toEC1QIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYw
		61	+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAwjWz5tsUvYORVW8K
		62	+JSK/biHFrAnFotMtoTKEewRmnYaYjwXIr1IPaBqhjkGGviLN2eOH/v97Uli6HC4l
		63	+zhKHfMQUS9KF/f5nGcH8iQBy/gmFsfJQ1KDC6GNM4CfMGIzyxjYhP0VzdUtKX3PA
		64	+l5EqgMUcdqRDy6Ruz55+JkdvCL1nAC7xH+czJcZVwysTdGfLTCh6VtYPgIkeL6U8
		65	+3xQAyMuOHm72exJljYFqIsiNvGE0KufCqCuH1PD97IXMrLlwGmKKg5jP349lySBp
		66	+Jjm6RDqCTT+6dUl2jkVbeNmco99Y7AOdtLsOdXBMCo5x8lK8zwQWFrzEms0joHXC
		67	+pWfGWA==
		68	+-----END CERTIFICATE-----
		69	diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
		70	new file mode 100644
		71	index 0000000..e9d048f
		72	--- /dev/null
		73	+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
		74	@@ -0,0 +1,31 @@
		75	+-----BEGIN CERTIFICATE-----
		76	+MIIFPTCCBCWgAwIBAgICCCcwDQYJKoZIhvcNAQEFBQAwgawxPTA7BgNVBAMMNFTD
		77	+nFJLVFJVU1QgRWxla3Ryb25payBTdW51Y3UgU2VydGlmaWthc8SxIEhpem1ldGxl
		78	+cmkxCzAJBgNVBAYTAlRSMV4wXAYDVQQKDFVUw5xSS1RSVVNUIEJpbGdpIMSwbGV0
		79	+acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLiAo
		80	+YykgS2FzxLFtICAyMDA1MB4XDTExMDgwODA3MDc1MVoXDTIxMDcwNjA3MDc1MVow
		81	+bjELMAkGA1UEBhMCVFIxDzANBgNVBAgMBkFOS0FSQTEPMA0GA1UEBwwGQU5LQVJB
		82	+MQwwCgYDVQQKDANFR08xGDAWBgNVBAsMD0VHTyBCSUxHSSBJU0xFTTEVMBMGA1UE
		83	+AwwMKi5FR08uR09WLlRSMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
		84	+v5zoj2Bpdl7R1M/zF6Qf4su2F8vDqISKvuTuyJhNAHhFGHCsHjaixGMHspuz0l3V
		85	+50kq/ECWbN8kKaeTrB112QOrWTU276iup1Gh+OlEOiR9vlQ4VAP00dWUjD6z9HQF
		86	+Ci8W3EsEtiiHiYOU9BcPpPkaUbECwP4nGVwR8aPwhB5PGBJc98romdvciYkUpSOO
		87	+wkuSRtooA7tRlLFu72QaNpXN1NueB36I3aajPk0YyiXy2w8XlgK7QI4PSSBnSq+Q
		88	+blFocWVmLhF94je7py6lCnllrIFXpR3FWZLD5GcI6HKlBS78AQ+IMBLFHhsEVw5N
		89	+Qj90chSZClfBWBZzIaV9RwIDAQABo4IBpDCCAaAwHwYDVR0jBBgwFoAUq042AzDS
		90	+29UKaL6HpVBs/PZwpSUwHQYDVR0OBBYEFGT7G4Y9uEryRIL5Vj3qJsD047M0MA4G
		91	+A1UdDwEB/wQEAwIBBjBFBgNVHSAEPjA8MDoGCWCGGAMAAwEBATAtMCsGCCsGAQUF
		92	+BwIBFh9odHRwOi8vd3d3LnR1cmt0cnVzdC5jb20udHIvc3VlMA8GA1UdEwEB/wQF
		93	+MAMBAf8wSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL3d3dy50dXJrdHJ1c3QuY29t
		94	+LnRyL3NpbC9UVVJLVFJVU1RfU1NMX1NJTF9zMi5jcmwwgaoGCCsGAQUFBwEBBIGd
		95	+MIGaMG4GCCsGAQUFBzAChmJodHRwOi8vd3d3LnR1cmt0cnVzdC5jb20udHIvc2Vy
		96	+dGlmaWthbGFyL1RVUktUUlVTVF9FbGVrdHJvbmlrX1N1bnVjdV9TZXJ0aWZpa2Fz
		97	+aV9IaXptZXRsZXJpX3MyLmNydDAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AudHVy
		98	+a3RydXN0LmNvbS50cjANBgkqhkiG9w0BAQUFAAOCAQEAj89QCCyoW0S20EcYDZAn
		99	+vFLFmougK97Bt68iV1OM622+Cyeyf4Sz+1LBk1f9ni3fGT0Q+RWZJYWq5YuSBiLV
		100	+gk3NLcxnwe3wmnvErUgq1QDtAaNlBWMEMklOlWGfJ0eWaillUskJbDd4KwgZHDEj
		101	+7g/jYEQqU1t0zoJdwM/zNsnLHkhwcWZ5PQnnbpff1Ct/1LH/8pdy2eRDmRmqniLU
		102	+h8r2lZfJeudVZG6yIbxsqP3t2JCq5c2P1jDhAGF3g9DiskH0CzsRdbVpoWdr+PY1
		103	+Xz/19G8XEpX9r+IBJhLdbkpVo0Qh0A10mzFP/GUk5f/8nho2HvLaVMhWv1qKcF8I
		104	+hQ==
		105	+-----END CERTIFICATE-----
		106	--
		107	1.7.1
		108


