diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
new file mode 100644
index 00000000..527b3126
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -0,0 +1,26 @@
+diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk
+--- nss/lib/ssl/config.mk.disableSSL2libssl 2017-01-04 15:24:24.000000000 +0100
++++ nss/lib/ssl/config.mk 2017-01-16 10:53:47.629894929 +0100
+@@ -69,3 +69,8 @@ endif
+ ifdef NSS_DISABLE_TLS_1_3
+ DEFINES += -DNSS_DISABLE_TLS_1_3
+ endif
++
++ifdef NSS_NO_SSL2
++DEFINES += -DNSS_NO_SSL2
++endif
++
+diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.disableSSL2libssl 2017-01-16 10:53:47.615895344 +0100
++++ nss/lib/ssl/sslsock.c 2017-01-16 10:54:16.088051233 +0100
+@@ -1221,6 +1221,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
++#ifdef NSS_NO_SSL2
++ if (SSL_IS_SSL2_CIPHER(suite))
++ return PR_TRUE;
++#endif /* NSS_NO_SSL2 */
+ switch (suite) {
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+ case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
new file mode 100644
index 00000000..96569b24
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -0,0 +1,66 @@
+diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
+--- nss/tests/ssl/ssl.sh.disableSSL2tests 2018-03-05 16:58:32.000000000 +0100
++++ nss/tests/ssl/ssl.sh 2018-03-09 17:24:07.047568191 +0100
+@@ -68,9 +68,14 @@ ssl_init()
+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+
+ # Test case files
+- SSLCOV=${QADIR}/ssl/sslcov.txt
++ if [ "${NSS_NO_SSL2}" = "1" ]; then
++ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
++ else
++ SSLCOV=${QADIR}/ssl/sslcov.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.txt
++ fi
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
+- SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+@@ -128,7 +133,11 @@ is_selfserv_alive()
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++ echo "No server to kill"
++ else
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
++ fi
+
+ echo "selfserv with PID ${PID} found at `date`"
+ }
+@@ -152,7 +161,11 @@ wait_for_selfserv()
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++ html_passed "Server never started"
++ else
+ html_failed "Waiting for Server"
++ fi
+ fi
+ fi
+ is_selfserv_alive
+@@ -275,7 +288,7 @@ ssl_cov()
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+- VMAX="tls1.1"
++ VMAX="tls1.2"
+
+ ignore_blank_lines ${SSLCOV} | \
+ while read ectype testmax param testname
+@@ -283,6 +296,12 @@ ssl_cov()
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
+
++ # skip export tests
++ if [ ${EXP} -eq 0 ]; then
++ echo "export test skipped"
++ continue
++ fi
++
+ if [ "$ectype" = "ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ else
diff --git a/SOURCES/PayPalEE.cert b/SOURCES/PayPalEE.cert
new file mode 100644
index 00000000..d71fbb50
Binary files /dev/null and b/SOURCES/PayPalEE.cert differ
diff --git a/SOURCES/PayPalICA.cert b/SOURCES/PayPalICA.cert
new file mode 100644
index 00000000..07e025de
Binary files /dev/null and b/SOURCES/PayPalICA.cert differ
diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert
new file mode 100644
index 00000000..dae01965
Binary files /dev/null and b/SOURCES/PayPalRootCA.cert differ
diff --git a/SOURCES/TestCA.ca.cert b/SOURCES/TestCA.ca.cert
new file mode 100644
index 00000000..929b793d
Binary files /dev/null and b/SOURCES/TestCA.ca.cert differ
diff --git a/SOURCES/TestOldCA.p12 b/SOURCES/TestOldCA.p12
new file mode 100644
index 00000000..40d5671b
Binary files /dev/null and b/SOURCES/TestOldCA.p12 differ
diff --git a/SOURCES/TestUser50.cert b/SOURCES/TestUser50.cert
new file mode 100644
index 00000000..ed71727f
Binary files /dev/null and b/SOURCES/TestUser50.cert differ
diff --git a/SOURCES/TestUser51.cert b/SOURCES/TestUser51.cert
new file mode 100644
index 00000000..1b45db28
Binary files /dev/null and b/SOURCES/TestUser51.cert differ
diff --git a/SOURCES/add-relro-linker-option.patch b/SOURCES/add-relro-linker-option.patch
new file mode 100644
index 00000000..7ab9db1f
--- /dev/null
+++ b/SOURCES/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS += -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+
diff --git a/SOURCES/blank-cert8.db b/SOURCES/blank-cert8.db
new file mode 100644
index 00000000..ac40a332
Binary files /dev/null and b/SOURCES/blank-cert8.db differ
diff --git a/SOURCES/blank-cert9.db b/SOURCES/blank-cert9.db
new file mode 100644
index 00000000..1763264e
Binary files /dev/null and b/SOURCES/blank-cert9.db differ
diff --git a/SOURCES/blank-key3.db b/SOURCES/blank-key3.db
new file mode 100644
index 00000000..31e39756
Binary files /dev/null and b/SOURCES/blank-key3.db differ
diff --git a/SOURCES/blank-key4.db b/SOURCES/blank-key4.db
new file mode 100644
index 00000000..6bd60cb0
Binary files /dev/null and b/SOURCES/blank-key4.db differ
diff --git a/SOURCES/blank-secmod.db b/SOURCES/blank-secmod.db
new file mode 100644
index 00000000..9a028078
Binary files /dev/null and b/SOURCES/blank-secmod.db differ
diff --git a/SOURCES/cert8.db.xml b/SOURCES/cert8.db.xml
new file mode 100644
index 00000000..e82948d1
--- /dev/null
+++ b/SOURCES/cert8.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ cert8.db
+ 5
+
+
+
+ cert8.db
+ Legacy NSS certificate database
+
+
+
+ Description
+ cert8.db is an NSS certificate database.
+ This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/cert8.db
+
+
+
+ See also
+ cert9.db(5), key4.db(5), pkcs11.txt(5),
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/SOURCES/cert9.db.xml b/SOURCES/cert9.db.xml
new file mode 100644
index 00000000..6cff889d
--- /dev/null
+++ b/SOURCES/cert9.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ cert9.db
+ 5
+
+
+
+ cert9.db
+ Legacy NSS certificate database
+
+
+
+ Description
+ cert9.db is an NSS certificate database.
