diff --git a/.gitignore b/.gitignore
index 4f7cff8..4befa78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,6 @@
-SOURCES/PayPalEE.cert
-SOURCES/PayPalICA.cert
-SOURCES/TestOldCA.p12
 SOURCES/blank-cert8.db
 SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.67.tar.gz
+SOURCES/nss-3.79.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
index d284a79..b374a5a 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,9 +1,6 @@
-bc5c03643bfa1a5ea8519b8e7e2d7d5e30abea30 SOURCES/PayPalEE.cert
-7e2f3a4f8fe8fa8a5730aeca029696637e986f3f SOURCES/PayPalICA.cert
-706c3f929a1e7eca473be12fcd92620709fdada6 SOURCES/TestOldCA.p12
 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-9cccf98f0476905c0d863a6b2cb08a1955482241 SOURCES/nss-3.67.tar.gz
+3719dd97c8ec9cb04aa61e6aca41b129b4adc004 SOURCES/nss-3.79.tar.gz
diff --git a/SOURCES/NameConstraints.ipaca.cert b/SOURCES/NameConstraints.ipaca.cert
deleted file mode 100644
index 4a451f3..0000000
Binary files a/SOURCES/NameConstraints.ipaca.cert and /dev/null differ
diff --git a/SOURCES/NameConstraints.ocsp1.cert b/SOURCES/NameConstraints.ocsp1.cert
deleted file mode 100644
index 817faaf..0000000
Binary files a/SOURCES/NameConstraints.ocsp1.cert and /dev/null differ
diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert
deleted file mode 100644
index dae0196..0000000
Binary files a/SOURCES/PayPalRootCA.cert and /dev/null differ
diff --git a/SOURCES/TestCA.ca.cert b/SOURCES/TestCA.ca.cert
deleted file mode 100644
index 929b793..0000000
Binary files a/SOURCES/TestCA.ca.cert and /dev/null differ
diff --git a/SOURCES/TestUser50.cert b/SOURCES/TestUser50.cert
deleted file mode 100644
index ed71727..0000000
Binary files a/SOURCES/TestUser50.cert and /dev/null differ
diff --git a/SOURCES/TestUser51.cert b/SOURCES/TestUser51.cert
deleted file mode 100644
index 1b45db2..0000000
Binary files a/SOURCES/TestUser51.cert and /dev/null differ
diff --git a/SOURCES/nss-3.53-fix-private_key_mac.patch b/SOURCES/nss-3.53-fix-private_key_mac.patch
deleted file mode 100644
index 60df7d5..0000000
--- a/SOURCES/nss-3.53-fix-private_key_mac.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
---- a/lib/softoken/sftkpwd.c
-+++ b/lib/softoken/sftkpwd.c
-@@ -277,17 +277,19 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
-     *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
-                                  PR_FALSE, NULL);
-     if (*plain == NULL) {
-         rv = SECFailure;
-         goto loser;
-     }
- 
-     /* If we are using aes 256, we need to check authentication as well.*/
--    if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
-+    if ((type != CKT_INVALID_TYPE) && 
-+	(cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
-+        (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
-         SECItem signature;
-         unsigned char signData[SDB_MAX_META_DATA_LEN];
- 
-         /* if we get here from the old legacy db, there is clearly an
-          * error, don't return the plaintext */
-         if (handle == NULL) {
-             rv = SECFailure;
-             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-@@ -299,17 +301,27 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
-         rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
-                                           &signature);
-         if (rv != SECSuccess) {
-             goto loser;
-         }
-         rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
-                                     *plain, &signature);
-         if (rv != SECSuccess) {
--            goto loser;
-+            /*  handle a bug where old versions of NSS misfiled the signature
-+             *  attribute on password update */
-+            id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
-+            signature.len = sizeof(signData);
-+            rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
-+                                              &signature);
-+            if (rv != SECSuccess) {
-+                goto loser;
-+            }
-+            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
-+                                        type, *plain, &signature);
-         }
-     }
- 
- loser:
-     if (cipherValue.param) {
-         nsspkcs5_DestroyPBEParameter(cipherValue.param);
-     }
-     if (cipherValue.arena) {
-@@ -1186,16 +1198,17 @@ sftk_updateEncrypted(PLArenaPool *arena,
-     };
-     const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
- 
-     // We don't know what attributes this object has, so we update them one at a
-     // time.
-     unsigned int i;
-     for (i = 0; i < privAttrCount; i++) {
-         // Read the old attribute in the clear.
-+        CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
-         CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
-         CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
-         if (crv != CKR_OK) {
-             continue;
-         }
-         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
-             continue;
-         }
-@@ -1210,30 +1223,29 @@ sftk_updateEncrypted(PLArenaPool *arena,
-         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
-             return CKR_GENERAL_ERROR;
-         }
-         SECItem plainText;
-         SECItem *result;
-         plainText.data = privAttr.pValue;
-         plainText.len = privAttr.ulValueLen;
-         if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
--                                    iterationCount, id, privAttr.type,
-+                                    iterationCount, sdbId, privAttr.type,
-                                     &plainText, &result) != SECSuccess) {
-             return CKR_GENERAL_ERROR;
-         }
-         privAttr.pValue = result->data;
-         privAttr.ulValueLen = result->len;
-         // Clear sensitive data.
-         PORT_Memset(plainText.data, 0, plainText.len);
- 
-         // Write the newly encrypted attributes out directly.
