diff --git a/1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch b/1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
new file mode 100644
index 0000000..7815618
--- /dev/null
+++ b/1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
@@ -0,0 +1,34 @@
+From 23c1595b0297e6ca8f37559af6f0b8533aa1fd99 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 29 Aug 2017 17:03:30 +0100
+Subject: [PATCH] crypto: fix test cert generation to not use SHA1 algorithm
+
+GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.
+Unfortunately the gnutls_x509_crt_sign() method we are
+using to create certificates in the test suite is fixed
+to always use SHA1. We must switch to a different method
+and explicitly ask for SHA256.
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ tests/crypto-tls-x509-helpers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
+index 64073d3bd3..173d4e28fb 100644
+--- a/tests/crypto-tls-x509-helpers.c
++++ b/tests/crypto-tls-x509-helpers.c
+@@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
+      * If no 'ca' is set then we are self signing
+      * the cert. This is done for the root CA certs
+      */
+-    err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);
++    err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,
++                                GNUTLS_DIG_SHA256, 0);
+     if (err < 0) {
+         g_critical("Failed to sign certificate %s",
+                    gnutls_strerror(err));
+-- 
+2.13.5
+
diff --git a/1017-io-fix-check-for-handshake-completion-in-TLS-test.patch b/1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
new file mode 100644
index 0000000..536119d
--- /dev/null
+++ b/1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
@@ -0,0 +1,34 @@
+From 689ed13e73bdb5a5ca3366524475e3065fae854a Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 29 Aug 2017 17:04:52 +0100
+Subject: [PATCH] io: fix check for handshake completion in TLS test
+
+The TLS I/O channel test had mistakenly used && instead
+of || when checking for handshake completion. As a
+result it could terminate the handshake process before
+it had actually completed. This was harmless before but
+changes in GNUTLS 3.6.0 exposed this bug and caused the
+test suite to fail.
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ tests/test-io-channel-tls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test-io-channel-tls.c b/tests/test-io-channel-tls.c
+index ff96877323..a210d01ba5 100644
+--- a/tests/test-io-channel-tls.c
++++ b/tests/test-io-channel-tls.c
+@@ -218,7 +218,7 @@ static void test_io_channel_tls(const void *opaque)
+     mainloop = g_main_context_default();
+     do {
+         g_main_context_iteration(mainloop, TRUE);
+-    } while (!clientHandshake.finished &&
++    } while (!clientHandshake.finished ||
+              !serverHandshake.finished);
+ 
+     g_assert(clientHandshake.failed == data->expectClientFail);
+-- 
+2.13.5
+
diff --git a/1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch b/1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
new file mode 100644
index 0000000..d4718ea
--- /dev/null
+++ b/1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
@@ -0,0 +1,34 @@
+From d4adf9675801cd90e66ecfcd6a54ca1abc5a6698 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Fri, 21 Jul 2017 12:47:39 +0100
+Subject: [PATCH] io: fix temp directory used by test-io-channel-tls test
+
+The test-io-channel-tls test was mistakenly using two of the
+same directories as test-crypto-tlssession. This causes a
+sporadic failure when using make -j$BIGNUM.
+
+Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ tests/test-io-channel-tls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-io-channel-tls.c b/tests/test-io-channel-tls.c
+index 8eaa208e1b..ff96877323 100644
+--- a/tests/test-io-channel-tls.c
++++ b/tests/test-io-channel-tls.c
+@@ -127,8 +127,8 @@ static void test_io_channel_tls(const void *opaque)
+     /* We'll use this for our fake client-server connection */
+     g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
+ 
+-#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
+-#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
++#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
++#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
+     mkdir(CLIENT_CERT_DIR, 0700);
+     mkdir(SERVER_CERT_DIR, 0700);
+ 
+-- 
+2.13.5
+
diff --git a/qemu.spec b/qemu.spec
index f2bdef4..ab5f7b6 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -157,6 +157,9 @@ Patch1012: 1012-scsi-file-posix-add-support-for-persistent-reservati.patch
 Patch1013: 1013-scsi-build-qemu-pr-helper.patch
 Patch1014: 1014-scsi-add-multipath-support-to-qemu-pr-helper.patch
 Patch1015: 1015-scsi-add-persistent-reservation-manager-using-qemu-p.patch
+Patch1016: 1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
+Patch1017: 1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
+Patch1018: 1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
 
 # documentation deps
 BuildRequires: texinfo