diff -up ./gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/ssl_auth_unittest.cc

--- ./gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests	2021-05-28 02:50:43.000000000 -0700

+++ ./gtests/ssl_gtest/ssl_auth_unittest.cc	2021-06-03 17:01:27.530383629 -0700

@@ -1036,7 +1036,9 @@ static SSLNamedGroup NamedGroupForEcdsa3

   // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and

   // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so

   // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.

-  if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {

+  // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

+  // a higher priority than AES-128 GCM.

+  if (version <= SSL_LIBRARY_VERSION_TLS_1_2) {

     return ssl_grp_ec_secp384r1;

   }

   return ssl_grp_ec_curve25519;

@@ -1831,27 +1833,31 @@ INSTANTIATE_TEST_SUITE_P(

                        ::testing::Values(TlsAgent::kServerRsa),

                        ::testing::Values(ssl_auth_rsa_sign),

                        ::testing::Values(ssl_sig_rsa_pkcs1_sha1)));

+// FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

+// a higher priority than AES-128 GCM, and that causes the following

+// 4 TLS 1.2 tests to fail.

 INSTANTIATE_TEST_SUITE_P(

     SignatureSchemeEcdsaP256, TlsSignatureSchemeConfiguration,

     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,

-                       TlsConnectTestBase::kTlsV12Plus,

+                       TlsConnectTestBase::kTlsV13,

                        ::testing::Values(TlsAgent::kServerEcdsa256),

                        ::testing::Values(ssl_auth_ecdsa),

                        ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));

 INSTANTIATE_TEST_SUITE_P(

     SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,

     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,

-                       TlsConnectTestBase::kTlsV12Plus,

+                       TlsConnectTestBase::kTlsV13,

                        ::testing::Values(TlsAgent::kServerEcdsa384),

                        ::testing::Values(ssl_auth_ecdsa),

                        ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));

 INSTANTIATE_TEST_SUITE_P(

     SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,

     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,

-                       TlsConnectTestBase::kTlsV12Plus,

+                       TlsConnectTestBase::kTlsV13,

                        ::testing::Values(TlsAgent::kServerEcdsa521),

                        ::testing::Values(ssl_auth_ecdsa),

                        ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));

+#if 0

 INSTANTIATE_TEST_SUITE_P(

     SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,

     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,

@@ -1860,4 +1866,5 @@ INSTANTIATE_TEST_SUITE_P(

                                          TlsAgent::kServerEcdsa384),

                        ::testing::Values(ssl_auth_ecdsa),

                        ::testing::Values(ssl_sig_ecdsa_sha1)));

+#endif

 }  // namespace nss_test

diff -up ./gtests/ssl_gtest/ssl_recordsize_unittest.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/ssl_recordsize_unittest.cc

--- ./gtests/ssl_gtest/ssl_recordsize_unittest.cc.reorder-cipher-suites-gtests	2021-05-28 02:50:43.000000000 -0700

+++ ./gtests/ssl_gtest/ssl_recordsize_unittest.cc	2021-06-03 16:47:23.130301387 -0700

@@ -72,11 +72,13 @@ void CheckRecordSizes(const std::shared_

       break;

     case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:

+    case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:

       expansion = 16;

       iv = 8;

       break;

     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:

+    case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:

       // Expansion is 20 for the MAC.  Maximum block padding is 16.  Maximum

       // padding is added when the input plus the MAC is an exact multiple of

       // the block size.

diff -up ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc

--- ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc.reorder-cipher-suites-gtests	2021-05-28 02:50:43.000000000 -0700

+++ ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc	2021-06-03 16:47:23.130301387 -0700

@@ -133,7 +133,19 @@ TEST_P(TlsConnectGenericPre13, TooLargeR

 TEST_P(TlsConnectGeneric, ServerAuthBiggestRsa) {

   Reset(TlsAgent::kRsa8192);

   Connect();

-  CheckKeys();

+  if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {

+    CheckKeys();

+  } else {

+    // in TLS 1.2 or TLS 1.1, AES-256 is selected by default, which

+    // needs a different kea setup

+    SSLSignatureScheme scheme;

+    if (version_ >= SSL_LIBRARY_VERSION_TLS_1_2) {

+        scheme = ssl_sig_rsa_pss_rsae_sha256;

+    } else {

+        scheme = ssl_sig_rsa_pkcs1_sha256;

+    }

+    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp521r1, ssl_auth_rsa_sign, scheme);

+  }

 }

 }  // namespace nss_test

diff -up ./gtests/ssl_gtest/tls_agent.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/tls_agent.cc

--- ./gtests/ssl_gtest/tls_agent.cc.reorder-cipher-suites-gtests	2021-05-28 02:50:43.000000000 -0700

+++ ./gtests/ssl_gtest/tls_agent.cc	2021-06-03 16:47:23.130301387 -0700

@@ -603,6 +603,9 @@ void TlsAgent::CheckKEA(SSLKEAType kea,

       case ssl_grp_ec_secp384r1:

         kea_size = 384;

         break;

+      case ssl_grp_ec_secp521r1:

+        kea_size = 521;

+        break;

       case ssl_grp_ffdhe_2048:

         kea_size = 2048;

         break;