--        CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
-         keydb->newKey = newKey;
-         keydb->newDefaultIterationCount = iterationCount;
--        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
-+        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
-         keydb->newKey = NULL;
-         if (crv != CKR_OK) {
-             return crv;
-         }
-     }
- 
-     return CKR_OK;
- }
diff --git a/SOURCES/nss-3.66-no-combo-tests.patch b/SOURCES/nss-3.66-no-combo-tests.patch
deleted file mode 100644
index 32f7c35..0000000
--- a/SOURCES/nss-3.66-no-combo-tests.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-diff -up ./gtests/freebl_gtest/rsa_unittest.cc.oldsoft ./gtests/freebl_gtest/rsa_unittest.cc
---- ./gtests/freebl_gtest/rsa_unittest.cc.oldsoft	2021-05-28 09:50:43.000000000 +0000
-+++ ./gtests/freebl_gtest/rsa_unittest.cc	2021-06-11 19:06:57.778552974 +0000
-@@ -9,6 +9,7 @@
- 
- #include "blapi.h"
- #include "secitem.h"
-+#include "prenv.h"
- 
- template <class T>
- struct ScopedDelete {
-@@ -76,6 +77,13 @@ TEST_F(RSATest, DecryptBlockTestErrors)
-                                   in_small, sizeof(in_small));
-   EXPECT_EQ(SECFailure, rv);
- 
-+  char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN");
-+  if (env) {
-+    std::cerr << "Skipping RSA blapi DecryptBlockTestErrors because of"
-+              << " semantic differences between old and new softoken."
-+              << std::endl;
-+  }
-+
-   uint8_t in[256] = {0};
-   // This should fail because the padding checks will fail,
-   // however, mitigations for Bleichenbacher attacks transform failures
-diff -up ./gtests/pk11_gtest/pk11_ike_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_ike_unittest.cc
---- ./gtests/pk11_gtest/pk11_ike_unittest.cc.oldsoft	2021-05-28 09:50:43.000000000 +0000
-+++ ./gtests/pk11_gtest/pk11_ike_unittest.cc	2021-06-11 19:41:20.381137781 +0000
-@@ -12,8 +12,10 @@
- #include "pk11pub.h"
- #include "secerr.h"
- #include "sechash.h"
-+#include "hasht.h"
- #include "util.h"
- #include "databuffer.h"
-+#include "prenv.h"
- 
- #include "testvectors/ike-sha1-vectors.h"
- #include "testvectors/ike-sha256-vectors.h"
-@@ -23,6 +25,24 @@
- 
- namespace nss_test {
- 
-+unsigned mech_to_size(CK_MECHANISM_TYPE mech) {
-+    switch (mech) {
-+    case CKM_SHA_1_HMAC:
-+        return SHA1_LENGTH;
-+    case CKM_SHA256_HMAC:
-+        return SHA256_LENGTH;
-+    case CKM_SHA384_HMAC:
-+        return SHA384_LENGTH;
-+    case CKM_SHA512_HMAC:
-+        return SHA512_LENGTH;
-+    case CKM_AES_XCBC_MAC:
-+        return AES_BLOCK_SIZE;
-+    default:
-+        break;
-+    }
-+    return 0;
-+}
-+
- class Pkcs11IkeTest : public ::testing::TestWithParam<
-                           std::tuple<IkeTestVector, CK_MECHANISM_TYPE>> {
-  protected:
-@@ -59,6 +79,7 @@ class Pkcs11IkeTest : public ::testing::
-     ScopedPK11SymKey gxy_key = nullptr;
-     ScopedPK11SymKey prev_key = nullptr;
-     ScopedPK11SymKey ikm = ImportKey(ikm_item);
-+    unsigned hashsize = mech_to_size(prf_mech);
- 
-     // IKE_PRF structure (used in cases 1, 2 and 3)
-     CK_NSS_IKE_PRF_DERIVE_PARAMS nss_ike_prf_params = {
-@@ -148,6 +169,14 @@ class Pkcs11IkeTest : public ::testing::
-     ScopedPK11SymKey okm = ScopedPK11SymKey(
-         PK11_Derive(ikm.get(), derive_mech, &params_item,
-                     CKM_GENERIC_SECRET_KEY_GEN, CKA_DERIVE, vec.size));
-+    char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN");
-+    if (env  && (derive_mech == CKM_NSS_IKE1_APP_B_PRF_DERIVE) &&
-+            (vec.size <= hashsize)) {
-+      std::cerr << "Skipping Test #" << std::to_string(vec.id) 
-+               << ". Old tokens process APP B Prf for small keys incorrectly" 
-+               << std::endl;
-+      return;
-+    }
-     if (vec.valid) {
-       ASSERT_NE(nullptr, okm.get()) << msg;
-       ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(okm.get())) << msg;
-diff -up ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc
---- ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc.oldsoft	2021-05-28 09:50:43.000000000 +0000
-+++ ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc	2021-06-11 19:06:57.779552981 +0000
-@@ -14,6 +14,7 @@
- #include "nss_scoped_ptrs.h"
- #include "pk11pub.h"
- #include "databuffer.h"
-+#include "prenv.h"
- 
- #include "testvectors/rsa_pkcs1_2048_test-vectors.h"
- #include "testvectors/rsa_pkcs1_3072_test-vectors.h"
-@@ -45,6 +46,14 @@ class RsaDecryptWycheproofTest
-     rv = PK11_PrivDecryptPKCS1(priv_key.get(), decrypted.data(), &decrypted_len,
-                                decrypted.size(), vec.ct.data(), vec.ct.size());
- 
-+    // semantics changed since the old softken
-+    char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN");
-+    if (env && vec.valid && (rv == SECFailure)) {
-+        std::cerr << "Skipping Decrypt test. Old softoken failed on bad data,"
-+                  << "New softoken generates fake data" << std::endl;
-+        return;
-+    }
-+
-     if (vec.valid) {
-       EXPECT_EQ(SECSuccess, rv);
-       decrypted.resize(decrypted_len);
-diff -up ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
---- ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc.oldsoft	2021-05-28 09:50:43.000000000 +0000
-+++ ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc	2021-06-11 19:06:57.780552988 +0000
-@@ -13,6 +13,7 @@
- #include "nss.h"
- #include "nss_scoped_ptrs.h"
- #include "pk11pub.h"
-+#include "prenv.h"
- 
- #include "testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h"
- #include "testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h"
-@@ -161,6 +162,12 @@ TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwr
-   rv = PK11_ExtractKeyValue(to_wrap.get());
-   ASSERT_EQ(rv, SECSuccess);
- 
-+  char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");
-+  if (env) {
-+    std::cerr << "Skipping OAEP test, not supported in old softoken\n";
-+    return;
-+  }
-+
-   // References owned by PKCS#11 layer; no need to scope and free.
