diff --git a/.nss.metadata b/.nss.metadata
index d4c0feb..ccb2c1e 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,11 +1,11 @@
+66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 1a4738a7fcc0bca303b47e9a24739637a9ab6640 SOURCES/TestCA.ca.cert
 d63e287dc5d012993221373fe14a8e1dac5eaff7 SOURCES/TestUser51.cert
 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
-69c70f63ccf23ca0761e77085fd1970211cdab1e SOURCES/nss-3.15.2.tar.bz2
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
-59f95324bb4fad179498bf1ddce2ceb0ee245356 SOURCES/nss-pem-20130405.tar.bz2
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 4019f0c1959c2b7102d470821e917e9c02551010 SOURCES/TestUser50.cert
 21774825dc4a9c54ce02b070928a2e72ce5878e7 SOURCES/PayPalEE.cert
+c164fac83fcbaff010786767e2a858ca23a89a5b SOURCES/nss-3.15.4.tar.gz
diff --git a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch b/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch
deleted file mode 100644
index 36fbd9d..0000000
--- a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch
+++ /dev/null
@@ -1,406 +0,0 @@
-From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
-From: Elio Maldonado <emaldona@redhat.com>
-Date: Sat, 9 Feb 2013 17:11:00 -0500
-Subject: [PATCH] Sync up with upstream softokn changes
-
-- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
-- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
-- It now compiles with the NSS_3_14_3_BETA1 source
----
- mozilla/security/nss/lib/ckfw/pem/rsawrapr.c |  338 +++++++-------------------
- 1 files changed, 82 insertions(+), 256 deletions(-)
-
-diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
-index 5ac4f39..3780d30 100644
---- a/nss/lib/ckfw/pem/rsawrapr.c
-+++ b/nss/lib/ckfw/pem/rsawrapr.c
-@@ -46,6 +46,7 @@
- #include "sechash.h"
- #include "base.h"
- 
-+#include "lowkeyi.h"
- #include "secerr.h"
- 
- #define RSA_BLOCK_MIN_PAD_LEN		8
-@@ -54,9 +55,8 @@
- #define RSA_BLOCK_PRIVATE_PAD_OCTET	0xff
- #define RSA_BLOCK_AFTER_PAD_OCTET	0x00
- 
--#define OAEP_SALT_LEN		8
--#define OAEP_PAD_LEN		8
--#define OAEP_PAD_OCTET		0x00
-+/* Needed for RSA-PSS functions */
-+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
- 
- #define FLAT_BUFSIZE 512        /* bytes to hold flattened SHA1Context. */
- 
-@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
-     return 0;
- }
- 
--static SHA1Context *SHA1_CloneContext(SHA1Context * original)
--{
--    SHA1Context *clone = NULL;
--    unsigned char *pBuf;
--    int sha1ContextSize = SHA1_FlattenSize(original);
--    SECStatus frv;
--    unsigned char buf[FLAT_BUFSIZE];
--
--    PORT_Assert(sizeof buf >= sha1ContextSize);
--    if (sizeof buf >= sha1ContextSize) {
--        pBuf = buf;
--    } else {
--        pBuf = nss_ZAlloc(NULL, sha1ContextSize);
--        if (!pBuf)
--            goto done;
--    }
--
--    frv = SHA1_Flatten(original, pBuf);
--    if (frv == SECSuccess) {
--        clone = SHA1_Resurrect(pBuf, NULL);
--        memset(pBuf, 0, sha1ContextSize);
--    }
--  done:
--    if (pBuf != buf)
--        nss_ZFreeIf(pBuf);
--    return clone;
-+/* Constant time comparison of a single byte.
-+ * Returns 1 iff a == b, otherwise returns 0.
-+ * Note: For ranges of bytes, use constantTimeCompare.
-+ */
-+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
-+    unsigned char c = ~(a - b | b - a);
-+    c >>= 7;
-+    return c;
- }
- 
--/*
-- * Modify data by XORing it with a special hash of salt.
-+/* Constant time comparison of a range of bytes.
-+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
-+ * returns 0.
-  */
--static SECStatus
--oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
--                 unsigned char *salt, unsigned int saltlen)
--{
--    SHA1Context *sha1cx;
--    unsigned char *dp, *dataend;
--    unsigned char end_octet;
--
--    sha1cx = SHA1_NewContext();
--    if (sha1cx == NULL) {
--        return SECFailure;
--    }
--
--    /*
--     * Get a hash of salt started; we will use it several times,
--     * adding in a different end octet (x00, x01, x02, ...).
--     */
--    SHA1_Begin(sha1cx);
--    SHA1_Update(sha1cx, salt, saltlen);
--    end_octet = 0;
--
--    dp = data;
--    dataend = data + datalen;
--
--    while (dp < dataend) {
--        SHA1Context *sha1cx_h1;
--        unsigned int sha1len, sha1off;
--        unsigned char sha1[SHA1_LENGTH];
--
--        /*
--         * Create hash of (salt || end_octet)
--         */
--        sha1cx_h1 = SHA1_CloneContext(sha1cx);
--        SHA1_Update(sha1cx_h1, &end_octet, 1);
--        SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
--        SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
--        PORT_Assert(sha1len == SHA1_LENGTH);
--
--        /*
--         * XOR that hash with the data.
--         * When we have fewer than SHA1_LENGTH octets of data
--         * left to xor, use just the low-order ones of the hash.
--         */
--        sha1off = 0;
--        if ((dataend - dp) < SHA1_LENGTH)
--            sha1off = SHA1_LENGTH - (dataend - dp);
--        while (sha1off < SHA1_LENGTH)
--            *dp++ ^= sha1[sha1off++];
--
--        /*
--         * Bump for next hash chunk.
--         */
--        end_octet++;
--    }
--
--    SHA1_DestroyContext(sha1cx, PR_TRUE);
--    return SECSuccess;
-+static unsigned char constantTimeCompare(const unsigned char *a,
-+                                         const unsigned char *b,
-+                                         unsigned int len) {
-+    unsigned char tmp = 0;
-+    unsigned int i;
-+    for (i = 0; i < len; ++i, ++a, ++b)
-+        tmp |= *a ^ *b;
-+    return constantTimeEQ8(0x00, tmp);
- }
- 
--/*
-- * Modify salt by XORing it with a special hash of data.
-+/* Constant time conditional.
-+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
-+ * not 0 or 1.
-  */
--static SECStatus
--oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
--                 unsigned char *data, unsigned int datalen)
-+static unsigned int constantTimeCondition(unsigned int c,
-+                                          unsigned int a,
-+                                          unsigned int b)
- {
--    unsigned char sha1[SHA1_LENGTH];
--    unsigned char *psalt, *psha1, *saltend;
--    SECStatus rv;
--
--    /*
--     * Create a hash of data.
--     */
--    rv = SHA1_HashBuf(sha1, data, datalen);
--    if (rv != SECSuccess) {
--        return rv;
--    }
--
--    /*
--     * XOR the low-order octets of that hash with salt.
--     */
--    PORT_Assert(saltlen <= SHA1_LENGTH);
--    saltend = salt + saltlen;
--    psalt = salt;
--    psha1 = sha1 + SHA1_LENGTH - saltlen;
--    while (psalt < saltend) {
--        *psalt++ ^= *psha1++;
--    }
--
--    return SECSuccess;
-+    return (~(c - 1) & a) | ((c - 1) & b);
- }
- 
- /*
-@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
-     unsigned char *block;
-     unsigned char *bp;
-     int padLen;
--    int i;
-+    int i, j;
-     SECStatus rv;
- 
-     block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
-@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
-          */
-     case RSA_BlockPublic:
- 
--        /*
--         * 0x00 || BT || Pad || 0x00 || ActualData
--         *   1      1   padLen    1      data->len
--         * Pad is all non-zero random bytes.
--         */
--        padLen = modulusLen - data->len - 3;
--        PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
--        if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
--            nss_ZFreeIf(block);
--            return NULL;
--        }
--        for (i = 0; i < padLen; i++) {
--            /* Pad with non-zero random data. */
--            do {
--                rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
--            } while (rv == SECSuccess
--                     && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
--            if (rv != SECSuccess) {
--                nss_ZFreeIf(block);
--                return NULL;
--            }
--        }
--        bp += padLen;
--        *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
--        nsslibc_memcpy(bp, data->data, data->len);
--
--        break;
--
--        /*
--         * Blocks intended for public-key operation, using
--         * Optimal Asymmetric Encryption Padding (OAEP).
--         */
--    case RSA_BlockOAEP:
--        /*
--         * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
--         *   1      1     OAEP_SALT_LEN     OAEP_PAD_LEN + data->len [+ N]
--         *
--         * where:
--         *   PaddedData is "Pad1 || ActualData [|| Pad2]"
--         *   Salt is random data.
--         *   Pad1 is all zeros.
--         *   Pad2, if present, is random data.
--         *   (The "modified" fields are all the same length as the original
--         * unmodified values; they are just xor'd with other values.)
--         *
--         *   Modified1 is an XOR of PaddedData with a special octet
--         * string constructed of iterated hashing of Salt (see below).
--         *   Modified2 is an XOR of Salt with the low-order octets of
--         * the hash of Modified1 (see farther below ;-).
--         *
--         * Whew!
--         */
--
--
--        /*
--         * Salt
--         */
--        rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
--        if (rv != SECSuccess) {
--            nss_ZFreeIf(block);
--            return NULL;
--        }
--        bp += OAEP_SALT_LEN;
--
--        /*
--         * Pad1
--         */
--        nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
--        bp += OAEP_PAD_LEN;
--
--        /*
--         * Data
--         */
--        nsslibc_memcpy(bp, data->data, data->len);
--        bp += data->len;
--
--        /*
--         * Pad2
--         */
--        if (bp < (block + modulusLen)) {
--            rv = RNG_GenerateGlobalRandomBytes(bp,
--                                               block - bp + modulusLen);
--            if (rv != SECSuccess) {
--                nss_ZFreeIf(block);
--                return NULL;
--            }
--        }
--
--        /*
--         * Now we have the following:
--         * 0x00 || BT || Salt || PaddedData
--         * (From this point on, "Pad1 || Data [|| Pad2]" is treated
--         * as the one entity PaddedData.)
--         *
--         * We need to turn PaddedData into Modified1.
--         */
--        if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
--                             modulusLen - 2 - OAEP_SALT_LEN,
--                             block + 2, OAEP_SALT_LEN) != SECSuccess) {
--            nss_ZFreeIf(block);
--            return NULL;
--        }
--
--        /*
--         * Now we have:
--         * 0x00 || BT || Salt || Modified1(PaddedData)
--         *
--         * The remaining task is to turn Salt into Modified2.
--         */
--        if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
--                             block + 2 + OAEP_SALT_LEN,
--                             modulusLen - 2 - OAEP_SALT_LEN) !=
--            SECSuccess) {
--            nss_ZFreeIf(block);
--            return NULL;
--        }
--
--        break;
-+	/*
-+	 * 0x00 || BT || Pad || 0x00 || ActualData
-+	 *   1      1   padLen    1      data->len
-+	 * Pad is all non-zero random bytes.
-+	 *
-+	 * Build the block left to right.
-+	 * Fill the entire block from Pad to the end with random bytes.
-+	 * Use the bytes after Pad as a supply of extra random bytes from 
-+	 * which to find replacements for the zero bytes in Pad.
-+	 * If we need more than that, refill the bytes after Pad with 
-+	 * new random bytes as necessary.
-+	 */
-+	padLen = modulusLen - (data->len + 3);
-+	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
-+	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
-+	    nss_ZFreeIf (block);
-+	    return NULL;
-+	}
-+	j = modulusLen - 2;
-+	rv = RNG_GenerateGlobalRandomBytes(bp, j);
-+	if (rv == SECSuccess) {
-+	    for (i = 0; i < padLen; ) {
-+		unsigned char repl;
-+		/* Pad with non-zero random data. */
-+		if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
-+		    ++i;
-+		    continue;
-+		}
-+		if (j <= padLen) {
-+		    rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
-+					  modulusLen - (2 + padLen));
-+		    if (rv != SECSuccess)
-+		    	break;
-+		    j = modulusLen - 2;
-+		}
-+		do {
-+		    repl = bp[--j];
-+		} while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
-+		if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
-+		    bp[i++] = repl;
-+		}
-+	    }
-+	}
-+	if (rv != SECSuccess) {
-+	    /*sftk_fatalError = PR_TRUE;*/
-+	    nss_ZFreeIf (block);
-+	    return NULL;
-+	}
-+	bp += padLen;
-+	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
-+	nsslibc_memcpy(bp, data->data, data->len);
-+	break;
- 
-     default:
-         PORT_Assert(0);
-@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
- 
-         break;
- 
--    case RSA_BlockOAEP:
--        /*
--         * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
--         *
--         * The "2" below is the first octet + the second octet.
--         * (The other fields do not contain the clear values, but are
--         * the same length as the clear values.)
--         */
--        PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
--                                                + OAEP_PAD_LEN)));
--
--        result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
--        if (result->data == NULL) {
--            result->len = 0;
--            return SECFailure;
--        }
--        result->len = modulusLen;
--
--        break;
--
-     case RSA_BlockRaw:
-         /*
-          * Pad || ActualData
--- 
-1.7.1
-
diff --git a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
deleted file mode 100644
index 6f0e88c..0000000
--- a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
+++ /dev/null
@@ -1,44 +0,0 @@
---- nss/lib/ckfw/pem/psession.c
-+++ nss/lib/ckfw/pem/psession.c
-@@ -230,6 +230,7 @@ pem_mdSession_Login
-     unsigned int len = 0;
-     NSSLOWKEYPrivateKey *lpk = NULL;
-     PLArenaPool *arena;
-+    SECItem plain;
-     int i;
- 
-     fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
-@@ -306,23 +321,27 @@ pem_mdSession_Login
-     lpk->keyType = NSSLOWKEYRSAKey;
-     prepare_low_rsa_priv_key_for_asn1(lpk);
- 
--    nss_ZFreeIf(io->u.key.key.privateKey->data);
--    io->u.key.key.privateKey->len = len - output[len - 1];
--    io->u.key.key.privateKey->data =
--        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
--    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
- 
-     /* Decode the resulting blob and see if it is a decodable DER that fits
-      * our private key template. If so we declare success and move on. If not
-      * then we return an error.
-      */
-+    memset(&plain, 0, sizeof(plain));
-+    plain.data = output;
-+    plain.len = len - output[len - 1];
-     rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
--                                io->u.key.key.privateKey);
-+                                &plain);
-     pem_DestroyPrivateKey(lpk);
-     arena = NULL;
-     if (rv != SECSuccess)
-         goto loser;
- 
-+    nss_ZFreeIf(io->u.key.key.privateKey->data);
-+    io->u.key.key.privateKey->len = len - output[len - 1];
-+    io->u.key.key.privateKey->data =
-+        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
-+    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
-+
-     rv = CKR_OK;
- 
-   loser:
diff --git a/SOURCES/disable-ocsp-stapling-tests.patch b/SOURCES/disable-ocsp-stapling-tests.patch
deleted file mode 100644
index df27c0e..0000000
--- a/SOURCES/disable-ocsp-stapling-tests.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
---- nss/tests/ocsp/ocsp.sh.skipoutbound	2013-04-24 18:04:30.203307355 -0700
-+++ nss/tests/ocsp/ocsp.sh	2013-04-24 18:06:27.967176794 -0700
-@@ -115,4 +115,4 @@ ocsp_stapling()
- ################## main #################################################
- ocsp_init
- ocsp_iopr_run
--ocsp_stapling
-+#ocsp_stapling
diff --git a/SOURCES/document-certutil-email-option.patch b/SOURCES/document-certutil-email-option.patch
deleted file mode 100644
index b9ca7e1..0000000
--- a/SOURCES/document-certutil-email-option.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff --git a/doc/certutil.xml b/doc/certutil.xml
---- a/doc/certutil.xml
-+++ b/doc/certutil.xml
-@@ -204,16 +204,21 @@ If this option is not used, the validity
-       </varlistentry>
- 
-       <varlistentry>
-         <term>-e </term>
-         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--email email-address</term>
-+        <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-f password-file</term>
-         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
-  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
-  unauthorized access to this file.</para></listitem>
-       </varlistentry>
- 
-       <varlistentry>
-         <term>-g keysize</term>
diff --git a/SOURCES/dont-disable-internal-module.patch b/SOURCES/dont-disable-internal-module.patch
new file mode 100644
index 0000000..5d71643
--- /dev/null
+++ b/SOURCES/dont-disable-internal-module.patch
@@ -0,0 +1,39 @@
+diff -up ./nss/cmd/modutil/pk11.c.1056036 ./nss/cmd/modutil/pk11.c
+--- ./nss/cmd/modutil/pk11.c.1056036	2014-02-24 15:49:00.802754246 -0800
++++ ./nss/cmd/modutil/pk11.c	2014-02-24 15:49:00.806754285 -0800
+@@ -826,6 +826,12 @@ EnableModule(char *moduleName, char *slo
+ 		    PK11_GetSlotName(slot), "enabled");
+ 	    }
+ 	} else {
++	    if (module->internal) {
++		PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
++		    "disable", PK11_GetSlotName(slot));
++		rv = ENABLE_FAILED_ERR;
++		goto loser;
++	    }
+ 	    if(! PK11_UserDisableSlot(slot)) {
+ 		PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
+ 		    "disable", PK11_GetSlotName(slot));
+diff -up ./nss/doc/modutil.xml.1056036 ./nss/doc/modutil.xml
+--- ./nss/doc/modutil.xml.1056036	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/doc/modutil.xml	2014-02-24 15:49:00.806754285 -0800
+@@ -86,7 +86,7 @@
+ 
+       <varlistentry>
+         <term>-disable modulename</term>
+-	  <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para></listitem>
++	  <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para><para>The internal NSS PKCS #11 module cannot be disabled.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+diff -up ./nss/lib/dev/devtoken.c.1056036 ./nss/lib/dev/devtoken.c
+--- ./nss/lib/dev/devtoken.c.1056036	2014-02-24 15:55:16.687529925 -0800
++++ ./nss/lib/dev/devtoken.c	2014-02-24 15:56:15.720143547 -0800
+@@ -1438,6 +1438,7 @@ nssToken_IsPresent (
+   NSSToken *token
+ )
+ {
++    if (token == NULL) return PR_FALSE;
+     return nssSlot_IsTokenPresent(token->slot);
+ }
+ 
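Review bot: The new `module->internal` check in EnableModule guards only the modutil front end; `PK11_UserDisableSlot` is not touched by this patch, so other callers of that API can presumably still disable the internal module's slots, and it is worth confirming whether the library should refuse as well. The refusal prints the same `errStrings[ENABLE_FAILED_ERR]` text as a genuine failure of `PK11_UserDisableSlot`, so an operator cannot tell a policy refusal from an error. In devtoken.c, `if (token == NULL) return PR_FALSE;` silently reports "not present" for a NULL token and hides which caller passes NULL; a short comment above it naming that condition would keep the guard from masking a later bug. Both functions continue outside their hunks.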
diff --git a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
new file mode 100644
index 0000000..ec7d6c8
--- /dev/null
+++ b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
@@ -0,0 +1,123 @@
+diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h
+--- ./nss/lib/certdb/certi.h.1034409	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/certdb/certi.h	2014-02-20 08:46:10.345136599 -0800
+@@ -116,11 +116,16 @@ struct CRLDPCacheStr {
+ #else
+     PRLock* lock;
+ #endif
+-    CERTCertificate* issuer;    /* issuer cert
+-                                   XXX there may be multiple issuer certs,
+-                                       with different validity dates. Also
+-                                       need to deal with SKID/AKID . See
+-                                       bugzilla 217387, 233118 */
++    SECItem *issuerDERCert;    /* issuer DER cert. Don't hold a reference
++				  to the actual cert so the trust can be
++				  updated on the cert automatically.
++				  XXX there may be multiple issuer certs,
++				  with different validity dates. Also
++				  need to deal with SKID/AKID . See
++				  bugzilla 217387, 233118 */
++
++    CERTCertDBHandle *dbHandle;
++
+     SECItem* subject;           /* DER of issuer subject */
+     SECItem* distributionPoint; /* DER of distribution point. This may be
+                                    NULL when distribution points aren't
+@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr {
+     NSSRWLock* lock;
+     CRLDPCache** dps;
+     PLHashTable* distributionpoints;
+-    CERTCertificate* issuer;
++    CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */
+ #endif
+ };
+ 
+diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c
+--- ./nss/lib/certdb/crl.c.1034409	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/certdb/crl.c	2014-02-20 08:49:30.835466687 -0800
+@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa
+ 	PORT_Free(cache->crls);
+     }
+     /* destroy the cert */
+-    if (cache->issuer)
++    if (cache->issuerDERCert)
+     {
+-        CERT_DestroyCertificate(cache->issuer);
++        SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
+     }
+     /* free the subject */
+     if (cache->subject)
+@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
+     else
+     {
+         SECStatus signstatus = SECFailure;
+-        if (cache->issuer)
++        if (cache->issuerDERCert)
+         {
+-            signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
++	    CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
++		cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
++
++	    if (issuer) {
++                signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
+                                         wincx);
++		CERT_DestroyCertificate(issuer);
++	    }
+         }
+         if (SECSuccess != signstatus)
+         {
+-            if (!cache->issuer)
++            if (!cache->issuerDERCert)
+             {
+                 /* we tried to verify without an issuer cert . This is
+                    because this CRL came through a call to SEC_FindCrlByName.
+@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
+     }
+ 
+     /* add issuer certificate if it was previously unavailable */
+-    if (issuer && (NULL == cache->issuer) &&
++    if (issuer && (NULL == cache->issuerDERCert) &&
+         (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
+     {
+         /* if we didn't have a valid issuer cert yet, but we do now. add it */
+         DPCache_LockWrite();
+-        if (!cache->issuer)
++        if (!cache->issuerDERCert)
+         {
+             dirty = PR_TRUE;
+-            cache->issuer = CERT_DupCertificate(issuer);    
++	    cache->dbHandle = issuer->dbhandle;
++    	    cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
+         }
+         DPCache_UnlockWrite();
+     }
+@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
+        SEC_FindCrlByName, or through manual insertion, rather than through a
+        certificate verification (CERT_CheckCRL) */
+ 
+-    if (cache->issuer && vfdate )
++    if (cache->issuerDERCert && vfdate )
+     {
+ 	mustunlock = PR_FALSE;
+         /* re-process all unverified CRLs */
+@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
+     }
+     if (issuer)
+     {
+-        cache->issuer = CERT_DupCertificate(issuer);
++	cache->dbHandle = issuer->dbhandle;
++    	cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
+     }
+     cache->distributionPoint = SECITEM_DupItem(dp);
+     cache->subject = SECITEM_DupItem(subject);
+diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh
+--- ./nss/tests/chains/chains.sh.1034409	2014-02-20 08:16:34.867686934 -0800
++++ ./nss/tests/chains/chains.sh	2014-02-20 08:34:35.149603340 -0800
+@@ -974,6 +974,7 @@ check_ocsp()
+     OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+     OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+ 
++    echo "Cert = ${CERT_NICK}.cert"
+     echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+     tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+     return $?
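Review bot: In CachedCrl_Verify, a NULL return from `CERT_NewTempCertificate` leaves `signstatus` at `SECFailure` while `cache->issuerDERCert` is non-NULL, so a failure to rebuild the issuer certificate takes the same path as a CRL whose signature did not verify. The branch that handles this lies outside the hunk, so confirm it does not record the CRL as having a bad signature in that case. Both `SECITEM_DupItem(&issuer->derCert)` calls (in DPCache_GetUpToDate and DPCache_Create) are unchecked, and in DPCache_GetUpToDate `dirty = PR_TRUE` is set even when the copy failed. `cache->dbHandle` is stored as a bare pointer with no visible reference taken, so the new field in certi.h deserves a comment on ownership, for example `/* borrowed from issuer->dbhandle; not owned by the cache */`.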
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index 3df4927..9fb7772 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -1,6 +1,6 @@
-diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
---- nss/cmd/bltest/Makefile.iquote	2013-06-27 10:58:08.000000000 -0700
-+++ nss/cmd/bltest/Makefile	2013-07-02 15:02:26.656643246 -0700
+diff -up ./nss/cmd/bltest/Makefile.iquote ./nss/cmd/bltest/Makefile
+--- ./nss/cmd/bltest/Makefile.iquote	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/cmd/bltest/Makefile	2014-01-18 11:31:32.277404478 -0800
 @@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
  # (6) Execute "component" rules. (OPTIONAL)                           #
  #######################################################################
@@ -9,9 +9,22 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
  
  
  #######################################################################
-diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
---- nss/cmd/lib/Makefile.iquote	2013-07-02 15:07:47.260622471 -0700
-+++ nss/cmd/lib/Makefile	2013-07-02 15:08:47.219179157 -0700
+diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
+--- ./nss/cmd/httpserv/Makefile.iquote	2014-01-18 11:33:15.058108851 -0800
++++ ./nss/cmd/httpserv/Makefile	2014-01-18 11:34:08.913478276 -0800
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
+--- ./nss/cmd/lib/Makefile.iquote	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/cmd/lib/Makefile	2014-01-18 11:31:32.309404697 -0800
 @@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
  # (6) Execute "component" rules. (OPTIONAL)                           #
  #######################################################################
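Review bot: The added `-iquote` lines list the two header directories in different orders. The httpserv Makefile in this hunk adds `$(DIST)/../private/nss` before `$(DIST)/../public/nss`, while the libpkix checker and lib/nss Makefiles added in the last hunk of this file put public first. Quote-include lookup follows the order given, so a header name present in both directories would resolve differently between these builds. Using one order throughout, e.g. `INCLUDES += -iquote $(DIST)/../public/nss` then `INCLUDES += -iquote $(DIST)/../private/nss`, plus a one-line comment on what the extra search path is for, would remove the ambiguity.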
@@ -22,9 +35,9 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
  
  #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
---- nss/coreconf/location.mk.iquote	2013-06-27 10:58:08.000000000 -0700
-+++ nss/coreconf/location.mk	2013-07-02 15:02:26.656643246 -0700
+diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
+--- ./nss/coreconf/location.mk.iquote	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/coreconf/location.mk	2014-01-18 11:31:32.309404697 -0800
 @@ -45,6 +45,10 @@ endif
  
  ifdef NSS_INCLUDE_DIR
@@ -36,9 +49,9 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
  endif
  
  ifndef NSS_LIB_DIR
-diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
---- nss/lib/certhigh/Makefile.iquote	2013-09-27 11:13:55.158689314 -0700
-+++ nss/lib/certhigh/Makefile	2013-09-27 11:14:38.181042336 -0700
+diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
+--- ./nss/lib/certhigh/Makefile.iquote	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/certhigh/Makefile	2014-01-18 11:31:32.310404704 -0800
 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
  # (6) Execute "component" rules. (OPTIONAL)                           #
  #######################################################################
@@ -48,9 +61,9 @@ diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
  
  #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
---- nss/lib/cryptohi/Makefile.iquote	2013-09-27 11:11:30.117494489 -0700
-+++ nss/lib/cryptohi/Makefile	2013-09-27 11:12:54.704194915 -0700
+diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
+--- ./nss/lib/cryptohi/Makefile.iquote	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/cryptohi/Makefile	2014-01-18 11:31:32.310404704 -0800
 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
  # (6) Execute "component" rules. (OPTIONAL)                           #
  #######################################################################
@@ -60,3 +73,29 @@ diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
  
  #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile
+--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/libpkix/pkix/checker/Makefile	2014-01-18 11:31:32.310404704 -0800
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
+--- ./nss/lib/nss/Makefile.iquote	2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/nss/Makefile	2014-01-18 11:31:32.310404704 -0800
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
diff --git a/SOURCES/nss-ecc-list-3.15.3.patch b/SOURCES/nss-ecc-list-3.15.3.patch
new file mode 100644
index 0000000..6f86258
--- /dev/null
+++ b/SOURCES/nss-ecc-list-3.15.3.patch
@@ -0,0 +1,239 @@
+diff -up ./nss/cmd/modutil/pk11.c.ecc-lists ./nss/cmd/modutil/pk11.c
+--- ./nss/cmd/modutil/pk11.c.ecc-lists	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/cmd/modutil/pk11.c	2013-12-20 10:29:01.540726233 -0800
+@@ -7,12 +7,9 @@
+  */
+ 
+ #include "modutil.h"
+-/* #include "secmodti.h"  */
++#include "secmodi.h"
+ #include "pk11func.h"
+ 
+-static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
+-static int pk11_DefaultArraySize = 0;
+-
+ /*************************************************************************
+  *
+  * F i p s M o d e
+@@ -110,32 +107,11 @@ ChkFipsMode(char *arg)
+ 
+ typedef struct {
+     const char *name;
+-    const unsigned long mask;
++    unsigned long mask;
+ } MaskString;
+ 
+-static const MaskString mechanismStrings[] = {
+-    {"RSA", PUBLIC_MECH_RSA_FLAG},
+-    {"DSA", PUBLIC_MECH_DSA_FLAG},
+-    {"RC2", PUBLIC_MECH_RC2_FLAG},
+-    {"RC4", PUBLIC_MECH_RC4_FLAG},
+-    {"RC5", PUBLIC_MECH_RC5_FLAG},
+-    {"DES", PUBLIC_MECH_DES_FLAG},
+-    {"DH", PUBLIC_MECH_DH_FLAG},
+-    {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG},
+-    {"SHA1", PUBLIC_MECH_SHA1_FLAG},
+-    {"MD5", PUBLIC_MECH_MD5_FLAG},
+-    {"MD2", PUBLIC_MECH_MD2_FLAG},
+-    {"SSL", PUBLIC_MECH_SSL_FLAG},
+-    {"TLS", PUBLIC_MECH_TLS_FLAG},
+-    {"AES", PUBLIC_MECH_AES_FLAG},
+-    {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG},
+-    {"SHA256", PUBLIC_MECH_SHA256_FLAG},
+-    {"SHA512", PUBLIC_MECH_SHA512_FLAG},
+-    {"RANDOM", PUBLIC_MECH_RANDOM_FLAG},
+-    {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG}
+-};
+-static const int numMechanismStrings =
+-    sizeof(mechanismStrings) / sizeof(mechanismStrings[0]);
++static MaskString *mechanismStrings =  NULL;
++static int numMechanismStrings = 0;
+ 
+ static const MaskString cipherStrings[] = {
+     {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG}
+@@ -143,10 +119,83 @@ static const MaskString cipherStrings[]
+ static const int numCipherStrings =
+     sizeof(cipherStrings) / sizeof(cipherStrings[0]);
+ 
++static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
++static int pk11_DefaultArraySize = 0;
++
++
+ /* Maximum length of a colon-separated list of all the strings in an 
+  * array. */
+ #define MAX_STRING_LIST_LEN 240    /* or less */
+ 
++/* 
++** The same as SECMOD_InternaltoPubMechFlags 
++** from nss/lib/pk11wrap/pk11util.c wich is a
++** private export and not visible to us
++*/
++static unsigned long 
++InternaltoPubMechFlags(unsigned long internalFlags) 
++{
++    unsigned long publicFlags = internalFlags;
++
++    if (internalFlags & SECMOD_RANDOM_FLAG) {
++        publicFlags &= ~SECMOD_RANDOM_FLAG;
++        publicFlags |= PUBLIC_MECH_RANDOM_FLAG;
++    }
++    return publicFlags;
++}
++
++
++Error
++loadMechanismList(void)
++{
++    int i;
++
++    if (pk11_DefaultArray == NULL) {
++        pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
++        if (pk11_DefaultArray == NULL) {
++            /* should assert. This shouldn't happen */
++            return UNSPECIFIED_ERR;
++        }
++    }
++    if (mechanismStrings != NULL) {
++	PR_Free(mechanismStrings);
++    }
++
++    /* build the mechanismStrings array */
++    mechanismStrings = PR_Malloc( pk11_DefaultArraySize*sizeof(MaskString) );
++    if (mechanismStrings == NULL) {
++	return OUT_OF_MEM_ERR;
++    }
++    numMechanismStrings = pk11_DefaultArraySize;
++    for (i = 0; i < numMechanismStrings; i++) {
++	char *name = pk11_DefaultArray[i].name;
++	unsigned long flag = pk11_DefaultArray[i].flag;
++	/* map new name to old */
++	switch (flag) {
++	case SECMOD_FORTEZZA_FLAG:
++	    name = "FORTEZZA";
++	    break;
++	case SECMOD_SHA1_FLAG:
++	    name = "SHA1";
++	    break;
++	case SECMOD_CAMELLIA_FLAG:
++	    name = "CAMELLIA";
++	    break;
++	case SECMOD_RANDOM_FLAG:
++	    name = "RANDOM";
++	    break;
++	case SECMOD_FRIENDLY_FLAG:
++	    name = "FRIENDLY";
++	    break;
++	default:
++	    break;
++	}
++	mechanismStrings[i].name = name;
++	mechanismStrings[i].mask = InternaltoPubMechFlags(flag);
++    }
++    return SUCCESS;
++}
++
+ /************************************************************************
+  * 
+  * g e t F l a g s F r o m S t r i n g
+@@ -244,6 +293,12 @@ AddModule(char *moduleName, char *libFil
+     unsigned long ciphers;
+     unsigned long mechanisms;
+     SECStatus status;
++    Error rv;
++
++    rv = loadMechanismList();
++    if (rv != SUCCESS) {
++	return rv;
++    }
+ 
+     mechanisms =
+ 	getFlagsFromString(mechanismString, mechanismStrings,
+@@ -493,6 +548,11 @@ ListModule(char *moduleName)
+ 	return SUCCESS;
+     }
+ 
++    rv = loadMechanismList();
++    if (rv != SUCCESS) {
++	return rv;
++    }
++
+     module = SECMOD_FindModule(moduleName);
+     if(!module) {
+ 	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
+@@ -811,19 +871,18 @@ SetDefaultModule(char *moduleName, char
+     SECMODModule *module = NULL;
+     PK11SlotInfo *slot;
+     int s, i;
+-    unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
+-	numMechanismStrings);
++    unsigned long mechFlags;
+     PRBool found = PR_FALSE;
+-    Error errcode = UNSPECIFIED_ERR;
++    Error errcode;
+ 
+-    if (pk11_DefaultArray == NULL) {
+-	pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
+-	if (pk11_DefaultArray == NULL) {
+-	    /* should assert. This shouldn't happen */
+-	    goto loser;
+-	}
++    errcode = loadMechanismList();
++    if (errcode != SUCCESS) {
++	return errcode;
+     }
++    errcode = UNSPECIFIED_ERR;
+ 
++    mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
++	numMechanismStrings);
+     mechFlags =  SECMOD_PubMechFlagstoInternal(mechFlags);
+ 
+     module = SECMOD_FindModule(moduleName);
+@@ -889,20 +948,17 @@ UnsetDefaultModule(char *moduleName, cha
+     SECMODModule * module = NULL;
+     PK11SlotInfo *slot;
+     int s, i;
+-    unsigned long mechFlags = getFlagsFromString(mechanisms,
+-	mechanismStrings, numMechanismStrings);
++    unsigned long mechFlags;
+     PRBool found = PR_FALSE;
+     Error rv;
+ 
+-    if (pk11_DefaultArray == NULL) {
+-	pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
+-	if (pk11_DefaultArray == NULL) {
+-	    /* should assert. This shouldn't happen */
+-	    rv = UNSPECIFIED_ERR;
+-            goto loser;
+-	}
++    rv  = loadMechanismList();
++    if (rv != SUCCESS) {
++	return rv;
+     }
+ 
++    mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
++	numMechanismStrings);
+     mechFlags =  SECMOD_PubMechFlagstoInternal(mechFlags);
+ 
+     module = SECMOD_FindModule(moduleName);
+diff -up ./nss/lib/pk11wrap/pk11slot.c.ecc-lists ./nss/lib/pk11wrap/pk11slot.c
+--- ./nss/lib/pk11wrap/pk11slot.c.ecc-lists	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/lib/pk11wrap/pk11slot.c	2013-12-20 10:29:55.756109883 -0800
+@@ -32,6 +32,7 @@
+ PK11DefaultArrayEntry PK11_DefaultArray[] = {
+ 	{ "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
+ 	{ "DSA", SECMOD_DSA_FLAG, CKM_DSA },
++	{ "ECC", SECMOD_ECC_FLAG, CKM_ECDSA },
+ 	{ "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
+ 	{ "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
+ 	{ "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
+diff -up ./nss/lib/pk11wrap/secmod.h.ecc-lists ./nss/lib/pk11wrap/secmod.h
+--- ./nss/lib/pk11wrap/secmod.h.ecc-lists	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/lib/pk11wrap/secmod.h	2013-12-20 10:26:20.881585723 -0800
+@@ -28,6 +28,7 @@
+ #define PUBLIC_MECH_SHA512_FLAG      0x00008000ul
+ #define PUBLIC_MECH_CAMELLIA_FLAG    0x00010000ul
+ #define PUBLIC_MECH_SEED_FLAG        0x00020000ul
++#define PUBLIC_MECH_ECC_FLAG         0x00040000ul
+ 
+ #define PUBLIC_MECH_RANDOM_FLAG      0x08000000ul
+ #define PUBLIC_MECH_FRIENDLY_FLAG    0x10000000ul
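Review bot: In loadMechanismList(), a failed PR_Malloc on a rebuild returns OUT_OF_MEM_ERR while mechanismStrings still points at the block just released by PR_Free and numMechanismStrings still holds the old count, so any later call would free the same pointer again and any lookup through the table would read freed memory. Resetting the globals immediately after the free closes that window: `PR_Free(mechanismStrings); mechanismStrings = NULL; numMechanismStrings = 0;`. Because pk11_DefaultArray is fetched only once, returning early when the table is already built looks equivalent and would avoid the free/malloc cycle on every AddModule, ListModule, SetDefaultModule and UnsetDefaultModule call. Separately, InternaltoPubMechFlags() translates only SECMOD_RANDOM_FLAG, so the new "ECC" entry maps correctly only if SECMOD_ECC_FLAG has the same value as the added PUBLIC_MECH_ECC_FLAG; that definition is outside this patch, so a comment stating the assumption would help.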
diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml
index bca4bfa..5b9827f 100644
--- a/SOURCES/setup-nsssysinit.xml
+++ b/SOURCES/setup-nsssysinit.xml
@@ -55,7 +55,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>status</option> <replaceable>count</replaceable></term>
+        <term><option>status</option></term>
         <listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
       </varlistentry>
 
@@ -67,13 +67,13 @@
 
     <para>The following example will query for the status of nss-sysinit:
       <programlisting>
-        /usr/bin/setup-nsssysinit --status
+        /usr/bin/setup-nsssysinit status
       </programlisting>
     </para>
 
     <para>The following example, when run as superuser, will turn on nss-sysinit:
       <programlisting>
-        /usr/bin/setup-nsssysinit --on
+        /usr/bin/setup-nsssysinit on
       </programlisting>
     </para>
 
@@ -81,7 +81,7 @@
 
   <refsection>
     <title>Files</title>
-    <para><filename>/usr/sbin/setup-nsssysinit</filename></para>
+    <para><filename>/usr/bin/setup-nsssysinit</filename></para>
   </refsection>
 
   <refsection>
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index fffec65..0dc3202 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,7 +1,7 @@
-%global nspr_version 4.10
-%global nss_util_version 3.15.2
-%global nss_softokn_fips_version 3.12.9
-%global nss_softokn_version 3.15.2
+%global nspr_version 4.10.2
+%global nss_util_version 3.15.4
+%global nss_softokn_fips_version 3.13.4
+%global nss_softokn_version 3.15.4
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
 
@@ -19,8 +19,8 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.15.2
-Release:          8%{?dist}
+Version:          3.15.4
+Release:          6%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -47,7 +47,7 @@ BuildRequires:    perl
 %{!?nss_ckbi_suffix:%define full_nss_version %{version}}
 %{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
 
-Source0:          %{name}-%{full_nss_version}.tar.bz2
+Source0:          %{name}-%{full_nss_version}.tar.gz
 Source1:          nss.pc.in
 Source2:          nss-config.in
 Source3:          blank-cert8.db
@@ -58,7 +58,7 @@ Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
 Source10:         PayPalEE.cert
-Source12:         %{name}-pem-20130405.tar.bz2
+Source12:         %{name}-pem-20140125.tar.bz2
 Source17:         TestCA.ca.cert
 Source18:         TestUser50.cert
 Source19:         TestUser51.cert
@@ -81,25 +81,29 @@ Patch18:          nss-646045.patch
 Patch25:          nsspem-use-system-freebl.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
-Patch44:          0001-sync-up-with-upstream-softokn-changes.patch
-Patch45:          Bug-896651-pem-dont-trash-keys-on-failed-login.patch
-# The ocsp stapling tests currently require access to the
-# kuix.de test server but koji forbids outbount connections
-Patch46:          disable-ocsp-stapling-tests.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
 Patch47:          utilwrap-include-templates.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
 Patch48:          nss-versus-softoken-tests.patch
 # TODO remove when we switch to building nss without softoken
 Patch49:          nss-skip-bltest-and-fipstest.patch
+# This patch uses the gcc-iquote dir option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to place the in-tree directories at the head of the list of list of directories
+# to be searched for for header files. This ensures a build even when system 
+# headers are older. Such is the case when starting an update with API changes or even private export changes.
+# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
 Patch50:          iquote.patch
 Patch52:          Bug-1001841-disable-sslv2-libssl.patch
 Patch53:          Bug-1001841-disable-sslv2-tests.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
-Patch54:          document-certutil-email-option.patch
 Patch55:          enable-fips-when-system-is-in-fips-mode.patch
 # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
 Patch56:          p-ignore-setpolicy.patch
+Patch61:          nss-ecc-list-3.15.3.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
+Patch62:          dont-hold-issuer-cert-handles-in-crl-cache.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977673
+Patch63:          dont-disable-internal-module.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
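Review bot: Patch61 is added without the provenance comment its neighbours carry (Patch62 and Patch63 each cite their upstream bug), so the spec alone does not say whether nss-ecc-list-3.15.3.patch is upstream or downstream-only. The changelog in this same commit ties it to bug 752980, so a line such as `# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=752980` above it would match the style used for Patch56. The comment block added above Patch50 also has a few slips worth fixing in the same pass: "list of list of", "searched for for" and "aha been".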
@@ -184,22 +188,19 @@ low level services.
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
-%patch44 -p1 -b .syncupwithupstream
-%patch45 -p0 -b .notrash
-%patch46 -p0 -b .skipoutbound
 %patch47 -p0 -b .templates
 %patch48 -p0 -b .crypto
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
 %patch52 -p0 -b .disableSSL2
 %patch53 -p0 -b .disableSSL2
-pushd nss
-%patch54 -p1 -b .948495
-popd
 %patch55 -p0 -b .852023
 pushd nss
 %patch56 -p1 -b .1026677
 popd
+%patch61 -p0 -b .ecc-lists
+%patch62 -p0 -b .1034409
+%patch63 -p0 -b .1056036
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -542,7 +543,7 @@ done
 %{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
 # Copy the pkcs #11 configuration script
 %{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
-# install a symbolic link top it, without the ".sh" suffix,
+# install a symbolic link to it, without the ".sh" suffix,
 # that matches the man page documentation
 ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
 
@@ -602,17 +603,17 @@ fi
 /sbin/ldconfig
 
 %posttrans
-# An earlier version of this package had an incorrect %postun script (3.14.3-9).
-# (The incorrect %postun always called "update-alternatives --remove",
+# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
+# (The incorrect %%postun always called "update-alternatives --remove",
 # because it incorrectly assumed that test -f returns false for symbolic links.)
 # The only possible remedy to fix the mistake that "always removes on upgrade"
-# made by the older %postun script, is to repair it in %posttrans of the new package.
+# made by the older %%postun script, is to repair it in %%posttrans of the new package.
 # Strategy:
-# %posttrans is never called when uninstalling.
-# %posttrans is only called when installing or upgrading a package.
-# Because %posttrans is the very last action of a package install,
-# %{_libdir}/libnssckbi.so must exist.
-# If it does not, it's the result of the incorrect removal from a broken %postun.
+# %%posttrans is never called when uninstalling.
+# %%posttrans is only called when installing or upgrading a package.
+# Because %%posttrans is the very last action of a package install,
+# %%{_libdir}/libnssckbi.so must exist.
+# If it does not, it's the result of the incorrect removal from a broken %%postun.
 # In this case, we repeat installation of the alternatives link.
 if ! test -e %{_libdir}/libnssckbi.so; then
   %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
@@ -632,20 +633,19 @@ fi
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
-%attr(0644,root,root) %doc /usr/share/man/man5/*
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
 %attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
 %attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
 %attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
 
 %files sysinit
 %defattr(-,root,root)
 %{_libdir}/libnsssysinit.so
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
-%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
 %{_bindir}/setup-nsssysinit.sh
 # symbolic link to setup-nsssysinit.sh
 %{_bindir}/setup-nsssysinit
@@ -672,7 +672,7 @@ fi
 %{unsupported_tools_directory}/tstclnt
 %{unsupported_tools_directory}/vfyserv
 %{unsupported_tools_directory}/vfychain
-# instead of %{_mandir}/man*/* let's list them explicitely
+# instead of %%{_mandir}/man*/* let's list them explicitely
 # supported tools
 %attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
 %attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
@@ -763,6 +763,81 @@ fi
 
 
 %changelog
+* Mon Mar 03 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-6
+- Disallow disabling the internal module
+- Resolves: Bug 1056036 - nss segfaults with opencryptoki module
+
+* Thu Feb 20 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-5
+- Pick up a fix from rhel-6 and fix an rpm conflict
+- Don't hold issuer cert handles in crl cache
+- Resolves: Bug 1034409 - deadlock in trust domain and object lock
+- Move nss shared db files to the main package
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Mon Jan 27 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-4
+- Update pem sources to latest from nss-pem upstream
+- Pick up pem module fixes verified on RHEL and applied upstream
+- Remove no loger needed pem patches on acccount on this update
+- Add comments documenting the iquote.patch 
+- Resolves: Bug 1054457 - CVE-2013-1740
+
+* Sun Jan 26 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-3
+- Remove spurious man5 wildcard entry as all manpages are listed by name
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.15.4-2
+- Mass rebuild 2014-01-24
+
+* Sun Jan 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-9
+- Rebase to nss-3.15.4
+- Resolves: Bug 1054457 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue
+- Remove no longer needed patches for manpages that were applied upstream
+- Remove no longer needed patch to disable ocsp stapling tests
+- Update iquote.patch on account of upstream changes
+- Update and rename patch to pem/rsawrapr.c on account of upstream changes
+- Use the pristine upstream sources for nss without repackaging
+- Avoid unneeded manual step which may introduce errors
+
+* Sun Jan 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-8
+- Fix the spec file to apply the nss ecc list patch for bug 752980
+- Resolves: Bug 752980 - Support ECDSA algorithm in the nss package via puggable ecc
+
+* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-7
+- Move several nss-sysinit manpages tar archives to the %%files
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-6
+- Fix a coverity scan compile time warning for the pem module
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Wed Jan 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-5
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Thu Jan 09 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-4
+- Improve pluggable ECC support for ECDSA
+- Resolves: Bug 752980 - [7.0 FEAT] Support ECDSA algorithm in the nss package
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.15.3-3
+- Mass rebuild 2013-12-27
+
+* Thu Dec 12 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
+- Revoke trust in one mis-issued anssi certificate
+- Resolves: Bug 1040284 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-7.0]
+
+* Mon Nov 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
+- Update to NSS_3_15_3_RTM
+- Resolves: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
+
+* Wed Nov 13 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-10
+- Fix path to script and remove -- from some options in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit worong path and other flaws
+
+* Tue Nov 12 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-9
+- Fix certutil man page options names to be consistent with help
+- Resolves: rhbz#948495 - man page scan results for nss
+- Remove incorrect count argument in status description in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit incorrect option descriptions
+
 * Wed Nov 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-8
 - Fix patch for disabling ssl2 in ssl to correctly set error code
 - Fix syntax error reported in the build.log even tough it succeeds