+ This certificate database is the sqlite-based shared databse with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/cert9.db
+
+
+
+ See also
+ pkcs11.txt(5)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
new file mode 100644
index 00000000..dde5dcbe
--- /dev/null
+++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
@@ -0,0 +1,79 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
++++ nss/lib/pk11wrap/pk11pars.c 2018-03-09 17:24:39.815838810 +0100
+@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar
+
+ mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
+ mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
++ /* if the system FIPS mode is enabled, force FIPS to be on */
++ if (SECMOD_GetSystemFIPSEnabled()) {
++ mod->isFIPS = PR_TRUE;
++ }
+ mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
+ slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
+ mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
+diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
+--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
++++ nss/lib/pk11wrap/pk11util.c 2018-03-09 17:25:46.804347730 +0100
+@@ -95,6 +95,26 @@ SECMOD_Shutdown()
+ return SECSuccess;
+ }
+
++int SECMOD_GetSystemFIPSEnabled(void) {
++#ifdef LINUX
++ FILE *f;
++ char d;
++ size_t size;
++
++ f = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (!f)
++ return 0;
++
++ size = fread(&d, 1, 1, f);
++ fclose(f);
++ if (size != 1)
++ return 0;
++ if (d == '1')
++ return 1;
++#endif
++ return 0;
++}
++
+ /*
+ * retrieve the internal module
+ */
+@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char *
+ SECMODModuleList **mlpp;
+ SECStatus rv = SECFailure;
+
+- if (pendingModule) {
++ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
+ PORT_SetError(SEC_ERROR_MODULE_STUCK);
+ return rv;
+ }
+@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void)
+ #ifdef NSS_FIPS_DISABLED
+ return PR_FALSE;
+ #else
+- return (PRBool)(pendingModule == NULL);
++ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
+ #endif
+ }
+
+diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
+--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
++++ nss/lib/pk11wrap/secmodi.h 2018-03-09 17:24:39.816838788 +0100
+@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
+ CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
+ SECItem **param, SECItem *pwd, PRBool faulty3DES);
+
++/* Get the state of the system FIPS mode */
++/* NSS uses this to force FIPS mode if the system bit is on. Applications which
++ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
++ * from FIPS mode will automatically be told that they can't swith out of FIPS
++ * mode */
++int SECMOD_GetSystemFIPSEnabled();
++
+ extern void pk11sdr_Init(void);
+ extern void pk11sdr_Shutdown(void);
+
diff --git a/SOURCES/fix-min-library-version-in-SSLVersionRange.patch b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
new file mode 100644
index 00000000..00facbf7
--- /dev/null
+++ b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/ssl/sslsock.c.1171318 ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.1171318 2016-02-04 10:57:08.489310227 -0800
++++ ./lib/ssl/sslsock.c 2016-02-04 11:02:59.290818001 -0800
+@@ -92,7 +92,7 @@ static sslOptions ssl_defaults = {
+ * default range of enabled SSL/TLS protocols
+ */
+ static SSLVersionRange versions_defaults_stream = {
+- SSL_LIBRARY_VERSION_TLS_1_0,
++ SSL_LIBRARY_VERSION_3_0,
+ SSL_LIBRARY_VERSION_TLS_1_2
+ };
+
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index 3d1aa60c..4908c008 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -1,17 +1,134 @@
-diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
---- nss/cmd/bltest/Makefile.iquote 2013-04-04 21:56:59.329249213 -0700
-+++ nss/cmd/bltest/Makefile 2013-04-04 21:57:47.583579084 -0700
-@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
+--- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
+--- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
+--- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
+--- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile
+--- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200
++++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
+--- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
+--- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
#######################################################################
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
---- nss/coreconf/location.mk.iquote 2013-04-04 21:54:59.710477106 -0700
-+++ nss/coreconf/location.mk 2013-04-04 21:56:21.091163121 -0700
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
+--- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
+--- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
+--- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
+--- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200
@@ -45,6 +45,10 @@ endif
ifdef NSS_INCLUDE_DIR
@@ -23,15 +140,89 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
endif
ifndef NSS_LIB_DIR
-diff -up ./nss/lib/softoken/Makefile.iquote ./nss/lib/softoken/Makefile
---- ./nss/lib/softoken/Makefile.iquote 2014-01-06 20:35:19.931937299 -0800
-+++ ./nss/lib/softoken/Makefile 2014-01-06 20:36:15.336390664 -0800
-@@ -42,6 +42,8 @@ ifdef NSS_DISABLE_DBM
- DIRS=
- endif
+diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
+--- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200
+@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
++INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
-+
+
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
+--- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
+--- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile
+--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
+--- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile
+--- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200
++++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
+--- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
+
+
#######################################################################
diff --git a/SOURCES/key3.db.xml b/SOURCES/key3.db.xml
new file mode 100644
index 00000000..444d7aa9
--- /dev/null
+++ b/SOURCES/key3.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ key3.db
+ 5
+
+
+
+ key3.db
+ Legacy NSS certificate database
+
+
+
+ Description
+ key3.db is an NSS certificate database.
+ This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/key3.db
+
+
+
+ See also
+ cert9.db(5), key4.db(5), pkcs11.txt(5),
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/SOURCES/key4.db.xml b/SOURCES/key4.db.xml
new file mode 100644
index 00000000..9b65f418
--- /dev/null
+++ b/SOURCES/key4.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ key4.db
+ 5
+
+
+
+ key4.db
+ NSS certificate database
+
+
+
+ Description
+ key4.db is an NSS key database.
+ This key database is the sqlite-based shared database format with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/key4.db
+
+
+
+ See also
+ pkcs11.txt(5)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
new file mode 100644
index 00000000..3347ee9a
--- /dev/null
+++ b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
@@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
++++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg
diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch
new file mode 100644
index 00000000..f5db0891
--- /dev/null
+++ b/SOURCES/nss-539183.patch
@@ -0,0 +1,44 @@
+diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+--- nss/cmd/httpserv/httpserv.c.539183 2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/httpserv/httpserv.c 2016-08-15 18:04:13.559131620 +0200
+@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.539183 2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/selfserv/selfserv.c 2016-08-15 18:05:11.027487891 +0200
+@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
diff --git a/SOURCES/nss-check-policy-file.patch b/SOURCES/nss-check-policy-file.patch
new file mode 100644
index 00000000..898ffef1
--- /dev/null
+++ b/SOURCES/nss-check-policy-file.patch
@@ -0,0 +1,49 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-02-28 10:49:53.811343156 +0100
++++ nss/lib/pk11wrap/pk11pars.c 2017-02-28 10:59:41.178647490 +0100
+@@ -109,6 +109,7 @@ secmod_NewModule(void)
+ *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
+
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+ if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
+ flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+ }
++ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
++ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
++ }
+ /* additional moduleDB flags could be added here in the future */
+ mod->isModuleDB = (PRBool)flags;
+ }
+@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
+ }
+
+ PRBool
++secmod_PolicyOnly(SECMODModule *mod)
++{
++ char flags = (char) mod->isModuleDB;
++
++ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
++}
++
++PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+ char flags = (char)mod->internal;
+@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
+ if (!module) {
+ goto loser;
+ }
++
++ /* a policy only stanza doesn't actually get 'loaded'. policy has already
++ * been parsed as a side effect of the CreateModuleEx call */
++ if (secmod_PolicyOnly(module)) {
++ return module;
++ }
+ if (parent) {
+ module->parent = SECMOD_ReferenceModule(parent);
+ if (module->internal && secmod_IsInternalKeySlot(parent)) {
diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in
new file mode 100644
index 00000000..f8f893e7
--- /dev/null
+++ b/SOURCES/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=yes
+ ;;
+ smime)
+ lib_smime=yes
+ ;;
+ nss)
+ lib_nss=yes
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-config.xml b/SOURCES/nss-config.xml
new file mode 100644
index 00000000..f9518c9e
--- /dev/null
+++ b/SOURCES/nss-config.xml
@@ -0,0 +1,132 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ nss-config
+ 1
+
+
+
+ nss-config
+ Return meta information about nss libraries
+
+
+
+
+ nss-config
+
+
+
+
+
+
+
+
+
+
+
+ Description
+
+ nss-config is a shell scrip
+ tool which can be used to obtain gcc options for building client pacakges of nspt.
+
+
+
+
+ Options
+
+
+
+
+ Returns the top level system directory under which the nss libraries are installed.
+
+
+
+
+ returns the top level system directory under which any nss binaries would be installed.
+
+
+
+ count
+ returns the path to the directory were the nss libraries are installed.
+
+
+
+
+ returns the upstream version of nss in the form major_version-minor_version-patch_version.
+
+
+
+
+ returns the compiler linking flags.
+
+
+
+
+ returns the compiler include flags.
+
+
+
+
+ returns the path to the directory were the nss libraries are installed.