-   SECItem* expectedItem = PK11_GetKeyData(to_wrap.get());
- 
-diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
---- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.oldsoft	2021-05-28 09:50:43.000000000 +0000
-+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc	2021-06-11 19:06:57.781552995 +0000
-@@ -16,6 +16,7 @@
- #include "secerr.h"
- #include "sechash.h"
- #include "pk11_signature_test.h"
-+#include "prenv.h"
- 
- #include "testvectors/rsa_signature_2048_sha224-vectors.h"
- #include "testvectors/rsa_signature_2048_sha256-vectors.h"
-@@ -175,6 +176,13 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)
-   SECItem hash_item = {siBuffer, toUcharPtr(hash.data()),
-                        static_cast<unsigned int>(hash.len())};
-   SECItem sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len};
-+
-+  char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");
-+  if (env) {
-+    std::cerr << "Skipping pkcs1 padding test, not supported in old softoken\n";
-+    return;
-+  }
-+
-   rv = VFY_VerifyDigestDirect(&hash_item, short_pub.get(), &sig_item,
-                               SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
-                               nullptr);
-diff -up ./gtests/pk11_gtest/pk11_signature_test.cc.oldsoft ./gtests/pk11_gtest/pk11_signature_test.cc
---- ./gtests/pk11_gtest/pk11_signature_test.cc.oldsoft	2021-05-28 09:50:43.000000000 +0000
-+++ ./gtests/pk11_gtest/pk11_signature_test.cc	2021-06-11 19:06:57.781552995 +0000
-@@ -4,6 +4,7 @@
- 
- #include <memory>
- #include "nss.h"
-+#include "prenv.h"
- #include "pk11pub.h"
- #include "sechash.h"
- #include "prerror.h"
-@@ -77,6 +78,25 @@ bool Pk11SignatureTest::SignData(ScopedS
-   EXPECT_LT(0, (int)sigLen);
-   sig->Allocate(static_cast<size_t>(sigLen));
- 
-+  char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");
-+  if (env != NULL) {
-+    std::cerr << "Skipping combo mechanism 0x" << std::hex << combo_
-+              << ", no token support.\n";
-+    DataBuffer hash;
-+    if (!ComputeHash(data, &hash)) {
-+      ADD_FAILURE() << "Failed to compute hash";
-+      return false;
-+    }
-+    if (!SignHashedData(privKey, hash, sig)) {
-+      ADD_FAILURE() << "Failed to sign hashed data";
-+      return false;
-+    }
-+    
-+    return true;
-+  } else {
-+    std::cerr << "PR_GetEnvSecure(\"NSS_OLD_SOFTOKEN\") return null!!!\n";
-+  }
-+
-   // test the hash and verify interface */
-   PK11Context* context = PK11_CreateContextByPrivKey(
-       combo_, CKA_SIGN, privKey.get(), parameters());
-@@ -160,6 +180,17 @@ void Pk11SignatureTest::Verify(const Pkc
-     EXPECT_EQ(rv, valid ? SECSuccess : SECFailure);
-   }
- 
-+  /* old softokens don't understand all the new combo mechanism. */
-+  /* skip it */
-+  char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN");
-+  if (env != NULL) {
-+    std::cerr << "Skipping combo mechanism 0x" << std::hex << combo_
-+              << ", no token support.\n";
-+    return;
-+  }  else {
-+    std::cerr << "PR_GetEnvSecure(\"NSS_OLD_SOFTOKEN\") return null!!!\n";
-+  }
-+
-   // test the hash and verify interface */
-   PK11Context* context = PK11_CreateContextByPubKey(
-       combo_, CKA_VERIFY, pubKey.get(), parameters(), NULL);
diff --git a/SOURCES/nss-3.66-no-small-primes.patch b/SOURCES/nss-3.66-no-small-primes.patch
deleted file mode 100644
index 31be316..0000000
--- a/SOURCES/nss-3.66-no-small-primes.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff -up ./gtests/softoken_gtest/softoken_dh_vectors.h.orig ./gtests/softoken_gtest/softoken_dh_vectors.h
---- ./gtests/softoken_gtest/softoken_dh_vectors.h.orig	2021-06-02 16:57:50.557008790 -0700
-+++ ./gtests/softoken_gtest/softoken_dh_vectors.h	2021-06-02 16:59:52.781735096 -0700
-@@ -2872,7 +2872,7 @@ static const DhTestVector DH_TEST_VECTOR
-      {siBuffer, (unsigned char *)g2, sizeof(g2)},
-      {siBuffer, NULL, 0},
-      {siBuffer, NULL, 0},
--     IKE_APPROVED,
-+     SAFE_PRIME,
-      CLASS_1536},
-     {"IKE 2048",
-      {siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},
-@@ -2952,7 +2952,7 @@ static const DhTestVector DH_TEST_VECTOR
-      {siBuffer, (unsigned char *)sub2_prime_ike_1536,
-       sizeof(sub2_prime_ike_1536)},
-      {siBuffer, NULL, 0},
--     IKE_APPROVED,
-+     SAFE_PRIME,
-      CLASS_1536},
-     {"IKE 2048 with subprime",
-      {siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},
-diff -up ./lib/softoken/pkcs11c.c.orig ./lib/softoken/pkcs11c.c
---- ./lib/softoken/pkcs11c.c.orig	2021-05-28 02:50:43.000000000 -0700
-+++ ./lib/softoken/pkcs11c.c	2021-06-02 16:52:01.196932757 -0700
-@@ -5193,7 +5193,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
-                 /* subprime not supplied, In this case look it up.