diff --git a/meta/recipes-qt/qt4/qt4-4.8.4/0023-qtnetwork-blacklist-two-more-certificates.patch b/meta/recipes-qt/qt4/qt4-4.8.4/0023-qtnetwork-blacklist-two-more-certificates.patch new file mode 100644 index 0000000000..54171f7647 --- /dev/null +++ b/meta/recipes-qt/qt4/qt4-4.8.4/0023-qtnetwork-blacklist-two-more-certificates.patch
@@ -0,0 +1,41 @@
		1	From 180bf94c241728dd6d6f100437914d3cb11cbc30 Mon Sep 17 00:00:00 2001
		2	From: Martin Petersson <Martin.Petersson@nokia.com>
		3	Date: Wed, 7 Mar 2012 12:05:59 +0100
		4	Subject: [PATCH] QtNetwork: blacklist two more certificates
		5
		6	The comodogate 72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
		7	certificate is a test certificate and the MD5 Collisions was created
		8	as a proof of concept deliberately made to be expired at the time
		9	of it's creation.
		10
		11	Task-number: QTBUG-24654
		12	(cherry picked from commit 4c0df9feb2b44d0c4fcaa5076f00aa08fbc1dda5)
		13
		14	Signed-off-by: Peter Hartmann <phartmann@rim.com>
		15
		16	Apparently this commit was forgotten to cherry-pick to Qt 4.
		17
		18	Change-Id: I86949eaa3c02483b0b66b4a620bfa88aaa9aa99b
		19	Reviewed-by: Richard J. Moore <rich@kde.org>
		20
		21	Upstream-Status: Accepted https://codereview.qt-project.org/#change,43992
		22	---
		23	src/network/ssl/qsslcertificate.cpp \| 2 ++
		24	1 files changed, 2 insertions(+), 0 deletions(-)
		25
		26	diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
		27	index 37799d1..300a261 100644
		28	--- a/src/network/ssl/qsslcertificate.cpp
		29	+++ b/src/network/ssl/qsslcertificate.cpp
		30	@@ -825,6 +825,8 @@ static const char *certificate_blacklist[] = {
		31
		32	"120001705", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust
		33	"1276011370", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust
		34	+ "72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0", "UTN-USERFirst-Hardware", // comodogate test certificate
		35	+ "41", "MD5 Collisions Inc. (http://www.phreedom.org/md5)", // http://www.phreedom.org/research/rogue-ca/
		36
		37	"2087", "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate
		38	"2148", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate
		39	--
		40	1.7.1
		41


diff --git a/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb b/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb index 187de7394f..5a3dc6537a 100644 --- a/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb +++ b/meta/recipes-qt/qt4/qt4-embedded_4.8.4.bb
@@ -1,7 +1,7 @@
1	require qt4-${PV}.inc	1	require qt4-${PV}.inc
2	require qt4-embedded.inc	2	require qt4-embedded.inc
3		3
4	PR = "${INC_PR}.0"	4	PR = "${INC_PR}.1"
5		5
6	QT_CONFIG_FLAGS_append_armv6 = " -no-neon "	6	QT_CONFIG_FLAGS_append_armv6 = " -no-neon "
7		7


diff --git a/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb b/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb index bedd201350..9b03ff2f57 100644 --- a/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb +++ b/meta/recipes-qt/qt4/qt4-x11-free_4.8.4.bb
@@ -1,7 +1,7 @@
1	require qt4-x11-free.inc	1	require qt4-x11-free.inc
2	require qt4-${PV}.inc	2	require qt4-${PV}.inc
3		3
4	PR = "${INC_PR}.0"	4	PR = "${INC_PR}.1"
5		5
6	QT_CONFIG_FLAGS_append_armv6 = " -no-neon "	6	QT_CONFIG_FLAGS_append_armv6 = " -no-neon "
7		7