diff --git a/SOURCES/0013-curl-7.29.0-665c160f.patch b/SOURCES/0013-curl-7.29.0-665c160f.patch
new file mode 100644
index 0000000..d7c2ddf
--- /dev/null
+++ b/SOURCES/0013-curl-7.29.0-665c160f.patch
@@ -0,0 +1,86 @@
+From 311a22b801693bf8b748169f35bde7bef744da8c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 29 Jan 2014 12:55:36 +0100
+Subject: [PATCH 1/2] nss: do not fail if NSS does not implement a cipher
+
+... that the user does not ask for
+
+[upstream commit e15e73b741a2ddc88d166d2cec86d2bebb5d349e]
+---
+ lib/nss.c |    9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index a2c5c63..c4ffe7b 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -192,14 +192,13 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
+   PRBool cipher_state[NUM_OF_CIPHERS];
+   PRBool found;
+   char *cipher;
+-  SECStatus rv;
+ 
+   /* First disable all ciphers. This uses a different max value in case
+    * NSS adds more ciphers later we don't want them available by
+    * accident
+    */
+   for(i=0; i<SSL_NumImplementedCiphers; i++) {
+-    SSL_CipherPrefSet(model, SSL_ImplementedCiphers[i], SSL_NOT_ALLOWED);
++    SSL_CipherPrefSet(model, SSL_ImplementedCiphers[i], PR_FALSE);
+   }
+ 
+   /* Set every entry in our list to false */
+@@ -239,8 +238,10 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
+ 
+   /* Finally actually enable the selected ciphers */
+   for(i=0; i<NUM_OF_CIPHERS; i++) {
+-    rv = SSL_CipherPrefSet(model, cipherlist[i].num, cipher_state[i]);
+-    if(rv != SECSuccess) {
++    if(!cipher_state[i])
++      continue;
++
++    if(SSL_CipherPrefSet(model, cipherlist[i].num, PR_TRUE) != SECSuccess) {
+       failf(data, "cipher-suite not supported by NSS: %s", cipherlist[i].name);
+       return SECFailure;
+     }
+-- 
+1.7.1
+
+
+From 9fe38c72787ba6658456a30477d48fe7960947ed Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 29 Jan 2014 13:03:46 +0100
+Subject: [PATCH 2/2] nss: do not use the NSS_ENABLE_ECC define
+
+It is not provided by NSS public headers.
+
+Bug: https://bugzilla.redhat.com/1058776
+
+[upstream commit 665c160f0a4635565b44704ca281d2a03e715d6d]
+---
+ lib/nss.c |    2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index c4ffe7b..111982f 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -126,7 +126,6 @@ static const cipher_s cipherlist[] = {
+   /* AES ciphers. */
+   {"rsa_aes_128_sha",            TLS_RSA_WITH_AES_128_CBC_SHA},
+   {"rsa_aes_256_sha",            TLS_RSA_WITH_AES_256_CBC_SHA},
+-#ifdef NSS_ENABLE_ECC
+   /* ECC ciphers. */
+   {"ecdh_ecdsa_null_sha",        TLS_ECDH_ECDSA_WITH_NULL_SHA},
+   {"ecdh_ecdsa_rc4_128_sha",     TLS_ECDH_ECDSA_WITH_RC4_128_SHA},
+@@ -153,7 +152,6 @@ static const cipher_s cipherlist[] = {
+   {"ecdh_anon_3des_sha",         TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA},
+   {"ecdh_anon_aes_128_sha",      TLS_ECDH_anon_WITH_AES_128_CBC_SHA},
+   {"ecdh_anon_aes_256_sha",      TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
+-#endif
+ };
+ 
+ /* following ciphers are new in NSS 3.4 and not enabled by default, therefore
+-- 
+1.7.1
+
diff --git a/SOURCES/0014-curl-7.29.0-8ae35102.patch b/SOURCES/0014-curl-7.29.0-8ae35102.patch
new file mode 100644
index 0000000..9daa26d
--- /dev/null
+++ b/SOURCES/0014-curl-7.29.0-8ae35102.patch
@@ -0,0 +1,42 @@
+From 8683703ef3978983e61329801aecc554aec06055 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 7 Jan 2014 09:33:54 +0100
+Subject: [PATCH] ConnectionExists: fix NTLM check for new connection
+
+When the requested authentication bitmask includes NTLM, we cannot
+re-use a connection for another username/password as we then risk
+re-using NTLM (connection-based auth).
+
+This has the unfortunate downside that if you include NTLM as a possible
+auth, you cannot re-use connections for other usernames/passwords even
+if NTLM doesn't end up the auth type used.
+
+Reported-by: Paras S
+Patched-by: Paras S
+Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html
+
+[upstream commit 8ae35102c43d8d06572c3a1292eb6e27e663c78d]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index bddbd91..313ec3e 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2782,8 +2782,8 @@ ConnectionExists(struct SessionHandle *data,
+   struct connectdata *check;
+   struct connectdata *chosen = 0;
+   bool canPipeline = IsPipeliningPossible(data, needle);
+-  bool wantNTLM = (data->state.authhost.want==CURLAUTH_NTLM) ||
+-                  (data->state.authhost.want==CURLAUTH_NTLM_WB) ? TRUE : FALSE;
++  bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) ||
++    (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE;
+   struct connectbundle *bundle;
+ 
+   /* Look up the bundle with all the connections to this
+-- 
+1.7.1
+
diff --git a/SOURCES/0015-curl-7.29.0-7fc9325a.patch b/SOURCES/0015-curl-7.29.0-7fc9325a.patch
new file mode 100644
index 0000000..7b6c5fe
--- /dev/null
+++ b/SOURCES/0015-curl-7.29.0-7fc9325a.patch
@@ -0,0 +1,1090 @@
+From a7b1ea3537b30450ad82d2c64d31dcecaed60fca Mon Sep 17 00:00:00 2001
+From: Gergely Nagy <ngg@tresorit.com>
+Date: Thu, 19 Sep 2013 15:17:13 +0200
+Subject: [PATCH 1/9] SSL: protocol version can be specified more precisely
+
+CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
+CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version
+(CURL_SSLVERSION_TLSv1 means TLS 1.x).
+
+axTLS:
+axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one
+of these should be used, so we don't allow the new enum values.
+
+darwinssl:
+Added support for the new enum values.
+
+SChannel:
+Added support for the new enum values.
+
+CyaSSL:
+Added support for the new enum values.
+Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
+did the same before this commit), because CyaSSL cannot be configured to
+use TLS 1.0-1.2.
+
+GSKit:
+GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow
+those values.
+Bugfix: There was a typo that caused wrong SSL versions to be passed to
+GSKit.
+
+NSS:
+TLS minor version cannot be set, so we don't allow the new enum values.
+
+QsoSSL:
+TLS minor version cannot be set, so we don't allow the new enum values.
+
+OpenSSL:
+Added support for the new enum values.
+Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0,
+now it enables 1.0-1.2.
+
+Command-line tool:
+Added command line options for the new values.