-                  * This only works with approved primes, but in FIPS mode
-                  * that's the only kine of prime that will get here */
--                subPrimePtr = sftk_VerifyDH_Prime(&prime);
-+                subPrimePtr = sftk_VerifyDH_Prime(&prime,isFIPS);
-                 if (subPrimePtr == NULL) {
-                     crv = CKR_GENERAL_ERROR;
-                     goto done;
-@@ -8351,7 +8351,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
- 
-             /* if the prime is an approved prime, we can skip all the other
-              * checks. */
--            subPrime = sftk_VerifyDH_Prime(&dhPrime);
-+            subPrime = sftk_VerifyDH_Prime(&dhPrime,isFIPS);
-             if (subPrime == NULL) {
-                 SECItem dhSubPrime;
-                 /* If the caller set the subprime value, it means that
-diff -up ./lib/softoken/pkcs11i.h.orig ./lib/softoken/pkcs11i.h
---- ./lib/softoken/pkcs11i.h.orig	2021-06-02 16:52:01.196932757 -0700
-+++ ./lib/softoken/pkcs11i.h	2021-06-02 16:52:54.281248207 -0700
-@@ -946,7 +946,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
- /* dh verify functions */
- /* verify that dhPrime matches one of our known primes, and if so return
-  * it's subprime value */
--const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime);
-+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
- /* check if dhSubPrime claims dhPrime is a safe prime. */
- SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
- /* map an operation Attribute to a Mechanism flag */
-diff -up ./lib/softoken/pkcs11u.c.orig ./lib/softoken/pkcs11u.c
---- ./lib/softoken/pkcs11u.c.orig	2021-06-02 16:54:23.387777705 -0700
-+++ ./lib/softoken/pkcs11u.c	2021-06-02 16:54:51.012941866 -0700
-@@ -2312,7 +2312,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-             if (crv != CKR_OK) {
-                 return PR_FALSE;
-             }
--            dhSubPrime = sftk_VerifyDH_Prime(&dhPrime);
-+            dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
-             SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
-             return (dhSubPrime) ? PR_TRUE : PR_FALSE;
-         }
-diff -up ./lib/softoken/sftkdhverify.c.orig ./lib/softoken/sftkdhverify.c
---- ./lib/softoken/sftkdhverify.c.orig	2021-05-28 02:50:43.000000000 -0700
-+++ ./lib/softoken/sftkdhverify.c	2021-06-02 16:52:01.196932757 -0700
-@@ -1171,11 +1171,15 @@ static const SECItem subprime_tls_8192 =
-  * verify that dhPrime matches one of our known primes
-  */
- const SECItem *
--sftk_VerifyDH_Prime(SECItem *dhPrime)
-+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
- {
-     /* use the length to decide which primes to check */
-     switch (dhPrime->len) {
-         case 1536 / PR_BITS_PER_BYTE:
-+            /* don't accept 1536 bit primes in FIPS mode */
-+            if (isFIPS) {
-+                break;
-+            }
-             if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
-                             sizeof(prime_ike_1536)) == 0) {
-                 return &subprime_ike_1536;
diff --git a/SOURCES/nss-3.67-cve-2021-43527-test.patch b/SOURCES/nss-3.67-cve-2021-43527-test.patch
deleted file mode 100644
index 51cb8e0..0000000
--- a/SOURCES/nss-3.67-cve-2021-43527-test.patch
+++ /dev/null
@@ -1,325 +0,0 @@
-diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
-new file mode 100644
---- /dev/null
-+++ b/tests/cert/Leaf-bogus-dsa.crt
-@@ -0,0 +1,143 @@
-+-----BEGIN CERTIFICATE-----
-+MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl
-+RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw
-+WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0
-+dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq
-+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
-+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
-+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
-+u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
-+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
-+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
-+zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
-+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
-+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG
-+ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
-+7u7u7u7uAoIIAQD/////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+////////////////////////////////////////////////////////////////
-+/////////////////////////////////////////////////////////w==
-+-----END CERTIFICATE-----
-diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
-new file mode 100644
---- /dev/null
-+++ b/tests/cert/Leaf-bogus-rsa-pss.crt
-@@ -0,0 +1,126 @@
-+-----BEGIN CERTIFICATE-----
-+MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
-+AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
-+EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
-+MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
-+AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
-+RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
-+CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
-+CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
-+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
-+-----END CERTIFICATE-----
-diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
---- a/tests/cert/cert.sh
-+++ b/tests/cert/cert.sh
-@@ -114,16 +114,28 @@ certu()
-         cert_log "ERROR: ${CU_ACTION} failed $RET"
-     else
-         html_passed "${CU_ACTION}"
-     fi
- 
-     return $RET
- }
- 
-+cert_test_vfy()
-+{
-+  echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
-+  echo " vfychain -a  Leaf-bogus-dsa.crt"
-+  vfychain -a  ${QADIR}/cert/Leaf-bogus-dsa.crt
-+  html_msg $? 1 "Verify large dsa signature"
-+  echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
-+  echo " vfychain -a  Leaf-bogus-rsa-pss.crt"
-+  vfychain -a  ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
-+  html_msg $? 1 "Verify large rsa pss signature"
-+}
-+
- ################################ crlu #################################
- # local shell function to call crlutil, also: writes action and options to
- # stdout, sets variable RET and writes results to the html file results
- ########################################################################
- crlu()
- {
-     echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
-     
-@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
- else
-     echo "$SCRIPTNAME: Skipping CRL Tests"
- fi
- 
- if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
-     cert_stresscerts
- fi
- 
-+cert_test_vfy
-+
- cert_iopr_setup
- 
- cert_cleanup
diff --git a/SOURCES/nss-3.67-cve-2021-43527.patch b/SOURCES/nss-3.67-cve-2021-43527.patch
deleted file mode 100644
index 8fc81d3..0000000
--- a/SOURCES/nss-3.67-cve-2021-43527.patch
+++ /dev/null
@@ -1,279 +0,0 @@
-diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
---- a/lib/cryptohi/secvfy.c
-+++ b/lib/cryptohi/secvfy.c
-@@ -164,6 +164,37 @@
-         PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
- }
- 
-+static unsigned int
-+checkedSignatureLen(const SECKEYPublicKey *pubk)
-+{
-+    unsigned int sigLen = SECKEY_SignatureLen(pubk);
-+    if (sigLen == 0) {
-+        /* Error set by SECKEY_SignatureLen */
-+        return sigLen;
-+    }
-+    unsigned int maxSigLen;
-+    switch (pubk->keyType) {
-+        case rsaKey:
-+        case rsaPssKey:
-+            maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
-+            break;
-+        case dsaKey:
-+            maxSigLen = DSA_MAX_SIGNATURE_LEN;
-+            break;
-+        case ecKey:
-+            maxSigLen = 2 * MAX_ECKEY_LEN;
-+            break;
-+        default:
-+            PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-+            return 0;
-+    }
-+    if (sigLen > maxSigLen) {
-+        PORT_SetError(SEC_ERROR_INVALID_KEY);
-+        return 0;
-+    }
-+    return sigLen;
-+}
-+
- /*
-  * decode the ECDSA or DSA signature from it's DER wrapping.