+
+
+
+
+
+
+ Examples
+
+ The following example will query for both include path and linkage flags:
+
+
+ /usr/bin/nss-config --cflags --libs
+
+
+
+
+
+
+
+
+ Files
+
+ /usr/bin/nss-config
+
+
+
+
+ See also
+ pkg-config(1)
+
+
+
+ Authors
+ The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/nss-devslot-reinsert.patch b/SOURCES/nss-devslot-reinsert.patch
new file mode 100644
index 00000000..f68a81aa
--- /dev/null
+++ b/SOURCES/nss-devslot-reinsert.patch
@@ -0,0 +1,95 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1521731296 -3600
+# Thu Mar 22 16:08:16 2018 +0100
+# Node ID 6ae3ab8a1e7b4161f3f8eee90db7a745acced408
+# Parent dedf5290c679153e5b3555ba9c711fe62323c156
+Bug 1447628, devslot: avoid deadlock when re-inserting a token, r=rrelyea
+
+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
+--- a/lib/dev/devslot.c
++++ b/lib/dev/devslot.c
+@@ -96,10 +96,16 @@ nssSlot_ResetDelay(
+ }
+
+ static PRBool
+-within_token_delay_period(const NSSSlot *slot)
++token_status_checked(const NSSSlot *slot)
+ {
+ PRIntervalTime time;
+ int lastPingState = slot->lastTokenPingState;
++ /* When called from the same thread, that means
++ * nssSlot_IsTokenPresent() is called recursively through
++ * nssSlot_Refresh(). Return immediately in that case. */
++ if (slot->isPresentThread == PR_GetCurrentThread()) {
++ return PR_TRUE;
++ }
+ /* Set the delay time for checking the token presence */
+ if (s_token_delay_time == 0) {
+ s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME);
+@@ -130,7 +136,7 @@ nssSlot_IsTokenPresent(
+
+ /* avoid repeated calls to check token status within set interval */
+ PZ_Lock(slot->isPresentLock);
+- if (within_token_delay_period(slot)) {
++ if (token_status_checked(slot)) {
+ CK_FLAGS ckFlags = slot->ckFlags;
+ PZ_Unlock(slot->isPresentLock);
+ return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
+@@ -146,12 +152,12 @@ nssSlot_IsTokenPresent(
+
+ /* set up condition so only one thread is active in this part of the code at a time */
+ PZ_Lock(slot->isPresentLock);
+- while (slot->inIsPresent) {
++ while (slot->isPresentThread) {
+ PR_WaitCondVar(slot->isPresentCondition, 0);
+ }
+ /* if we were one of multiple threads here, the first thread will have
+ * given us the answer, no need to make more queries of the token. */
+- if (within_token_delay_period(slot)) {
++ if (token_status_checked(slot)) {
+ CK_FLAGS ckFlags = slot->ckFlags;
+ PZ_Unlock(slot->isPresentLock);
+ return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
+@@ -159,7 +165,7 @@ nssSlot_IsTokenPresent(
+ /* this is the winning thread, block all others until we've determined
+ * if the token is present and that it needs initialization. */
+ slot->lastTokenPingState = nssSlotLastPingState_Update;
+- slot->inIsPresent = PR_TRUE;
++ slot->isPresentThread = PR_GetCurrentThread();
+
+ PZ_Unlock(slot->isPresentLock);
+
+@@ -257,7 +263,7 @@ done:
+ slot->lastTokenPingTime = PR_IntervalNow();
+ slot->lastTokenPingState = nssSlotLastPingState_Valid;
+ }
+- slot->inIsPresent = PR_FALSE;
++ slot->isPresentThread = NULL;
+ PR_NotifyAllCondVar(slot->isPresentCondition);
+ PZ_Unlock(slot->isPresentLock);
+ return isPresent;
+diff --git a/lib/dev/devt.h b/lib/dev/devt.h
+--- a/lib/dev/devt.h
++++ b/lib/dev/devt.h
+@@ -92,7 +92,7 @@ struct NSSSlotStr {
+ PK11SlotInfo *pk11slot;
+ PZLock *isPresentLock;
+ PRCondVar *isPresentCondition;
+- PRBool inIsPresent;
++ PRThread *isPresentThread;
+ };
+
+ struct nssSessionStr {
+diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c
+--- a/lib/pk11wrap/dev3hack.c
++++ b/lib/pk11wrap/dev3hack.c
+@@ -122,7 +122,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD
+ rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
+ rvSlot->isPresentLock = PZ_NewLock(nssiLockOther);
+ rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock);
+- rvSlot->inIsPresent = PR_FALSE;
++ rvSlot->isPresentThread = NULL;
+ rvSlot->lastTokenPingState = nssSlotLastPingState_Reset;
+ return rvSlot;
+ }
diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch
new file mode 100644
index 00000000..b5934799
--- /dev/null
+++ b/SOURCES/nss-disable-cipher-suites.patch
@@ -0,0 +1,27 @@
+diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2017-04-26 11:53:57.980039632 +0200
++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:55:56.374264466 +0200
+@@ -97,7 +97,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++ * The GCM variant is preferred for new applications.
++ */
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -106,7 +109,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++ * The GCM variant is preferred for new applications.
++ */
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/SOURCES/nss-disable-tls13-gtests.patch b/SOURCES/nss-disable-tls13-gtests.patch
new file mode 100644
index 00000000..cc7b6613
--- /dev/null
+++ b/SOURCES/nss-disable-tls13-gtests.patch
@@ -0,0 +1,12 @@
+diff -up nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests nss/gtests/ssl_gtest/ssl_skip_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests 2017-10-16 17:13:51.798825185 +0200
++++ nss/gtests/ssl_gtest/ssl_skip_unittest.cc 2017-10-16 17:14:08.238496409 +0200
+@@ -234,6 +234,8 @@ INSTANTIATE_TEST_CASE_P(
+ INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+ TlsConnectTestBase::kTlsV11V12));
++#if 0
+ INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest,
+ TlsConnectTestBase::kTlsVariantsAll);
++#endif
+ } // namespace nss_test
diff --git a/SOURCES/nss-enable-cipher-suites.patch b/SOURCES/nss-enable-cipher-suites.patch
new file mode 100644
index 00000000..0e6aabd2
--- /dev/null
+++ b/SOURCES/nss-enable-cipher-suites.patch
@@ -0,0 +1,39 @@
+diff -up nss/lib/ssl/ssl3con.c.enable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.enable-cipher-suites 2017-02-20 16:32:39.464067010 +0100
++++ nss/lib/ssl/ssl3con.c 2017-02-20 16:37:00.506731989 +0100
+@@ -91,7 +91,7 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled isPresent */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -102,7 +102,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -113,7 +113,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -140,7 +140,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/SOURCES/nss-fix-deadlock-squash.patch b/SOURCES/nss-fix-deadlock-squash.patch
new file mode 100644
index 00000000..c8222c7b
--- /dev/null
+++ b/SOURCES/nss-fix-deadlock-squash.patch
@@ -0,0 +1,112 @@
+diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c
+--- nss/lib/pki/tdcache.c.fix_deadlock 2017-01-13 17:10:36.055530248 +0100
++++ nss/lib/pki/tdcache.c 2017-01-13 17:14:04.015338438 +0100
+@@ -374,13 +374,19 @@ struct token_cert_dtor {
+ PRUint32 numCerts, arrSize;
+ };
+
+-static void
+-remove_token_certs(const void *k, void *v, void *a)
++static void cert_iter(const void *k, void *v, void *a)
+ {
++ nssList *certList = (nssList *)a;
+ NSSCertificate *c = (NSSCertificate *)k;
++ nssList_Add(certList, nssCertificate_AddRef(c));
++}
++
++static void
++remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor)
++{
+ nssPKIObject *object = &c->object;
+- struct token_cert_dtor *dtor = a;
+ PRUint32 i;
++
+ nssPKIObject_AddRef(object);
+ nssPKIObject_Lock(object);
+ for (i = 0; i < object->numInstances; i++) {
+@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ NSSCertificate **certs;
+ PRUint32 i, arrSize = 10;
+ struct token_cert_dtor dtor;
++ nssList *certList;
++ PRStatus nspr_rv = PR_FAILURE;
++ nssListIterator *iter;
++ NSSCertificate *c;
++
+ certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize);
+ if (!certs) {
+ return PR_FAILURE;
+@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ dtor.certs = certs;
+ dtor.numCerts = 0;
+ dtor.arrSize = arrSize;
++
++ certList = nssList_Create(NULL, PR_FALSE);
++ if (!certList) {
++ goto loser;
++ }
++ /* fetch the list of certs in the cache */
++ PZ_Lock(td->cache->lock);
++ nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
++ PZ_Unlock(td->cache->lock);
++
++ /* find the certs that match this token without olding the td cache lock */
++ iter=nssList_CreateIterator(certList);
++ if (!iter) {
++ goto loser;
++ }
++ for (c = (NSSCertificate *)nssListIterator_Start(iter);
++ c != (NSSCertificate *)NULL;
++ c = (NSSCertificate *)nssListIterator_Next(iter)) {
++ remove_token_certs( c, &dtor);
++ }
++ nssListIterator_Finish(iter);
++ nssListIterator_Destroy(iter);
++ nssList_Destroy(certList);
++ certList = NULL;
++
++ /* now remove theose certs attached to this token */
+ PZ_Lock(td->cache->lock);
+- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
+ for (i = 0; i < dtor.numCerts; i++) {
+ if (dtor.certs[i]->object.numInstances == 0) {
+ nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
+@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ }
+ }
+ PZ_Unlock(td->cache->lock);
++
++ /* clean up */
+ for (i = 0; i < dtor.numCerts; i++) {
+ if (dtor.certs[i]) {
+ STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
+ nssCertificate_Destroy(dtor.certs[i]);
+ }
+ }
++
++ nspr_rv = PR_SUCCESS;
++loser:
++ if (certList) {
++ nssList_Destroy(certList);
++ }
+ nss_ZFreeIf(dtor.certs);
+- return PR_SUCCESS;
++ return nspr_rv;
+ }
+
+ NSS_IMPLEMENT PRStatus
+@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache(
+ return rvCert;
+ }
+
+-static void
+-cert_iter(const void *k, void *v, void *a)
+-{
+- nssList *certList = (nssList *)a;
+- NSSCertificate *c = (NSSCertificate *)k;
+- nssList_Add(certList, nssCertificate_AddRef(c));
+-}
+-
+ NSS_EXTERN NSSCertificate **
+ nssTrustDomain_GetCertsFromCache(
+ NSSTrustDomain *td,
diff --git a/SOURCES/nss-lockcert-api-change.patch b/SOURCES/nss-lockcert-api-change.patch
new file mode 100644
index 00000000..0eba9a41
--- /dev/null
+++ b/SOURCES/nss-lockcert-api-change.patch
@@ -0,0 +1,68 @@
+# HG changeset patch
+# User Franziskus Kiefer
+# Date 1486546862 -3600
+# Wed Feb 08 10:41:02 2017 +0100
+# Node ID 896e3eb3a79933a51886949c7adb67ef37b721c0
+# Parent a8d77070526320ad0edc7ba164ce97f10c4f7d94
+Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubert
+
+diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h
+--- a/lib/certdb/cert.h
++++ b/lib/certdb/cert.h
+@@ -1405,24 +1405,11 @@ void CERT_SetStatusConfig(CERTCertDBHand
+ void CERT_LockCertRefCount(CERTCertificate *cert);
+
+ /*
+- * Free the cert reference count lock
++ * Release the cert reference count lock
+ */
+ void CERT_UnlockCertRefCount(CERTCertificate *cert);
+
+ /*
+- * Acquire the cert trust lock
+- * There is currently one global lock for all certs, but I'm putting a cert
+- * arg here so that it will be easy to make it per-cert in the future if
+- * that turns out to be necessary.