+
+[upstream commit ad34a2d5c87c7f4b14e8dded34569395de0d8c5b]
+---
+ docs/libcurl/curl_easy_setopt.3  |    8 +++++-
+ docs/libcurl/symbols-in-versions |    3 ++
+ include/curl/curl.h              |    5 +++-
+ lib/axtls.c                      |    3 +-
+ lib/curl_darwinssl.c             |   34 +++++++++++++++++++++++++
+ lib/curl_schannel.c              |    9 ++++++
+ lib/cyassl.c                     |   13 +++++++++-
+ lib/nss.c                        |    6 ++++
+ lib/qssl.c                       |    6 ++++
+ lib/ssluse.c                     |   51 +++++++++++++++++++++++++++----------
+ packages/OS400/curl.inc.in       |    6 ++++
+ src/tool_getparam.c              |   25 ++++++++++++++++--
+ src/tool_setopt.c                |    3 ++
+ 13 files changed, 151 insertions(+), 21 deletions(-)
+
+diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
+index 3d31aef..92db8f4 100644
+--- a/docs/libcurl/curl_easy_setopt.3
++++ b/docs/libcurl/curl_easy_setopt.3
+@@ -2219,11 +2219,17 @@ The default action. This will attempt to figure out the remote SSL protocol
+ version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
+ by default with 7.18.1).
+ .IP CURL_SSLVERSION_TLSv1
+-Force TLSv1
++Force TLSv1.x
+ .IP CURL_SSLVERSION_SSLv2
+ Force SSLv2
+ .IP CURL_SSLVERSION_SSLv3
+ Force SSLv3
++.IP CURL_SSLVERSION_TLSv1_0
++Force TLSv1.0
++.IP CURL_SSLVERSION_TLSv1_1
++Force TLSv1.1
++.IP CURL_SSLVERSION_TLSv1_2
++Force TLSv1.2
+ .RE
+ .IP CURLOPT_SSL_VERIFYPEER
+ Pass a long as parameter. By default, curl assumes a value of 1.
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index 37b5e27..57fa6eb 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -678,6 +678,9 @@ CURL_SSLVERSION_DEFAULT         7.9.2
+ CURL_SSLVERSION_SSLv2           7.9.2
+ CURL_SSLVERSION_SSLv3           7.9.2
+ CURL_SSLVERSION_TLSv1           7.9.2
++CURL_SSLVERSION_TLSv1_0         7.33.0
++CURL_SSLVERSION_TLSv1_1         7.33.0
++CURL_SSLVERSION_TLSv1_2         7.33.0
+ CURL_TIMECOND_IFMODSINCE        7.9.7
+ CURL_TIMECOND_IFUNMODSINCE      7.9.7
+ CURL_TIMECOND_LASTMOD           7.9.7
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 80e4cf5..8e548e3 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -1625,9 +1625,12 @@ enum CURL_NETRC_OPTION {
+ 
+ enum {
+   CURL_SSLVERSION_DEFAULT,
+-  CURL_SSLVERSION_TLSv1,
++  CURL_SSLVERSION_TLSv1, /* TLS 1.x */
+   CURL_SSLVERSION_SSLv2,
+   CURL_SSLVERSION_SSLv3,
++  CURL_SSLVERSION_TLSv1_0,
++  CURL_SSLVERSION_TLSv1_1,
++  CURL_SSLVERSION_TLSv1_2,
+ 
+   CURL_SSLVERSION_LAST /* never use, keep last */
+ };
+diff --git a/lib/axtls.c b/lib/axtls.c
+index d512950..68794b5 100644
+--- a/lib/axtls.c
++++ b/lib/axtls.c
+@@ -169,7 +169,8 @@ Curl_axtls_connect(struct connectdata *conn,
+   case CURL_SSLVERSION_TLSv1:
+     break;
+   default:
+-    failf(data, "axTLS only supports TLSv1");
++    failf(data, "axTLS only supports TLS 1.0 and 1.1, "
++          "and it cannot be specified which one to use");
+     return CURLE_SSL_CONNECT_ERROR;
+   }
+ 
+diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c
+index 827c876..69eff8a 100644
+--- a/lib/curl_darwinssl.c
++++ b/lib/curl_darwinssl.c
+@@ -719,6 +719,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
+         (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
+         (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
+         break;
++      case CURL_SSLVERSION_TLSv1_0:
++        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
++        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
++        break;
++      case CURL_SSLVERSION_TLSv1_1:
++        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
++        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
++        break;
++      case CURL_SSLVERSION_TLSv1_2:
++        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
++        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
++        break;
+       case CURL_SSLVERSION_SSLv3:
+         (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
+         (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
+@@ -759,6 +771,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
+                                            kTLSProtocol12,
+                                            true);
+         break;
++      case CURL_SSLVERSION_TLSv1_0:
++        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
++                                           kTLSProtocol1,
++                                           true);
++        break;
++      case CURL_SSLVERSION_TLSv1_1:
++        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
++                                           kTLSProtocol11,
++                                           true);
++        break;
++      case CURL_SSLVERSION_TLSv1_2:
++        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
++                                           kTLSProtocol12,
++                                           true);
++        break;
+       case CURL_SSLVERSION_SSLv3:
+         (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                            kSSLProtocol3,
+@@ -785,10 +812,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
+                                          true);
+       break;
+     case CURL_SSLVERSION_TLSv1:
++    case CURL_SSLVERSION_TLSv1_0:
+       (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                          kTLSProtocol1,
+                                          true);
+       break;
++    case CURL_SSLVERSION_TLSv1_1:
++      failf(data, "Your version of the OS does not support TLSv1.1");
++      return CURLE_SSL_CONNECT_ERROR;
++    case CURL_SSLVERSION_TLSv1_2:
++      failf(data, "Your version of the OS does not support TLSv1.2");
++      return CURLE_SSL_CONNECT_ERROR;
+     case CURL_SSLVERSION_SSLv2:
+       (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                          kSSLProtocol2,
+diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c
+index a615f57..19b7f71 100644
+--- a/lib/curl_schannel.c
++++ b/lib/curl_schannel.c
+@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
+                                               SP_PROT_TLS1_1_CLIENT |
+                                               SP_PROT_TLS1_2_CLIENT;
+         break;
++      case CURL_SSLVERSION_TLSv1_0:
++        schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT;
++        break;
++      case CURL_SSLVERSION_TLSv1_1:
++        schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT;
++        break;
++      case CURL_SSLVERSION_TLSv1_2:
++        schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
++        break;
+       case CURL_SSLVERSION_SSLv3:
+         schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
+         break;
+diff --git a/lib/cyassl.c b/lib/cyassl.c
+index 7c78464..ff11bdd 100644
+--- a/lib/cyassl.c
++++ b/lib/cyassl.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn,
+     req_method = SSLv23_client_method();
+     break;
+   case CURL_SSLVERSION_TLSv1:
++    infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