-  * The unwrapped/raw signature is placed in the buffer pointed
-@@ -174,38 +205,38 @@
-                        unsigned int len)
- {
-     SECItem *dsasig = NULL; /* also used for ECDSA */
--    SECStatus rv = SECSuccess;
- 
--    if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
--        (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
--        if (sig->len != len) {
--            PORT_SetError(SEC_ERROR_BAD_DER);
--            return SECFailure;
-+    /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
-+    if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
-+        if (len > DSA_MAX_SIGNATURE_LEN) {
-+            goto loser;
-         }
--
--        PORT_Memcpy(dsig, sig->data, sig->len);
--        return SECSuccess;
-+    } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
-+        if (len > MAX_ECKEY_LEN * 2) {
-+            goto loser;
-+        }
-+    } else {
-+        goto loser;
-     }
- 
--    if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
--        if (len > MAX_ECKEY_LEN * 2) {
--            PORT_SetError(SEC_ERROR_BAD_DER);
--            return SECFailure;
--        }
-+    /* Decode and pad to length */
-+    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
-+    if (dsasig == NULL) {
-+        goto loser;
-     }
--    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
--
--    if ((dsasig == NULL) || (dsasig->len != len)) {
--        rv = SECFailure;
--    } else {
--        PORT_Memcpy(dsig, dsasig->data, dsasig->len);
-+    if (dsasig->len != len) {
-+        SECITEM_FreeItem(dsasig, PR_TRUE);
-+        goto loser;
-     }
- 
--    if (dsasig != NULL)
--        SECITEM_FreeItem(dsasig, PR_TRUE);
--    if (rv == SECFailure)
--        PORT_SetError(SEC_ERROR_BAD_DER);
--    return rv;
-+    PORT_Memcpy(dsig, dsasig->data, len);
-+    SECITEM_FreeItem(dsasig, PR_TRUE);
-+
-+    return SECSuccess;
-+
-+loser:
-+    PORT_SetError(SEC_ERROR_BAD_DER);
-+    return SECFailure;
- }
- 
- const SEC_ASN1Template hashParameterTemplate[] =
-@@ -281,7 +312,7 @@
- sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
-                  const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
- {
--    int len;
-+    unsigned int len;
-     PLArenaPool *arena;
-     SECStatus rv;
-     SECItem oid;
-@@ -466,48 +497,52 @@
-     cx->pkcs1RSADigestInfo = NULL;
-     rv = SECSuccess;
-     if (sig) {
--        switch (type) {
--            case rsaKey:
--                rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
--                                            &cx->pkcs1RSADigestInfo,
--                                            &cx->pkcs1RSADigestInfoLen,
--                                            cx->key,
--                                            sig, wincx);
--                break;
--            case rsaPssKey:
--                sigLen = SECKEY_SignatureLen(key);
--                if (sigLen == 0) {
--                    /* error set by SECKEY_SignatureLen */
--                    rv = SECFailure;
-+        rv = SECFailure;
-+        if (type == rsaKey) {
-+            rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
-+                                        &cx->pkcs1RSADigestInfo,
-+                                        &cx->pkcs1RSADigestInfoLen,
-+                                        cx->key,
-+                                        sig, wincx);
-+        } else {
-+            sigLen = checkedSignatureLen(key);
-+            /* Check signature length is within limits */
-+            if (sigLen == 0) {
-+                /* error set by checkedSignatureLen */
-+                rv = SECFailure;
-+                goto loser;
-+            }
-+            if (sigLen > sizeof(cx->u)) {
-+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                rv = SECFailure;
-+                goto loser;
-+            }
-+            switch (type) {
-+                case rsaPssKey:
-+                    if (sig->len != sigLen) {
-+                        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                        rv = SECFailure;
-+                        goto loser;
-+                    }
-+                    PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
-+                    rv = SECSuccess;
-                     break;
--                }
--                if (sig->len != sigLen) {
--                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                case ecKey:
-+                case dsaKey:
-+                    /* decodeECorDSASignature will check sigLen == sig->len after padding */
-+                    rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
-+                    break;
-+                default:
-+                    /* Unreachable */
-                     rv = SECFailure;
--                    break;
--                }
--                PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
--                break;
--            case dsaKey:
--            case ecKey:
--                sigLen = SECKEY_SignatureLen(key);
--                if (sigLen == 0) {
--                    /* error set by SECKEY_SignatureLen */
--                    rv = SECFailure;
--                    break;
--                }
--                rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
--                break;
--            default:
--                rv = SECFailure;
--                PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
--                break;
-+                    goto loser;
-+            }
-+        }
-+        if (rv != SECSuccess) {
-+            goto loser;
-         }
-     }
- 
--    if (rv)
--        goto loser;
--
-     /* check hash alg again, RSA may have changed it.*/
-     if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
