diff --git a/lib/libswan/Makefile b/lib/libswan/Makefile

index 510148ad1..0f5c26228 100644

--- a/lib/libswan/Makefile

+++ b/lib/libswan/Makefile

@@ -200,10 +200,6 @@ CFLAGS+=-I${LIBRESWANSRCDIR}/include ${PORTINCLUDE}

 CFLAGS+=$(USERLAND_CFLAGS)

 CFLAGS+=${CROSSFLAGS}

-ifeq ($(NSS_REQ_AVA_COPY),true)

-CFLAGS+=-DNSS_REQ_AVA_COPY

-endif

-

 OBJS += $(abs_builddir)/version.o

 include $(top_srcdir)/mk/library.mk

diff --git a/mk/config.mk b/mk/config.mk

index 3f2bd55c1..fcdabd1fb 100644

--- a/mk/config.mk

+++ b/mk/config.mk

@@ -242,6 +242,17 @@ NSPR_LDFLAGS ?= -lnspr4

 # Use nss copy for CERT_CompareAVA

 # See https://bugzilla.mozilla.org/show_bug.cgi?id=1336487

 NSS_REQ_AVA_COPY?=true

+ifeq ($(NSS_REQ_AVA_COPY),true)

+NSSFLAGS+=-DNSS_REQ_AVA_COPY

+endif

+

+# Use nss IPsec profile for X509 validation. This is less restrictive

+# ok EKU's. This is not yet in upstream nss.

+# See https://bugzilla.mozilla.org/show_bug.cgi?id=1252891

+NSS_HAS_IPSEC_PROFILE?=false

+ifeq ($(NSS_HAS_IPSEC_PROFILE),true)

+NSSFLAGS+=-DNSS_IPSEC_PROFILE

+endif

 # Use a local copy of xfrm.h. This can be needed on older systems

 # that do not ship linux/xfrm.h, or when the shipped version is too

diff --git a/programs/pluto/nss_cert_verify.c b/programs/pluto/nss_cert_verify.c

index 95c637f53..7d458ac2a 100644

--- a/programs/pluto/nss_cert_verify.c

+++ b/programs/pluto/nss_cert_verify.c

@@ -299,6 +299,28 @@ static int vfy_chain_pkix(CERTCertificate **chain, int chain_len,

 	cvout[1].value.pointer.chain = NULL;

 	cvout[2].type = cert_po_end;

+	int fin;

+

+#ifdef NSS_IPSEC_PROFILE

+	SECStatus rv = CERT_PKIXVerifyCert(end_cert, certificateUsageIPsec,

+						cvin, cvout, NULL);

+	if (rv != SECSuccess || cur_log->count > 0) {

+		if (cur_log->count > 0 && cur_log->head != NULL) {

+			fin = nss_err_to_revfail(cur_log->head);

+		} else {

+			/*

+			 * An rv != SECSuccess without CERTVerifyLog

+			 * results should not * happen, but catch it anyway

+			 */

+			loglog(RC_LOG_SERIOUS, "X509: unspecified NSS verification failure");

+			fin = VERIFY_RET_FAIL;

+		}

+	} else {

+		DBG(DBG_X509, DBG_log("certificate is valid"));

+		*end_out = end_cert;

+		fin = VERIFY_RET_OK;

+	}

+#else

 	/* kludge alert!!

 	 * verification may be performed twice: once with the

 	 * 'client' usage and once with 'server', which is an NSS

@@ -307,12 +329,10 @@ static int vfy_chain_pkix(CERTCertificate **chain, int chain_len,

 	 * KU/EKU combinations

 	 */

-	int fin;

 	SECCertificateUsage usage;

 	for (usage = certificateUsageSSLClient; ; usage = certificateUsageSSLServer) {

 		SECStatus rv = CERT_PKIXVerifyCert(end_cert, usage, cvin, cvout, NULL);

-

 		if (rv != SECSuccess || cur_log->count > 0) {

 			if (cur_log->count > 0 && cur_log->head != NULL) {

 				if (usage == certificateUsageSSLClient &&

@@ -346,6 +366,7 @@ static int vfy_chain_pkix(CERTCertificate **chain, int chain_len,

 		}

 		break;

 	}

+#endif

 	pexpect(fin != 0);

 	CERT_DestroyCertList(trustcl);

diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c

index 50582822d..007d73f45 100644

--- a/programs/pluto/plutomain.c

+++ b/programs/pluto/plutomain.c

@@ -180,6 +180,12 @@ static const char compile_time_interop_options[] = ""

 	" BROKEN_POPEN"

 #endif

 	" NSS"

+#ifdef NSS_REQ_AVA_COPY

+	" (AVA copy)"

+#endif

+#ifdef NSS_IPSEC_PROFILE

+	" (IPsec profile)"

+#endif

 #ifdef USE_DNSSEC

 	" DNSSEC"

 #endif