++          "TLS 1.0 is used exclusively\n");
+     req_method = TLSv1_client_method();
+     break;
++  case CURL_SSLVERSION_TLSv1_0:
++    req_method = TLSv1_client_method();
++    break;
++  case CURL_SSLVERSION_TLSv1_1:
++    req_method = TLSv1_1_client_method();
++    break;
++  case CURL_SSLVERSION_TLSv1_2:
++    req_method = TLSv1_2_client_method();
++    break;
+   case CURL_SSLVERSION_SSLv3:
+     req_method = SSLv3_client_method();
+     break;
+diff --git a/lib/nss.c b/lib/nss.c
+index 111982f..ff93a38 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1266,6 +1266,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   case CURL_SSLVERSION_SSLv3:
+     ssl3 = PR_TRUE;
+     break;
++  case CURL_SSLVERSION_TLSv1_0:
++  case CURL_SSLVERSION_TLSv1_1:
++  case CURL_SSLVERSION_TLSv1_2:
++    failf(data, "TLS minor version cannot be set\n");
++    curlerr = CURLE_SSL_CONNECT_ERROR;
++    goto error;
+   }
+ 
+   if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
+diff --git a/lib/qssl.c b/lib/qssl.c
+index 8ef6fec..8b5e499 100644
+--- a/lib/qssl.c
++++ b/lib/qssl.c
+@@ -206,6 +206,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
+   case CURL_SSLVERSION_SSLv3:
+     h->protocol = SSL_VERSION_3;
+     break;
++
++  case CURL_SSLVERSION_TLSv1_0:
++  case CURL_SSLVERSION_TLSv1_1:
++  case CURL_SSLVERSION_TLSv1_2:
++    failf(data, "TLS minor version cannot be set");
++    return CURLE_SSL_CONNECT_ERROR;
+   }
+ 
+   rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT);
+diff --git a/lib/ssluse.c b/lib/ssluse.c
+index 4a0dba7..dd99435 100644
+--- a/lib/ssluse.c
++++ b/lib/ssluse.c
+@@ -1389,19 +1389,12 @@ ossl_connect_step1(struct connectdata *conn,
+   switch(data->set.ssl.version) {
+   default:
+   case CURL_SSLVERSION_DEFAULT:
+-#ifdef USE_TLS_SRP
+-    if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+-      infof(data, "Set version TLSv1 for SRP authorisation\n");
+-      req_method = TLSv1_client_method() ;
+-    }
+-    else
+-#endif
+-    /* we try to figure out version */
+-    req_method = SSLv23_client_method();
+-    use_sni(TRUE);
+-    break;
+   case CURL_SSLVERSION_TLSv1:
+-    req_method = TLSv1_client_method();
++  case CURL_SSLVERSION_TLSv1_0:
++  case CURL_SSLVERSION_TLSv1_1:
++  case CURL_SSLVERSION_TLSv1_2:
++    /* it will be handled later with the context options */
++    req_method = SSLv23_client_method();
+     use_sni(TRUE);
+     break;
+   case CURL_SSLVERSION_SSLv2:
+@@ -1514,9 +1507,39 @@ ossl_connect_step1(struct connectdata *conn,
+     ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ #endif
+ 
+-  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+-  if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
++  switch(data->set.ssl.version) {
++  case CURL_SSLVERSION_DEFAULT:
++    ctx_options |= SSL_OP_NO_SSLv2;
++#ifdef USE_TLS_SRP
++    if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
++      infof(data, "Set version TLSv1.x for SRP authorisation\n");
++      ctx_options |= SSL_OP_NO_SSLv3;
++    }
++#endif
++    break;
++  case CURL_SSLVERSION_TLSv1:
++    ctx_options |= SSL_OP_NO_SSLv2;
++    ctx_options |= SSL_OP_NO_SSLv3;
++    break;
++  case CURL_SSLVERSION_TLSv1_0:
+     ctx_options |= SSL_OP_NO_SSLv2;
++    ctx_options |= SSL_OP_NO_SSLv3;
++    ctx_options |= SSL_OP_NO_TLSv1_1;
++    ctx_options |= SSL_OP_NO_TLSv1_2;
++    break;
++  case CURL_SSLVERSION_TLSv1_1:
++    ctx_options |= SSL_OP_NO_SSLv2;
++    ctx_options |= SSL_OP_NO_SSLv3;
++    ctx_options |= SSL_OP_NO_TLSv1;
++    ctx_options |= SSL_OP_NO_TLSv1_2;
++    break;
++  case CURL_SSLVERSION_TLSv1_2:
++    ctx_options |= SSL_OP_NO_SSLv2;
++    ctx_options |= SSL_OP_NO_SSLv3;
++    ctx_options |= SSL_OP_NO_TLSv1;
++    ctx_options |= SSL_OP_NO_TLSv1_1;
++    break;
++  }
+ 
+   SSL_CTX_set_options(connssl->ctx, ctx_options);
+ 
+diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
+index 33ca12a..22a5511 100644
+--- a/packages/OS400/curl.inc.in
++++ b/packages/OS400/curl.inc.in
+@@ -226,6 +226,12 @@
+      d                 c                   2
+      d CURL_SSLVERSION_SSLv3...
+      d                 c                   3
++     d CURL_SSLVERSION_TLSv1_0...
++     d                 c                   4
++     d CURL_SSLVERSION_TLSv1_1...
++     d                 c                   5
++     d CURL_SSLVERSION_TLSv1_2...
++     d                 c                   6
+       *
+      d CURL_TLSAUTH_NONE...
+      d                 c                   0
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 297b986..98d53a7 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -175,6 +175,9 @@ static const struct LongShort aliases[]= {
+   {"$J", "metalink",                 FALSE},
+   {"0",  "http1.0",                  FALSE},
+   {"1",  "tlsv1",                    FALSE},
++  {"10",  "tlsv1.0",                 FALSE},
++  {"11",  "tlsv1.1",                 FALSE},
++  {"12",  "tlsv1.2",                 FALSE},
+   {"2",  "sslv2",                    FALSE},
+   {"3",  "sslv3",                    FALSE},
+   {"4",  "ipv4",                     FALSE},
+@@ -873,9 +876,25 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
+       /* HTTP version 1.0 */
+       config->httpversion = CURL_HTTP_VERSION_1_0;
+       break;
+-    case '1':
+-      /* TLS version 1 */
+-      config->ssl_version = CURL_SSLVERSION_TLSv1;
++    case '1': /* --tlsv1* options */
++      switch(subletter) {
++      case '\0':
++        /* TLS version 1.x */
++        config->ssl_version = CURL_SSLVERSION_TLSv1;
++        break;
++      case '0':
++        /* TLS version 1.0 */
++        config->ssl_version = CURL_SSLVERSION_TLSv1_0;
++        break;
++      case '1':
++        /* TLS version 1.1 */
++        config->ssl_version = CURL_SSLVERSION_TLSv1_1;
++        break;
++      case '2':
++        /* TLS version 1.2 */
++        config->ssl_version = CURL_SSLVERSION_TLSv1_2;
++        break;
++      }
+       break;
+     case '2':
+       /* SSL version 2 */
+diff --git a/src/tool_setopt.c b/src/tool_setopt.c
+index 4014177..9860117 100644
+--- a/src/tool_setopt.c
++++ b/src/tool_setopt.c
+@@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
+   NV(CURL_SSLVERSION_TLSv1),
+   NV(CURL_SSLVERSION_SSLv2),
+   NV(CURL_SSLVERSION_SSLv3),
++  NV(CURL_SSLVERSION_TLSv1_0),
++  NV(CURL_SSLVERSION_TLSv1_1),
++  NV(CURL_SSLVERSION_TLSv1_2),
+   NVEND,
+ };
+ 
+-- 
+1.7.1
+
+
+From 350765306d7e2946fc8295fa2bfc2fe0c14651fc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 15 Oct 2013 20:31:04 +0200
+Subject: [PATCH 2/9] curl: document the new --tlsv1.[012] options
+
+[upstream commit 076726f1412205622414abd908723c4b33ca12cb]
+---
+ docs/curl.1 |   20 ++++++++++++++++----
+ 1 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index b350865..53b378c 100644
+--- a/docs/curl.1
++++ b/docs/curl.1
+@@ -1419,14 +1419,26 @@ Set TLS authentication type. Currently, the only supported option is "SRP",
+ for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are
+ specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP".