-         /* error set by HASH_GetHashTypeByOidTag */
-@@ -650,11 +685,16 @@
-     switch (cx->key->keyType) {
-         case ecKey:
-         case dsaKey:
--            dsasig.data = cx->u.buffer;
--            dsasig.len = SECKEY_SignatureLen(cx->key);
-+            dsasig.len = checkedSignatureLen(cx->key);
-             if (dsasig.len == 0) {
-                 return SECFailure;
-             }
-+            if (dsasig.len > sizeof(cx->u)) {
-+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                return SECFailure;
-+            }
-+            dsasig.data = cx->u.buffer;
-+
-             if (sig) {
-                 rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
-                                             dsasig.len);
-@@ -686,8 +726,13 @@
-                 }
- 
-                 rsasig.data = cx->u.buffer;
--                rsasig.len = SECKEY_SignatureLen(cx->key);
-+                rsasig.len = checkedSignatureLen(cx->key);
-                 if (rsasig.len == 0) {
-+                    /* Error set by checkedSignatureLen */
-+                    return SECFailure;
-+                }
-+                if (rsasig.len > sizeof(cx->u)) {
-+                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                     return SECFailure;
-                 }
-                 if (sig) {
-@@ -749,7 +794,6 @@
-     SECStatus rv;
-     VFYContext *cx;
-     SECItem dsasig; /* also used for ECDSA */
--
-     rv = SECFailure;
- 
-     cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
-@@ -757,19 +801,25 @@
-         switch (key->keyType) {
-             case rsaKey:
-                 rv = verifyPKCS1DigestInfo(cx, digest);
-+                /* Error (if any) set by verifyPKCS1DigestInfo */
-                 break;
--            case dsaKey:
-             case ecKey:
-+            case dsaKey:
-                 dsasig.data = cx->u.buffer;
--                dsasig.len = SECKEY_SignatureLen(cx->key);
-+                dsasig.len = checkedSignatureLen(cx->key);
-                 if (dsasig.len == 0) {
-+                    /* Error set by checkedSignatureLen */
-+                    rv = SECFailure;
-                     break;
-                 }
--                if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
--                    SECSuccess) {
-+                if (dsasig.len > sizeof(cx->u)) {
-                     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
--                } else {
--                    rv = SECSuccess;
-+                    rv = SECFailure;
-+                    break;
-+                }
-+                rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
-+                if (rv != SECSuccess) {
-+                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                 }
-                 break;
-             default:
-
diff --git a/SOURCES/nss-3.67-fix-pkcs12-policy.patch b/SOURCES/nss-3.67-fix-pkcs12-policy.patch
deleted file mode 100644
index 26912a5..0000000
--- a/SOURCES/nss-3.67-fix-pkcs12-policy.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -up ./lib/pkcs12/p12plcy.c.policy_enable_fix ./lib/pkcs12/p12plcy.c
---- ./lib/pkcs12/p12plcy.c.policy_enable_fix	2021-09-21 15:58:46.013861285 -0700
-+++ ./lib/pkcs12/p12plcy.c	2021-09-21 15:59:06.440987853 -0700
-@@ -85,17 +85,12 @@ SECStatus
- SEC_PKCS12EnableCipher(long which, int on)
- {
-     int i;
--    SECStatus rv;
-     PRUint32 set = on ? NSS_USE_ALG_IN_PKCS12 : 0;
-     PRUint32 clear = on ? 0 : NSS_USE_ALG_IN_PKCS12;
- 
-     for (i = 0; pkcs12SuiteMaps[i].suite != 0L; i++) {
-         if (pkcs12SuiteMaps[i].suite == (unsigned long)which) {
--            rv = NSS_SetAlgorithmPolicy(pkcs12SuiteMaps[i].algTag, set, clear);
--            /* could fail if the policy has been locked */
--            if (rv != SECSuccess) {
--                return rv;
--            }
-+            return NSS_SetAlgorithmPolicy(pkcs12SuiteMaps[i].algTag, set, clear);
-         }
-     }
-     PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
diff --git a/SOURCES/nss-3.67-fix-sdb-timeout.patch b/SOURCES/nss-3.67-fix-sdb-timeout.patch
deleted file mode 100644
index 120cb5b..0000000
--- a/SOURCES/nss-3.67-fix-sdb-timeout.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c
---- a/lib/softoken/sdb.c
-+++ b/lib/softoken/sdb.c
-@@ -1519,16 +1519,18 @@ sdb_Begin(SDB *sdb)
- 
-     sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL);
- 
-     do {
-         sqlerr = sqlite3_step(stmt);
-         if (sqlerr == SQLITE_BUSY) {
-             PR_Sleep(SDB_BUSY_RETRY_TIME);
-         }
-+        /* don't retry BEGIN transaction*/
-+        retry = 0;
-     } while (!sdb_done(sqlerr, &retry));
- 
-     if (stmt) {
-         sqlite3_reset(stmt);
-         sqlite3_finalize(stmt);
-     }
- 
- loser:
-diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
---- a/lib/softoken/sftkdb.c
-+++ b/lib/softoken/sftkdb.c
-@@ -1521,17 +1521,17 @@ sftkdb_DestroyObject(SFTKDBHandle *handl
-     if (handle == NULL) {
-         return CKR_TOKEN_WRITE_PROTECTED;
-     }
-     db = SFTK_GET_SDB(handle);
-     objectID &= SFTK_OBJ_ID_MASK;
- 
-     crv = (*db->sdb_Begin)(db);
-     if (crv != CKR_OK) {
--        goto loser;
-+        return crv;
-     }
-     crv = (*db->sdb_DestroyObject)(db, objectID);
-     if (crv != CKR_OK) {
-         goto loser;
-     }
-     /* if the database supports meta data, delete any old signatures
-      * that we may have added */
-     if ((db->sdb_flags & SDB_HAS_META) == SDB_HAS_META) {
-@@ -2456,17 +2456,17 @@ sftkdb_Update(SFTKDBHandle *handle, SECI
-         return CKR_OK;
-     }
-     /*
-      * put the whole update under a transaction. This allows us to handle
-      * any possible race conditions between with the updateID check.
