Merge branch '4.7' of scm.dev.nokia.troll.no:qt/oslo-staging-1 into 4.7-integration

* '4.7' of scm.dev.nokia.troll.no:qt/oslo-staging-1:
  QSslSocket: add test for blacklisted certificates
  QSslSocket internals: abort on encountering blacklisted certificates
  QSslCertificate: fix test for blacklisted certs on Windows
  QSslCertificate: report fraudulent certificates as invalid
  FTP: Only read as much as the buffer size the user provided

17 files changed, 296 insertions, 9 deletions

diff --git a/src/network/access/qftp.cpp b/src/network/access/qftp.cpp
index ccc20e6..69e59d1 100644
--- a/src/network/access/qftp.cpp
+++ b/src/network/access/qftp.cpp
@@ -363,9 +363,9 @@ qint64 QFtpDTP::read(char *data, qint64 maxlen)
     if (socket && socket->state() == QTcpSocket::ConnectedState) {
         read = socket->read(data, maxlen);
     } else {
-        read = bytesFromSocket.size();
+        read = qMin(maxlen, qint64(bytesFromSocket.size()));
         memcpy(data, bytesFromSocket.data(), read);
-        bytesFromSocket.clear();
+        bytesFromSocket.remove(0, read);
     }
 
     bytesDone += read;
diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 618ac79..a5cdf01 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
     Returns true if this certificate is valid; otherwise returns
     false.
 
-    Note: Currently, this function only checks that the current
+    Note: Currently, this function checks that the current
     data-time is within the date-time range during which the
-    certificate is considered valid. No other checks are
-    currently performed.
+    certificate is considered valid, and checks that the
+    certificate is not in a blacklist of fraudulent certificates.
 
     \sa isNull()
 */
 bool QSslCertificate::isValid() const
 {
     const QDateTime currentTime = QDateTime::currentDateTime();
-    return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
+    return currentTime >= d->notValidBefore &&
+            currentTime <= d->notValidAfter &&
+            ! QSslCertificatePrivate::isBlacklisted(*this);
 }
 
 /*!
@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
     return certificates;
 }
 
+// These certificates are known to be fraudulent and were created during the comodo
+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
+static const char *certificate_blacklist[] = {
+    "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
+    "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
+    "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
+    "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
+    "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
+    "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
+    "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
+    "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
+    "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
+    0
+};
+
+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
+{
+    for (int a = 0; certificate_blacklist[a] != 0; a++) {
+        if (certificate.serialNumber() == certificate_blacklist[a])
+            return true;
+    }
+    return false;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
 {
diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
index cdceb0f..1ce33d3 100644
--- a/src/network/ssl/qsslcertificate_p.h
+++ b/src/network/ssl/qsslcertificate_p.h
@@ -96,6 +96,7 @@ public:
     static QSslCertificate QSslCertificate_from_X509(X509 *x509);
     static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
     static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
+    static bool isBlacklisted(const QSslCertificate &certificate);
 
     friend class QSslSocketBackendPrivate;
 
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 0866534..2427193 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
     X509 *x509 = q_SSL_get_peer_certificate(ssl);
     configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
     q_X509_free(x509);
+    if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
+        q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
+        q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
+        emit q->error(QAbstractSocket::SslHandshakeFailedError);
+        plainSocket->disconnectFromHost();
+        return false;
+    }
 