+ (Added in 7.21.4)
+-.IP "--tlsuser <user>"
+-Set username for use with the TLS authentication method specified with
+-\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set.  (Added in
+-7.21.4)
+ .IP "--tlspassword <password>"
+ Set password for use with the TLS authentication method specified with
+ \fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set.  (Added in
+ 7.21.4)
++.IP "--tlsuser <user>"
++Set username for use with the TLS authentication method specified with
++\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set.  (Added in
++7.21.4)
++.IP "--tlsv1.0"
++(SSL)
++Forces curl to use TLS version 1.0 when negotiating with a remote TLS server.
++(Added in 7.34.0)
++.IP "--tlsv1.1"
++(SSL)
++Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
++(Added in 7.34.0)
++.IP "--tlsv1.2"
++(SSL)
++Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
++(Added in 7.34.0)
+ .IP "--tr-encoding"
+ (HTTP) Request a compressed Transfer-Encoding response using one of the
+ algorithms curl supports, and uncompress the data while receiving it.
+-- 
+1.7.1
+
+
+From ba2b4e87b396faab9ccb5a3ca9aca935a7a78a1b Mon Sep 17 00:00:00 2001
+From: Steve Holme <steve_holme@hotmail.com>
+Date: Wed, 16 Oct 2013 20:06:23 +0100
+Subject: [PATCH 3/9] SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f
+
+[upstream commit 2c84ffe1549ea7d5029ba7863f53013562e6758d]
+---
+ docs/libcurl/symbols-in-versions |    6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index 57fa6eb..b275900 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -678,9 +678,9 @@ CURL_SSLVERSION_DEFAULT         7.9.2
+ CURL_SSLVERSION_SSLv2           7.9.2
+ CURL_SSLVERSION_SSLv3           7.9.2
+ CURL_SSLVERSION_TLSv1           7.9.2
+-CURL_SSLVERSION_TLSv1_0         7.33.0
+-CURL_SSLVERSION_TLSv1_1         7.33.0
+-CURL_SSLVERSION_TLSv1_2         7.33.0
++CURL_SSLVERSION_TLSv1_0         7.34.0
++CURL_SSLVERSION_TLSv1_1         7.34.0
++CURL_SSLVERSION_TLSv1_2         7.34.0
+ CURL_TIMECOND_IFMODSINCE        7.9.7
+ CURL_TIMECOND_IFUNMODSINCE      7.9.7
+ CURL_TIMECOND_LASTMOD           7.9.7
+-- 
+1.7.1
+
+
+From 5f908139b4e56c969bf6ef06c115a0a12353c827 Mon Sep 17 00:00:00 2001
+From: Steve Holme <steve_holme@hotmail.com>
+Date: Wed, 16 Oct 2013 20:18:15 +0100
+Subject: [PATCH 4/9] DOCS: Added libcurl version number to CURLOPT_SSLVERSION
+
+[upstream commit 75b9b26465d5f01b52564293c2d553649f801f70]
+---
+ docs/libcurl/curl_easy_setopt.3 |    8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
+index 92db8f4..d73b664 100644
+--- a/docs/libcurl/curl_easy_setopt.3
++++ b/docs/libcurl/curl_easy_setopt.3
+@@ -2212,6 +2212,8 @@ Even though this option doesn't need any parameter, in some configurations
+ arguments. Therefore, it's recommended to pass 1 as parameter to this option.
+ .IP CURLOPT_SSLVERSION
+ Pass a long as parameter to control what version of SSL/TLS to attempt to use.
++(Added in 7.9.2)
++
+ The available options are:
+ .RS
+ .IP CURL_SSLVERSION_DEFAULT
+@@ -2225,11 +2227,11 @@ Force SSLv2
+ .IP CURL_SSLVERSION_SSLv3
+ Force SSLv3
+ .IP CURL_SSLVERSION_TLSv1_0
+-Force TLSv1.0
++Force TLSv1.0 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_1
+-Force TLSv1.1
++Force TLSv1.1 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_2
+-Force TLSv1.2
++Force TLSv1.2 (Added in 7.34.0)
+ .RE
+ .IP CURLOPT_SSL_VERIFYPEER
+ Pass a long as parameter. By default, curl assumes a value of 1.
+-- 
+1.7.1
+
+
+From 7940044fc233f626b912b5f51a7a0111a4c145d3 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 25 Nov 2013 16:03:52 +0100
+Subject: [PATCH 5/9] nss: use a better API for controlling SSL version
+
+This change introduces a dependency on NSS 3.14+.
+
+[upstream commit 30e7e7552ba4397896ecac82ea04f38d52c4cc8f]
+---
+ configure      |   20 ++++++++++----------
+ configure.ac   |    4 ++--
+ docs/INTERNALS |    2 +-
+ lib/nss.c      |   40 +++++++++++++++++++---------------------
+ 4 files changed, 32 insertions(+), 34 deletions(-)
+
+diff --git a/configure b/configure
+index 2496b3c..ebde78a 100755
+--- a/configure
++++ b/configure
+@@ -23641,9 +23641,9 @@ $as_echo "found" >&6; }
+          CPPFLAGS="$CPPFLAGS $addcflags"
+       fi
+ 
+-            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PK11_CreateGenericObject in -lnss3" >&5
+-$as_echo_n "checking for PK11_CreateGenericObject in -lnss3... " >&6; }
+-if ${ac_cv_lib_nss3_PK11_CreateGenericObject+:} false; then :
++            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5
++$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; }
++if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then :
+   $as_echo_n "(cached) " >&6
+ else
+   ac_check_lib_save_LIBS=$LIBS
+@@ -23655,26 +23655,26 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ #ifdef __cplusplus
+ extern "C"
+ #endif
+-char PK11_CreateGenericObject ();
++char SSL_VersionRangeSet ();
+ int main (void)
+ {
+-return PK11_CreateGenericObject ();
++return SSL_VersionRangeSet ();
+  ;
+  return 0;
+ }
+ _ACEOF
+ if ac_fn_c_try_link "$LINENO"; then :
+-  ac_cv_lib_nss3_PK11_CreateGenericObject=yes
++  ac_cv_lib_nss3_SSL_VersionRangeSet=yes
+ else
+-  ac_cv_lib_nss3_PK11_CreateGenericObject=no
++  ac_cv_lib_nss3_SSL_VersionRangeSet=no
+ fi
+ rm -f core conftest.err conftest.$ac_objext \
+     conftest$ac_exeext conftest.$ac_ext
+ LIBS=$ac_check_lib_save_LIBS
+ fi
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_PK11_CreateGenericObject" >&5
+-$as_echo "$ac_cv_lib_nss3_PK11_CreateGenericObject" >&6; }
+-if test "x$ac_cv_lib_nss3_PK11_CreateGenericObject" = xyes; then :
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5
++$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; }
++if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then :
+ 
+ 
+ $as_echo "#define USE_NSS 1" >>confdefs.h
+diff --git a/configure.ac b/configure.ac
+index 5970188..c81c879 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2194,8 +2194,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+          CPPFLAGS="$CPPFLAGS $addcflags"
+       fi
+ 
+-      dnl The function PK11_CreateGenericObject is needed to load libnsspem.so
+-      AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
++      dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
++      AC_CHECK_LIB(nss3, SSL_VersionRangeSet,
+        [
+        AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
+        AC_SUBST(USE_NSS, [1])
+diff --git a/docs/INTERNALS b/docs/INTERNALS
+index 03839c3..581b22d 100644
+--- a/docs/INTERNALS
++++ b/docs/INTERNALS
+@@ -43,7 +43,7 @@ Portability
+  openldap     2.0
+  MIT krb5 lib 1.2.4
+  qsossl       V5R2M0
+- NSS          3.12.x
++ NSS          3.14.x
+  axTLS        1.2.7
+  Heimdal      ?