-      */
-     crv = (*handle->db->sdb_Begin)(handle->db);
-     if (crv != CKR_OK) {
--        goto loser;
-+        return crv;
-     }
-     inTransaction = PR_TRUE;
- 
-     /* some one else has already updated this db */
-     if (sftkdb_hasUpdate(sftkdb_TypeString(handle),
-                          handle->db, handle->updateID)) {
-         crv = CKR_OK;
-         goto done;
diff --git a/SOURCES/nss-3.67-fix-ssl-alerts.patch b/SOURCES/nss-3.67-fix-ssl-alerts.patch
deleted file mode 100644
index 10cdaf5..0000000
--- a/SOURCES/nss-3.67-fix-ssl-alerts.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-diff -up ./lib/ssl/ssl3con.c.alert-fix ./lib/ssl/ssl3con.c
---- ./lib/ssl/ssl3con.c.alert-fix	2021-06-10 05:33:12.000000000 -0700
-+++ ./lib/ssl/ssl3con.c	2021-07-06 17:08:25.894018521 -0700
-@@ -4319,7 +4319,11 @@ ssl_SignatureSchemeValid(SSLSignatureSch
-     if (!ssl_IsSupportedSignatureScheme(scheme)) {
-         return PR_FALSE;
-     }
--    if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
-+    /* if we are purposefully passed SEC_OID_UNKOWN, it means
-+     * we not checking the scheme against a potential key, so skip
-+     * the call */
-+    if ((spkiOid != SEC_OID_UNKNOWN) &&
-+        !ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
-         return PR_FALSE;
-     }
-     if (isTls13) {
-@@ -4517,7 +4521,8 @@ ssl_CheckSignatureSchemeConsistency(sslS
-     }
- 
-     /* Verify that the signature scheme matches the signing key. */
--    if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
-+    if ((spkiOid == SEC_OID_UNKNOWN) || 
-+         !ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
-         PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
-         return SECFailure;
-     }
-@@ -4533,6 +4538,7 @@ ssl_CheckSignatureSchemeConsistency(sslS
- PRBool
- ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
- {
-+    PRBool isSupported = PR_FALSE;
-     switch (scheme) {
-         case ssl_sig_rsa_pkcs1_sha1:
-         case ssl_sig_rsa_pkcs1_sha256:
-@@ -4552,7 +4558,8 @@ ssl_IsSupportedSignatureScheme(SSLSignat
-         case ssl_sig_dsa_sha384:
-         case ssl_sig_dsa_sha512:
-         case ssl_sig_ecdsa_sha1:
--            return PR_TRUE;
-+            isSupported = PR_TRUE;
-+            break;
- 
-         case ssl_sig_rsa_pkcs1_sha1md5:
-         case ssl_sig_none:
-@@ -4560,7 +4567,19 @@ ssl_IsSupportedSignatureScheme(SSLSignat
-         case ssl_sig_ed448:
-             return PR_FALSE;
-     }
--    return PR_FALSE;
-+    if (isSupported) {
-+        SECOidTag hashOID = ssl3_HashTypeToOID(ssl_SignatureSchemeToHashType(scheme));
-+        PRUint32 policy;
-+        const PRUint32 sigSchemePolicy=
-+                NSS_USE_ALG_IN_SSL_KX|NSS_USE_ALG_IN_SIGNATURE;
-+        /* check hash policy */
-+        if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
-+            ((policy & sigSchemePolicy) != sigSchemePolicy)) {
-+            return PR_FALSE;
-+        }
-+        /* check algorithm policy */
-+    }
-+    return isSupported;
- }
- 
- PRBool
-@@ -6533,6 +6552,9 @@ ssl_PickSignatureScheme(sslSocket *ss,
-     }
- 
-     spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
-+    if (spkiOid == SEC_OID_UNKNOWN) {
-+        goto loser;
-+    }
- 
-     /* Now we have to search based on the key type. Go through our preferred
-      * schemes in order and find the first that can be used. */
-@@ -6547,6 +6569,7 @@ ssl_PickSignatureScheme(sslSocket *ss,
-         }
-     }
- 
-+loser:
-     PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
-     return SECFailure;
- }
-@@ -7700,7 +7723,8 @@ ssl_ParseSignatureSchemes(const sslSocke
-             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-             return SECFailure;
-         }
--        if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) {
-+        if (ssl_SignatureSchemeValid((SSLSignatureScheme)tmp, SEC_OID_UNKNOWN,
-+            (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {;
-             schemes[numSupported++] = (SSLSignatureScheme)tmp;
-         }
-     }
-@@ -10286,7 +10310,12 @@ ssl3_HandleCertificateVerify(sslSocket *
-         PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_record);
-         rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
-         if (rv != SECSuccess) {
--            goto loser; /* malformed or unsupported. */
-+            errCode = PORT_GetError();
-+            /* unsupported == illegal_parameter, others == handshake_failure. */
-+            if (errCode  == SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM) {
-+                desc = illegal_parameter;
-+            }
-+            goto alert_loser;
-         }
-         rv = ssl_CheckSignatureSchemeConsistency(
-             ss, sigScheme, &ss->sec.peerCert->subjectPublicKeyInfo);
-diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix ./gtests/ssl_gtest/ssl_extension_unittest.cc
---- ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix	2021-07-07 11:32:11.634376932 -0700
-+++ ./gtests/ssl_gtest/ssl_extension_unittest.cc	2021-07-07 11:33:30.595841110 -0700
-@@ -428,7 +428,10 @@ TEST_P(TlsExtensionTest12Plus, Signature
- }
- 
- TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) {
--  const uint8_t val[] = {0x00, 0x02, 0x04, 0x01, 0x00};  // sha-256, rsa
-+  // make sure the test uses an algorithm that is legal for
-+  // tls 1.3 (or tls 1.3 will through and illegalParameter
-+  // instead of a decode error)
-+  const uint8_t val[] = {0x00, 0x02, 0x08, 0x09, 0x00};  // sha-256, rsa-pss-pss
-   DataBuffer extension(val, sizeof(val));
-   ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
-       client_, ssl_signature_algorithms_xtn, extension));
diff --git a/SOURCES/nss-3.79-distrusted-certs.patch b/SOURCES/nss-3.79-distrusted-certs.patch
new file mode 100644
index 0000000..14a5b0c
--- /dev/null
+++ b/SOURCES/nss-3.79-distrusted-certs.patch
@@ -0,0 +1,375 @@
+# HG changeset patch
+# User John M. Schanck <jschanck@mozilla.com>
+# Date 1648094761 0
+#      Thu Mar 24 04:06:01 2022 +0000
+# Node ID b722e523d66297fe4bc1fac0ebb06203138eccbb
+# Parent  853b64626b19a46f41f4ba9c684490dc15923c94
+Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. r=KathleenWilson
+
+Differential Revision: https://phabricator.services.mozilla.com/D141919
+
+diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
+--- a/lib/ckfw/builtins/certdata.txt
++++ b/lib/ckfw/builtins/certdata.txt
+@@ -7663,197 +7663,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \377\377
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+-#
+-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+-# Serial Number: 268435455 (0xfffffff)
+-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+-# Not Valid Before: Wed May 12 08:51:39 2010
+-# Not Valid After : Mon Mar 23 09:50:05 2020
+-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
+-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+-\156\151\163\141\164\151\145\040\055\040\107\062
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+-\156\151\163\141\164\151\145\040\055\040\107\062
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\004\017\377\377\377
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
+-\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
+-\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
+-\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
+-\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
+-\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
+-\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
+-\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
+-\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
+-\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
+-\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
+-\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
+-\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
+-\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
+-\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
+-\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
+-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
+-\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
+-\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
+-\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
+-\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
+-\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
+-\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
+-\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
+-\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
+-\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
+-\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
+-\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
+-\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
+-\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
+-\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
+-\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
+-\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
+-\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
+-\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
+-\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
+-\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