     // Start translating errors.
     QList<QSslError> errors;
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted1.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted1.pem
new file mode 100644
index 0000000..3945aea
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted1.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAnigAwIBAgIQBH7L6fylX3vQnq424QyuHjANBgkqhkiG9w0BAQUFADBf
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9tYWlsLmdvb2dsZS5jb20w
+HhcNMTEwMzI0MTMwNjI1WhcNMTEwNDIzMTMwNjI1WjBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAOeAGV2FbGnT4rLjTvCNEEDjj0/iIUATa6RT8WKF2PVaOzbE
+oceiODx6hTStvBnCgs+h/d3eVKgp+uAyBde5sW/HlOwHrNgKF3ZDvxegzIOEHaVI
+ndNtBpFS3UyOEkO0NxfioBatNRYpeTRU/DVmazu3yvzgrV1V2mDsrNngVWxJAgMB
+AAGjgcswgcgwHQYDVR0OBBYEFHcF1eqRpm7B78aY8ZjseN6zSYbvMIGYBgNVHSME
+gZAwgY2AFHcF1eqRpm7B78aY8ZjseN6zSYbvoWOkYTBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9tYWlsLmdvb2dsZS5jb22CEAR+y+n8pV970J6uNuEM
+rh4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBEb1iF+EbhAJli5Sj2
++iEdJ5xMP8R6FtgqAYknqXD8+tyEyXxJXdN186qdAWuTD9N22AUqi61BPWxUkufW
+xH8FYMEHdFCkitvYE0321+GT5pJz6ON/d5Co+wusumt7T5oSjzj8Ax9V+nmo3Nkb
+dSANM4/Lnc6moijcpJZq+GC1ng==
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted2.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted2.pem
new file mode 100644
index 0000000..4b8d059
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAnegAwIBAgIRAPXIavNhYvE6ZPVPbclYfAYwDQYJKoZIhvcNAQEFBQAw
+XjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5jb20w
+HhcNMTEwMzI0MTMwNzExWhcNMTEwNDIzMTMwNzExWjBeMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDEw53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAy1fNDFl65Njfcd1EUJeaxvyiKln+JKlqUmk1x4mrE1BQoa0C
+QZaiXAF21rDhivWejZWBiEQ4IWbg3b12ANY74G1KqAfLC4BNKS9UP94hy18vezRA
+pFc+m/HAClwc8AdACpl8eZpQW8cMgdvnMBMZTrQkgV0JYykX+uDD9Tb+QNUCAwEA
+AaOByzCByDAdBgNVHQ4EFgQUSelG6IVRj2ZQbp049zkQ0X/Po9wwgZgGA1UdIwSB
+kDCBjYAUSelG6IVRj2ZQbp049zkQ0X/Po9yhYqRgMF4xCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tghEA9chq82Fi8Tpk9U9tyVh8
+BjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALQyDC/AMQMNj2fa6E8L
+umILCklWJwG1K1p/1bUAgm0CB8zm94n1xrh/ZK4+HS+k2a9OQmvLRbFyJn8Wua8p
+3UU0267UNkCanA1FKHuO3Mo18wLvjMLWjjCQ4g1C9IvJx6P+8EFDQFG+MJBV/w2k
+gJXXVl3q1T1dvahIgfav9QBL
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted3.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted3.pem
new file mode 100644
index 0000000..e47ece6
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted3.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAnqgAwIBAgIRANdVj9r18RBbshMoK3B3KaMwDQYJKoZIhvcNAQEFBQAw
+XzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4ueWFob28uY29t
+MB4XDTExMDMyNDEzMDg0MloXDTExMDQyMzEzMDg0MlowXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4ueWFob28uY29tMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCosFLKRvGtxjvdAjWdEAHYycFTa4VtdpXmCNhNHf2xbeLn