+- */
+-void CERT_LockCertTrust(const CERTCertificate *cert);
+-
+-/*
+- * Free the cert trust lock
+- */
+-void CERT_UnlockCertTrust(const CERTCertificate *cert);
+-
+-/*
+ * Digest the cert's subject public key using the specified algorithm.
+ * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
+ * the tag, length, and number of unused bits) rather than the whole
+diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h
+--- a/lib/certdb/certi.h
++++ b/lib/certdb/certi.h
+@@ -378,14 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGener
+ SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage,
+ unsigned int* failedFlags, PRBool* isTrusted);
+
+ /*
+ * Acquire the cert temp/perm lock
+ */
+ void CERT_LockCertTempPerm(const CERTCertificate* cert);
+
+ /*
+ * Release the temp/perm lock
+ */
+ void CERT_UnlockCertTempPerm(const CERTCertificate* cert);
+
++/*
++ * Acquire the cert trust lock
++ * There is currently one global lock for all certs, but I'm putting a cert
++ * arg here so that it will be easy to make it per-cert in the future if
++ * that turns out to be necessary.
++ */
++void CERT_LockCertTrust(const CERTCertificate* cert);
++
++/*
++ * Release the cert trust lock
++ */
++void CERT_UnlockCertTrust(const CERTCertificate* cert);
++
+ #endif /* _CERTI_H_ */
diff --git a/SOURCES/nss-modutil-skip-changepw-fips.patch b/SOURCES/nss-modutil-skip-changepw-fips.patch
new file mode 100644
index 00000000..9ed2983e
--- /dev/null
+++ b/SOURCES/nss-modutil-skip-changepw-fips.patch
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1523546409 -7200
+# Thu Apr 12 17:20:09 2018 +0200
+# Node ID 919e116728f29263c17ec31716ac2bd04c10e9ca
+# Parent 2eefd697d661efb82a77c84d893e6fbceefdf458
+Bug 1453408, modutil -changepw fails in FIPS mode if password is an empty string
+
+diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
+--- a/cmd/modutil/pk11.c
++++ b/cmd/modutil/pk11.c
+@@ -764,6 +764,10 @@ ChangePW(char *tokenName, char *pwFile,
+ ret = CHANGEPW_FAILED_ERR;
+ goto loser;
+ }
++ } else if (PK11_IsFIPS() && *newpw == '\0' && PK11_CheckUserPassword(slot, newpw) == SECSuccess) {
++ /* Workaround to suppress harmless error in FIPS mode:
++ * When explicitly setting empty password while the old
++ * password is also empty, skip */
+ } else {
+ if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
+ PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
diff --git a/SOURCES/nss-pkcs12-iterations-limit.patch b/SOURCES/nss-pkcs12-iterations-limit.patch
new file mode 100644
index 00000000..8b035b80
--- /dev/null
+++ b/SOURCES/nss-pkcs12-iterations-limit.patch
@@ -0,0 +1,24 @@
+# HG changeset patch
+# User J.C. Jones
+# Date 1521824312 25200
+# Fri Mar 23 09:58:32 2018 -0700
+# Branch NSS_3_36_BRANCH
+# Node ID ba3f1cc8a8e644ee6f8a763624d97e987816304d
+# Parent 2355c9e3bba477c947a09a2fe8b1ed8971fab1cb
+Bug 1278071 - Limit iterations for PKCS #12 export for Windows r=kaie
+
+Per Bug 1436873, Windows is limited on importing PKCS12 files of 600k rounds
+or less. So for compatibility's sake, let's limit there, too.
+
+diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c
+--- a/lib/pkcs7/p7create.c
++++ b/lib/pkcs7/p7create.c
+@@ -22,7 +22,7 @@ const int NSS_PBE_DEFAULT_ITERATION_COUN
+ #ifdef DEBUG
+ 10000
+ #else
+- 1000000
++ 600000
+ #endif
+ ;
+
diff --git a/SOURCES/nss-reorder-cipher-suites-gtests.patch b/SOURCES/nss-reorder-cipher-suites-gtests.patch
new file mode 100644
index 00000000..0675959f
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites-gtests.patch
@@ -0,0 +1,47 @@
+diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2018-03-05 16:58:32.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2018-03-09 17:29:32.985313219 +0100
+@@ -231,7 +231,9 @@ static SSLNamedGroup NamedGroupForEcdsa3
+ // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
+ // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
+ // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.
+- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM.
++ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) {
+ return ssl_grp_ec_secp384r1;
+ }
+ return ssl_grp_ec_curve25519;
+@@ -870,20 +872,24 @@ INSTANTIATE_TEST_CASE_P(
+ ::testing::Values(TlsAgent::kServerEcdsa256),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM, and that causes the following
++ // 3 TLS 1.2 tests to fail.
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa521),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
++#if 0
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+@@ -892,4 +898,5 @@ INSTANTIATE_TEST_CASE_P(
+ TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_sha1)));
++#endif
+ } // namespace nss_test
diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch
new file mode 100644
index 00000000..98061908
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites.patch
@@ -0,0 +1,234 @@
+diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2017-04-26 11:47:33.690047402 +0200
++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:51:51.103013632 +0200
+@@ -91,54 +91,44 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled isPresent */
+- /* Special TLS 1.3 suites. */
+- { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+-
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+- * bug 946147.
+- */
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -147,27 +137,21 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* RSA */
+- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+-
+- /* 56-bit DES "domestic" cipher suites */
+ { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* ciphersuites with no encryption */
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -175,6 +159,9 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+ };
+ /* clang-format on */
+
+diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c
+--- nss/lib/ssl/sslenum.c.reorder-cipher-suites 2017-04-26 11:46:50.215066457 +0200
++++ nss/lib/ssl/sslenum.c 2017-04-26 11:47:09.362617638 +0200
+@@ -55,53 +55,44 @@
+ * the third one.
+ */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+- TLS_AES_128_GCM_SHA256,
+- TLS_CHACHA20_POLY1305_SHA256,
+- TLS_AES_256_GCM_SHA384,
+-
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+- */
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+-
++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_RC4_128_SHA,
+-
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+@@ -110,26 +101,21 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+-
+- TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_RSA_WITH_AES_128_CBC_SHA,
+- TLS_RSA_WITH_AES_128_CBC_SHA256,
+- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_RSA_WITH_AES_128_CBC_SHA,
++ TLS_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_SEED_CBC_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_RC4_128_SHA,
+ TLS_RSA_WITH_RC4_128_MD5,
+-
+- /* 56-bit DES "domestic" cipher suites */
+ TLS_DHE_RSA_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_WITH_DES_CBC_SHA,
+ TLS_RSA_WITH_DES_CBC_SHA,
+-
+- /* ciphersuites with no encryption */
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDH_RSA_WITH_NULL_SHA,
+@@ -137,6 +123,9 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_RSA_WITH_NULL_SHA,
+ TLS_RSA_WITH_NULL_SHA256,
+ TLS_RSA_WITH_NULL_MD5,
++ TLS_AES_128_GCM_SHA256,
++ TLS_CHACHA20_POLY1305_SHA256,
++ TLS_AES_256_GCM_SHA384,
+
+ 0
+ };
diff --git a/SOURCES/nss-rhel7.config b/SOURCES/nss-rhel7.config
new file mode 100644
index 00000000..be6d690f
--- /dev/null
+++ b/SOURCES/nss-rhel7.config
@@ -0,0 +1,7 @@
+# To re-enable legacy algorithms, edit this file
+# Note that the last empty line in this file must be preserved
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=md5 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+
diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch
new file mode 100644
index 00000000..7d55d10c
--- /dev/null
+++ b/SOURCES/nss-skip-bltest-and-fipstest.patch
@@ -0,0 +1,15 @@
+diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
+--- nss/cmd/Makefile.skipthem 2017-01-13 16:41:04.117486801 +0100
++++ nss/cmd/Makefile 2017-01-13 16:42:31.396335957 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
++SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
+ else
+ BLTEST_SRCDIR = bltest
+ ECPERF_SRCDIR = ecperf
diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch
new file mode 100644
index 00000000..02bf308c
--- /dev/null
+++ b/SOURCES/nss-skip-util-gtest.patch
@@ -0,0 +1,33 @@
+diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/manifest.mn 2017-10-19 11:02:27.773910909 +0200
+@@ -32,6 +32,5 @@ endif
+
+ DIRS = \
+ $(LIB_SRCDIRS) \
+- $(UTIL_SRCDIRS) \
+ $(NSS_SRCDIRS) \
+ $(NULL)
+diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
+--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/ssl_gtest/manifest.mn 2017-10-19 11:02:27.773910909 +0200
+@@ -58,6 +58,7 @@ PROGRAM = ssl_gtest
+ EXTRA_LIBS += \
+ $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
++ -lsoftokn3
+ $(NULL)
+
+ USE_STATIC_LIBS = 1
+diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh
+--- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/tests/gtests/gtests.sh 2017-10-19 11:03:57.473976538 +0200
+@@ -83,7 +83,7 @@ gtest_cleanup()
+ }
+
+ ################## main #################################################
+-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest"
++GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest"
+ SOURCE_DIR="$PWD"/../..