+-\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
+-\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
+-\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
+-\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
+-\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
+-\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
+-\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
+-\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
+-\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
+-\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
+-\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
+-\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
+-\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
+-\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
+-\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
+-\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
+-\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
+-\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
+-\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
+-\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
+-\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
+-\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
+-\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
+-\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
+-\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
+-\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
+-\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
+-\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
+-\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
+-\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
+-\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
+-\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
+-\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
+-\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
+-\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
+-\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
+-\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
+-\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
+-\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
+-\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
+-\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
+-\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
+-\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
+-\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
+-\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
+-\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
+-\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
+-\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
+-\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
+-\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
+-\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
+-\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
+-\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
+-\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
+-\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
+-\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
+-\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
+-\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
+-\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
+-\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
+-\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
+-\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
+-\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
+-\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
+-\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
+-\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
+-\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
+-\244\363\116\272\067\230\173\202\271
+-END
+-
+-# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+-# Serial Number: 268435455 (0xfffffff)
+-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+-# Not Valid Before: Wed May 12 08:51:39 2010
+-# Not Valid After : Mon Mar 23 09:50:05 2020
+-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
+-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
+-\222\341\102\102
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+-\156\151\163\141\164\151\145\040\055\040\107\062
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\004\017\377\377\377
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "Security Communication RootCA2"
+ #
+ # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+ # Serial Number: 0 (0x0)
+ # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+ # Not Valid Before: Fri May 29 05:00:39 2009
+ # Not Valid After : Tue May 29 05:00:39 2029
+ # Fingerprint (SHA-256): 51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6
+@@ -8337,78 +8156,16 @@ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\001\000
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+-# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
+-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
+-# Serial Number: 1800000005 (0x6b49d205)
+-# Not Before: Apr  7 15:37:15 2011 GMT
+-# Not After : Apr  4 15:37:15 2021 GMT
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
+-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
+-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
+-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
+-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
+-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
+-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
+-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
+-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
+-\100\164\162\165\163\164\167\141\166\145\056\143\157\155
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\004\153\111\322\005
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
+-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
+-# Serial Number: 1800000006 (0x6b49d206)
+-# Not Before: Apr 18 21:09:30 2011 GMT
+-# Not After : Apr 15 21:09:30 2021 GMT
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
+-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
+-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
+-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
+-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
+-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
+-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
+-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
+-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
+-\100\164\162\165\163\164\167\141\166\145\056\143\157\155
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\004\153\111\322\006
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+ #
+ # Certificate "Actalis Authentication Root CA"
+ #
+ # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
+ # Serial Number:57:0a:11:97:42:c4:e3:cc
+ # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
+ # Not Valid Before: Thu Sep 22 11:22:02 2011
+ # Not Valid After : Sun Sep 22 11:22:02 2030
+@@ -9042,84 +8799,16 @@ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\001\001
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
+-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
+-# Serial Number: 2087 (0x827)
+-# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
+-# Not Valid Before: Mon Aug 08 07:07:51 2011
+-# Not Valid After : Tue Jul 06 07:07:51 2021
+-# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
+-# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
+-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
+-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
+-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
+-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
+-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
+-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
+-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
+-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
+-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\002\010\047
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
+-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
+-# Serial Number: 2148 (0x864)
+-# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
+-# Not Valid Before: Mon Aug 08 07:07:51 2011
+-# Not Valid After : Thu Aug 05 07:07:51 2021
+-# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
+-# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
+-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
+-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
+-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
+-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
+-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
+-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
+-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
+-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
+-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\002\010\144
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+ #
+ # Certificate "D-TRUST Root Class 3 CA 2 2009"
+ #
+ # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+ # Serial Number: 623603 (0x983f3)
+ # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+ # