diff --git a/.gitignore b/.gitignore
index 51984f5..55cb85a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/cert8.db.xml
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
-SOURCES/nss-3.18.0.tar.gz
+SOURCES/nss-3.19.1.tar.gz
SOURCES/nss-config.xml
SOURCES/nss-pem-20140125.tar.bz2
SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index f1cb2d2..07697ae 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-38889e39147cf4d6ccd46dbb28f24ee69b2033c1 SOURCES/nss-3.18.0.tar.gz
+9e20dee2137265e61ce8a70daaf44fe0315fdb81 SOURCES/nss-3.19.1.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/expired-cert.patch b/SOURCES/expired-cert.patch
deleted file mode 100644
index 2754190..0000000
--- a/SOURCES/expired-cert.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
---- a/tests/chains/scenarios/realcerts.cfg
-+++ b/tests/chains/scenarios/realcerts.cfg
-@@ -16,14 +16,14 @@ import BrAirWaysBadSig:x:
-
- verify TestUser50:x
- result pass
-
- verify TestUser51:x
- result pass
-
- verify PayPalEE:x
-- policy OID.2.16.840.1.113733.1.7.23.6
-+ policy OID.2.16.840.1.114412.1.1
- result pass
-
- verify BrAirWaysBadSig:x
- result fail
-
-diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
---- a/tests/libpkix/vfychain_test.lst
-+++ b/tests/libpkix/vfychain_test.lst
-@@ -1,4 +1,4 @@
- # Status | Leaf Cert | Policies | Others(undef)
- 0 TestUser50 undef
- 0 TestUser51 undef
--0 PayPalEE OID.2.16.840.1.113733.1.7.23.6
-+0 PayPalEE OID.2.16.840.1.114412.1.1
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index 6e03b38..02f9de8 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -187,3 +187,14 @@ diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
+--- ./nss/lib/ssl/Makefile.iquote 2015-06-05 15:42:16.661963153 -0700
++++ ./nss/lib/ssl/Makefile 2015-06-05 15:43:25.862697604 -0700
+@@ -49,6 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
+
+
+ #######################################################################
diff --git a/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch
deleted file mode 100644
index 3e95d9b..0000000
--- a/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch
+++ /dev/null
@@ -1,326 +0,0 @@
-diff -up ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 ./nss/lib/ckfw/builtins/certdata.txt
---- ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100
-+++ ./nss/lib/ckfw/builtins/certdata.txt 2015-04-23 18:49:24.536940322 +0200
-@@ -187,9 +187,9 @@ END
- CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \002\004\065\336\364\317
- END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
- # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
-@@ -17341,149 +17341,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
- #
--# Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
--#
--# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
--# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
--# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
--# Not Valid Before: Thu Jan 04 11:32:48 2007
--# Not Valid After : Wed Jan 04 11:32:48 2017
--# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
--# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
--\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
--\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
--\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
--\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
--\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
--\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
--\141\171\151\143\151\163\151
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
--\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
--\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
--\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
--\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
--\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
--\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
--\141\171\151\143\151\163\151
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
--\254\265
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\003\266\060\202\002\236\240\003\002\001\002\002\020\104
--\231\215\074\300\003\047\275\234\166\225\271\352\333\254\265\060
