diff --git a/.gitignore b/.gitignore
index fb97387..51984f5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 SOURCES/PayPalEE.cert
+SOURCES/PayPalICA.cert
 SOURCES/blank-cert8.db
 SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
@@ -8,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.16.2.3.tar.gz
+SOURCES/nss-3.18.0.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index b2fbd5a..f1cb2d2 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,4 +1,5 @@
-084be8769682236828d8e9dc55901e53e8eb8432 SOURCES/PayPalEE.cert
+86cf4eb313dda4bd86a6d096ecc5aee07ee5e124 SOURCES/PayPalEE.cert
+a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert
 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
@@ -8,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-264abc5af31eab16e2245e33a71f77cc7aae5c39 SOURCES/nss-3.16.2.3.tar.gz
+38889e39147cf4d6ccd46dbb28f24ee69b2033c1 SOURCES/nss-3.18.0.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
index efbbfe8..07a7eb1 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -14,18 +14,18 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
 +DEFINES += -DNSS_NO_SSL2
 +endif
 +
+ # Allow build-time configuration of TLS 1.3 (Experimental)
+ ifdef NSS_ENABLE_TLS_1_3
+ DEFINES += -DNSS_ENABLE_TLS_1_3
+ endif
+ 
  ifdef NSS_NO_PKCS11_BYPASS
  DEFINES += -DNO_PKCS11_BYPASS
  else
- CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
- 
- EXTRA_LIBS += \
- 	$(CRYPTOLIB) \
- 	$(NULL)
 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
 --- a/lib/ssl/sslsock.c
 +++ b/lib/ssl/sslsock.c
-@@ -649,16 +649,24 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+@@ -650,16 +650,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
          if (ss->cipherSpecs) {
              PORT_Free(ss->cipherSpecs);
              ss->cipherSpecs     = NULL;
@@ -39,8 +39,6 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
 +            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
 +            rv = SECFailure; /* not allowed */
 +        }
-+        break;
-+        ss->opt.enableSSL2      = on;
 +#else
          if (IS_DTLS(ss)) {
              if (on) {
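Review bot: Dropping the `break;` here (and the one inside the `if (on)` block in the hunk at line 87) means a call with `on` true now sets `rv = SECFailure` and then keeps executing whatever follows the `#endif`; the `#endif` itself is not visible in this hunk, but `ss->opt.enableSSL2 = on;` appears as plain context at the end of the next hunk, so the option would be stored as enabled on the very call that reports it is not allowed. If the intent is to reject the request without touching socket state, keep a break inside the rejecting branch: `rv = SECFailure; /* not allowed */` followed by `break;`. Whether any later code guards against a true `enableSSL2` in an NSS_NO_SSL2 build cannot be confirmed from the diff; the SSL_OptionSet switch starts and ends outside this hunk.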
@@ -50,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
              break;
          }
          ss->opt.enableSSL2       = on;
-@@ -666,42 +674,51 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+@@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
              ss->opt.v2CompatibleHello = on;
          }
          ss->preferredCipher     = NULL;
@@ -79,7 +77,6 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
 +        if (on) {
 +            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
 +            rv = SECFailure; /* not allowed */
-+            break;
 +        }
 +#else
          if (IS_DTLS(ss)) {
@@ -101,27 +98,45 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          break;
  
        case SSL_NO_STEP_DOWN:
-         ss->opt.noStepDown     = on;
-@@ -1155,17 +1172,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
- 
-     if (rv != SECSuccess) {
-         return rv;
-     }
- 
-     if (ssl_IsRemovedCipherSuite(which)) {
-         rv = SECSuccess;
-     } else if (SSL_IS_SSL2_CIPHER(which)) {
 +#ifdef NSS_NO_SSL2
-+        rv = SSL_ERROR_SSL2_DISABLED;
++        if (!on) {
++            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++            rv = SECFailure; /* not allowed */
++        }
 +#else
-         rv = ssl2_SetPolicy(which, policy);
+         ss->opt.noStepDown     = on;
+         if (on)
+             SSL_DisableExportCipherSuites(fd);
 +#endif /* NSS_NO_SSL2 */
-     } else {
-         rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+         break;
+ 
+       case SSL_BYPASS_PKCS11:
+         if (ss->handshakeBegun) {
+             PORT_SetError(PR_INVALID_STATE_ERROR);
+             rv = SECFailure;
+         } else {
+             if (PR_FALSE != on) {
+@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
      }
-     return rv;
+     return SECSuccess;
  }
  
- SECStatus
- SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
-
+ /* function tells us if the cipher suite is one that we no longer support. */
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
++#ifdef NSS_NO_SSL2
++    /* both ssl2 and export cipher suites disabled */
++    if (SSL_IS_SSL2_CIPHER(suite))
++        return PR_TRUE;
++    if (SSL_IsExportCipherSuite(suite))
++      return PR_TRUE;
++#endif /* NSS_NO_SSL2_NO_EXPORT */
+     switch (suite) {
+     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
+         return PR_TRUE;
+     default:
+         return PR_FALSE;
+     }
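Review bot: The closing marker at line 150 does not match its opener: the block starts with `#ifdef NSS_NO_SSL2` at line 144 but ends with `#endif /* NSS_NO_SSL2_NO_EXPORT */`; it should read `#endif /* NSS_NO_SSL2 */`, as the other `#endif` in this hunk does. The `return PR_TRUE;` under `SSL_IsExportCipherSuite(suite)` at line 149 is indented two columns short of the matching return two lines above. In the SSL_NO_STEP_DOWN case under NSS_NO_SSL2, a call with `on` true is accepted but `ss->opt.noStepDown` is never written, unlike the `#else` branch; if the build's default for that option is not already PR_TRUE the enable would silently be a no-op, so either store it or say so with a comment such as `/* step-down stays permanently on in NSS_NO_SSL2 builds; redundant enables are accepted */`. The body of `ssl_IsRemovedCipherSuite` continues past the end of this hunk.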
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
index c8a0ce0..6ed54ef 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -1,7 +1,7 @@
 diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
 --- a/tests/ssl/ssl.sh
 +++ b/tests/ssl/ssl.sh
-@@ -57,18 +57,23 @@ ssl_init()
+@@ -57,19 +57,23 @@ ssl_init()
    fi
  
    PORT=${PORT-8443}
@@ -11,14 +11,15 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  
    # Test case files
 -  SSLCOV=${QADIR}/ssl/sslcov.txt
-+  SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \
-+    && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
-+    || ${QADIR}/ssl/sslcov.txt
-   SSLAUTH=${QADIR}/ssl/sslauth.txt
-+  SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \
-+    && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
-+    || ${QADIR}/ssl/sslstress.txt
-   SSLSTRESS=${QADIR}/ssl/sslstress.txt
+-  SSLAUTH=${QADIR}/ssl/sslauth.txt
+-  SSLSTRESS=${QADIR}/ssl/sslstress.txt
++  if [ "${NSS_NO_SSL2}" = "1" ]; then
++    SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
++    SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
++  else
++    SSLCOV=${QADIR}/ssl/sslcov.txt
++    SSLSTRESS=${QADIR}/ssl/sslstress.txt
++  fi
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  
    #temparary files
@@ -26,7 +27,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    SERVERPID=${TMP}/tests_pid.$$
  
    R_SERVERPID=../tests_pid.$$
-@@ -115,17 +120,21 @@ is_selfserv_alive()
+ 
+@@ -115,17 +119,21 @@ is_selfserv_alive()
    if [ "${OS_ARCH}" = "WINNT" ] && \
       [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
        PID=${SHELL_SERVERPID}
@@ -35,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    fi
  
    echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
-+  [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++  if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
 +  echo "No server to kill"
 +  else
    kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
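Review bot: The rewritten condition at line 211 is still not valid shell: `[[ "${NSS_NO_SSL2}" = "1" ]` opens a `[[ ... ]]` conditional but closes it with a single `]`, so bash rejects the line with a syntax error before the test runs. Independently, `-n ${EXP} -o -n ${SSL2}` leaves both expansions unquoted, so an empty EXP or SSL2 collapses to a bare `-n`, which `test` treats as a non-empty string and evaluates as true. Use two plain tests joined by the shell's `&&` with quoted operands: `if [ "${NSS_NO_SSL2}" = "1" ] && [ -n "${EXP}" -o -n "${SSL2}" ]; then`. The other ssl.sh hunks of this patch file are not shown here, so I cannot tell whether the same unquoted pattern recurs in them; the enclosing function, is_selfserv_alive, begins before this hunk.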
@@ -48,7 +50,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  # local shell function to wait until selfserver is running and initialized
  ########################################################################
  wait_for_selfserv()
-@@ -138,17 +147,21 @@ wait_for_selfserv()
+@@ -138,17 +146,21 @@ wait_for_selfserv()
    if [ $? -ne 0 ]; then
        sleep 5
        echo "retrying to connect to selfserv at `date`"
@@ -70,7 +72,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  ########################### kill_selfserv ##############################
  # local shell function to kill the selfserver after the tests are done
  ########################################################################
-@@ -273,16 +286,19 @@ ssl_cov()
+@@ -273,16 +285,19 @@ ssl_cov()
    exec < ${SSLCOV}
    while read ectype testmax param testname
    do
diff --git a/SOURCES/Bug-1174527-fixsegfault.patch b/SOURCES/Bug-1174527-fixsegfault.patch
deleted file mode 100644
index ff24334..0000000
--- a/SOURCES/Bug-1174527-fixsegfault.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
---- a/lib/pkcs12/p12local.c
-+++ b/lib/pkcs12/p12local.c
-@@ -923,17 +923,18 @@ sec_pkcs12_convert_item_to_unicode(PLAre
- 	if(!arena) {
- 	    PORT_Free(dest->data);
- 	    dest->data = NULL;
- 	    dest->len = 0;
- 	}
- 	return PR_FALSE;
-     }
- 
--    if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
-+    if ((dest->len >= 2) &&
-+	(dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
- 	if(dest->len + 2 > 3 * src->len) {
- 	    if(arena) {
- 		dest->data = (unsigned char*)PORT_ArenaGrow(arena, 
- 						     dest->data, dest->len,
- 						     dest->len + 2);
- 	    } else {
- 		dest->data = (unsigned char*)PORT_Realloc(dest->data, 
- 							  dest->len + 2);
diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
deleted file mode 100644
index d3e0f21..0000000
--- a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
---- a/lib/pki/pki3hack.c
-+++ b/lib/pki/pki3hack.c
-@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat
- }
- 
- static CERTCertificate *
- stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
- {
-     nssDecodedCert *dc = NULL;
-     CERTCertificate *cc = NULL;
-     CERTCertTrust certTrust;
-+    nssPKIObject *object = &c->object;
- 
--    nssPKIObject_Lock(&c->object);
-+    /* make sure object does not go away until we finish */
-+    nssPKIObject_AddRef(object);
-+    nssPKIObject_Lock(object);
- 
-     dc = c->decoding;
-     if (!dc) {
- 	dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
- 	if (!dc) {
-             goto loser;
-         }
- 	cc = (CERTCertificate *)dc->data;
-@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate *
-         trust = nssTrust_GetCERTCertTrustForCert(c, cc);
- 
-         CERT_LockCertTrust(cc);
-         cc->trust = trust;
-         CERT_UnlockCertTrust(cc);
-     }
- 
-   loser:
--    nssPKIObject_Unlock(&c->object);
-+    nssPKIObject_Unlock(object);
-+    nssPKIObject_Destroy(object);
-     return cc;
- }
- 
- NSS_IMPLEMENT CERTCertificate *
- STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
- {
-     if (c->decoding) {
- 	return stan_GetCERTCertificate(c, PR_TRUE);
-@@ -1265,16 +1269,17 @@ done:
- */
- static PRStatus
- DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
- {
-     int numNotDestroyed = 0;     /* the ones skipped plus the failures */
-     int failureCount = 0;        /* actual deletion failures by devices */
-     int index;
- 
-+    nssPKIObject_AddRef(tObject);
-     nssPKIObject_Lock(tObject);
-     /* Keep going even if a module fails to delete. */
-     for (index = 0; index < tObject->numInstances; index++) {
- 	nssCryptokiObject *instance = tObject->instances[index];
- 	if (!instance) {
- 	    continue;
- 	}
- 
-@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo
-     if (numNotDestroyed == 0) {
-     	nss_ZFreeIf(tObject->instances);
-     	tObject->numInstances = 0;
-     } else {
-     	tObject->numInstances = numNotDestroyed;
-     }
- 
-     nssPKIObject_Unlock(tObject);
-+    nssPKIObject_Destroy(tObject);
- 
-     return failureCount == 0 ? PR_SUCCESS : PR_FAILURE;
- }
- 
- /*
- ** Delete trust objects matching the slot of the given certificate.
- ** Returns an error if any device fails to delete. 
- */
-@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert
-     int i;
- 
-     /* Iterate through the cert and trust object instances looking for
-      * those with matching pk11 slots to delete. Even if some device
-      * can't delete we keep going. Keeping a status variable for the
-      * loop so that once it's failed the other gets set.
-      */
-     NSSRWLock_LockRead(td->tokensLock);
-+    nssPKIObject_AddRef(cobject);
-     nssPKIObject_Lock(cobject);
-     for (i = 0; i < cobject->numInstances; i++) {
- 	nssCryptokiObject *cInstance = cobject->instances[i];
- 	if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
- 		PRStatus status;
- 	    if (!tobject->numInstances || !tobject->instances) continue;
- 	    status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
- 	    if (status == PR_FAILURE) {
- 	    	/* set the outer one but keep going */
- 	    	nssrv = PR_FAILURE;
- 	    }
- 	}
-     }
-     nssPKIObject_Unlock(cobject);
-+    nssPKIObject_Destroy(cobject);
-     NSSRWLock_UnlockRead(td->tokensLock);
-     return nssrv;
- }
- 
- /* CERT_TraversePermCertsForSubject */
- NSS_IMPLEMENT PRStatus
- nssTrustDomain_TraverseCertificatesBySubject (
-   NSSTrustDomain *td,
-diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
---- a/lib/pki/tdcache.c
-+++ b/lib/pki/tdcache.c
-@@ -386,16 +386,17 @@ struct token_cert_dtor {
- 
- static void 
- remove_token_certs(const void *k, void *v, void *a)
- {
-     NSSCertificate *c = (NSSCertificate *)k;
-     nssPKIObject *object = &c->object;
-     struct token_cert_dtor *dtor = a;
-     PRUint32 i;
-+    nssPKIObject_AddRef(object);
-     nssPKIObject_Lock(object);
-     for (i=0; i<object->numInstances; i++) {
- 	if (object->instances[i]->token == dtor->token) {
- 	    nssCryptokiObject_Destroy(object->instances[i]);
- 	    object->instances[i] = object->instances[object->numInstances-1];
- 	    object->instances[object->numInstances-1] = NULL;
- 	    object->numInstances--;
- 	    dtor->certs[dtor->numCerts++] = c;
-@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void *
- 		dtor->certs = nss_ZREALLOCARRAY(dtor->certs, 
- 		                                NSSCertificate *,
- 		                                dtor->arrSize);
- 	    }
- 	    break;
- 	}
-     }
-     nssPKIObject_Unlock(object);
-+    nssPKIObject_Destroy(object);
-     return;
- }
- 
- /* 
-  * Remove all certs for the given token from the cache.  This is
-  * needed if the token is removed. 
-  */
- NSS_IMPLEMENT PRStatus
diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert
new file mode 100644
index 0000000..dae0196
Binary files /dev/null and b/SOURCES/PayPalRootCA.cert differ
diff --git a/SOURCES/certutil-man-supply-missing-options.patch b/SOURCES/certutil-man-supply-missing-options.patch
deleted file mode 100644
index 14bf738..0000000
--- a/SOURCES/certutil-man-supply-missing-options.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-diff -up ./nss/doc/certutil.xml.missing_options ./nss/doc/certutil.xml
---- ./nss/doc/certutil.xml.missing_options	2014-11-25 10:14:22.068846717 -0800
-+++ ./nss/doc/certutil.xml	2014-11-25 10:17:49.810974243 -0800
-@@ -204,6 +204,11 @@ If this option is not used, the validity
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--dump-ext-val OID </term>
-+        <listitem><para>For single cert, print binary DER encoding of extension OID.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-e </term>
-         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
-       </varlistentry>
-@@ -214,6 +219,26 @@ If this option is not used, the validity
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </term>
-+        <listitem>
-+          <para>
-+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
-+           </para>
-+	<itemizedlist>
-+	<listitem>
-+<para>OID (example): 1.2.3.4</para>
-+	</listitem>
-+	<listitem>
-+<para>critical-flag: critical or not-critical</para>
-+	</listitem>
-+	<listitem>
-+<para>filename: full path to a file containing an encoded extension</para>
-+	</listitem>
-+	</itemizedlist>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-f password-file</term>
-         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
-  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
-@@ -376,6 +401,15 @@ of the attribute codes:
- <para><command>V</command> (as an SSL server)</para>
- 	</listitem>
- 	<listitem>
-+<para><command>L</command> (as an SSL CA)</para>
-+	</listitem>
-+	<listitem>
-+<para><command>A</command> (as Any CA)</para>
-+	</listitem>
-+	<listitem>
-+<para><command>Y</command> (Verify CA)</para>
-+	</listitem>
-+	<listitem>
- <para><command>S</command> (as an email signer)</para>
- 	</listitem>
- 	<listitem>
-@@ -649,6 +683,17 @@ of the attribute codes:
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--extSAN type:name[,type:name]...</term>
-+        <listitem><para>
-+Create a Subject Alt Name extension with one or multiple names.
-+          </para>
-+          <para>
-+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
-+        </para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>--empty-password</term>
-         <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
-       </varlistentry>
diff --git a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
deleted file mode 100644
index ec7d6c8..0000000
--- a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h
---- ./nss/lib/certdb/certi.h.1034409	2014-01-03 11:59:10.000000000 -0800
-+++ ./nss/lib/certdb/certi.h	2014-02-20 08:46:10.345136599 -0800
-@@ -116,11 +116,16 @@ struct CRLDPCacheStr {
- #else
-     PRLock* lock;
- #endif
--    CERTCertificate* issuer;    /* issuer cert
--                                   XXX there may be multiple issuer certs,
--                                       with different validity dates. Also
--                                       need to deal with SKID/AKID . See
--                                       bugzilla 217387, 233118 */
-+    SECItem *issuerDERCert;    /* issuer DER cert. Don't hold a reference
-+				  to the actual cert so the trust can be
-+				  updated on the cert automatically.
-+				  XXX there may be multiple issuer certs,
-+				  with different validity dates. Also
-+				  need to deal with SKID/AKID . See
-+				  bugzilla 217387, 233118 */
-+
-+    CERTCertDBHandle *dbHandle;
-+
-     SECItem* subject;           /* DER of issuer subject */
-     SECItem* distributionPoint; /* DER of distribution point. This may be
-                                    NULL when distribution points aren't
-@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr {
-     NSSRWLock* lock;
-     CRLDPCache** dps;
-     PLHashTable* distributionpoints;
--    CERTCertificate* issuer;
-+    CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */
- #endif
- };
- 
-diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c
---- ./nss/lib/certdb/crl.c.1034409	2014-01-03 11:59:10.000000000 -0800
-+++ ./nss/lib/certdb/crl.c	2014-02-20 08:49:30.835466687 -0800
-@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa
- 	PORT_Free(cache->crls);
-     }
-     /* destroy the cert */
--    if (cache->issuer)
-+    if (cache->issuerDERCert)
-     {
--        CERT_DestroyCertificate(cache->issuer);
-+        SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
-     }
-     /* free the subject */
-     if (cache->subject)
-@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
-     else
-     {
-         SECStatus signstatus = SECFailure;
--        if (cache->issuer)
-+        if (cache->issuerDERCert)
-         {
--            signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
-+	    CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
-+		cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
-+
-+	    if (issuer) {
-+                signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
-                                         wincx);
-+		CERT_DestroyCertificate(issuer);
-+	    }
-         }
-         if (SECSuccess != signstatus)
-         {
--            if (!cache->issuer)
-+            if (!cache->issuerDERCert)
-             {
-                 /* we tried to verify without an issuer cert . This is
-                    because this CRL came through a call to SEC_FindCrlByName.
-@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
-     }
- 
-     /* add issuer certificate if it was previously unavailable */
--    if (issuer && (NULL == cache->issuer) &&
-+    if (issuer && (NULL == cache->issuerDERCert) &&
-         (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
-     {
-         /* if we didn't have a valid issuer cert yet, but we do now. add it */
-         DPCache_LockWrite();
--        if (!cache->issuer)
-+        if (!cache->issuerDERCert)
-         {
-             dirty = PR_TRUE;
--            cache->issuer = CERT_DupCertificate(issuer);    
-+	    cache->dbHandle = issuer->dbhandle;
-+    	    cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
-         }
-         DPCache_UnlockWrite();
-     }
-@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
-        SEC_FindCrlByName, or through manual insertion, rather than through a
-        certificate verification (CERT_CheckCRL) */
- 
--    if (cache->issuer && vfdate )
-+    if (cache->issuerDERCert && vfdate )
-     {
- 	mustunlock = PR_FALSE;
-         /* re-process all unverified CRLs */
-@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
-     }
-     if (issuer)
-     {
--        cache->issuer = CERT_DupCertificate(issuer);
-+	cache->dbHandle = issuer->dbhandle;
-+    	cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
-     }
-     cache->distributionPoint = SECITEM_DupItem(dp);
-     cache->subject = SECITEM_DupItem(subject);
-diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh
---- ./nss/tests/chains/chains.sh.1034409	2014-02-20 08:16:34.867686934 -0800
-+++ ./nss/tests/chains/chains.sh	2014-02-20 08:34:35.149603340 -0800
-@@ -974,6 +974,7 @@ check_ocsp()
-     OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
-     OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
- 
-+    echo "Cert = ${CERT_NICK}.cert"
-     echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
-     tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
-     return $?
diff --git a/SOURCES/expired-cert.patch b/SOURCES/expired-cert.patch
new file mode 100644
index 0000000..2754190
--- /dev/null
+++ b/SOURCES/expired-cert.patch
@@ -0,0 +1,28 @@
+diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
+--- a/tests/chains/scenarios/realcerts.cfg
++++ b/tests/chains/scenarios/realcerts.cfg
+@@ -16,14 +16,14 @@ import BrAirWaysBadSig:x:
+ 
+ verify TestUser50:x
+   result pass
+ 
+ verify TestUser51:x
+   result pass
+ 
+ verify PayPalEE:x
+-  policy OID.2.16.840.1.113733.1.7.23.6 
++  policy OID.2.16.840.1.114412.1.1 
+   result pass
+ 
+ verify BrAirWaysBadSig:x
+   result fail
+ 
+diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
+--- a/tests/libpkix/vfychain_test.lst
++++ b/tests/libpkix/vfychain_test.lst
+@@ -1,4 +1,4 @@
+ # Status | Leaf Cert | Policies | Others(undef)
+ 0 TestUser50 undef
+ 0 TestUser51 undef
+-0 PayPalEE OID.2.16.840.1.113733.1.7.23.6
++0 PayPalEE OID.2.16.840.1.114412.1.1
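Review bot: The new patch file carries no description of why the policy OID expected for the PayPalEE scenario changes, and the filename `expired-cert.patch` does not say so either, so the next rebase has nothing to go on. Text before the first `diff --git` line is ignored by `patch` and `git apply`, so a one-line preamble costs nothing; something like `PayPalEE test certificate replaced (see .nss.metadata); the replacement chain asserts policy OID 2.16.840.1.114412.1.1 instead of 2.16.840.1.113733.1.7.23.6` would do, assuming the hash change to SOURCES/PayPalEE.cert in .nss.metadata is indeed the reason.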
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index ba9cb71..6e03b38 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -9,6 +9,18 @@ diff -up ./nss/cmd/bltest/Makefile.iquote ./nss/cmd/bltest/Makefile
  
  
  #######################################################################
+diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
+--- ./nss/cmd/certutil/Makefile.iquote	2015-03-25 15:52:30.276938803 -0700
++++ ./nss/cmd/certutil/Makefile	2015-03-25 15:53:53.044536721 -0700
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ 
+ #######################################################################
 diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
 --- ./nss/cmd/httpserv/Makefile.iquote	2014-01-18 11:33:15.058108851 -0800
 +++ ./nss/cmd/httpserv/Makefile	2014-01-18 11:34:08.913478276 -0800
diff --git a/SOURCES/nss-3.16-tcache-race.patch b/SOURCES/nss-3.16-tcache-race.patch
deleted file mode 100644
index 8bbb329..0000000
--- a/SOURCES/nss-3.16-tcache-race.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -up ./nss/lib/pki/tdcache.c.race ./nss/lib/pki/tdcache.c
---- ./nss/lib/pki/tdcache.c.race	2014-12-18 15:39:42.975354956 -0800
-+++ ./nss/lib/pki/tdcache.c	2014-12-18 15:42:33.934201074 -0800
-@@ -399,6 +399,8 @@ remove_token_certs(const void *k, void *
- 	    object->instances[i] = object->instances[object->numInstances-1];
- 	    object->instances[object->numInstances-1] = NULL;
- 	    object->numInstances--;
-+	    /* make sure id doesn't disappear on us before we finish */
-+	    nssPKIObject_AddRef(object);
- 	    dtor->certs[dtor->numCerts++] = c;
- 	    if (dtor->numCerts == dtor->arrSize) {
- 		dtor->arrSize *= 2;
-@@ -441,13 +443,15 @@ nssTrustDomain_RemoveTokenCertsFromCache
-     for (i=0; i<dtor.numCerts; i++) {
- 	if (dtor.certs[i]->object.numInstances == 0) {
- 	    nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
-+	    nssPKIObject_Destroy(&dtor.certs[i]->object);
- 	    dtor.certs[i] = NULL;  /* skip this cert in the second for loop */
--	}
-+	} 
-     }
-     PZ_Unlock(td->cache->lock);
-     for (i=0; i<dtor.numCerts; i++) {
- 	if (dtor.certs[i]) {
- 	    STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
-+	    nssPKIObject_Destroy(&dtor.certs[i]->object);
- 	}
-     }
-     nss_ZFreeIf(dtor.certs);
diff --git a/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch
new file mode 100644
index 0000000..3e95d9b
--- /dev/null
+++ b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch
@@ -0,0 +1,326 @@
+diff -up ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 ./nss/lib/ckfw/builtins/certdata.txt
+--- ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4	2015-03-17 00:03:37.000000000 +0100
++++ ./nss/lib/ckfw/builtins/certdata.txt	2015-04-23 18:49:24.536940322 +0200
+@@ -187,9 +187,9 @@ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\004\065\336\364\317
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
+@@ -17341,149 +17341,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-#
+-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
+-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Not Valid Before: Thu Jan 04 11:32:48 2007
+-# Not Valid After : Wed Jan 04 11:32:48 2017
+-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
+-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
+-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
+-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
+-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
+-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
+-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
+-\141\171\151\143\151\163\151
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
+-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
+-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
+-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
+-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
+-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
+-\141\171\151\143\151\163\151
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
+-\254\265
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\003\266\060\202\002\236\240\003\002\001\002\002\020\104
+-\231\215\074\300\003\047\275\234\166\225\271\352\333\254\265\060
+-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\165
+-\061\013\060\011\006\003\125\004\006\023\002\124\122\061\050\060
+-\046\006\003\125\004\012\023\037\105\154\145\153\164\162\157\156
+-\151\153\040\102\151\154\147\151\040\107\165\166\145\156\154\151
+-\147\151\040\101\056\123\056\061\074\060\072\006\003\125\004\003
+-\023\063\145\055\107\165\166\145\156\040\113\157\153\040\105\154
+-\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
+-\153\141\040\110\151\172\155\145\164\040\123\141\147\154\141\171
+-\151\143\151\163\151\060\036\027\015\060\067\060\061\060\064\061
+-\061\063\062\064\070\132\027\015\061\067\060\061\060\064\061\061
+-\063\062\064\070\132\060\165\061\013\060\011\006\003\125\004\006
+-\023\002\124\122\061\050\060\046\006\003\125\004\012\023\037\105
+-\154\145\153\164\162\157\156\151\153\040\102\151\154\147\151\040
+-\107\165\166\145\156\154\151\147\151\040\101\056\123\056\061\074
+-\060\072\006\003\125\004\003\023\063\145\055\107\165\166\145\156
+-\040\113\157\153\040\105\154\145\153\164\162\157\156\151\153\040
+-\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145\164
+-\040\123\141\147\154\141\171\151\143\151\163\151\060\202\001\042
+-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+-\202\001\017\000\060\202\001\012\002\202\001\001\000\303\022\040
+-\236\260\136\000\145\215\116\106\273\200\134\351\054\006\227\325
+-\363\162\311\160\271\347\113\145\200\301\113\276\176\074\327\124
+-\061\224\336\325\022\272\123\026\002\352\130\143\357\133\330\363
+-\355\052\032\252\161\110\243\334\020\055\137\137\353\134\113\234
+-\226\010\102\045\050\021\314\212\132\142\001\120\325\353\011\123
+-\057\370\303\217\376\263\374\375\235\242\343\137\175\276\355\013
+-\340\140\353\151\354\063\355\330\215\373\022\111\203\000\311\213
+-\227\214\073\163\052\062\263\022\367\271\115\362\364\115\155\307
+-\346\326\046\067\010\362\331\375\153\134\243\345\110\134\130\274
+-\102\276\003\132\201\272\034\065\014\000\323\365\043\176\161\060
+-\010\046\070\334\045\021\107\055\363\272\043\020\245\277\274\002
+-\367\103\136\307\376\260\067\120\231\173\017\223\316\346\103\054
+-\303\176\015\362\034\103\146\140\313\141\061\107\207\243\117\256
+-\275\126\154\114\274\274\370\005\312\144\364\351\064\241\054\265
+-\163\341\302\076\350\310\311\064\045\010\134\363\355\246\307\224
+-\237\255\210\103\045\327\341\071\140\376\254\071\131\002\003\001
+-\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
+-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
+-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
+-\004\024\237\356\104\263\224\325\372\221\117\056\331\125\232\004
+-\126\333\055\304\333\245\060\015\006\011\052\206\110\206\367\015
+-\001\001\005\005\000\003\202\001\001\000\177\137\271\123\133\143
+-\075\165\062\347\372\304\164\032\313\106\337\106\151\034\122\317
+-\252\117\302\150\353\377\200\251\121\350\075\142\167\211\075\012
+-\165\071\361\156\135\027\207\157\150\005\301\224\154\331\135\337
+-\332\262\131\313\245\020\212\312\314\071\315\237\353\116\336\122
+-\377\014\360\364\222\251\362\154\123\253\233\322\107\240\037\164
+-\367\233\232\361\057\025\237\172\144\060\030\007\074\052\017\147
+-\312\374\017\211\141\235\145\245\074\345\274\023\133\010\333\343
+-\377\355\273\006\273\152\006\261\172\117\145\306\202\375\036\234
+-\213\265\015\356\110\273\270\275\252\010\264\373\243\174\313\237
+-\315\220\166\134\206\226\170\127\012\146\371\130\032\235\375\227
+-\051\140\336\021\246\220\034\031\034\356\001\226\042\064\064\056
+-\221\371\267\304\047\321\173\346\277\373\200\104\132\026\345\353
+-\340\324\012\070\274\344\221\343\325\353\134\301\254\337\033\152
+-\174\236\345\165\322\266\227\207\333\314\207\053\103\072\204\010
+-\257\253\074\333\367\074\146\061\206\260\235\123\171\355\370\043
+-\336\102\343\055\202\361\017\345\372\227
+-END
+-
+-# Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
+-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Not Valid Before: Thu Jan 04 11:32:48 2007
+-# Not Valid After : Wed Jan 04 11:32:48 2017
+-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
+-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\335\341\322\251\001\200\056\035\207\136\204\263\200\176\113\261
+-\375\231\101\064
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\075\101\051\313\036\252\021\164\315\135\260\142\257\260\103\133
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
+-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
+-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
+-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
+-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
+-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
+-\141\171\151\143\151\163\151
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
+-\254\265
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "GlobalSign Root CA - R3"
+ #
+ # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+@@ -31590,3 +31447,146 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_T
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Explicitly Distrusted MCSHOLDING CA"
++#
++# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Serial Number: 1228079246 (0x4933008e)
++# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG
++# Not Valid Before: Thu Mar 19 06:20:09 2015
++# Not Valid After : Fri Apr 03 06:20:09 2015
++# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61
++# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\074\061\013\060\011\006\003\125\004\006\023\002\105\107\061
++\023\060\021\006\003\125\004\012\014\012\115\103\123\110\117\114
++\104\111\116\107\061\030\060\026\006\003\125\004\003\014\017\115
++\103\123\110\117\114\104\111\116\107\040\124\105\123\124
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
++\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
++\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\111\063\000\216
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\222\060\202\003\172\240\003\002\001\002\002\004\111
++\063\000\216\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103
++\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111
++\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111
++\103\040\122\117\117\124\060\036\027\015\061\065\060\063\061\071
++\060\066\062\060\060\071\132\027\015\061\065\060\064\060\063\060
++\066\062\060\060\071\132\060\074\061\013\060\011\006\003\125\004
++\006\023\002\105\107\061\023\060\021\006\003\125\004\012\014\012
++\115\103\123\110\117\114\104\111\116\107\061\030\060\026\006\003
++\125\004\003\014\017\115\103\123\110\117\114\104\111\116\107\040
++\124\105\123\124\060\202\001\042\060\015\006\011\052\206\110\206
++\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
++\002\202\001\001\000\245\371\165\014\006\256\356\014\021\315\226
++\063\115\153\316\300\112\014\075\135\353\322\113\011\177\347\107
++\054\254\161\000\371\010\257\064\361\243\152\307\374\346\253\316
++\320\276\312\315\052\230\230\271\320\216\063\111\007\141\040\321
++\132\064\316\203\024\006\171\216\032\277\333\344\240\070\072\356
++\224\271\243\240\130\072\211\024\254\140\076\003\324\307\315\073
++\034\260\232\210\032\111\020\251\260\262\375\345\350\341\004\342
++\352\202\155\376\014\121\105\221\255\165\042\256\377\117\220\013
++\300\123\145\167\076\036\302\126\265\066\306\326\205\314\016\203
++\032\063\037\166\231\133\053\227\053\213\327\321\024\025\114\235
++\131\327\200\057\244\242\205\325\210\066\002\140\125\312\130\337
++\223\374\112\142\007\226\323\304\372\277\215\001\047\227\057\246
++\134\164\361\072\102\156\135\171\024\060\061\032\074\331\262\127
++\115\340\270\077\017\151\061\242\235\145\231\331\326\061\207\265
++\230\046\337\360\313\273\025\300\044\023\142\122\032\153\313\105
++\007\227\343\304\224\136\311\015\107\054\351\317\351\364\217\376
++\065\341\062\347\061\002\003\001\000\001\243\202\001\244\060\202
++\001\240\060\166\006\010\053\006\001\005\005\007\001\001\004\152
++\060\150\060\051\006\010\053\006\001\005\005\007\060\001\206\035
++\150\164\164\160\072\057\057\157\143\163\160\143\156\156\151\143
++\162\157\157\164\056\143\156\156\151\143\056\143\156\060\073\006
++\010\053\006\001\005\005\007\060\002\206\057\150\164\164\160\072
++\057\057\167\167\167\056\143\156\156\151\143\056\143\156\057\144
++\157\167\156\154\157\141\144\057\143\145\162\164\057\103\116\116
++\111\103\122\117\117\124\056\143\145\162\060\037\006\003\125\035
++\043\004\030\060\026\200\024\145\362\061\255\052\367\367\335\122
++\226\012\307\002\301\016\357\246\325\073\021\060\017\006\003\125
++\035\023\001\001\377\004\005\060\003\001\001\377\060\077\006\003
++\125\035\040\004\070\060\066\060\064\006\012\053\006\001\004\001
++\201\351\014\001\006\060\046\060\044\006\010\053\006\001\005\005
++\007\002\001\026\030\150\164\164\160\072\057\057\167\167\167\056
++\143\156\156\151\143\056\143\156\057\143\160\163\057\060\201\206
++\006\003\125\035\037\004\177\060\175\060\102\240\100\240\076\244
++\074\060\072\061\013\060\011\006\003\125\004\006\023\002\103\116
++\061\016\060\014\006\003\125\004\012\014\005\103\116\116\111\103
++\061\014\060\012\006\003\125\004\013\014\003\143\162\154\061\015
++\060\013\006\003\125\004\003\014\004\143\162\154\061\060\067\240
++\065\240\063\206\061\150\164\164\160\072\057\057\143\162\154\056
++\143\156\156\151\143\056\143\156\057\144\157\167\156\154\157\141
++\144\057\162\157\157\164\163\150\141\062\143\162\154\057\103\122
++\114\061\056\143\162\154\060\013\006\003\125\035\017\004\004\003
++\002\001\006\060\035\006\003\125\035\016\004\026\004\024\104\244
++\211\253\024\137\075\157\040\074\252\174\372\031\256\364\110\140
++\005\265\060\015\006\011\052\206\110\206\367\015\001\001\013\005
++\000\003\202\001\001\000\134\264\365\123\233\117\271\340\204\211
++\061\276\236\056\352\236\041\113\245\217\155\241\246\363\057\110
++\353\351\333\255\036\061\200\320\171\073\020\357\232\044\367\223
++\033\065\363\032\302\307\302\054\012\177\157\133\361\137\163\221
++\004\373\015\171\015\351\032\006\326\203\375\116\140\235\154\222
++\103\114\352\144\230\104\253\327\373\107\320\257\037\144\114\342
++\335\167\150\026\302\054\241\240\201\227\000\102\037\176\040\170
++\350\306\120\035\013\177\025\223\131\130\100\024\204\360\247\220
++\153\066\005\147\352\177\042\155\273\321\245\046\115\263\060\244
++\130\324\133\265\032\214\120\214\270\015\341\240\007\263\017\130
++\316\327\005\265\175\065\171\157\242\333\014\000\052\150\044\214
++\176\234\301\166\111\272\174\146\021\336\362\107\316\376\320\316
++\125\276\010\332\362\171\046\052\025\071\316\153\030\246\337\330
++\207\050\231\224\016\055\150\241\232\316\122\066\234\053\354\264
++\150\263\154\025\254\313\160\102\362\304\101\245\310\374\041\170
++\123\167\062\040\251\041\114\162\342\323\262\311\166\033\030\130
++\102\013\102\222\263\344
++END
++
++# Distrust "Explicitly Distrusted MCSHOLDING CA"
++# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Serial Number: 1228079246 (0x4933008e)
++# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG
++# Not Valid Before: Thu Mar 19 06:20:09 2015
++# Not Valid After : Fri Apr 03 06:20:09 2015
++# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61
++# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\341\363\131\036\166\230\145\304\344\107\254\303\176\257\311\342
++\277\344\305\166
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\366\212\253\024\076\326\060\045\267\111\015\167\205\160\231\313
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
++\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
++\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\111\063\000\216
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+diff -up ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 ./nss/lib/ckfw/builtins/nssckbi.h
+--- ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4	2015-03-17 00:03:37.000000000 +0100
++++ ./nss/lib/ckfw/builtins/nssckbi.h	2015-04-23 18:49:24.575939481 +0200
+@@ -45,8 +45,8 @@
+  * of the comment in the CK_VERSION type definition.
+  */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 3
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.3"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4
++#define NSS_BUILTINS_LIBRARY_VERSION "2.4"
+ 
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
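Review bot: The first certdata.txt hunk (the `@@ -187,9 +187,9 @@` block) raises CKA_TRUST_SERVER_AUTH and CKA_TRUST_CODE_SIGNING from CKT_NSS_MUST_VERIFY_TRUST to CKT_NSS_TRUSTED_DELEGATOR for a certificate whose label and issuer lie outside the hunk's context, so the only identification of the CA gaining root trust is the serial `\002\004\065\336\364\317`. Because that part of the patch widens trust rather than narrowing it, the package should record which CA it is and why; the Patch91 comment in nss.spec currently says only that the list moves to 2.4, and a fuller comment such as `# Root CA list 2.3 -> 2.4 from NSS 3.18.1: removes E-Guven, adds the explicitly distrusted MCSHOLDING entry, and grants server-auth/code-signing trust to <CA name - confirm from certdata.txt> (upstream bug <bug id>)` would make the trust grant auditable from the package alone. The E-Guven removal and the MCSHOLDING entry with all bits CKT_NSS_NOT_TRUSTED are distrust changes and need no more than the upstream reference.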
diff --git a/SOURCES/nss-646045.patch b/SOURCES/nss-646045.patch
index 33b80fe..765f25e 100644
--- a/SOURCES/nss-646045.patch
+++ b/SOURCES/nss-646045.patch
@@ -1,34 +1,34 @@
-diff -up nss/tests/dbtests/dbtests.sh.646045 nss/tests/dbtests/dbtests.sh
---- nss/tests/dbtests/dbtests.sh.646045	2013-04-04 13:31:55.000000000 -0700
-+++ nss/tests/dbtests/dbtests.sh	2013-04-04 15:57:46.298127149 -0700
-@@ -168,6 +168,9 @@ dbtest_main()
+diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
+--- a/tests/dbtests/dbtests.sh
++++ b/tests/dbtests/dbtests.sh
+@@ -165,28 +165,28 @@ dbtest_main()
+     # opens immediately see the files are readonly.  As a
+     # workaround we open the files once first.  (Bug 185074)
+     if [ "${OS_ARCH}" = "Darwin" ]; then
          cat $RONLY_DIR/* > /dev/null
      fi
  
-+    # skipping the next two tests when user is root,
-+    # otherwise they would fail due to rooty powers
-+    if [[ $EUID -ne 0 ]] then
-     ${BINDIR}/dbtest -d $RONLY_DIR
+     # skipping the next two tests when user is root,
+     # otherwise they would fail due to rooty powers
+-    if [ $UID -ne 0 ]; then
++    if [[ $UID -ne 0 ]]; then
+       ${BINDIR}/dbtest -d $RONLY_DIR
      ret=$?
      if [ $ret -ne 46 ]; then
-@@ -175,6 +178,10 @@ dbtest_main()
+       html_failed "Dbtest r/w succeeded in a readonly directory $ret"
      else
        html_passed "Dbtest r/w didn't work in an readonly dir $ret" 
      fi
-+    else
-+      html_passed "Skipping Dbtest r/w in a readonly dir because user is root" 
-+    fi
-+    if [[ $EUID -ne 0 ]] then
-     ${BINDIR}/certutil -D -n "TestUser" -d .
+     else
+       html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+     fi
+-    if [ $UID -ne 0 ]; then
++    if [[ $UID -ne 0 ]]; then
+       ${BINDIR}/certutil -D -n "TestUser" -d .
      ret=$?
      if [ $ret -ne 255 ]; then
-@@ -182,6 +189,9 @@ dbtest_main()
+       html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret"
      else
-         html_passed "Certutil didn't work in an readonly dir $ret"
+       html_passed "Certutil didn't work in an readonly dir $ret"
      fi
-+    else
-+      html_passed "Skipping Certutil delete cert in an readonly directory test because user is root" 
-+    fi
-     
-     Echo "test opening the database ronly in a readonly directory"
- 
+     else
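Review bot: The new side's `if [[ $UID -ne 0 ]]; then` (both occurrences in this hunk) ties dbtests.sh to bash, and `$UID` is a bash-provided variable that is unset under other shells and holds the real rather than the effective uid, so the "rooty powers" the comment describes are not exactly what is tested. A form that checks the effective uid, works in any POSIX shell and does not depend on a shell-provided variable is `if [ "$(id -u)" -ne 0 ]; then` in both places. The enclosing dbtest_main() starts before this hunk, so whether the script is always run under bash cannot be confirmed from here.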
diff --git a/SOURCES/nss-revert-tls-version-defaults.patch b/SOURCES/nss-revert-tls-version-defaults.patch
new file mode 100644
index 0000000..f24e91c
--- /dev/null
+++ b/SOURCES/nss-revert-tls-version-defaults.patch
@@ -0,0 +1,37 @@
+
+# HG changeset patch
+# User Martin Thomson <martin.thomson@gmail.com>
+# Date 1425582301 -3600
+# Node ID 3c8e2b57803654f9cc74a37132d72fd0b8a59db5
+# Parent  ad602a80ac1013dcd8b7508e0f8474d81e447d4a
+Bug 1083900, Enable TLS 1.2 in the default NSS configuration, r=rrelyea
+
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
+     PR_FALSE    /* enableFallbackSCSV */
+ };
+ 
+ /*
+  * default range of enabled SSL/TLS protocols
+  */
+ static SSLVersionRange versions_defaults_stream = {
+     SSL_LIBRARY_VERSION_3_0,
+-    SSL_LIBRARY_VERSION_TLS_1_0
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ static SSLVersionRange versions_defaults_datagram = {
+     SSL_LIBRARY_VERSION_TLS_1_1,
+-    SSL_LIBRARY_VERSION_TLS_1_1
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ #define VERSIONS_DEFAULTS(variant) \
+     (variant == ssl_variant_stream ? &versions_defaults_stream : \
+                                      &versions_defaults_datagram)
+ 
+ sslSessionIDLookupFunc  ssl_sid_lookup;
+ sslSessionIDCacheFunc   ssl_sid_cache;
+
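Review bot: Nothing in this new patch file records that nss.spec applies it reversed (`%patch98 -p1 -R`), so a reader of SOURCES/ sees an upstream change enabling TLS 1.2 while the package's actual effect is the opposite: versions_defaults_stream stays at SSL_LIBRARY_VERSION_TLS_1_0 and versions_defaults_datagram at SSL_LIBRARY_VERSION_TLS_1_1 as maximum, which caps every application that relies on library defaults at those versions. That is a deliberate compatibility choice, but it belongs where the patch lives; a preamble line such as `# NOTE: applied with -R by nss.spec to keep the previous default max versions (TLS 1.0 stream / TLS 1.1 datagram); drop once consumers can move to TLS 1.2` states the intent, and the Patch98 comment in nss.spec should say the same rather than only "keep the TLS protocol versions that are enabled by default". The trailing empty `+` line at the end of the file can be dropped.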
diff --git a/SOURCES/p-1083360.patch b/SOURCES/p-1083360.patch
deleted file mode 100644
index ed8c3d4..0000000
--- a/SOURCES/p-1083360.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-diff --git a/cmd/ssltap/ssltap.c b/cmd/ssltap/ssltap.c
---- a/cmd/ssltap/ssltap.c
-+++ b/cmd/ssltap/ssltap.c
-@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int)
-   case 0x000098:    cs_str = "TLS/DH-RSA/SEED-CBC/SHA";		break;      
-   case 0x000099:    cs_str = "TLS/DHE-DSS/SEED-CBC/SHA";	break;     
-   case 0x00009A:    cs_str = "TLS/DHE-RSA/SEED-CBC/SHA";	break;     
-   case 0x00009B:    cs_str = "TLS/DH-ANON/SEED-CBC/SHA";	break;     
-   case 0x00009C:    cs_str = "TLS/RSA/AES128-GCM/SHA256";	break;     
-   case 0x00009E:    cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256";	break;     
- 
-   case 0x0000FF:    cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break;
-+  case 0x005600:    cs_str = "TLS_FALLBACK_SCSV"; break;
- 
-   case 0x00C001:    cs_str = "TLS/ECDH-ECDSA/NULL/SHA";         break;
-   case 0x00C002:    cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA";      break;
-   case 0x00C003:    cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
-   case 0x00C004:    cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA";   break;
-   case 0x00C005:    cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA";   break;
-   case 0x00C006:    cs_str = "TLS/ECDHE-ECDSA/NULL/SHA";        break;
-   case 0x00C007:    cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA";     break;
-diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
---- a/cmd/tstclnt/tstclnt.c
-+++ b/cmd/tstclnt/tstclnt.c
-@@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void *
-     }
- }
- 
- static void PrintUsageHeader(const char *progName)
- {
-     fprintf(stderr, 
- "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
-                     "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
--                    "[-V [min-version]:[max-version]] [-T]\n"
-+                    "[-V [min-version]:[max-version]] [-K] [-T]\n"
-                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
-             progName);
- }
- 
- static void PrintParameterUsage(void)
- {
-     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
-                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
-@@ -201,16 +201,17 @@ static void PrintParameterUsage(void)
-     fprintf(stderr, 
-             "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
-     fprintf(stderr, 
-             "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
-             "%-20s All versions are enabled by default.\n"
-             "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
-             "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
-             "-V [min]:[max]", "", "", "");
-+    fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
-     fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
-     fprintf(stderr, "%-20s Client speaks first. \n", "-f");
-     fprintf(stderr, "%-20s Use synchronous certificate validation "
-                     "(required for SSL2)\n", "-O");
-     fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
-     fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
-     fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
-     fprintf(stderr, "%-20s Use export policy.\n", "-x");
-@@ -802,16 +803,17 @@ int main(int argc, char **argv)
-     PRBool             enableSSL2 = PR_TRUE;
-     int                bypassPKCS11 = 0;
-     int                disableLocking = 0;
-     int                useExportPolicy = 0;
-     int                enableSessionTickets = 0;
-     int                enableCompression = 0;
-     int                enableFalseStart = 0;
-     int                enableCertStatus = 0;
-+    int                forceFallbackSCSV = 0;
-     PRSocketOptionData opt;
-     PRNetAddr          addr;
-     PRPollDesc         pollset[2];
-     PRBool             allowIPv4 = PR_TRUE;
-     PRBool             allowIPv6 = PR_TRUE;
-     PRBool             pingServerFirst = PR_FALSE;
-     int                pingTimeoutSeconds = -1;
-     PRBool             clientSpeaksFirst = PR_FALSE;
-@@ -847,17 +849,17 @@ int main(int argc, char **argv)
-        if (sec > 0) {
-            maxInterval = PR_SecondsToInterval(sec);
-        }
-     }
- 
-     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
- 
-     optstate = PL_CreateOptState(argc, argv,
--                                 "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
-+                                 "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
-     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
- 	switch (optstate->option) {
- 	  case '?':
- 	  default : Usage(progName); 			break;
- 
-           case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
-           case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
- 
-@@ -869,16 +871,18 @@ int main(int argc, char **argv)
-                     }
-                     serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
-                     break;
- 
- 	  case 'I': /* reserved for OCSP multi-stapling */ break;
- 
-           case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
- 
-+          case 'K': forceFallbackSCSV = PR_TRUE; break;
-+
-           case 'M': switch (atoi(optstate->value)) {
-                       case 1:
-                           serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
-                           serverCertAuth.allowCRLSideChannelData = PR_FALSE;
-                           break;
-                       case 2:
-                           serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
-                           serverCertAuth.allowCRLSideChannelData = PR_TRUE;
-@@ -1213,16 +1216,24 @@ int main(int argc, char **argv)
- 
-     /* enable false start. */
-     rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
-     if (rv != SECSuccess) {
- 	SECU_PrintError(progName, "error enabling false start");
- 	return 1;
-     }
- 
-+    if (forceFallbackSCSV) {
-+        rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
-+        if (rv != SECSuccess) {
-+            SECU_PrintError(progName, "error forcing fallback scsv");
-+            return 1;
-+        }
-+    }
-+
-     /* enable cert status (OCSP stapling). */
-     rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
-     if (rv != SECSuccess) {
-         SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
-         return 1;
-     }
- 
-     SSL_SetPKCS11PinArg(s, &pwdata);
diff --git a/SOURCES/syntaxfix.patch b/SOURCES/syntaxfix.patch
new file mode 100644
index 0000000..91603a4
--- /dev/null
+++ b/SOURCES/syntaxfix.patch
@@ -0,0 +1,22 @@
+diff --git a/tests/all.sh b/tests/all.sh
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -297,17 +297,17 @@ fi
+ 
+ # NOTE:
+ # Since in make at the top level, modutil is the last file
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the 
+ # following test for modutil should check for that instead.
+ # Exception: when building softoken only, shlibsign is the
+ # last file created.
+-if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
+   LAST_FILE_BUILT=shlibsign
+ else
+   LAST_FILE_BUILT=modutil
+ fi
+ 
+ if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
+     echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+     html_head "Testing Initialization"
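Review bot: Quoting `"${NSS_BUILD_SOFTOKEN_ONLY}"` fixes the `[ = "1" ]` syntax error when the variable is unset, but the test two lines below, `if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then`, leaves the same class of expansion unquoted and would break the same way if any of those values contained whitespace. Since this patch exists to fix that quoting pattern, changing that line to `if [ ! -f "${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX}" ]; then` keeps the fix consistent; the rest of all.sh is outside the hunk, so other occurrences cannot be checked here.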
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 0a233c4..e7ec2d8 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,5 +1,5 @@
-%global nspr_version 4.10.6
-%global nss_util_version 3.16.2.3
+%global nspr_version 4.10.8
+%global nss_util_version 3.18.0
 # adjust to the version that gets submitted for FIPS validation
 %global nss_softokn_fips_version 3.16.2
 %global nss_softokn_version 3.16.2.3
@@ -20,8 +20,8 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.16.2.3
-Release:          5%{?dist}
+Version:          3.18.0
+Release:          2.2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -71,6 +71,8 @@ Source24:         cert9.db.xml
 Source25:         key3.db.xml
 Source26:         key4.db.xml
 Source27:         secmod.db.xml
+Source30:         PayPalRootCA.cert
+Source31:         PayPalICA.cert
 
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
@@ -98,18 +100,14 @@ Patch53:          Bug-1001841-disable-sslv2-tests.patch
 Patch55:          enable-fips-when-system-is-in-fips-mode.patch
 # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
 Patch56:          p-ignore-setpolicy.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
-Patch62:          dont-hold-issuer-cert-handles-in-crl-cache.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
-Patch64: Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083360
-# support TLS_FALLBACK_SCSV in tstclnt and ssltap
-Patch88:          p-1083360.patch
-Patch89: certutil-man-supply-missing-options.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1111901
-Patch90:          Bug-1174527-fixsegfault.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
-Patch91:          nss-3.16-tcache-race.patch
+# Update the root CA list to 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+Patch91: nss-3.18.1-ca-2.3-to-2.4.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1151037
+Patch95: expired-cert.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1153994
+Patch96: syntaxfix.patch
+# Patch to keep the TLS protocol versions that are enabled by default
+Patch98: nss-revert-tls-version-defaults.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -184,13 +182,17 @@ low level services.
 %{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
 %{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
 %{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
 %setup -q -T -D -n %{name}-%{version} -a 12
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-%patch18 -p0 -b .646045
+pushd nss
+%patch18 -p1 -b .646045
+popd
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
@@ -203,16 +205,13 @@ pushd nss
 popd
 %patch55 -p0 -b .852023
 %patch56 -p0 -b .1026677
-%patch62 -p0 -b .1034409
+%patch91 -p1 -b .pre-ca-2.4
 pushd nss
-%patch64 -p1 -b .1094468
-%patch88 -p1 -b .support_tls_fallback_scsv
+%patch95 -p1 -b .renewed_paypal_cert
+%patch96 -p1 -b .syntax_fix
+# attention, reverting patch98, keep -R
+%patch98 -p1 -R -b .keep_tls_default
 popd
-%patch89 -p0 -b .missing_options
- pushd nss
-%patch90 -p1 -b .1174527
-popd
-%patch91 -p0 -b .race 
 
 #########################################################
 # Higher-level libraries and test tools need access to
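Review bot: `%patch91 -p1 -b .pre-ca-2.4` is applied from the top-level directory while every other `-p1` patch (18, 95, 96, 98) is applied inside `pushd nss`; unless `nss-3.18.1-ca-2.3-to-2.4.patch` was generated with the `nss/` prefix in its paths, it belongs inside the `pushd nss` block that follows it. The comment `# attention, reverting patch98, keep -R` would read better as a statement of intent, e.g. `# patch98 is applied reversed (-R) on purpose: keep the previous default-enabled TLS version range`, since the consequence of dropping `-R` is a silent change in protocol defaults. The old `%patch91 -p0 -b .race` line is removed here, so the `.race` backups no longer appear; nothing else in the hunk depends on it.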
@@ -457,7 +456,7 @@ pushd ./nss/tests/
 
 #  don't need to run all the tests when testing packaging
 #  nss_cycles: standard pkix upgradedb sharedb
-nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
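Review bot: Turning the shell assignment into `%global nss_tests "..."` changes how the value is consumed: `%global` stores the rest of the line, including the surrounding double quotes, as the macro body, and any shell code further down that still reads `$nss_tests` now sees an unset variable. The lines that use the test list are outside this hunk, so I cannot confirm they were switched to `%{nss_tests}`; please check that every former `$nss_tests` reference was updated and that the quotes in the macro body are what those sites expect. Defining the macro near the top of the spec, rather than in the middle of the `%check` shell body, would also make it clear that it is expanded at parse time and not at the point where it appears.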
@@ -537,7 +536,7 @@ done
 %{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
 %{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
 %{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
-     
+
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
@@ -793,6 +792,21 @@ fi
 
 
 %changelog
+* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.2
+- On RHEL 7.1 keep the TLS version defaults unchanged.
+
+* Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.1
+- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+
+* Fri Apr 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
+- Update and reenable nss-646045.patch on account of the rebase
+- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Tue Apr 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+- Fix shell syntax error on nss/tests/all.sh
+- Replace expired PayPal test certificate that breaks the build
+
 * Mon Jan 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-5
 - Reverse the sense of a test in patch to fix pk12util segfault
 - Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files