blacklist unauthorized SSL certificates by Türktrust
parent
b21e1f5472
commit
7ee6d03861
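--- /dev/null
+++ b/0080-SSL-certificates-blacklist-mis-issued-Turktrust-cert.patch
@@ -0,0 +1,107 @@
+From 451462b1e0304e0cb6c2872e4f5688bc2e556dca Mon Sep 17 00:00:00 2001
+From: Peter Hartmann <phartmann@rim.com>
+Date: Fri, 4 Jan 2013 11:06:14 +0100
+Subject: [PATCH 80/90] SSL certificates: blacklist mis-issued Turktrust
+certificates
+
+Those certificates have erroneously set the CA attribute to true,
+meaning everybody in possesion of their keys can issue certificates on
+their own.
+
+backport of bf5e7fb2652669599a508e049b46ebd5cd3206e5 from qtbase
+
+Task-number: QTBUG-28937
+Change-Id: Iee57c6f983fee61c13c3b66ed874300ef8e80c23
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+src/network/ssl/qsslcertificate.cpp | 3 +++
+...ted-turktrust-e-islem.kktcmerkezbankasi.org.pem | 24 +++++++++++++++++
+.../blacklisted-turktrust-ego.gov.tr.pem | 31 ++++++++++++++++++++++
+3 files changed, 58 insertions(+)
+create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
+create mode 100644 tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
+
+diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
+index 038187f..37799d1 100644
+--- a/src/network/ssl/qsslcertificate.cpp
++++ b/src/network/ssl/qsslcertificate.cpp
+@@ -825,6 +825,9 @@ static const char *certificate_blacklist[] = {
+
+"120001705", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust
+"1276011370", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust
++
++ "2087", "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate
++ "2148", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate
+0
+};
+
+diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
+new file mode 100644
+index 0000000..33f2ef4
+--- /dev/null
++++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-e-islem.kktcmerkezbankasi.org.pem
+@@ -0,0 +1,24 @@
++-----BEGIN CERTIFICATE-----
++MIID8DCCAtigAwIBAgICCGQwDQYJKoZIhvcNAQEFBQAwgawxPTA7BgNVBAMMNFTD
++nFJLVFJVU1QgRWxla3Ryb25payBTdW51Y3UgU2VydGlmaWthc8SxIEhpem1ldGxl
++cmkxCzAJBgNVBAYTAlRSMV4wXAYDVQQKDFVUw5xSS1RSVVNUIEJpbGdpIMSwbGV0
++acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLiAo
++YykgS2FzxLFtICAyMDA1MB4XDTExMDgwODA3MDc1MVoXDTIxMDgwNTA3MDc1MVow
++gaMxCzAJBgNVBAYTAlRSMRAwDgYDVQQIEwdMZWZrb3NhMRAwDgYDVQQHEwdMZWZr
++b3NhMRwwGgYDVQQKExNLS1RDIE1lcmtleiBCYW5rYXNpMSYwJAYDVQQDEx1lLWlz
++bGVtLmtrdGNtZXJrZXpiYW5rYXNpLm9yZzEqMCgGCSqGSIb3DQEJARYbaWxldGlA
++a2t0Y21lcmtlemJhbmthc2kub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
++CgKCAQEAw1hUpuRFY67NsZ6C9rzRAPCb9RVpi4nZzJIA1TvIfr4hMPM0X5jseMf5
++GvgJQ+cBMZtooDd7BbZNy2z7O5A+8PYFaMDdokCENx2ePIqAVuO6C5UAqM7J3n6R
++rhjOvqiw6dTQMbtXhjFao+YMuBVvRuuhGHBDK3Je64T/KLzcmAUlRJEuy+ZMe7Aa
++tUaSDr/jy5DMA5xEYOdsnS5Zo30lRG+9vqbxb8CQi+E97sNjY+W4lEgJKQWMNh5r
++Cxo4Hinkm3CKyKX3PAS+DDVI3LQiCiIQUOMA2+1P5aTPTkpqlbjqhbWTWAPWOKCF
++9d83p3RMXOYt5GahS8rg5u6+toEC1QIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYw
++DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAwjWz5tsUvYORVW8K
++JSK/biHFrAnFotMtoTKEewRmnYaYjwXIr1IPaBqhjkGGviLN2eOH/v97Uli6HC4l
++zhKHfMQUS9KF/f5nGcH8iQBy/gmFsfJQ1KDC6GNM4CfMGIzyxjYhP0VzdUtKX3PA
++l5EqgMUcdqRDy6Ruz55+JkdvCL1nAC7xH+czJcZVwysTdGfLTCh6VtYPgIkeL6U8
++3xQAyMuOHm72exJljYFqIsiNvGE0KufCqCuH1PD97IXMrLlwGmKKg5jP349lySBp
++Jjm6RDqCTT+6dUl2jkVbeNmco99Y7AOdtLsOdXBMCo5x8lK8zwQWFrzEms0joHXC
++pWfGWA==
++-----END CERTIFICATE-----
+diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
+new file mode 100644
+index 0000000..e9d048f
+--- /dev/null
++++ b/tests/auto/qsslcertificate/more-certificates/blacklisted-turktrust-ego.gov.tr.pem
+@@ -0,0 +1,31 @@
++-----BEGIN CERTIFICATE-----
++MIIFPTCCBCWgAwIBAgICCCcwDQYJKoZIhvcNAQEFBQAwgawxPTA7BgNVBAMMNFTD
++nFJLVFJVU1QgRWxla3Ryb25payBTdW51Y3UgU2VydGlmaWthc8SxIEhpem1ldGxl
++cmkxCzAJBgNVBAYTAlRSMV4wXAYDVQQKDFVUw5xSS1RSVVNUIEJpbGdpIMSwbGV0
++acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLiAo
++YykgS2FzxLFtICAyMDA1MB4XDTExMDgwODA3MDc1MVoXDTIxMDcwNjA3MDc1MVow
++bjELMAkGA1UEBhMCVFIxDzANBgNVBAgMBkFOS0FSQTEPMA0GA1UEBwwGQU5LQVJB
++MQwwCgYDVQQKDANFR08xGDAWBgNVBAsMD0VHTyBCSUxHSSBJU0xFTTEVMBMGA1UE
++AwwMKi5FR08uR09WLlRSMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
++v5zoj2Bpdl7R1M/zF6Qf4su2F8vDqISKvuTuyJhNAHhFGHCsHjaixGMHspuz0l3V
++50kq/ECWbN8kKaeTrB112QOrWTU276iup1Gh+OlEOiR9vlQ4VAP00dWUjD6z9HQF
++Ci8W3EsEtiiHiYOU9BcPpPkaUbECwP4nGVwR8aPwhB5PGBJc98romdvciYkUpSOO
++wkuSRtooA7tRlLFu72QaNpXN1NueB36I3aajPk0YyiXy2w8XlgK7QI4PSSBnSq+Q
++blFocWVmLhF94je7py6lCnllrIFXpR3FWZLD5GcI6HKlBS78AQ+IMBLFHhsEVw5N
++Qj90chSZClfBWBZzIaV9RwIDAQABo4IBpDCCAaAwHwYDVR0jBBgwFoAUq042AzDS
++29UKaL6HpVBs/PZwpSUwHQYDVR0OBBYEFGT7G4Y9uEryRIL5Vj3qJsD047M0MA4G
++A1UdDwEB/wQEAwIBBjBFBgNVHSAEPjA8MDoGCWCGGAMAAwEBATAtMCsGCCsGAQUF
++BwIBFh9odHRwOi8vd3d3LnR1cmt0cnVzdC5jb20udHIvc3VlMA8GA1UdEwEB/wQF
++MAMBAf8wSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL3d3dy50dXJrdHJ1c3QuY29t
++LnRyL3NpbC9UVVJLVFJVU1RfU1NMX1NJTF9zMi5jcmwwgaoGCCsGAQUFBwEBBIGd
++MIGaMG4GCCsGAQUFBzAChmJodHRwOi8vd3d3LnR1cmt0cnVzdC5jb20udHIvc2Vy
++dGlmaWthbGFyL1RVUktUUlVTVF9FbGVrdHJvbmlrX1N1bnVjdV9TZXJ0aWZpa2Fz
++aV9IaXptZXRsZXJpX3MyLmNydDAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AudHVy
++a3RydXN0LmNvbS50cjANBgkqhkiG9w0BAQUFAAOCAQEAj89QCCyoW0S20EcYDZAn
++vFLFmougK97Bt68iV1OM622+Cyeyf4Sz+1LBk1f9ni3fGT0Q+RWZJYWq5YuSBiLV
++gk3NLcxnwe3wmnvErUgq1QDtAaNlBWMEMklOlWGfJ0eWaillUskJbDd4KwgZHDEj
++7g/jYEQqU1t0zoJdwM/zNsnLHkhwcWZ5PQnnbpff1Ct/1LH/8pdy2eRDmRmqniLU
++h8r2lZfJeudVZG6yIbxsqP3t2JCq5c2P1jDhAGF3g9DiskH0CzsRdbVpoWdr+PY1
++Xz/19G8XEpX9r+IBJhLdbkpVo0Qh0A10mzFP/GUk5f/8nho2HvLaVMhWv1qKcF8I
++hQ==
++-----END CERTIFICATE-----
+--
+1.8.1
+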
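Review bot: The two added rows `"2087", "*.EGO.GOV.TR"` and `"2148", "e-islem.kktcmerkezbankasi.org"` key the blacklist on serial number plus subject CN alone, so they reject the mis-issued Turktrust intermediates themselves; a leaf certificate signed by one of those intermediates is only caught if the lookup is run over every certificate in the presented chain, which is outside this hunk and worth confirming before treating the table change as the whole mitigation. Because no issuer is recorded, any certificate carrying that serial and CN would match regardless of who signed it — an acceptable false-positive trade-off for a blacklist, but the row comments should say so, e.g. `// Turktrust mis-issued intermediate (CA:TRUE); matched on serial + subject CN, QTBUG-28937`. The decimal serials do appear to correspond to the 0x0827 and 0x0864 serials encoded in the two fixtures. The fixtures are added with no change to the test source, so they only exercise isBlacklisted() if the existing test already globs blacklisted-*.pem under more-certificates/, which the naming suggests but the diffstat cannot confirm.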
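--- /dev/null
+++ b/0090-QtNetwork-blacklist-two-more-certificates.patch
@@ -0,0 +1,39 @@
+From 180bf94c241728dd6d6f100437914d3cb11cbc30 Mon Sep 17 00:00:00 2001
+From: Martin Petersson <Martin.Petersson@nokia.com>
+Date: Wed, 7 Mar 2012 12:05:59 +0100
+Subject: [PATCH 90/90] QtNetwork: blacklist two more certificates
+
+The comodogate 72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
+certificate is a test certificate and the MD5 Collisions was created
+as a proof of concept deliberately made to be expired at the time
+of it's creation.
+
+Task-number: QTBUG-24654
+(cherry picked from commit 4c0df9feb2b44d0c4fcaa5076f00aa08fbc1dda5)
+
+Signed-off-by: Peter Hartmann <phartmann@rim.com>
+
+Apparently this commit was forgotten to cherry-pick to Qt 4.
+
+Change-Id: I86949eaa3c02483b0b66b4a620bfa88aaa9aa99b
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+src/network/ssl/qsslcertificate.cpp | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
+index 37799d1..300a261 100644
+--- a/src/network/ssl/qsslcertificate.cpp
++++ b/src/network/ssl/qsslcertificate.cpp
+@@ -825,6 +825,8 @@ static const char *certificate_blacklist[] = {
+
+"120001705", "Digisign Server ID (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Verizon CyberTrust
+"1276011370", "Digisign Server ID - (Enrich)", // (Malaysian) Digicert Sdn. Bhd. cross-signed by Entrust
++ "72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0", "UTN-USERFirst-Hardware", // comodogate test certificate
++ "41", "MD5 Collisions Inc. (http://www.phreedom.org/md5)", // http://www.phreedom.org/research/rogue-ca/
+
+"2087", "*.EGO.GOV.TR", // Turktrust mis-issued intermediate certificate
+"2148", "e-islem.kktcmerkezbankasi.org", // Turktrust mis-issued intermediate certificate
+--
+1.8.1
+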
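Review bot: The added `"72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0"` row spells its serial as colon-separated hex while every other row in the table, including the `"41"` row added beside it, uses a decimal string; whether a row matches depends on the exact text QSslCertificate::serialNumber() produces for that certificate, which this hunk does not show, so the mixed forms read as a possible typo even if they are intentional. A comment at the head of the table stating the rule — presumably decimal for serials that fit a native integer and colon-separated hex otherwise, to be confirmed against serialNumber() — would let a reviewer check future rows without reading the accessor. The `index 37799d1..300a261` header makes this patch depend on 0080 being applied first, so the spec must keep %patch190 after %patch180 whenever the series is reordered.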
24
qt.spec
24
qt.spec
|
@ -16,7 +16,7 @@ Summary: Qt toolkit
|
|||
Name: qt
|
||||
Epoch: 1
|
||||
Version: 4.8.4
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
||||
|
@ -116,15 +116,19 @@ Patch83: qt-4.8-poll.patch
|
|||
# upstream patches
|
||||
# http://codereview.qt-project.org/#change,22006
|
||||
Patch100: qt-everywhere-opensource-src-4.8.1-qtgahandle.patch
|
||||
# QSslSocket may report incorrect errors when certificate verification fails
|
||||
# https://codereview.qt-project.org/#change,42461
|
||||
Patch101: 0054-Fix-binary-incompatibility-between-openssl-versions.patch
|
||||
# backported from Qt5 (essentially)
|
||||
# http://bugzilla.redhat.com/702493
|
||||
# https://bugreports.qt-project.org/browse/QTBUG-5545
|
||||
Patch102: qt-everywhere-opensource-src-4.8.4-qgtkstyle_disable_gtk_theme_check.patch
|
||||
# workaround for a MOC issue with Boost 1.48 headers (#756395)
|
||||
Patch103: 0013-Fix-moc-from-choking-on-boost-headers.patch
|
||||
Patch113: 0013-Fix-moc-from-choking-on-boost-headers.patch
|
||||
# QSslSocket may report incorrect errors when certificate verification fails
|
||||
# https://codereview.qt-project.org/#change,42461
|
||||
Patch154: 0054-Fix-binary-incompatibility-between-openssl-versions.patch
|
||||
# http://lists.qt-project.org/pipermail/announce/2013-January/000021.html
|
||||
Patch180: 0080-SSL-certificates-blacklist-mis-issued-Turktrust-cert.patch
|
||||
# another set similar to 0080
|
||||
Patch190: 0090-QtNetwork-blacklist-two-more-certificates.patch
|
||||
|
||||
# security patches
|
||||
# CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code
|
||||
|
@ -468,10 +472,11 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
|
|||
|
||||
# upstream patches
|
||||
%patch100 -p1 -b .QTgaHandler
|
||||
%patch101 -p1 -b .0054
|
||||
%patch102 -p1 -b .qgtkstyle_disable_gtk_theme_check
|
||||
%patch103 -p1 -b .moc-boost148
|
||||
|
||||
%patch113 -p1 -b .moc-boost148
|
||||
%patch154 -p1 -b .0054
|
||||
%patch180 -p1 -b .0080
|
||||
%patch190 -p1 -b .0090
|
||||
|
||||
# security fixes
|
||||
%patch200 -p1 -b .CVE-2011-3922
|
||||
|
@ -1114,6 +1119,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Jan 07 2013 Rex Dieter <rdieter@fedoraproject.org> 4.8.4-6
|
||||
- blacklist unauthorized SSL certificates by Türktrust
|
||||
|
||||
* Fri Jan 04 2013 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.4-5
|
||||
- QGtkStyle was unable to detect the current GTK+ theme (#702493, QTBUG-5545))
|
||||
|
||||
|
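Review bot: The new changelog entry is versioned `4.8.4-6` while the entry directly below it uses the epoch-qualified `1:4.8.4-5` and the spec declares `Epoch: 1`; the line should read `* Mon Jan 07 2013 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.4-6` so tools that check the changelog against the package EVR stay consistent. The two certificate-blacklist patches are filed under `# upstream patches` with only a pointer to the Qt announcement, whereas the `# security patches` group records CVE ids in both the comment and the `-b` backup suffix; if a Bugzilla or CVE reference exists for the Turktrust mis-issuance, recording it beside Patch180 would make the security fix easier to audit later. The renumbering of Patch101 to Patch154 and Patch103 to Patch113 keeps the same `-b` suffixes, and %patch190 is applied after %patch180, which matches the second patch's dependency on the first.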