+ 
+diff --git a/lib/nss.c b/lib/nss.c
+index ff93a38..14a0b0c 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1175,9 +1175,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ {
+   PRErrorCode err = 0;
+   PRFileDesc *model = NULL;
+-  PRBool ssl2 = PR_FALSE;
+-  PRBool ssl3 = PR_FALSE;
+-  PRBool tlsv1 = PR_FALSE;
++  SSLVersionRange sslver;
+   PRBool ssl_no_cache;
+   PRBool ssl_cbc_random_iv;
+   struct SessionHandle *data = conn->data;
+@@ -1251,20 +1249,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   switch (data->set.ssl.version) {
+   default:
+   case CURL_SSLVERSION_DEFAULT:
+-    ssl3 = PR_TRUE;
+-    if(data->state.ssl_connect_retry)
++    sslver.min = SSL_LIBRARY_VERSION_3_0;
++    if(data->state.ssl_connect_retry) {
+       infof(data, "TLS disabled due to previous handshake failure\n");
++      sslver.max = SSL_LIBRARY_VERSION_3_0;
++    }
+     else
+-      tlsv1 = PR_TRUE;
++      sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
+     break;
+   case CURL_SSLVERSION_TLSv1:
+-    tlsv1 = PR_TRUE;
++    sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
++    sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
+     break;
+   case CURL_SSLVERSION_SSLv2:
+-    ssl2 = PR_TRUE;
++    sslver.min = SSL_LIBRARY_VERSION_2;
++    sslver.max = SSL_LIBRARY_VERSION_2;
+     break;
+   case CURL_SSLVERSION_SSLv3:
+-    ssl3 = PR_TRUE;
++    sslver.min = SSL_LIBRARY_VERSION_3_0;
++    sslver.max = SSL_LIBRARY_VERSION_3_0;
+     break;
+   case CURL_SSLVERSION_TLSv1_0:
+   case CURL_SSLVERSION_TLSv1_1:
+@@ -1274,14 +1277,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+     goto error;
+   }
+ 
+-  if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
+-    goto error;
+-  if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
+-    goto error;
+-  if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
+-    goto error;
+-
+-  if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
++  if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
+     goto error;
+ 
+   ssl_cbc_random_iv = !data->set.ssl_enable_beast;
+@@ -1467,11 +1463,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   if(model)
+     PR_Close(model);
+ 
+-    /* cleanup on connection failure */
+-    Curl_llist_destroy(connssl->obj_list, NULL);
+-    connssl->obj_list = NULL;
++  /* cleanup on connection failure */
++  Curl_llist_destroy(connssl->obj_list, NULL);
++  connssl->obj_list = NULL;
+ 
+-  if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
++  if((sslver.min == SSL_LIBRARY_VERSION_3_0)
++      && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
++      && isTLSIntoleranceError(err)) {
+     /* schedule reconnect through Curl_retry_request() */
+     data->state.ssl_connect_retry = TRUE;
+     infof(data, "Error in TLS handshake, trying SSLv3...\n");
+-- 
+1.7.1
+
+
+From 08398e7a8a8ba4e6fef1557392e3c0104cc3550f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 25 Nov 2013 16:14:55 +0100
+Subject: [PATCH 6/9] nss: put SSL version selection into separate fnc
+
+[upstream commit 4fb8241add5b68e95fbf44d3c2bf470201a9915d]
+---
+ lib/nss.c |   72 +++++++++++++++++++++++++++++++++++-------------------------
+ 1 files changed, 42 insertions(+), 30 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 14a0b0c..2e2240b 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1171,6 +1171,46 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
+   return CURLE_OK;
+ }
+ 
++static CURLcode nss_init_sslver(SSLVersionRange *sslver,
++                                struct SessionHandle *data)
++{
++  switch (data->set.ssl.version) {
++  default:
++  case CURL_SSLVERSION_DEFAULT:
++    sslver->min = SSL_LIBRARY_VERSION_3_0;
++    if(data->state.ssl_connect_retry) {
++      infof(data, "TLS disabled due to previous handshake failure\n");
++      sslver->max = SSL_LIBRARY_VERSION_3_0;
++    }
++    else
++      sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
++    return CURLE_OK;
++
++  case CURL_SSLVERSION_TLSv1:
++    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
++    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
++    return CURLE_OK;
++
++  case CURL_SSLVERSION_SSLv2:
++    sslver->min = SSL_LIBRARY_VERSION_2;
++    sslver->max = SSL_LIBRARY_VERSION_2;
++    return CURLE_OK;
++
++  case CURL_SSLVERSION_SSLv3:
++    sslver->min = SSL_LIBRARY_VERSION_3_0;
++    sslver->max = SSL_LIBRARY_VERSION_3_0;
++    return CURLE_OK;
++
++  case CURL_SSLVERSION_TLSv1_0:
++  case CURL_SSLVERSION_TLSv1_1:
++  case CURL_SSLVERSION_TLSv1_2:
++    break;
++  }
++
++  failf(data, "TLS minor version cannot be set");
++  return CURLE_SSL_CONNECT_ERROR;
++}
++
+ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ {
+   PRErrorCode err = 0;
+@@ -1246,37 +1286,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
+     goto error;
+ 
+-  switch (data->set.ssl.version) {
+-  default:
+-  case CURL_SSLVERSION_DEFAULT:
+-    sslver.min = SSL_LIBRARY_VERSION_3_0;
+-    if(data->state.ssl_connect_retry) {
+-      infof(data, "TLS disabled due to previous handshake failure\n");
+-      sslver.max = SSL_LIBRARY_VERSION_3_0;
+-    }
+-    else
+-      sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
+-    break;
+-  case CURL_SSLVERSION_TLSv1:
+-    sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
+-    sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
+-    break;
+-  case CURL_SSLVERSION_SSLv2:
+-    sslver.min = SSL_LIBRARY_VERSION_2;
+-    sslver.max = SSL_LIBRARY_VERSION_2;
+-    break;
+-  case CURL_SSLVERSION_SSLv3:
+-    sslver.min = SSL_LIBRARY_VERSION_3_0;
+-    sslver.max = SSL_LIBRARY_VERSION_3_0;
+-    break;
+-  case CURL_SSLVERSION_TLSv1_0:
+-  case CURL_SSLVERSION_TLSv1_1:
+-  case CURL_SSLVERSION_TLSv1_2:
+-    failf(data, "TLS minor version cannot be set\n");
+-    curlerr = CURLE_SSL_CONNECT_ERROR;
++  /* enable/disable the requested SSL version(s) */
++  if(nss_init_sslver(&sslver, data) != CURLE_OK)
+     goto error;
+-  }
+-
+   if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
+     goto error;
+ 
+-- 
+1.7.1
+
+
+From 91a3d58fc48f0d08ab81f1e013b2d58a7ccd7146 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 25 Nov 2013 16:25:15 +0100
+Subject: [PATCH 7/9] nss: allow to use TLS > 1.0 if built against recent NSS
+
+Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html
+
+[upstream commit 7fc9325a52a6dad1f8b859a3269472ffc125edd0]
+---
+ lib/nss.c |   22 ++++++++++++++++++++++
+ 1 files changed, 22 insertions(+), 0 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 2e2240b..5cd33d8 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1188,7 +1188,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ 
+   case CURL_SSLVERSION_TLSv1:
+     sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
++#ifdef SSL_LIBRARY_VERSION_TLS_1_2
++    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
++#elif defined SSL_LIBRARY_VERSION_TLS_1_1
++    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
++#else
+     sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
++#endif
+     return CURLE_OK;
+ 
+   case CURL_SSLVERSION_SSLv2:
+@@ -1202,8 +1208,24 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+     return CURLE_OK;
+ 