--\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\165
--\061\013\060\011\006\003\125\004\006\023\002\124\122\061\050\060
--\046\006\003\125\004\012\023\037\105\154\145\153\164\162\157\156
--\151\153\040\102\151\154\147\151\040\107\165\166\145\156\154\151
--\147\151\040\101\056\123\056\061\074\060\072\006\003\125\004\003
--\023\063\145\055\107\165\166\145\156\040\113\157\153\040\105\154
--\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
--\153\141\040\110\151\172\155\145\164\040\123\141\147\154\141\171
--\151\143\151\163\151\060\036\027\015\060\067\060\061\060\064\061
--\061\063\062\064\070\132\027\015\061\067\060\061\060\064\061\061
--\063\062\064\070\132\060\165\061\013\060\011\006\003\125\004\006
--\023\002\124\122\061\050\060\046\006\003\125\004\012\023\037\105
--\154\145\153\164\162\157\156\151\153\040\102\151\154\147\151\040
--\107\165\166\145\156\154\151\147\151\040\101\056\123\056\061\074
--\060\072\006\003\125\004\003\023\063\145\055\107\165\166\145\156
--\040\113\157\153\040\105\154\145\153\164\162\157\156\151\153\040
--\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145\164
--\040\123\141\147\154\141\171\151\143\151\163\151\060\202\001\042
--\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
--\202\001\017\000\060\202\001\012\002\202\001\001\000\303\022\040
--\236\260\136\000\145\215\116\106\273\200\134\351\054\006\227\325
--\363\162\311\160\271\347\113\145\200\301\113\276\176\074\327\124
--\061\224\336\325\022\272\123\026\002\352\130\143\357\133\330\363
--\355\052\032\252\161\110\243\334\020\055\137\137\353\134\113\234
--\226\010\102\045\050\021\314\212\132\142\001\120\325\353\011\123
--\057\370\303\217\376\263\374\375\235\242\343\137\175\276\355\013
--\340\140\353\151\354\063\355\330\215\373\022\111\203\000\311\213
--\227\214\073\163\052\062\263\022\367\271\115\362\364\115\155\307
--\346\326\046\067\010\362\331\375\153\134\243\345\110\134\130\274
--\102\276\003\132\201\272\034\065\014\000\323\365\043\176\161\060
--\010\046\070\334\045\021\107\055\363\272\043\020\245\277\274\002
--\367\103\136\307\376\260\067\120\231\173\017\223\316\346\103\054
--\303\176\015\362\034\103\146\140\313\141\061\107\207\243\117\256
--\275\126\154\114\274\274\370\005\312\144\364\351\064\241\054\265
--\163\341\302\076\350\310\311\064\045\010\134\363\355\246\307\224
--\237\255\210\103\045\327\341\071\140\376\254\071\131\002\003\001
--\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
--\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
--\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
--\004\024\237\356\104\263\224\325\372\221\117\056\331\125\232\004
--\126\333\055\304\333\245\060\015\006\011\052\206\110\206\367\015
--\001\001\005\005\000\003\202\001\001\000\177\137\271\123\133\143
--\075\165\062\347\372\304\164\032\313\106\337\106\151\034\122\317
--\252\117\302\150\353\377\200\251\121\350\075\142\167\211\075\012
--\165\071\361\156\135\027\207\157\150\005\301\224\154\331\135\337
--\332\262\131\313\245\020\212\312\314\071\315\237\353\116\336\122
--\377\014\360\364\222\251\362\154\123\253\233\322\107\240\037\164
--\367\233\232\361\057\025\237\172\144\060\030\007\074\052\017\147
--\312\374\017\211\141\235\145\245\074\345\274\023\133\010\333\343
--\377\355\273\006\273\152\006\261\172\117\145\306\202\375\036\234
--\213\265\015\356\110\273\270\275\252\010\264\373\243\174\313\237
--\315\220\166\134\206\226\170\127\012\146\371\130\032\235\375\227
--\051\140\336\021\246\220\034\031\034\356\001\226\042\064\064\056
--\221\371\267\304\047\321\173\346\277\373\200\104\132\026\345\353
--\340\324\012\070\274\344\221\343\325\353\134\301\254\337\033\152
--\174\236\345\165\322\266\227\207\333\314\207\053\103\072\204\010
--\257\253\074\333\367\074\146\061\206\260\235\123\171\355\370\043
--\336\102\343\055\202\361\017\345\372\227
--END
--
--# Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
--# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
--# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
--# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
--# Not Valid Before: Thu Jan 04 11:32:48 2007
--# Not Valid After : Wed Jan 04 11:32:48 2017
--# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
--# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\335\341\322\251\001\200\056\035\207\136\204\263\200\176\113\261
--\375\231\101\064
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\075\101\051\313\036\252\021\164\315\135\260\142\257\260\103\133
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
--\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
--\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
--\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
--\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
--\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
--\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
--\141\171\151\143\151\163\151
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
--\254\265
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "GlobalSign Root CA - R3"
- #
- # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
-@@ -31590,3 +31447,146 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_T
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
-+#
-+# Certificate "Explicitly Distrusted MCSHOLDING CA"
-+#
-+# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
-+# Serial Number: 1228079246 (0x4933008e)
-+# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG
-+# Not Valid Before: Thu Mar 19 06:20:09 2015
-+# Not Valid After : Fri Apr 03 06:20:09 2015
-+# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61
-+# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA"
-+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-+CKA_SUBJECT MULTILINE_OCTAL
-+\060\074\061\013\060\011\006\003\125\004\006\023\002\105\107\061
-+\023\060\021\006\003\125\004\012\014\012\115\103\123\110\117\114
-+\104\111\116\107\061\030\060\026\006\003\125\004\003\014\017\115
-+\103\123\110\117\114\104\111\116\107\040\124\105\123\124
-+END
-+CKA_ID UTF8 "0"
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-+\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-+\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-+\122\117\117\124
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\004\111\063\000\216
-+END
-+CKA_VALUE MULTILINE_OCTAL
-+\060\202\004\222\060\202\003\172\240\003\002\001\002\002\004\111
-+\063\000\216\060\015\006\011\052\206\110\206\367\015\001\001\013
-+\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103
-+\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111
-+\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111
-+\103\040\122\117\117\124\060\036\027\015\061\065\060\063\061\071
-+\060\066\062\060\060\071\132\027\015\061\065\060\064\060\063\060
-+\066\062\060\060\071\132\060\074\061\013\060\011\006\003\125\004
-+\006\023\002\105\107\061\023\060\021\006\003\125\004\012\014\012
-+\115\103\123\110\117\114\104\111\116\107\061\030\060\026\006\003
-+\125\004\003\014\017\115\103\123\110\117\114\104\111\116\107\040
-+\124\105\123\124\060\202\001\042\060\015\006\011\052\206\110\206
-+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
-+\002\202\001\001\000\245\371\165\014\006\256\356\014\021\315\226
-+\063\115\153\316\300\112\014\075\135\353\322\113\011\177\347\107
-+\054\254\161\000\371\010\257\064\361\243\152\307\374\346\253\316
-+\320\276\312\315\052\230\230\271\320\216\063\111\007\141\040\321
-+\132\064\316\203\024\006\171\216\032\277\333\344\240\070\072\356
-+\224\271\243\240\130\072\211\024\254\140\076\003\324\307\315\073
-+\034\260\232\210\032\111\020\251\260\262\375\345\350\341\004\342
-+\352\202\155\376\014\121\105\221\255\165\042\256\377\117\220\013
-+\300\123\145\167\076\036\302\126\265\066\306\326\205\314\016\203
-+\032\063\037\166\231\133\053\227\053\213\327\321\024\025\114\235
-+\131\327\200\057\244\242\205\325\210\066\002\140\125\312\130\337
-+\223\374\112\142\007\226\323\304\372\277\215\001\047\227\057\246
-+\134\164\361\072\102\156\135\171\024\060\061\032\074\331\262\127
-+\115\340\270\077\017\151\061\242\235\145\231\331\326\061\207\265
-+\230\046\337\360\313\273\025\300\044\023\142\122\032\153\313\105
-+\007\227\343\304\224\136\311\015\107\054\351\317\351\364\217\376
-+\065\341\062\347\061\002\003\001\000\001\243\202\001\244\060\202
-+\001\240\060\166\006\010\053\006\001\005\005\007\001\001\004\152
-+\060\150\060\051\006\010\053\006\001\005\005\007\060\001\206\035
-+\150\164\164\160\072\057\057\157\143\163\160\143\156\156\151\143