+ gtest_init $0
+ gtest_start
diff --git a/SOURCES/nss-sni-c-v-fix.patch b/SOURCES/nss-sni-c-v-fix.patch
new file mode 100644
index 00000000..cc52515f
--- /dev/null
+++ b/SOURCES/nss-sni-c-v-fix.patch
@@ -0,0 +1,21 @@
+diff -up nss/tests/ssl/sslauth.txt.sni_c_v_fix nss/tests/ssl/sslauth.txt
+--- nss/tests/ssl/sslauth.txt.sni_c_v_fix 2017-04-05 14:23:56.000000000 +0200
++++ nss/tests/ssl/sslauth.txt 2017-06-02 10:22:27.457072785 +0200
+@@ -64,13 +64,13 @@
+ #
+ # SNI Tests
+ #
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff --git a/SOURCES/nss-sql-default.patch b/SOURCES/nss-sql-default.patch
new file mode 100644
index 00000000..fd397788
--- /dev/null
+++ b/SOURCES/nss-sql-default.patch
@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Kai Engert
+# Date 1511548994 -3600
+# Fri Nov 24 19:43:14 2017 +0100
+# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
+# Parent 807662e6ba57db5be05036511ac8634466ed473f
+Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
+
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -111,6 +111,8 @@ RUN_FIPS=""
+ ########################################################################
+ run_tests()
+ {
++ echo "Running test cycle: ${TEST_MODE} ----------------------"
++ echo "List of tests that will be executed: ${TESTS}"
+ for TEST in ${TESTS}
+ do
+ # NOTE: the spaces are important. If you don't include
+@@ -172,8 +174,9 @@ run_cycle_pkix()
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+ export -n NSS_SSL_RUN
+
+- # use the default format
++ # use the default format. (unset for the shell, export -n for binaries)
+ export -n NSS_DEFAULT_DB_TYPE
++ unset NSS_DEFAULT_DB_TYPE
+
+ run_tests
+ }
+diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
+--- a/tests/merge/merge.sh
++++ b/tests/merge/merge.sh
+@@ -98,7 +98,7 @@ merge_init()
+ # are dbm databases.
+ if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ save=${NSS_DEFAULT_DB_TYPE}
+- NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
++ NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
+ fi
+
+ certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
diff --git a/SOURCES/nss-sysinit-getenv.patch b/SOURCES/nss-sysinit-getenv.patch
new file mode 100644
index 00000000..d3f47bc5
--- /dev/null
+++ b/SOURCES/nss-sysinit-getenv.patch
@@ -0,0 +1,57 @@
+diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c
+--- a/lib/sysinit/nsssysinit.c
++++ b/lib/sysinit/nsssysinit.c
+@@ -1,11 +1,15 @@
+ /* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#define _GNU_SOURCE 1
++#include
++
+ #include "seccomon.h"
+ #include "prio.h"
+ #include "prprf.h"
+ #include "plhash.h"
+ #include "prenv.h"
+
+ /*
+ * The following provides a default example for operating systems to set up
+@@ -37,17 +41,17 @@ testdir(char *dir)
+ return S_ISDIR(buf.st_mode);
+ }
+
+ #define NSS_USER_PATH1 "/.pki"
+ #define NSS_USER_PATH2 "/nssdb"
+ static char *
+ getUserDB(void)
+ {
+- char *userdir = PR_GetEnvSecure("HOME");
++ char *userdir = secure_getenv("HOME");
+ char *nssdir = NULL;
+
+ if (userdir == NULL) {
+ return NULL;
+ }
+
+ nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2));
+ if (nssdir == NULL) {
+@@ -129,17 +133,17 @@ userCanModifySystemDB()
+ #else
+ #error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
+ #endif
+ #endif
+
+ static PRBool
+ getFIPSEnv(void)
+ {
+- char *fipsEnv = PR_GetEnvSecure("NSS_FIPS");
++ char *fipsEnv = secure_getenv("NSS_FIPS");
+ if (!fipsEnv) {
+ return PR_FALSE;
+ }
+ if ((strcasecmp(fipsEnv, "fips") == 0) ||
+ (strcasecmp(fipsEnv, "true") == 0) ||
+ (strcasecmp(fipsEnv, "on") == 0) ||
+ (strcasecmp(fipsEnv, "1") == 0)) {
+ return PR_TRUE;
diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in
new file mode 100644
index 00000000..69823cb3
--- /dev/null
+++ b/SOURCES/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch
new file mode 100644
index 00000000..7334c803
--- /dev/null
+++ b/SOURCES/p-ignore-setpolicy.patch
@@ -0,0 +1,25 @@
+diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy 2017-01-13 17:10:36.049530395 +0100
++++ nss/lib/ssl/sslsock.c 2017-01-13 17:10:36.053530297 +0100
+@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
+ SECStatus
+ NSS_SetDomesticPolicy(void)
+ {
+- SECStatus status = SECSuccess;
+ const PRUint16 *cipher;
+ SECStatus rv;
+ PRUint32 policy;
+@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void)
+ }
+
+ for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
+- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
+- if (status != SECSuccess)
+- break;
++ (void) SSL_SetPolicy(*cipher, SSL_ALLOWED);
+ }
+- return status;
++ return SECSuccess;
+ }
+
+ SECStatus
diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml
new file mode 100644
index 00000000..d30e4690
--- /dev/null
+++ b/SOURCES/pkcs11.txt.xml
@@ -0,0 +1,56 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ pkcs11.txt
+ 5
+
+
+
+ pkcs11.txt
+ NSS PKCS #11 module configuration file
+
+
+
+ Description
+
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+
+
+For full documentation visit PKCS #11 Module Specs.
+
+
+
+
+ Files
+ /etc/pki/nssdb/pkcs11.txt
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch
new file mode 100644
index 00000000..5e3dbc75
--- /dev/null
+++ b/SOURCES/renegotiate-transitional.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 17:21:52.593560971 +0100
++++ nss/lib/ssl/sslsock.c 2018-03-09 17:22:21.096926523 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+ .noLocks = PR_FALSE,
+ .enableSessionTickets = PR_FALSE,
+ .enableDeflate = PR_FALSE,
+- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
++ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+ .requireSafeNegotiation = PR_FALSE,
+ .enableFalseStart = PR_FALSE,
+ .cbcRandomIV = PR_TRUE,
diff --git a/SOURCES/secmod.db.xml b/SOURCES/secmod.db.xml
new file mode 100644
index 00000000..afc9dcec
--- /dev/null
+++ b/SOURCES/secmod.db.xml
@@ -0,0 +1,63 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ secmod.db
+ 5
+
+
+
+ secmod.db
+ Legacy NSS security modules database
+
+
+
+ Description
+ secmod.db is an NSS security modules database.
+ The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
+
+ The command line utility modutil is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
+
+ For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
+
+
+
+
+ Files
+ /etc/pki/nssdb/secmod.db
+
+
+
+ See also
+ modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh
new file mode 100755
index 00000000..8e1f5f7d
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml
new file mode 100755
index 00000000..5b9827f4
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.xml
@@ -0,0 +1,106 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ setup-nsssysinit
+ 1
+
+
+
+ setup-nsssysinit
+ Query or enable the nss-sysinit module
+
+
+
+
+ setup-nsssysinit
+
+
+
+
+
+
+
+ Description
+ setup-nsssysinit is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it.
+ Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
+
+
+
+
+ Options
+
+
+
+
+ Turn on nss-sysinit.
+
+
+
+
+ Turn on nss-sysinit.