+xzde10KjEe44pQxNI+UUD1rJkyuH6wUfloyefn0D2Mu+MvusmvOEzFosa4EDbK9s
+BAAlsSiyJgrp/GgbEPq/XOl4XJRBIVP1WC6LllduNbskFCipDqS+HQwifXmmwQID
+AQABo4HMMIHJMB0GA1UdDgQWBBSEgWnsoYtd5GEx/MGJvKxuIuROJzCBmQYDVR0j
+BIGRMIGOgBSEgWnsoYtd5GEx/MGJvKxuIuROJ6FjpGEwXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4ueWFob28uY29tghEA11WP2vXxEFuyEygr
+cHcpozAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAKNpIrzTOxIykKZt
+EE6HU2nW1lrWUkIMjwjL8ntw7QI4JLMDN1ADVIxWaGTeQ+U/eXFou6dDNAYVAijK
+ONDXgOItxW2YvSw0wOZsZj6INX2x88/0yRH+19TqaL/r+Y1D1h/0zefkHgfXufnY
+Ex7BHju/rGBTp6R1mr+Tlh1tewva
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted4.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted4.pem
new file mode 100644
index 0000000..64c7d41
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted4.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAnigAwIBAgIQOSpDTw4H3x+KowXeNODCKTANBgkqhkiG9w0BAQUFADBf
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20w
+HhcNMTEwMzI0MTMwOTE1WhcNMTEwNDIzMTMwOTE1WjBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20wgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANO2gz9x2H92xz5OvZSEul9gHxqqd+kdjeoS2exyvjC9wzqb
+gYXqNmAsbtNp4WmieEQFd0riCAEkIAn8JpHTCsMHN4rHhS+W+4D5a/drI2jfnZEF
+orNYJG1PHSQV/rvh6d7wkVdT+0SYOjrFTAA2biGWaK3W9ztf2yX577w+uQtBAgMB
+AAGjgcswgcgwHQYDVR0OBBYEFJjDp8Prs7oReRmskIeFixp0vDkGMIGYBgNVHSME
+gZAwgY2AFJjDp8Prs7oReRmskIeFixp0vDkGoWOkYTBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb22CEDkqQ08OB98fiqMF3jTg
+wikwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAZyo0Q3leeM1+lxeCd
+Wp0ZYHMSW11ANc6nuMWOmJC+nIQGlyGiP3IqeUvIfekwboV638bahVPwcl2HYWsS
+/l01Bgyd25Zn6VTQBfMK01dILyxscjVwdHuojzYBN05sl+qkVoqQr5EroQQbgDc9
+6I88p6Kjajv3IusCwfK6wlqISw==
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted5.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted5.pem
new file mode 100644
index 0000000..c7ddbf2
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted5.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAnigAwIBAgIQPnXO1GtpMCEhiDCuhqgqcTANBgkqhkiG9w0BAQUFADBf
+MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20w
+HhcNMTEwMzI0MTMwOTQ4WhcNMTEwNDIzMTMwOTQ4WjBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20wgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALkiHG9TgTw/00CMW8D23NBDAa3331AL5kTkAaXbAWg2R/1o
+yKQfXq3hgHbyWGPccUT+tU6FmaBf3bIndLK7iGx81RGzGgXeoQ5mpgnJ50iCeW73
+G99VlVwutPia7d9qqui84YdcG9t+P2Fuxv+xRqAB6lKOaa4qTPIbH50PgwOvAgMB
+AAGjgcswgcgwHQYDVR0OBBYEFBWJrs8bnZ5fikfaLbTxK0ssj69MMIGYBgNVHSME
+gZAwgY2AFBWJrs8bnZ5fikfaLbTxK0ssj69MoWOkYTBfMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb22CED51ztRraTAhIYgwroao
+KnEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCIfqqs1a7RzdmV8U00
+v/xAsxscKvQvmu6BK+HwvY5iL2pSwXTYgRLJLoj5QGOd3mmgOFsyW3BPSCP1+fVE
+M1ROhU2u8wHub+hGGds18Fx6F4yZjdh8pNUoOUR9A0Ym+VDJr2p50oUNTTy0RbH8