-+\162\157\157\164\056\143\156\156\151\143\056\143\156\060\073\006
-+\010\053\006\001\005\005\007\060\002\206\057\150\164\164\160\072
-+\057\057\167\167\167\056\143\156\156\151\143\056\143\156\057\144
-+\157\167\156\154\157\141\144\057\143\145\162\164\057\103\116\116
-+\111\103\122\117\117\124\056\143\145\162\060\037\006\003\125\035
-+\043\004\030\060\026\200\024\145\362\061\255\052\367\367\335\122
-+\226\012\307\002\301\016\357\246\325\073\021\060\017\006\003\125
-+\035\023\001\001\377\004\005\060\003\001\001\377\060\077\006\003
-+\125\035\040\004\070\060\066\060\064\006\012\053\006\001\004\001
-+\201\351\014\001\006\060\046\060\044\006\010\053\006\001\005\005
-+\007\002\001\026\030\150\164\164\160\072\057\057\167\167\167\056
-+\143\156\156\151\143\056\143\156\057\143\160\163\057\060\201\206
-+\006\003\125\035\037\004\177\060\175\060\102\240\100\240\076\244
-+\074\060\072\061\013\060\011\006\003\125\004\006\023\002\103\116
-+\061\016\060\014\006\003\125\004\012\014\005\103\116\116\111\103
-+\061\014\060\012\006\003\125\004\013\014\003\143\162\154\061\015
-+\060\013\006\003\125\004\003\014\004\143\162\154\061\060\067\240
-+\065\240\063\206\061\150\164\164\160\072\057\057\143\162\154\056
-+\143\156\156\151\143\056\143\156\057\144\157\167\156\154\157\141
-+\144\057\162\157\157\164\163\150\141\062\143\162\154\057\103\122
-+\114\061\056\143\162\154\060\013\006\003\125\035\017\004\004\003
-+\002\001\006\060\035\006\003\125\035\016\004\026\004\024\104\244
-+\211\253\024\137\075\157\040\074\252\174\372\031\256\364\110\140
-+\005\265\060\015\006\011\052\206\110\206\367\015\001\001\013\005
-+\000\003\202\001\001\000\134\264\365\123\233\117\271\340\204\211
-+\061\276\236\056\352\236\041\113\245\217\155\241\246\363\057\110
-+\353\351\333\255\036\061\200\320\171\073\020\357\232\044\367\223
-+\033\065\363\032\302\307\302\054\012\177\157\133\361\137\163\221
-+\004\373\015\171\015\351\032\006\326\203\375\116\140\235\154\222
-+\103\114\352\144\230\104\253\327\373\107\320\257\037\144\114\342
-+\335\167\150\026\302\054\241\240\201\227\000\102\037\176\040\170
-+\350\306\120\035\013\177\025\223\131\130\100\024\204\360\247\220
-+\153\066\005\147\352\177\042\155\273\321\245\046\115\263\060\244
-+\130\324\133\265\032\214\120\214\270\015\341\240\007\263\017\130
-+\316\327\005\265\175\065\171\157\242\333\014\000\052\150\044\214
-+\176\234\301\166\111\272\174\146\021\336\362\107\316\376\320\316
-+\125\276\010\332\362\171\046\052\025\071\316\153\030\246\337\330
-+\207\050\231\224\016\055\150\241\232\316\122\066\234\053\354\264
-+\150\263\154\025\254\313\160\102\362\304\101\245\310\374\041\170
-+\123\167\062\040\251\041\114\162\342\323\262\311\166\033\030\130
-+\102\013\102\222\263\344
-+END
-+
-+# Distrust "Explicitly Distrusted MCSHOLDING CA"
-+# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
-+# Serial Number: 1228079246 (0x4933008e)
-+# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG
-+# Not Valid Before: Thu Mar 19 06:20:09 2015
-+# Not Valid After : Fri Apr 03 06:20:09 2015
-+# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61
-+# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
-+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA"
-+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-+\341\363\131\036\166\230\145\304\344\107\254\303\176\257\311\342
-+\277\344\305\166
-+END
-+CKA_CERT_MD5_HASH MULTILINE_OCTAL
-+\366\212\253\024\076\326\060\045\267\111\015\167\205\160\231\313
-+END
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-+\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-+\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-+\122\117\117\124
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\004\111\063\000\216
-+END
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
-+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
-+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-diff -up ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 ./nss/lib/ckfw/builtins/nssckbi.h
---- ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100
-+++ ./nss/lib/ckfw/builtins/nssckbi.h 2015-04-23 18:49:24.575939481 +0200
-@@ -45,8 +45,8 @@
- * of the comment in the CK_VERSION type definition.