+
+
+
+
+ returns whether nss-syinit is enabled or not.
+
+
+
+
+
+
+ Examples
+
+ The following example will query for the status of nss-sysinit:
+
+ /usr/bin/setup-nsssysinit status
+
+
+
+ The following example, when run as superuser, will turn on nss-sysinit:
+
+ /usr/bin/setup-nsssysinit on
+
+
+
+
+
+
+ Files
+ /usr/bin/setup-nsssysinit
+
+
+
+ See also
+ pkg-config(1)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt
new file mode 100644
index 00000000..c2f5704f
--- /dev/null
+++ b/SOURCES/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/SOURCES/utilwrap-include-templates.patch b/SOURCES/utilwrap-include-templates.patch
new file mode 100644
index 00000000..649b5484
--- /dev/null
+++ b/SOURCES/utilwrap-include-templates.patch
@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
old mode 100755
new mode 100644
index d0f8af9a..984a6fe6
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,15 +1,13 @@
-%global optflags -m64
-
-%global nspr_version 4.11.0
-%global nss_util_version 3.21.0
-%global nss_util_build -2.2
+%global nspr_version 4.19.0
+%global nss_util_version 3.36.0
+%global nss_util_build -1
# adjust to the version that gets submitted for FIPS validation
-%global nss_softokn_fips_version 3.16.2
-%global nss_softokn_version 3.16.2.3
+%global nss_softokn_fips_version 3.36.0
+%global nss_softokn_version 3.36.0
# Attention: Separate softokn versions for build and runtime.
-%global runtime_required_softokn_build_version -14.2
-# Building NSS doesn't require the softokn -13 build.
-%global build_required_softokn_build_version -13
+%global runtime_required_softokn_build_version -1
+# Building NSS doesn't require the same version of softokn built for runtime.
+%global build_required_softokn_build_version -1
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -28,8 +26,8 @@
Summary: Network Security Services
Name: nss
-Version: 3.21.0
-Release: 9%{?dist}
+Version: 3.36.0
+Release: 5%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -53,8 +51,17 @@ BuildRequires: gawk
BuildRequires: psmisc
BuildRequires: perl
-%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
-%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
+# nss-pem used to be bundled with the nss package on Fedora -- make sure that
+# programs relying on that continue to work until they are fixed to require
+# nss-pem instead. Once all of them are fixed, the following line can be
+# removed. See https://bugzilla.redhat.com/1346806 for details.
+Requires: nss-pem%{?_isa}
+
+%if %{defined nss_ckbi_suffix}
+%define full_nss_version %{version}%{nss_ckbi_suffix}
+%else
+%define full_nss_version %{version}
+%endif
Source0: %{name}-%{full_nss_version}.tar.gz
Source1: nss.pc.in
@@ -67,7 +74,6 @@ Source7: blank-key4.db
Source8: system-pkcs11.txt
Source9: setup-nsssysinit.sh
Source10: PayPalEE.cert
-Source12: %{name}-pem-20140125.tar.bz2
Source17: TestCA.ca.cert
Source18: TestUser50.cert
Source19: TestUser51.cert
@@ -81,15 +87,12 @@ Source26: key4.db.xml
Source27: secmod.db.xml
Source30: PayPalRootCA.cert
Source31: PayPalICA.cert
+Source32: nss-rhel7.config
+Source33: TestOldCA.p12
Patch2: add-relro-linker-option.patch
Patch3: renegotiate-transitional.patch
-Patch6: nss-enable-pem.patch
Patch16: nss-539183.patch
-Patch18: nss-646045.patch
-# must statically link pem against the freebl in the buildroot
-# Needed only when sources on tree have new APIS
-Patch25: nsspem-use-system-freebl.patch
# TODO: Remove this patch when the ocsp test are fixed
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
@@ -103,60 +106,38 @@ Patch49: nss-skip-bltest-and-fipstest.patch
# headers are older. Such is the case when starting an update with API changes or even private export changes.
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
Patch50: iquote.patch
-# As of nss-3.21 we compile NSS with -Werror.
-# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
-# This requires a cleanup of the PEM module as we have it here.
-# TODO: submit a patch to the interim nss-pem upstream project
-# The submission will be very different from this patch as
-# cleanup there is already in progress there.
-Patch51: pem-compile-with-Werror.patch
Patch52: Bug-1001841-disable-sslv2-libssl.patch
Patch53: Bug-1001841-disable-sslv2-tests.patch
-Patch54: sslauth-no-v2.patch
Patch55: enable-fips-when-system-is-in-fips-mode.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
Patch56: p-ignore-setpolicy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
Patch62: nss-fix-deadlock-squash.patch
-# Two patches from from rhel6.8 that are also needed for rhel-7
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
-Patch74: race.patch
-Patch94: nss-3.16-token-init-race.patch
-Patch99: ssl-server-min-key-sizes.patch
Patch100: fix-min-library-version-in-SSLVersionRange.patch
-# Add support for sha384 tls cipher suites, dss cipher suites, and
-# server-side dhe key exchange
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-Patch101: dhe-sha384-dss-support.patch
-# TODO: From upstream review: For the client authentication case, should
-# probably drop our hack of swapping between sha256 and sha384 and plan
-# on implementing the fix we already have a patch for. What is that fix?
-Patch102: client_auth_for_sha384_prf_support.patch
-Patch103: nss-fix-client-auth-init-hashes.patch
-Patch104: nss-map-oid-to-hashalg.patch
-Patch105: nss-remove-bogus-assert.patch
-Patch106: nss-old-pkcs11-num.patch
-Patch107: nss-enable-384-cipher-tests.patch
Patch108: nss-sni-c-v-fix.patch
-Patch109: nss-fix-signature-and-hash.patch
-Patch110: nss-sslstress-txt-ssl3-lower-value-in-range.patch
-
-# Enable by default two additional ciphers and fix order of two tables
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1211403
-Patch112: rh1238290.patch
-# Local: keep as long nss-softokn lacks support
-Patch113: disable-extended-master-secret-with-old-softoken.patch
-# extra tests needed
-Patch114: tests-extra.patch
-Patch115: nss-prevent-abi-issue.patch
-Patch116: nss-tests-prevent-abi-issue.patch
-Patch117: fix-nss-test-filtering.patch
-Patch118: fix-allowed-sig-alg.patch
-Patch119: nss-ssl-ssl3con-delete-duplicates.patch
+Patch123: nss-skip-util-gtest.patch
+Patch126: nss-reorder-cipher-suites.patch
+Patch127: nss-disable-cipher-suites.patch
+Patch128: nss-enable-cipher-suites.patch
+Patch130: nss-reorder-cipher-suites-gtests.patch
+Patch131: nss-disable-tls13-gtests.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch135: nss-check-policy-file.patch
+# To revert the change in:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1377940
+Patch136: nss-sql-default.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1278071
+Patch137: nss-pkcs12-iterations-limit.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1447628
+Patch138: nss-devslot-reinsert.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1453408
+Patch139: nss-modutil-skip-changepw-fips.patch
+# Work around for yum
+# https://bugzilla.redhat.com/show_bug.cgi?id=1469526
+Patch141: nss-sysinit-getenv.patch
+# To revert the change in:
+# https://hg.mozilla.org/projects/nss/rev/896e3eb3a799
+Patch142: nss-lockcert-api-change.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -233,54 +214,40 @@ low level services.
