diff -up nss/lib/ssl/ssl3con.c.old_pkcs11_num nss/lib/ssl/ssl3con.c
--- nss/lib/ssl/ssl3con.c.old_pkcs11_num 2017-01-04 15:24:24.000000000 +0100
+++ nss/lib/ssl/ssl3con.c 2017-01-16 10:42:14.993429316 +0100
@@ -11054,8 +11054,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s
tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
param.data = (unsigned char *)&tls_mac_params;
param.len = sizeof(tls_mac_params);
- prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN,
- spec->master_secret, ¶m);
+ /* RHEL 7.2 had the wrong number for CKM_TLS12_MACH instead of CKM_TLS_MAC. In the new scheme that
+ * number matches with CKM_TLS_KDF, so until softoken gets updated, use CKM_TLS_KDF on RHEL7 */
+ prf_context = PK11_CreateContextBySymKey(CKM_TLS_KDF, CKA_SIGN,
+ spec->master_secret, ¶m);
if (!prf_context)
return SECFailure;