- */
- #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
--#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 3
--#define NSS_BUILTINS_LIBRARY_VERSION "2.3"
-+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4
-+#define NSS_BUILTINS_LIBRARY_VERSION "2.4"
-
- /* These version numbers detail the semantic changes to the ckfw engine. */
- #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/SOURCES/nss-revert-tls-version-defaults.patch b/SOURCES/nss-revert-tls-version-defaults.patch
index f24e91c..ab0b10a 100644
--- a/SOURCES/nss-revert-tls-version-defaults.patch
+++ b/SOURCES/nss-revert-tls-version-defaults.patch
@@ -1,37 +1,20 @@
-
-# HG changeset patch
-# User Martin Thomson <martin.thomson@gmail.com>
-# Date 1425582301 -3600
-# Node ID 3c8e2b57803654f9cc74a37132d72fd0b8a59db5
-# Parent ad602a80ac1013dcd8b7508e0f8474d81e447d4a
-Bug 1083900, Enable TLS 1.2 in the default NSS configuration, r=rrelyea
-
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
---- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
- PR_FALSE /* enableFallbackSCSV */
- };
-
- /*
+diff -up nss/lib/ssl/sslsock.c.keep_tls_default nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.keep_tls_default 2015-06-05 15:23:25.816895506 -0700
++++ nss/lib/ssl/sslsock.c 2015-06-05 15:24:05.343176138 -0700
+@@ -89,13 +89,13 @@ static sslOptions ssl_defaults = {
* default range of enabled SSL/TLS protocols
*/
static SSLVersionRange versions_defaults_stream = {
- SSL_LIBRARY_VERSION_3_0,
-- SSL_LIBRARY_VERSION_TLS_1_0
-+ SSL_LIBRARY_VERSION_TLS_1_2
+- SSL_LIBRARY_VERSION_TLS_1_0,
+- SSL_LIBRARY_VERSION_TLS_1_2
++ SSL_LIBRARY_VERSION_3_0,
++ SSL_LIBRARY_VERSION_TLS_1_0
};
static SSLVersionRange versions_defaults_datagram = {
SSL_LIBRARY_VERSION_TLS_1_1,
-- SSL_LIBRARY_VERSION_TLS_1_1
-+ SSL_LIBRARY_VERSION_TLS_1_2
+- SSL_LIBRARY_VERSION_TLS_1_2
++ SSL_LIBRARY_VERSION_TLS_1_1
};
#define VERSIONS_DEFAULTS(variant) \
- (variant == ssl_variant_stream ? &versions_defaults_stream : \
- &versions_defaults_datagram)
-
- sslSessionIDLookupFunc ssl_sid_lookup;
- sslSessionIDCacheFunc ssl_sid_cache;
-
diff --git a/SOURCES/ssl-server-min-key-sizes.patch b/SOURCES/ssl-server-min-key-sizes.patch
new file mode 100644
index 0000000..1ed9a82
--- /dev/null
+++ b/SOURCES/ssl-server-min-key-sizes.patch
@@ -0,0 +1,47 @@
+diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.min_key_sizes 2015-06-08 11:38:41.154472496 -0700
++++ nss/lib/ssl/ssl3con.c 2015-06-08 11:43:45.538294127 -0700
+@@ -6743,7 +6743,7 @@ ssl3_HandleServerKeyExchange(sslSocket *
+ goto loser; /* malformed. */
+ }
+ dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
+- if (dh_p_bits < DH_MIN_P_BITS) {
++ if (dh_p_bits < SSL_DH_MIN_P_BITS) {
+ errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
+ goto alert_loser;
+ }
+@@ -10056,9 +10056,12 @@ ssl3_AuthCertificate(sslSocket *ss)
+ /* We aren't checking EC here on the understanding that we only
+ * support curves we like, a decision that might need revisiting. */
+ if (((pubKeyType == rsaKey || pubKeyType == rsaPssKey ||
+- pubKeyType == rsaOaepKey) && ss->sec.authKeyBits < 1023) ||
+- (pubKeyType == dsaKey && ss->sec.authKeyBits < DSA_MIN_P_BITS) ||
+- (pubKeyType == dhKey && ss->sec.authKeyBits < DH_MIN_P_BITS)) {
++ pubKeyType == rsaOaepKey) &&
++ ss->sec.authKeyBits < SSL_RSA_MIN_MODULUS_BITS) ||
++ (pubKeyType == dsaKey &&
++ ss->sec.authKeyBits < SSL_DSA_MIN_P_BITS) ||
++ (pubKeyType == dhKey &&
++ ss->sec.authKeyBits < SSL_DH_MIN_P_BITS)) {
+ PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY);
+ (void)SSL3_SendAlert(ss, alert_fatal,
+ ss->version >= SSL_LIBRARY_VERSION_TLS_1_0
+diff -up nss/lib/ssl/sslimpl.h.min_key_sizes nss/lib/ssl/sslimpl.h
+--- nss/lib/ssl/sslimpl.h.min_key_sizes 2015-06-08 11:39:30.287475197 -0700
++++ nss/lib/ssl/sslimpl.h 2015-06-08 11:46:14.262275334 -0700
+@@ -153,6 +153,15 @@ typedef enum { SSLAppOpRead = 0,
+
+ #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
+
++/* The minimum server key sizes accepted by the clients.