+9ns/gbemx84cjF9DD2G5stQhYg==
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted6.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted6.pem
new file mode 100644
index 0000000..bc2be2a
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted6.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAnqgAwIBAgIRAOkCi5V45BXcGnEKK4gVREcwDQYJKoZIhvcNAQEFBQAw
+XzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4uc2t5cGUuY29t
+MB4XDTExMDMyNDEzMTAxNloXDTExMDQyMzEzMTAxNlowXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4uc2t5cGUuY29tMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDFq06qqRl86pP7GRX3m7FMMSaSU6zlNGAo+WPoRfYAzB6x
+5KpvlfxMCo3T/nWtInX3Bw9TBWCZSweQ2GEjggO0irjw5UX3MiToLxK+rwzWztm9
+H3LBxTWR0cOOa78kRFvNQ1onvNHbs8fJzXjG7b2IJDOIwG1HAT1LK80oPXZc1wID
+AQABo4HMMIHJMB0GA1UdDgQWBBTiGNxw0ImW/wfW0mD3eA65PY5CAzCBmQYDVR0j
+BIGRMIGOgBTiGNxw0ImW/wfW0mD3eA65PY5CA6FjpGEwXzELMAkGA1UEBhMCQVUx
+EzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEYMBYGA1UEAxMPbG9naW4uc2t5cGUuY29tghEA6QKLlXjkFdwacQor
+iBVERzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHdb1QY/oxuro/4x
+GX9jbm930ysoeXkWZSKVtVxoxrPIferu8jVpb1SLRjGcMnmjJoNWNFpvnbZgoYei
+f3wdSWun7ndyQBh61k8eM7UABDOUXUHOsHuHj7s1koMKtet4gykmMfd6VxBkwBvN
+ZXOll4X+TKe8nrxbnGUByIwQaRM+
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted7.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted7.pem
new file mode 100644
index 0000000..19d4353
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted7.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGjCCAoOgAwIBAgIRAJI51TSPQNFpWnRUcOHyP0MwDQYJKoZIhvcNAQEFBQAw
+YjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEbMBkGA1UEAxMSYWRkb25zLm1vemlsbGEu
+b3JnMB4XDTExMDMyNDEzMTA0NFoXDTExMDQyMzEzMTA0NFowYjELMAkGA1UEBhMC
+QVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDEbMBkGA1UEAxMSYWRkb25zLm1vemlsbGEub3JnMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC1lsoAcZTwF8Pf0E9do5avLdobB/O7EhhrCMs2
+/EMO07aIlrLwl3UP/Fmu/cAkKuX8Mx+Eif9x+XT3ZqGKGYKiqPTJcNfeZvgwbn0j
+wXDtEo4DuURrwtBU9okS+v4dF6F4RtHQKAGcsXoOjhR7ah71kve+PG2GG0sJ167V
+klK1xwIDAQABo4HPMIHMMB0GA1UdDgQWBBRgGDJ4Qp0WFyLIzm4Nz5wgqDSSxjCB
+nAYDVR0jBIGUMIGRgBRgGDJ4Qp0WFyLIzm4Nz5wgqDSSxqFmpGQwYjELMAkGA1UE
+BhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp
+ZGdpdHMgUHR5IEx0ZDEbMBkGA1UEAxMSYWRkb25zLm1vemlsbGEub3JnghEAkjnV
+NI9A0WladFRw4fI/QzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACeE
+DHMQ+LWEuoa/6z2EgrgM1k9rvBbUtCR+rjTuyzVW4OLXdpiVwZPOAiKphpq7q8Sb
+TQ3zwsCoPLLJk5VolwcPfcD8Y2/tYK3NCYl+HzGxxnzPDFVaZM5Jh8RI861Hc00D
+hVoQaptPK/V/lr0KEevqjhusAdFZbwlWA923zASa
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted8.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted8.pem
new file mode 100644
index 0000000..aedf3f7
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted8.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAnegAwIBAgIRALC3Ez7Qlvm1b66RyHS9OsAwDQYJKoZIhvcNAQEFBQAw
+XjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMObG9naW4ubGl2ZS5jb20w
+HhcNMTEwMzI0MTMxMTA2WhcNMTEwNDIzMTMxMTA2WjBeMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDEw5sb2dpbi5saXZlLmNvbTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA3OVNj9ijzMewvDeZYzgCWoKtyjclyIHxrQfHZpcexaKbxUap
+1MtF6L0ayjtRWpiBYuPteUSy/Ja4Oh6zZz8K6z5rVgXhmy3xPIYuOoWaTKEOhb0Z
+oHTBtGh8aWWai1XWw37HIm2FP8cmfgdH4lZwVvpTZIUxYidsyqyjB9IrhiMCAwEA
+AaOByzCByDAdBgNVHQ4EFgQU4CcQcIvEhJC0tqHlNFMkv6MlDN4wgZgGA1UdIwSB
+kDCBjYAU4CcQcIvEhJC0tqHlNFMkv6MlDN6hYqRgMF4xCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxFzAVBgNVBAMTDmxvZ2luLmxpdmUuY29tghEAsLcTPtCW+bVvrpHIdL06
+wDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMNzIStXDNSNQ8ayxrcj
+4RrUMsHWUG/6XPrgfYqCP5TfPGAa5qBfNb9LfUbiS4b0flJVN1RlHVwwRo0yf9v4
+LGg0dSuPQAOWlLeUR1GminO1jHZw7E4dYfR7QEmiiOgaQU+CbxLsf5vCaKInN9Gu
+jv/5xytVCbMoLoZ4EBVb0tka
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/more-certificates/blacklisted9.pem b/tests/auto/qsslcertificate/more-certificates/blacklisted9.pem
new file mode 100644
index 0000000..d179b29
--- /dev/null
+++ b/tests/auto/qsslcertificate/more-certificates/blacklisted9.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAnegAwIBAgIRANjzX063hystqwaS4xU4L7AwDQYJKoZIhvcNAQEFBQAw
+XjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMOZ2xvYmFsIHRydXN0ZWUw
+HhcNMTEwMzI0MTMxMTM3WhcNMTEwNDIzMTMxMTM3WjBeMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDEw5nbG9iYWwgdHJ1c3RlZTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEArHCVym7AEZDBhDkrUSG3Q94a+caNcCk5fE6ltZHiZHv096xr
+cixHYvSGvms780bkI+oot2xI/e9awwkV+7VjWNvr0HrajzBWeimwk+myjP+3ddMY
+Kmr0eI6bmvmPHtOFJE5Ar8/62FwD0wlLogRIx56JtXcCpkiUQktJVPz2gtMCAwEA
+AaOByzCByDAdBgNVHQ4EFgQUUJwC/qSGBmcB+DVrd43ovRLdLmQwgZgGA1UdIwSB
+kDCBjYAUUJwC/qSGBmcB+DVrd43ovRLdLmShYqRgMF4xCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxFzAVBgNVBAMTDmdsb2JhbCB0cnVzdGVlghEA2PNfTreHKy2rBpLjFTgv
+sDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACAYxI+r3+JNelL6SBB0
+Pda3LkbCm+schP64NBYDdGl2Kus2b2QZ83T7xENBFEhyNoXvc6pRI4/Oh6JDxmG1
+7WmqOVStS/4JeAu6ygiyI1ImRKq2/MvJx/kaKh6IiXanB5nW1U+fhDV6kMOEfpwV
+i6FBibpHboPQoqzPPRe7qHSL
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp
index 1e3a8dd..57f2fa8 100644
--- a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp
+++ b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp
@@ -111,6 +111,8 @@ private slots:
     void nulInSan();
     void largeSerialNumber();
     void largeExpirationDate();
+    void blacklistedCertificates();
+
 // ### add tests for certificate bundles (multiple certificates concatenated into a single
 //     structure); both PEM and DER formatted
 #endif
@@ -817,6 +819,15 @@ void tst_QSslCertificate::largeExpirationDate() // QTBUG-12489
     QCOMPARE(cert.expiryDate().toUTC(), QDateTime(QDate(2051, 8, 29), QTime(9, 53, 41), Qt::UTC));
 }
 
