diff --git a/.gitignore b/.gitignore
index 2e53166..1348edd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nss-util-3.79.tar.gz
+SOURCES/nss-util-3.90.tar.gz
diff --git a/.nss-util.metadata b/.nss-util.metadata
index c6cd5fa..9995ff3 100644
--- a/.nss-util.metadata
+++ b/.nss-util.metadata
@@ -1 +1 @@
-d44dc17b9aa14ded8d35689b49223b4576af9a87 SOURCES/nss-util-3.79.tar.gz
+3da034265fae0aceb70113f02b56f17325a3ebbf SOURCES/nss-util-3.90.tar.gz
diff --git a/SOURCES/nss-util-3.79-fips.patch b/SOURCES/nss-util-3.79-fips.patch
new file mode 100644
index 0000000..6aae9d5
--- /dev/null
+++ b/SOURCES/nss-util-3.79-fips.patch
@@ -0,0 +1,22 @@
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -58,16 +58,18 @@
+ /*
+  * NSS-defined certificate types
+  *
+  */
+ #define CKC_NSS (CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
+ 
+ /* FAKE PKCS #11 defines */
+ #define CKA_DIGEST 0x81000000L
++#define CKA_NSS_GENERATE 0x81000001L
++#define CKA_NSS_GENERATE_KEY_PAIR 0x81000002L
+ #define CKA_NSS_MESSAGE 0x82000000L
+ #define CKA_NSS_MESSAGE_MASK 0xff000000L
+ #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */
+ 
+ /*
+  * NSS-defined object attributes
+  *
+  */
diff --git a/SOURCES/nss-util-3.90-add-ems-policy.patch b/SOURCES/nss-util-3.90-add-ems-policy.patch
new file mode 100644
index 0000000..ef6863e
--- /dev/null
+++ b/SOURCES/nss-util-3.90-add-ems-policy.patch
@@ -0,0 +1,37 @@
+diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
+--- ./lib/util/secoid.c.add_ems_policy	2023-06-12 15:37:49.293905422 -0700
++++ ./lib/util/secoid.c	2023-06-12 17:20:29.498142775 -0700
+@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
+        SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
+        "IPsec User",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++
++    /* this will change upstream. for now apps shouldn't use it */
++    /* we need it for the policy code.  */
++    ODE(SEC_OID_PRIVATE_1,
++        "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ };
+ 
+ /* PRIVATE EXTENDED SECOID Table
+@@ -2095,6 +2100,8 @@ SECOID_Init(void)
+ 
+     /* turn off NSS_USE_POLICY_IN_SSL by default */
+     xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
++    /* turn off TLS REQUIRE EMS by default */
++    xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
+ 
+     envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
+     if (envVal)
+diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
+--- ./lib/util/secoidt.h.add_ems_policy	2023-06-12 17:18:35.131938535 -0700
++++ ./lib/util/secoidt.h	2023-06-12 17:21:49.675987022 -0700
+@@ -501,6 +501,9 @@ typedef enum {
+     SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
+     SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
+     SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
++    /* this will change upstream. for now apps shouldn't use it */
++    /* give it an obscure name here */
++    SEC_OID_PRIVATE_1 = 372,
+ 
+     SEC_OID_TOTAL
+ } SECOidTag;
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index ec33a82..541546b 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -1,7 +1,7 @@
-%global nspr_version 4.34.0
+%global nspr_version 4.35.0
 # adjust to the very latest build needed
 %global nspr_build_version -1
-%global nss_util_version 3.79.0
+%global nss_util_version 3.90.0
 
 # The upstream omits the trailing ".0", while we need it for
 # consistency with the pkg-config version:
@@ -57,6 +57,10 @@ Patch10: nss-util-disable-md5.patch
 # For compatibility reasons, we stick with the old PKCS #11 2.40
 # definition of CK_GCM_PARAMS:
 Patch11: nss-util-gcm-param-default-pkcs11v2.patch
+Patch60: nss-util-3.79-fips.patch
+#ems policy. needs to upstream
+Patch70: nss-util-3.90-add-ems-policy.patch
+
 
 
 %description
@@ -78,13 +82,15 @@ Header and library files for doing development with Network Security Services.
 
 %prep
 %setup -q -n %{name}-%{nss_util_archive_version}
-%patch2 -p0 -b .prtypes
-%patch7 -p0 -b .include_prtypes
-%patch8 -p1 -b .tls12_mechs
+%patch -P2 -p0 -b .prtypes
+%patch -P7 -p0 -b .include_prtypes
+%patch -P8 -p1 -b .tls12_mechs
 pushd nss
-%patch9 -p1 -R -b .sql-default
-%patch10 -p1 -b .disable-md5
-%patch11 -p1 -b .pkcs11v2
+%patch -P9 -p1 -R -b .sql-default
+%patch -P10 -p1 -b .disable-md5
+%patch -P11 -p1 -b .pkcs11v2
+%patch -P60 -p1 -b .fips
+%patch -P70 -p1 -b .ems
 popd
 
 
@@ -264,6 +270,10 @@ done
 %{_includedir}/nss3/templates/templates.c
 
 %changelog
+* Tue Jun 20 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
+- Rebase to NSS 3.90
+- Replace deprecate %patchN syntax
+
 * Thu Jun 2 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
 - Rebase to NSS 3.79