%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
-%setup -q -T -D -n %{name}-%{version} -a 12
+%{__cp} %{SOURCE33} -f ./nss/tests/tools
+%setup -q -T -D -n %{name}-%{version}
%patch2 -p0 -b .relro
%patch3 -p0 -b .transitional
-%patch6 -p0 -b .libpem
%patch16 -p0 -b .539183
-pushd nss
-%patch18 -p1 -b .646045
-popd
-# link pem against buildroot's freebl, essential when mixing and matching
-%patch25 -p0 -b .systemfreebl
%patch40 -p0 -b .noocsptest
%patch47 -p0 -b .templates
%patch49 -p0 -b .skipthem
%patch50 -p0 -b .iquote
-%patch51 -p1 -b -Werror
pushd nss
%patch52 -p1 -b .disableSSL2libssl
%patch53 -p1 -b .disableSSL2tests
-%patch54 -p1 -b .sslauth-no-v2
%patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
%patch56 -p1 -b .1026677_ignore_set_policy
%patch62 -p1 -b .fix_deadlock
-%patch99 -p1 -b .min_key_sizes
%patch100 -p0 -b .1171318
-%patch101 -p1 -b .dhe_and_sha384
-%patch102 -p1 -b .client_auth_prf
-%patch112 -p1 -b .1238290
-%patch113 -p1 -b .disable-ems
-%patch114 -p1 -b .extra
-%patch115 -p1 -b .abi_lib
-%patch116 -p1 -b .abi_tests
-%patch117 -p1 -b .test-filtering
-%patch74 -p1 -b .race
popd
-%patch94 -p0 -b .init-token-race
-%patch103 -p0 -b .fix_client_auth_crash
-%patch104 -p0 -b .use_oids
-%patch105 -p0 -b .remove_bogus_assert
-%patch106 -p0 -b .old_pkcs11_num
-%patch107 -p0 -b .enable_384_cipher_tests
%patch108 -p0 -b .sni_c_v_fix
-%patch109 -p0 -b .fix_signature_and_hash
-%patch110 -p0 -b .no_ssl2
pushd nss
-%patch118 -p1 -b .allowed-sig-alg
+%patch123 -p1 -b .skip-util-gtests
+%patch126 -p1 -b .reorder-cipher-suites
+%patch127 -p1 -b .disable-cipher-suites
+%patch128 -p1 -b .enable-cipher-suites
+%patch130 -p1 -b .reorder-cipher-suites-gtests
+%patch131 -p1 -b .disable-tls13-gtests
+%patch135 -p1 -b .check_policy_file
+%patch136 -p1 -R -b .sql-default
+%patch137 -p1 -b .pkcs12-iterations-limit
+%patch138 -p1 -b .devslot-reinsert
+%patch139 -p1 -b .modutil-skip-changepw-fips
+%patch141 -p1 -b .sysinit-getenv
+%patch142 -p1 -R -b .lockcert-api-change
popd
-%patch119 -p0 -b .delete_duplicates
#########################################################
# Higher-level libraries and test tools need access to
@@ -288,11 +255,6 @@ popd
# until fixed upstream we must copy some headers locally
#########################################################
-pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
-for file in ${pemNeedsFromSoftoken}; do
- %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
-done
-
# Copying these header until the upstream bug is accepted
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
@@ -324,9 +286,6 @@ popd
export NSS_NO_SSL2=1
-NSS_NO_PKCS11_BYPASS=1
-export NSS_NO_PKCS11_BYPASS
-
FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND
@@ -334,11 +293,12 @@ export FREEBL_NO_DEPEND
export BUILD_OPT=1
# Uncomment to disable optimizations
-#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
-#export RPM_OPT_FLAGS
+# RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g' -e 's/ -Wp,-D_FORTIFY_SOURCE=2//g'`
+# export RPM_OPT_FLAGS
# Generate symbolic info for debuggers
XCFLAGS=$RPM_OPT_FLAGS
+
export XCFLAGS
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
@@ -376,6 +336,8 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
%ifnarch noarch
%if 0%{__isa_bits} == 64
USE_64=1
@@ -387,16 +349,21 @@ export USE_64
export IN_TREE_FREEBL_HEADERS_FIRST=1
##### phase 2: build the rest of nss
-# nss supports pluggable ecc
-NSS_ENABLE_ECC=1
-export NSS_ENABLE_ECC
-NSS_ECC_MORE_THAN_SUITE_B=1
-export NSS_ECC_MORE_THAN_SUITE_B
-
export NSS_BLTEST_NOT_AVAILABLE=1
+
+export NSS_DISABLE_TLS_1_3=1
+
+export NSS_FORCE_FIPS=1
+
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss-rhel7.config"
+# location of the policy file
+export POLICY_PATH="/etc/pki/nss-legacy"
+
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
# need nss/lib/util/verref.h which is exported privately,
# copy the one we saved during prep so it they can find it.
@@ -499,6 +466,10 @@ export USE_64
export NSS_BLTEST_NOT_AVAILABLE=1
+export NSS_DISABLE_TLS_1_3=1
+
+export NSS_FORCE_FIPS=1
+
# needed for the fips mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}
@@ -545,7 +516,7 @@ pushd ./nss/tests/
# don't need to run all the tests when testing packaging
# nss_cycles: standard pkix upgradedb sharedb
-%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
# nss_ssl_run: cov auth stress
#
@@ -574,8 +545,11 @@ TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log)
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
echo "okay: test suite detected no failures"
else
-# test suite is failing on arm and has for a while let's run the test suite but make it non fatal on arm
-%ifnarch %{arm}
+ %ifarch %{arm}
+ :
+ # do nothing on arm where the test suite is failing and has been
+ # for while, do run the test suite but make it non fatal on arm
+ %else
if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
# while a situation in which grep return status is 0 and it doesn't output
# anything shouldn't happen, set the default to something that is
@@ -615,7 +589,7 @@ touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
# Copy the binary libraries we want
-for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
do
%{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done
@@ -687,6 +661,9 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done
+%{__mkdir_p} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy
+%{__install} -p -m 644 %{SOURCE32} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
+
%clean
%{__rm} -rf $RPM_BUILD_ROOT
@@ -725,24 +702,6 @@ else
fi
/sbin/ldconfig
-%posttrans
-# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
-# (The incorrect %%postun always called "update-alternatives --remove",
-# because it incorrectly assumed that test -f returns false for symbolic links.)
-# The only possible remedy to fix the mistake that "always removes on upgrade"
-# made by the older %%postun script, is to repair it in %%posttrans of the new package.
-# Strategy:
-# %%posttrans is never called when uninstalling.
-# %%posttrans is only called when installing or upgrading a package.
-# Because %%posttrans is the very last action of a package install,
-# %%{_libdir}/libnssckbi.so must exist.
-# If it does not, it's the result of the incorrect removal from a broken %%postun.
-# In this case, we repeat installation of the alternatives link.
-if ! test -e %{_libdir}/libnssckbi.so; then
- %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
- %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
-fi
-
%files
%defattr(-,root,root)
@@ -751,7 +710,6 @@ fi
%{_libdir}/libsmime3.so
%ghost %{_libdir}/libnssckbi.so
%{_libdir}/nss/libnssckbi.so
-%{_libdir}/libnsspem.so
%dir %{_sysconfdir}/pki/nssdb
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
@@ -765,6 +723,8 @@ fi
%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%dir %{_sysconfdir}/pki/nss-legacy
+%config(noreplace) %{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
%files sysinit
%defattr(-,root,root)
@@ -842,7 +802,6 @@ fi
%{_includedir}/nss3/keythi.h
%{_includedir}/nss3/nss.h
%{_includedir}/nss3/nssckbi.h
-%{_includedir}/nss3/nsspem.h
%{_includedir}/nss3/ocsp.h
%{_includedir}/nss3/ocspt.h
%{_includedir}/nss3/p12.h
@@ -865,6 +824,7 @@ fi
%{_includedir}/nss3/smime.h
%{_includedir}/nss3/ssl.h
%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
%{_includedir}/nss3/sslproto.h
%{_includedir}/nss3/sslt.h
@@ -887,6 +847,198 @@ fi
%changelog
+* Wed Apr 18 2018 Daiki Ueno - 3.36.0-5
+- Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h
+
+* Fri Apr 13 2018 Daiki Ueno - 3.36.0-4
+- Work around modutil -changepw error if the old and new passwords are
+ both empty in FIPS mode
+
+* Tue Mar 27 2018 Daiki Ueno - 3.36.0-3
+- Decrease the iteration count of PKCS#12 for compatibility with Windows
+- Fix deadlock when a token is re-inserted while a client process is running
+
+* Mon Mar 12 2018 Daiki Ueno - 3.36.0-2
+- Set NSS_FORCE_FIPS=1 in %%build
+- Revert the changes to tests assuming the default DB type
+
+* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1
+- Rebase to NSS 3.36
+
+* Mon Jan 15 2018 Daiki Ueno - 3.34.0-4
+- Re-enable nss-is-token-present-race.patch
+
+* Fri Jan 5 2018 Daiki Ueno - 3.34.0-3
+- Temporarily disable nss-is-token-present-race.patch
+
+* Thu Jan 4 2018 Daiki Ueno - 3.34.0-2
+- Backport necessary changes from 3.35
+
+* Fri Nov 24 2017 Daiki Ueno - 3.34.0-1
+- Rebase to NSS 3.34
+
+* Mon Oct 30 2017 Daiki Ueno - 3.34.0-0.1.beta1
+- Rebase to NSS 3.34.BETA1
+
+* Wed Oct 25 2017 Daiki Ueno - 3.33.0-3
+- Disable TLS 1.3
+
+* Wed Oct 18 2017 Daiki Ueno - 3.33.0-2
+- Enable TLS 1.3
+
+* Mon Oct 16 2017 Daiki Ueno - 3.33.0-1
+- Rebase to NSS 3.33
+- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants)
+- Temporarily disable race.patch and nss-3.16-token-init-race.patch,
+ which causes a deadlock in newly added test cases
+- Remove upstreamed patches: moz-1320932.patch,
+ nss-tstclnt-optspec.patch,
+ nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch,
+ nss-tools-sha256-default.patch, nss-is-token-present-race.patch,
+ nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch
+
+* Mon Oct 16 2017 Daiki Ueno - 3.28.4-14
+- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption
+
+* Mon Oct 16 2017 Daiki Ueno - 3.28.4-13
+- Update iquote.patch to prefer nss.h from the source
+
+* Mon Oct 16 2017 Daiki Ueno - 3.28.4-12
+- Add backward compatibility to pk12util regarding password encoding
+
+* Thu Aug 10 2017 Daiki Ueno - 3.28.4-11
+- Backport patch to simplify transcript calculation for CertificateVerify
+- Enable TLS 1.3 and RSA-PSS
+- Disable some upstream tests failing due to downstream ciphersuites changes
+
+* Thu Jul 13 2017 Daiki Ueno - 3.28.4-10
+- Work around yum crash due to new NSPR symbol being used in nss-sysinit,
+ patch by Kai Engert
+
+* Fri Jun 2 2017 Daiki Ueno - 3.28.4-9
+- Fix typo in nss-sni-c-v-fix.patch
+
+* Fri May 5 2017 Kai Engert - 3.28.4-8
+- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5
+
+* Fri May 5 2017 Daiki Ueno - 3.28.4-7
+- Update nss-pk12util.patch to include fix from mozbz#1353724.