+void tst_QSslCertificate::blacklistedCertificates()
+{
+    QList<QSslCertificate> blacklistedCerts = QSslCertificate::fromPath("more-certificates/blacklisted*.pem", QSsl::Pem, QRegExp::Wildcard);
+    QVERIFY2(blacklistedCerts.count() > 0, "Please run this test from the source directory");
+    for (int a = 0; a < blacklistedCerts.count(); a++) {
+        QVERIFY(! blacklistedCerts.at(a).isValid());
+    }
+}
+
 #endif // QT_NO_OPENSSL
 
 QTEST_MAIN(tst_QSslCertificate)
diff --git a/tests/auto/qsslsocket/certs/fake-login.live.com.key b/tests/auto/qsslsocket/certs/fake-login.live.com.key
new file mode 100644
index 0000000..692a7bd
--- /dev/null
+++ b/tests/auto/qsslsocket/certs/fake-login.live.com.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDOtxdvMa0VHUQYG5q7Tsi1Jj4qKEJppyZEkmuRXOi0fDbd1SwE
+bwHrLGMvDO6OMrYBbq3WDNrtnIfF9CvzUOEch+gjr4hEVQqecU5fb45Wor7yNel3
+/C/gxfbzuXHrsj/gUjNghL2i10+c2NW+hUo/sWO6OusaBT6d6s7ee+YBcQIDAQAB
+AoGAb8cVhu0HuLkgjyCuJMbPRRUu3ED02Iin6sB6JhplQuNAD+grayJTmUVhRJnr
+jTziqhedLHe7Em1oBaSo92MutfMpXvWiccSlbNygI61VgmrJpVB+qIN5H9cQc9ql
+Zymc+nIPa1+i5rsrOzlpUytTh7AsbZ27QG4tQXR/kQejEiECQQD6BgTxBeT8D7x9
+DuukoBaSCkLwx7U7P1NXx15EI3lA1nO51t6UHfvk/jGPp8Sl4wv4alJ7AQxr5uQ/
+vC3kzA/1AkEA06gNu10se8pe3n8qL2RRt+FmVjHkQdD9Mm2Dx9oWCs2A4wOSOrlo
+6/nKYF1CaQNYn9HgsNbHVEUpnICVO18qDQJBALEw/uOJ1+TDikPfBSWgxx4s45Ad
+GNWqZXh6NNZ5hX9r/IwiOZAjR9fcRmeW8IjYRi2BvH6sGY+HDRAWXzgdXtkCQCma
+dOiJTf8fLjqp4E7kdzOfuI/kyqstOze4Uxjrgz2oW1dEEnA8laUcumzqp+0gXUE8
+7d+UuCWWWrGKjMrYz9kCQQDh5E5+b6Djn082Jo6gvyuXWC5eXju6IdmihlJ2SMzD
+s2y3IDjOUtTeQQRDymLneteMz0ha79KeUp6VnAvZCOVe
+-----END RSA PRIVATE KEY-----
diff --git a/tests/auto/qsslsocket/certs/fake-login.live.com.pem b/tests/auto/qsslsocket/certs/fake-login.live.com.pem
new file mode 100644
index 0000000..429f951
--- /dev/null
+++ b/tests/auto/qsslsocket/certs/fake-login.live.com.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAnegAwIBAgIRALC3Ez7Qlvm1b66RyHS9OsAwDQYJKoZIhvcNAQEFBQAw
+XjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMObG9naW4ubGl2ZS5jb20w
+HhcNMTEwMzI1MTMyODUwWhcNMTEwNDI0MTMyODUwWjBeMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRcwFQYDVQQDEw5sb2dpbi5saXZlLmNvbTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAzrcXbzGtFR1EGBuau07ItSY+KihCaacmRJJrkVzotHw23dUs
+BG8B6yxjLwzujjK2AW6t1gza7ZyHxfQr81DhHIfoI6+IRFUKnnFOX2+OVqK+8jXp
+d/wv4MX287lx67I/4FIzYIS9otdPnNjVvoVKP7FjujrrGgU+nerO3nvmAXECAwEA
+AaOByzCByDAdBgNVHQ4EFgQUpSOEcmtkQITvBdM2IDfcXnJ0FCAwgZgGA1UdIwSB
+kDCBjYAUpSOEcmtkQITvBdM2IDfcXnJ0FCChYqRgMF4xCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
+eSBMdGQxFzAVBgNVBAMTDmxvZ2luLmxpdmUuY29tghEAsLcTPtCW+bVvrpHIdL06
+wDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAD+2HT4GSHHKCdbl9VkX
+zsl+D+drMm2b0ksxz9SgPihP7aW50EEIJDEEihNMTa27mhpeOXHc/sLqDi4ECUao
+/0Ns/5uoVuAIrAKCydmtPsonVFh9XWjyrfUzPOHAc9p2bmJ1i9a3kTsLB6jlrVDO
+VufGzsowHlHZ0TtKf5omojU5
+-----END CERTIFICATE-----
diff --git a/tests/auto/qsslsocket/tst_qsslsocket.cpp b/tests/auto/qsslsocket/tst_qsslsocket.cpp
index 8177d29..bf7dae5 100644
--- a/tests/auto/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/qsslsocket/tst_qsslsocket.cpp
@@ -183,6 +183,7 @@ private slots:
     void ignoreSslErrorsListWithSlot();
     void readFromClosedSocket();
     void writeBigChunk();
+    void blacklist();
     void setEmptyDefaultConfiguration();
 
     static void exitLoop()
@@ -868,8 +869,13 @@ class SslServer : public QTcpServer
 {
     Q_OBJECT
 public:
-    SslServer() : socket(0) { }
+    SslServer(const QString &keyFile = SRCDIR "certs/fluke.key", const QString &certFile = SRCDIR "certs/fluke.cert")
+        : socket(0),
+          m_keyFile(keyFile),
+          m_certFile(certFile) { }
     QSslSocket *socket;
+    QString m_keyFile;
+    QString m_certFile;
 
 protected:
     void incomingConnection(int socketDescriptor)
@@ -877,13 +883,13 @@ protected:
         socket = new QSslSocket(this);
         connect(socket, SIGNAL(sslErrors(const QList<QSslError> &)), this, SLOT(ignoreErrorSlot()));
 
-        QFile file(SRCDIR "certs/fluke.key");
+        QFile file(m_keyFile);
         QVERIFY(file.open(QIODevice::ReadOnly));
         QSslKey key(file.readAll(), QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey);
         QVERIFY(!key.isNull());
         socket->setPrivateKey(key);
 
-        QList<QSslCertificate> localCert = QSslCertificate::fromPath(SRCDIR "certs/fluke.cert");
+        QList<QSslCertificate> localCert = QSslCertificate::fromPath(m_certFile);
         QVERIFY(!localCert.isEmpty());
         QVERIFY(localCert.first().handle());
         socket->setLocalCertificate(localCert.first());
@@ -1837,6 +1843,37 @@ void tst_QSslSocket::writeBigChunk()
     socket->close();
 }
 
+void tst_QSslSocket::blacklist()
+{
+    QFETCH_GLOBAL(bool, setProxy);
+    if (setProxy)
+        return;
+
+    SslServer server(SRCDIR "certs/fake-login.live.com.key", SRCDIR "certs/fake-login.live.com.pem");
+    QSslSocket *receiver = new QSslSocket(this);
+    connect(receiver, SIGNAL(readyRead()), SLOT(exitLoop()));
+
+    // connect two sockets to each other:
+    QVERIFY(server.listen(QHostAddress::LocalHost));
+    receiver->connectToHost("127.0.0.1", server.serverPort());
+    QVERIFY(receiver->waitForConnected(5000));
+    QVERIFY(server.waitForNewConnection(0));
+
+    QSslSocket *sender = server.socket;
+    QVERIFY(sender);
+    QVERIFY(sender->state() == QAbstractSocket::ConnectedState);
+    receiver->setObjectName("receiver");
+    sender->setObjectName("sender");
+    receiver->ignoreSslErrors();
+    receiver->startClientEncryption();
+
+    connect(receiver, SIGNAL(error(QAbstractSocket::SocketError)), SLOT(exitLoop()));
+    connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop()));
+    enterLoop(1);
+    QCOMPARE(receiver->error(), QAbstractSocket::SslHandshakeFailedError);
+    QCOMPARE(receiver->errorString(), QString("The peer certificate is blacklisted"));
+}
+
 void tst_QSslSocket::setEmptyDefaultConfiguration()
 {
     // used to produce a crash in QSslConfigurationPrivate::deepCopyDefaultConfiguration, QTBUG-13265