+   case CURL_SSLVERSION_TLSv1_0:
++    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
++    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
++    return CURLE_OK;
++
+   case CURL_SSLVERSION_TLSv1_1:
++#ifdef SSL_LIBRARY_VERSION_TLS_1_1
++    sslver->min = SSL_LIBRARY_VERSION_TLS_1_1;
++    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
++    return CURLE_OK;
++#endif
++    break;
++
+   case CURL_SSLVERSION_TLSv1_2:
++#ifdef SSL_LIBRARY_VERSION_TLS_1_2
++    sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
++    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
++    return CURLE_OK;
++#endif
+     break;
+   }
+ 
+-- 
+1.7.1
+
+
+From 404492a5a815b83fab58ce60434c01c270b6bc73 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 2 Dec 2013 14:25:07 +0100
+Subject: [PATCH 8/9] nss: unconditionally require NSS_InitContext()
+
+... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway
+
+[upstream commit 865666afca926faa1c721020fc54364540caf734]
+---
+ configure    |   12 ------------
+ configure.ac |    8 --------
+ lib/nss.c    |   26 --------------------------
+ 3 files changed, 0 insertions(+), 46 deletions(-)
+
+diff --git a/configure b/configure
+index ebde78a..8741e21 100755
+--- a/configure
++++ b/configure
+@@ -23697,18 +23697,6 @@ fi
+         { $as_echo "$as_me:${as_lineno-$LINENO}: detected NSS version $version" >&5
+ $as_echo "$as_me: detected NSS version $version" >&6;}
+ 
+-                        ac_fn_c_check_func "$LINENO" "NSS_InitContext" "ac_cv_func_NSS_InitContext"
+-if test "x$ac_cv_func_NSS_InitContext" = xyes; then :
+-
+-
+-$as_echo "#define HAVE_NSS_INITCONTEXT 1" >>confdefs.h
+-
+-          HAVE_NSS_INITCONTEXT=1
+-
+-
+-fi
+-
+-
+                                         if test "x$cross_compiling" != "xyes"; then
+           LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"
+           export LD_LIBRARY_PATH
+diff --git a/configure.ac b/configure.ac
+index c81c879..70ef0b7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2211,14 +2211,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
+       if test "x$USE_NSS" = "xyes"; then
+         AC_MSG_NOTICE([detected NSS version $version])
+ 
+-        dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent
+-        dnl collisions on NSS initialization/shutdown with other libraries
+-        AC_CHECK_FUNC(NSS_InitContext,
+-        [
+-          AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function])
+-          AC_SUBST(HAVE_NSS_INITCONTEXT, [1])
+-        ])
+-
+         dnl when shared libs were found in a path that the run-time
+         dnl linker doesn't search through, we need to add it to
+         dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+diff --git a/lib/nss.c b/lib/nss.c
+index 5cd33d8..7b49c20 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -76,9 +76,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
+ 
+ PRLock * nss_initlock = NULL;
+ PRLock * nss_crllock = NULL;
+-#ifdef HAVE_NSS_INITCONTEXT
+ NSSInitContext * nss_context = NULL;
+-#endif
+ 
+ volatile int initialized = 0;
+ 
+@@ -853,7 +851,6 @@ isTLSIntoleranceError(PRInt32 err)
+ 
+ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
+ {
+-#ifdef HAVE_NSS_INITCONTEXT
+   NSSInitParameters initparams;
+ 
+   if(nss_context != NULL)
+@@ -861,12 +858,6 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
+ 
+   memset((void *) &initparams, '\0', sizeof(initparams));
+   initparams.length = sizeof(initparams);
+-#else /* HAVE_NSS_INITCONTEXT */
+-  SECStatus rv;
+-
+-  if(NSS_IsInitialized())
+-    return CURLE_OK;
+-#endif
+ 
+   if(cert_dir) {
+     const bool use_sql = NSS_VersionCheck("3.12.0");
+@@ -875,35 +866,22 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
+       return CURLE_OUT_OF_MEMORY;
+ 
+     infof(data, "Initializing NSS with certpath: %s\n", certpath);
+-#ifdef HAVE_NSS_INITCONTEXT
+     nss_context = NSS_InitContext(certpath, "", "", "", &initparams,
+             NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
+     free(certpath);
+ 
+     if(nss_context != NULL)
+       return CURLE_OK;
+-#else /* HAVE_NSS_INITCONTEXT */
+-    rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
+-    free(certpath);
+-
+-    if(rv == SECSuccess)
+-      return CURLE_OK;
+-#endif
+ 
+     infof(data, "Unable to initialize NSS database\n");
+   }
+ 
+   infof(data, "Initializing NSS with certpath: none\n");
+-#ifdef HAVE_NSS_INITCONTEXT
+   nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY
+          | NSS_INIT_NOCERTDB   | NSS_INIT_NOMODDB       | NSS_INIT_FORCEOPEN
+          | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
+   if(nss_context != NULL)
+     return CURLE_OK;
+-#else /* HAVE_NSS_INITCONTEXT */
+-  if(NSS_NoDB_Init(NULL) == SECSuccess)
+-    return CURLE_OK;
+-#endif
+ 
+   infof(data, "Unable to initialize NSS\n");
+   return CURLE_SSL_CACERT_BADFILE;
+@@ -999,12 +977,8 @@ void Curl_nss_cleanup(void)
+       SECMOD_DestroyModule(mod);
+       mod = NULL;
+     }
+-#ifdef HAVE_NSS_INITCONTEXT
+     NSS_ShutdownContext(nss_context);
+     nss_context = NULL;
+-#else /* HAVE_NSS_INITCONTEXT */
+-    NSS_Shutdown();
+-#endif
+   }
+   PR_Unlock(nss_initlock);
+ 
+-- 
+1.7.1
+
+
+From a643c75662b6909a5be1bed8273ed1273ab2b3f4 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 2 Dec 2013 16:09:12 +0100
+Subject: [PATCH 9/9] nss: make sure that 'sslver' is always initialized
+
+[upstream commit e221b55f67a2e12717e911f25d1bb6c85fcebfab]
+---
+ lib/nss.c |    9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 7b49c20..abc8a91 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1151,13 +1151,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+   switch (data->set.ssl.version) {
+   default:
+   case CURL_SSLVERSION_DEFAULT:
+-    sslver->min = SSL_LIBRARY_VERSION_3_0;
+     if(data->state.ssl_connect_retry) {
+       infof(data, "TLS disabled due to previous handshake failure\n");
+       sslver->max = SSL_LIBRARY_VERSION_3_0;
+     }
+-    else
+-      sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+     return CURLE_OK;
+ 
+   case CURL_SSLVERSION_TLSv1:
+@@ -1211,7 +1208,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ {
+   PRErrorCode err = 0;
+   PRFileDesc *model = NULL;
+-  SSLVersionRange sslver;
+   PRBool ssl_no_cache;
+   PRBool ssl_cbc_random_iv;
+   struct SessionHandle *data = conn->data;
+@@ -1223,6 +1219,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   long time_left;
+   PRUint32 timeout;
+ 
++  SSLVersionRange sslver = {
++    SSL_LIBRARY_VERSION_3_0,      /* min */
++    SSL_LIBRARY_VERSION_TLS_1_0   /* max */
++  };
++
+   if(connssl->state == ssl_connection_complete)
+     return CURLE_OK;
+ 
+-- 
+1.7.1
+
diff --git a/SOURCES/0016-curl-7.29.0-1cf71bd7.patch b/SOURCES/0016-curl-7.29.0-1cf71bd7.patch
new file mode 100644
index 0000000..31c4e08
--- /dev/null
+++ b/SOURCES/0016-curl-7.29.0-1cf71bd7.patch
@@ -0,0 +1,27 @@
+From cf8b6a21f1e9af984cfef417e83ca06b64565215 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 20 Jan 2014 20:24:05 +0100
+Subject: [PATCH] Curl_is_connected: use proxy name in error message when proxy is used
+
+Backport of upstream commit 1cf71bd76e4a330e5b7824014c2605e4bfe1a0a5.