+
+* Wed May 3 2017 Daiki Ueno - 3.28.4-6
+- Update nss-alert-handler.patch with the upstream fix from mozbz#1360207.
+
+* Fri Apr 28 2017 Daiki Ueno - 3.28.4-5
+- Fix zero-length record treatment for stream ciphers and SSLv2
+
+* Thu Apr 27 2017 Daiki Ueno - 3.28.4-4
+- Correctly set policy file location when building
+
+* Wed Apr 26 2017 Daiki Ueno - 3.28.4-3
+- Reorder ChaCha20-Poly1305 cipher suites, as suggested in:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1373158#c9
+
+* Thu Apr 20 2017 Daiki Ueno - 3.28.4-2
+- Rebase to NSS 3.28.4
+- Update nss-pk12util.patch with backport of mozbz#1353325
+
+* Thu Mar 16 2017 Daiki Ueno - 3.28.3-5
+- Switch default hash algorithm used by tools from SHA-1 to SHA-256
+- Avoid race condition in nssSlot_IsTokenPresent()
+- Enable SHA-2 and AES in pk12util
+- Disable RSA-PSS for now
+
+* Fri Mar 10 2017 Daiki Ueno - 3.28.3-4
+- Utilize CKA_NSS_MOZILLA_CA_POLICY attribute, patch by Kai Engert
+- Backport changes adding SSL alert callbacks from upstream
+- Add nss-check-policy-file.patch from Fedora
+- Install policy config in /etc/pki/nss-legacy/nss-rhel7.config
+
+* Mon Mar 6 2017 Daiki Ueno - 3.28.3-3
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+ multlib environment, patch by Kamil Dudka
+- Enable new algorithms supported by the new nss-softokn
+
+* Mon Mar 6 2017 Daiki Ueno - 3.28.3-2
+- Rebase to NSS 3.28.3
+- Bump required version of nss-softokn
+
+* Wed Feb 15 2017 Daiki Ueno - 3.28.2-3
+- Remove %%nss_cycles setting, which was also mistakenly added
+- Re-enable BUILD_OPT, mistakenly disabled in the previous build
+- Prevent ABI incompatibilty of SECKEYECPublicKey
+- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
+- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
+ patch in the previous release
+- Fix crash with tstclnt -W
+- Always enable gtests for supported features
+- Add patch to fix bash syntax error in tests/ssl.sh
+- Build with support for SSLKEYLOGFILE
+- Disable the use of RSA-PSS with SSL/TLS
+
+* Tue Feb 14 2017 Daiki Ueno - 3.28.2-2
+- Decouple nss-pem from the nss package
+- Resolves: #1316546
+
+* Mon Feb 13 2017 Daiki Ueno - 3.28.2-1.1
+- Remove mistakenly added R: nss-pem
+
+* Fri Feb 10 2017 Daiki Ueno - 3.28.2-1.0
+- Rebase to NSS 3.28.2
+- Remove NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITE_B setting, which
+ is no-op now
+- Enable gtests when requested
+- Remove nss-646045.patch and fix-nss-test-filtering.patch, which are
+ not necessary
+- Remove sslauth-no-v2.patch and
+ nss-sslstress-txt-ssl3-lower-value-in-range.patch, as SSLv2 is
+ already disabled in upstream
+- Remove ssl-server-min-key-sizes.patch, as we decided to support DH
+ key size greater than 1023 bits
+- Remove local patches for SHA384 cipher suites (now supported in
+ upstream): dhe-sha384-dss-support.patch,
+ client_auth_for_sha384_prf_support.patch,
+ nss-fix-client-auth-init-hashes.patch, nss-map-oid-to-hashalg.patch,
+ nss-enable-384-cipher-tests.patch, nss-fix-signature-and-hash.patch,
+ fix-allowed-sig-alg.patch, tests-extra.patch
+- Remove upstreamed patches: rh1238290.patch,
+ fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch,
+ call-restartmodules-in-nssinit.patch
+
+* Wed Oct 26 2016 Daiki Ueno - 3.21.3-1
+- Rebase to NSS 3.21.3
+- Resolves: #1383887
+
+* Thu Jun 30 2016 Kai Engert - 3.21.0-17
+- remove additional false duplicates from sha384 downstream patches
+
+* Tue Jun 28 2016 Kai Engert - 3.21.0-16
+- enable ssl_gtests (without extended master secret tests), Bug 1298692
+- call SECMOD_RestartModules in nss_Init, Bug 1317691
+
+* Fri Jun 17 2016 Kai Engert - 3.21.0-15
+- escape all percent characters in all changelog comments
+
+* Fri Jun 17 2016 Kai Engert - 3.21.0-14
+- Support TLS 1.2 certificate_verify hashes other than PRF,
+ backported fix from NSS 3.25 (upstream bug 1179338).
+
+* Mon May 23 2016 Elio Maldonado - 3.21.0-13
+- Fix reuse of session cache entry
+- Resolves: Bug 1241172 - Certificate verification fails with multiple https urls
+
+* Wed Apr 20 2016 Elio Maldonado - 3.21.0-12
+- Fix a flaw in %%check for nss not building on arm
+- Resolves: Bug 1200856
+
+* Wed Apr 20 2016 Elio Maldonado - 3.21.0-11
+- Cleanup: Remove unnecessary %%posttrans script from nss.spec
+- Resolves: Bug 1174201
+
+* Wed Apr 20 2016 Elio Maldonado - 3.21.0-10
+- Merge fixes from the rhel-7.2 branch
+- Fix a bogus %%changelog entry
+- Resolves: Bug 1297941
+
* Fri Apr 15 2016 Kai Engert - 3.21.0-9
- Rebuild to require the latest nss-util build and nss-softokn build.
@@ -900,22 +1052,22 @@ fi
- Fix missing support for sha384/dsa in certificate_request
* Wed Mar 23 2016 Kai Engert - 3.21.0-5
+- Merge fixes from the rhel-7.2 branch
- Fix the SigAlgs sent in certificate_request
-
-* Tue Mar 22 2016 Elio Maldonado - 3.21.0-4
- Ensure all ssl.sh tests are executed
- Update sslauth test patch to run additional tests
-* Thu Feb 25 2016 Elio Maldonado - 3.21.0-2
+* Fri Feb 26 2016 Elio Maldonado - 3.21.0-2
- Fix sha384 support and testing patches
-* Mon Feb 22 2016 Elio Maldonado - 3.21.0-1
+* Wed Feb 17 2016 Elio Maldonado - 3.21.0-1
- Rebase to NSS-3.21
-- Resolves: Bug 1310581
* Tue Dec 15 2015 Elio Maldonado - 3.19.1-19
- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol
-- Resolves: Bug 1289883
+- Fix a mockbuild reported bad %%if condition when using the __isa_bits macro instead of list of 64-bit architectures
+- Change the test to %%if 0%%{__isa_bits} == 64 as required for building the srpm which is noarch
+- Resolves: Bug 1289884
* Wed Oct 21 2015 Kai Engert - 3.19.1-18
- Rebuild against updated NSPR
@@ -1533,7 +1685,7 @@ fi
- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
* Tue Oct 05 2010 Elio Maldonado - 3.12.8-4
-- Fix invalid %postun scriptlet (#639248)
+- Fix invalid %%postun scriptlet (#639248)
* Wed Sep 29 2010 Elio Maldonado - 3.12.8-3
- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)