++ * Not 1024 to be conservative. */
++#define SSL_RSA_MIN_MODULUS_BITS 1023
++/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
++ * only 1023 bits and similar. We don't have good data on whether this
++ * happens because NSS used to count bit lengths incorrectly. */
++#define SSL_DH_MIN_P_BITS 768
++#define SSL_DSA_MIN_P_BITS 1023
++
+ #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/
+ #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */
+ #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */
diff --git a/SOURCES/syntaxfix.patch b/SOURCES/syntaxfix.patch
deleted file mode 100644
index 91603a4..0000000
--- a/SOURCES/syntaxfix.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/tests/all.sh b/tests/all.sh
---- a/tests/all.sh
-+++ b/tests/all.sh
-@@ -297,17 +297,17 @@ fi
-
- # NOTE:
- # Since in make at the top level, modutil is the last file
- # created, we check for modutil to know whether the build
- # is complete. If a new file is created after that, the
- # following test for modutil should check for that instead.
- # Exception: when building softoken only, shlibsign is the
- # last file created.
--if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
-+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
- LAST_FILE_BUILT=shlibsign
- else
- LAST_FILE_BUILT=modutil
- fi
-
- if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
- echo "Build Incomplete. Aborting test." >> ${LOGFILE}
- html_head "Testing Initialization"
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index e7ec2d8..6447fc5 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,8 +1,10 @@
%global nspr_version 4.10.8
-%global nss_util_version 3.18.0
+%global nss_util_version 3.19.1
# adjust to the version that gets submitted for FIPS validation
%global nss_softokn_fips_version 3.16.2
%global nss_softokn_version 3.16.2.3
+%global required_softokn_build_version -9
+
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -20,15 +22,15 @@
Summary: Network Security Services
Name: nss
-Version: 3.18.0
-Release: 2.2%{?dist}
+Version: 3.19.1
+Release: 3%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{nss_util_version}
# TODO: revert to same version as nss once we are done with the merge
-Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
+Requires: nss-softokn%{_isa} >= %{nss_softokn_version}%{required_softokn_build_version}
Requires: nss-system-init
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
@@ -36,7 +38,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: nspr-devel >= %{nspr_version}
# TODO: revert to same version as nss once we are done with the merge
# Using '>=' but on RHEL the requires should be '='
-BuildRequires: nss-softokn-devel >= %{nss_softokn_version}
+BuildRequires: nss-softokn-devel >= %{nss_softokn_version}%{required_softokn_build_version}
BuildRequires: nss-util-devel >= %{nss_util_version}
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
@@ -100,14 +102,9 @@ Patch53: Bug-1001841-disable-sslv2-tests.patch
Patch55: enable-fips-when-system-is-in-fips-mode.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
Patch56: p-ignore-setpolicy.patch
-# Update the root CA list to 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
-Patch91: nss-3.18.1-ca-2.3-to-2.4.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1151037
-Patch95: expired-cert.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1153994
-Patch96: syntaxfix.patch
# Patch to keep the TLS protocol versions that are enabled by default
Patch98: nss-revert-tls-version-defaults.patch
+Patch99: ssl-server-min-key-sizes.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -205,13 +202,8 @@ pushd nss
popd
%patch55 -p0 -b .852023
%patch56 -p0 -b .1026677
-%patch91 -p1 -b .pre-ca-2.4
-pushd nss
-%patch95 -p1 -b .renewed_paypal_cert
-%patch96 -p1 -b .syntax_fix
-# attention, reverting patch98, keep -R
-%patch98 -p1 -R -b .keep_tls_default
-popd
+%patch98 -p0 -b .keep_tls_default
+%patch99 -p0 -b .min_key_sizes
#########################################################
# Higher-level libraries and test tools need access to
@@ -224,7 +216,7 @@ for file in ${pemNeedsFromSoftoken}; do
%{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
done
-# Copying these header util the upstream bug is accepted
+# Copying these header until the upstream bug is accepted
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
@@ -792,6 +784,18 @@ fi
%changelog
+* Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-3
+- Reenable a patch that had been mistakenly disabled
+- Resolves: Bug 1224451
+
+* Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-2
+- Build against nss-softokn-3.16.2.3-9
+- Resolves: Bug 1224451
+
+* Fri Jun 05 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-1
+- Rebase to nss-3.19.1
+- Resolves: Bug 1224451
+
* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.2
- On RHEL 7.1 keep the TLS version defaults unchanged.