+---
+ lib/connect.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 0afb1ee..ba9ab92 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -758,7 +758,8 @@ CURLcode Curl_is_connected(struct connectdata *conn,
+     error = SOCKERRNO;
+     data->state.os_errno = error;
+     failf(data, "Failed connect to %s:%ld; %s",
+-          conn->host.name, conn->port, Curl_strerror(conn, error));
++          conn->bits.proxy?conn->proxy.name:conn->host.name,
++          conn->port, Curl_strerror(conn, error));
+   }
+ 
+   return code;
+-- 
+1.7.1
+
diff --git a/SOURCES/0017-curl-7.29.0-ffb8a21d.patch b/SOURCES/0017-curl-7.29.0-ffb8a21d.patch
new file mode 100644
index 0000000..5f35a9a
--- /dev/null
+++ b/SOURCES/0017-curl-7.29.0-ffb8a21d.patch
@@ -0,0 +1,36 @@
+From 93b06606d7ee483567770deda967985e8377debb Mon Sep 17 00:00:00 2001
+From: Steve Holme <steve_holme@hotmail.com>
+Date: Sun, 2 Feb 2014 11:01:10 +0000
+Subject: [PATCH] tests: Fixed test172 cookie expiry
+
+The test contains a cookie jar file where one of the cookies has an
+expiry date of 1391252187 -- Sat, 1 Feb 2014 10:56:27 GMT which has
+now expired. Updated to Wed, 14 Oct 2037 16:36:33 GMT as per test
+179.
+
+Reported-by: Adam Sampson
+Bug: http://curl.haxx.se/bug/view.cgi?id=1330
+
+[upstream commit ffb8a21d85bde8b626e5dc52ce25f0447ee49f89]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test172 |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/tests/data/test172 b/tests/data/test172
+index b3efae9..3d53418 100644
+--- a/tests/data/test172
++++ b/tests/data/test172
+@@ -36,7 +36,7 @@ http://%HOSTIP:%HTTPPORT/we/want/172 -b log/jar172.txt -b "tool=curl; name=fool"
+ 
+ .%HOSTIP	TRUE	/silly/	FALSE	0	ismatch	this
+ .%HOSTIP	TRUE	/	FALSE	0	partmatch	present
+-%HOSTIP	FALSE	/we/want/	FALSE	1391252187	nodomain	value
++%HOSTIP	FALSE	/we/want/	FALSE	2139150993	nodomain	value
+ </file>
+ </client>
+ 
+-- 
+1.7.1
+
diff --git a/SOURCES/0018-curl-7.29.0-03c28820.patch b/SOURCES/0018-curl-7.29.0-03c28820.patch
new file mode 100644
index 0000000..09a7391
--- /dev/null
+++ b/SOURCES/0018-curl-7.29.0-03c28820.patch
@@ -0,0 +1,67 @@
+From fbbbf6a3daa7949cfb0fbd9731a80649ce717e6d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 7 Feb 2014 20:28:53 +0100
+Subject: [PATCH 1/2] --help: add missing --tlsv1.x options
+
+[upstream commit 67d14ab98f8b819ee6f5e6a4a2770d311c6bf13b]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_help.c |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/src/tool_help.c b/src/tool_help.c
+index 124f640..f7cd618 100644
+--- a/src/tool_help.c
++++ b/src/tool_help.c
+@@ -199,7 +199,10 @@ static const char *const helptext[] = {
+   " -t, --telnet-option OPT=VAL  Set telnet option",
+   "     --tftp-blksize VALUE  Set TFTP BLKSIZE option (must be >512)",
+   " -z, --time-cond TIME  Transfer based on a time condition",
+-  " -1, --tlsv1         Use TLSv1 (SSL)",
++  " -1, --tlsv1         Use => TLSv1 (SSL)",
++  "     --tlsv1.0       Use TLSv1.0 (SSL)",
++  "     --tlsv1.1       Use TLSv1.1 (SSL)",
++  "     --tlsv1.2       Use TLSv1.2 (SSL)",
+   "     --trace FILE    Write a debug trace to the given file",
+   "     --trace-ascii FILE  Like --trace but without the hex output",
+   "     --trace-time    Add time stamps to trace/verbose output",
+-- 
+1.7.1
+
+
+From cc28ee70fcc2222646eef4f2b2ab3cc207c6112a Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 17 Feb 2014 16:55:10 +0100
+Subject: [PATCH 2/2] curl.1: update the description of --tlsv1
+
+... and mention the --tlsv1.[0-2] options in the --tslv1 entry
+
+Reported-by: Hubert Kario
+
+[upstream commit 03c288202ed159a2a9e953f59e58f69a86eda79b]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/curl.1 |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index 53b378c..7f3571b 100644
+--- a/docs/curl.1
++++ b/docs/curl.1
+@@ -117,7 +117,10 @@ more informational, meter.
+ internally preferred: HTTP 1.1.
+ .IP "-1, --tlsv1"
+ (SSL)
+-Forces curl to use TLS version 1 when negotiating with a remote TLS server.
++Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
++You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
++control the TLS version more precisely (if the SSL backend in use supports such
++a level of control).
+ .IP "-2, --sslv2"
+ (SSL)
+ Forces curl to use SSL version 2 when negotiating with a remote SSL server.
+-- 
+1.7.1
+
diff --git a/SOURCES/0018-curl-7.29.0-517b06d6.patch b/SOURCES/0018-curl-7.29.0-517b06d6.patch
new file mode 100644
index 0000000..b56875e
--- /dev/null
+++ b/SOURCES/0018-curl-7.29.0-517b06d6.patch
@@ -0,0 +1,68 @@
+From 46e85fee025964dd9a8ce2d615bc5f8ece530519 Mon Sep 17 00:00:00 2001
+From: Steve Holme <steve_holme@hotmail.com>
+Date: Thu, 20 Feb 2014 23:51:36 +0000
+Subject: [PATCH] url: Fixed connection re-use when using different log-in credentials
+
+In addition to FTP, other connection based protocols such as IMAP, POP3,
+SMTP, SCP, SFTP and LDAP require a new connection when different log-in
+credentials are specified. Fixed the detection logic to include these
+other protocols.
+
+Bug: http://curl.haxx.se/docs/adv_20140326A.html
+
+[upstream commit 517b06d657aceb11a234b05cc891170c367ab80d]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http.c    |    2 +-
+ lib/url.c     |    6 +++---
+ lib/urldata.h |    2 ++
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index f4b7a48..c78036b 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -142,7 +142,7 @@ const struct Curl_handler Curl_handler_https = {
+   ZERO_NULL,                            /* readwrite */
+   PORT_HTTPS,                           /* defport */
+   CURLPROTO_HTTP | CURLPROTO_HTTPS,     /* protocol */
+-  PROTOPT_SSL                           /* flags */
++  PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */
+ };
+ #endif
+ 
+diff --git a/lib/url.c b/lib/url.c
+index 9690dfa..0174ff4 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2961,10 +2961,10 @@ ConnectionExists(struct SessionHandle *data,
+               continue;
+             }
+           }
+-          if((needle->handler->protocol & CURLPROTO_FTP) ||
++          if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+              ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
+-            /* This is FTP or HTTP+NTLM, verify that we're using the same name
+-               and password as well */
++            /* This protocol requires credentials per connection or is HTTP+NTLM,
++               so verify that we're using the same name and password as well */
+             if(!strequal(needle->user, check->user) ||
+                !strequal(needle->passwd, check->passwd)) {
+               /* one of them was different */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index d597c67..cbf4102 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -755,6 +755,8 @@ struct Curl_handler {
+                                       gets a default */
+ #define PROTOPT_NOURLQUERY (1<<6)   /* protocol can't handle
+                                         url query strings (?foo=bar) ! */
++#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request
++                                          as opposed to per connection */
+ 
+ 
+ /* return the count of bytes sent, or -1 on error */
+-- 
+1.7.1
+
diff --git a/SOURCES/0105-curl-7.32.0-scp-upload.patch b/SOURCES/0105-curl-7.32.0-scp-upload.patch
index 73c8aee..c0fb0bf 100644
--- a/SOURCES/0105-curl-7.32.0-scp-upload.patch
+++ b/SOURCES/0105-curl-7.32.0-scp-upload.patch
@@ -6,7 +6,7 @@ Subject: [PATCH] ssh: improve the logic for detecting blocking direction
 This fixes a regression introduced by commit 0feeab78 limiting the speed
 of SCP upload to 16384 B/s on a fast connection (such as localhost).
 
-http://thread.gmane.org/gmane.comp.web.curl.library/40551/focus=40561
+[upstream commit d015f4ccac627852869cb45e31ccdc9fbd97dc47]
 ---
  lib/ssh.c |    8 +++++---
  1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 968364d..e7c93e2 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.29.0
-Release: 12%{?dist}
+Release: 19%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -43,6 +43,27 @@ Patch11: 0011-curl-7.29.0-0feeab78.patch
 # avoid delay if FTP is aborted in CURLOPT_HEADERFUNCTION callback (#1005686)
 Patch12: 0012-curl-7.29.0-c639d725.patch
 
+# allow to use ECC ciphers if NSS implements them (#1058776)
+Patch13: 0013-curl-7.29.0-665c160f.patch
+
+# re-use of wrong HTTP NTLM connection in libcurl (CVE-2014-0015)
+Patch14: 0014-curl-7.29.0-8ae35102.patch
+
+# allow to use TLS > 1.0 if built against recent NSS (#1036789)
+Patch15: 0015-curl-7.29.0-7fc9325a.patch
+
+# use proxy name in error message when proxy is used (#1042831)
+Patch16: 0016-curl-7.29.0-1cf71bd7.patch
+
+# refresh expired cookie in test172 from upstream test-suite (#1063693)
+Patch17: 0017-curl-7.29.0-ffb8a21d.patch
+
+# fix documentation of curl's options --tlsv1.[0-2] (#1066364)
+Patch18: 0018-curl-7.29.0-03c28820.patch
+
+# fix connection re-use when using different log-in credentials (CVE-2014-0138)
+Patch19: 0018-curl-7.29.0-517b06d6.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.29.0-multilib.patch
 
@@ -80,6 +101,21 @@ BuildRequires: pkgconfig
 BuildRequires: stunnel
 BuildRequires: zlib-devel
 
+# perl modules used in the test suite
+BuildRequires: perl(Cwd)
+BuildRequires: perl(Digest::MD5)
+BuildRequires: perl(Exporter)
+BuildRequires: perl(File::Basename)
+BuildRequires: perl(File::Copy)
+BuildRequires: perl(File::Spec)
+BuildRequires: perl(IPC::Open2)
+BuildRequires: perl(MIME::Base64)
+BuildRequires: perl(strict)
+BuildRequires: perl(Time::Local)
+BuildRequires: perl(Time::HiRes)
+BuildRequires: perl(warnings)
+BuildRequires: perl(vars)
+
 # require valgrind to boost test coverage on i386 and x86_64
 %ifarch %{ix86} x86_64
 BuildRequires: valgrind
@@ -151,9 +187,14 @@ documentation of the library, too.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
-
-# patches not yet upstream
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
 %patch105 -p1
+%patch19 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -271,6 +312,30 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Wed Mar 26 2014 Kamil Dudka <kdudka@redhat.com> 7.29.0-19
+- fix connection re-use when using different log-in credentials (CVE-2014-0138)
+
+* Mon Mar 17 2014 Paul Howarth <paul@city-fan.org> 7.29.0-18
+- add all perl build requirements for the test suite, in a portable way
+
+* Tue Feb 18 2014 Kamil Dudka <kdudka@redhat.com> 7.29.0-17
+- fix documentation of curl's options --tlsv1.[0-2] (#1066364)
+
+* Tue Feb 11 2014 Kamil Dudka <kdudka@redhat.com> 7.29.0-16
+- allow to use TLS > 1.0 if built against recent NSS (#1036789)
+- use proxy name in error message when proxy is used (#1042831)
+- refresh expired cookie in test172 from upstream test-suite (#1063693)
+
+* Fri Jan 31 2014 Kamil Dudka <kdudka@redhat.com> 7.29.0-15
+- allow to use ECC ciphers if NSS implements them (#1058776)
+- re-use of wrong HTTP NTLM connection in libcurl (CVE-2014-0015)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 7.29.0-14
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 7.29.0-13
+- Mass rebuild 2013-12-27
+
 * Fri Oct 11 2013 Kamil Dudka <kdudka@redhat.com> 7.29.0-12
 - do not limit the speed of SCP upload on a fast connection (#1014928)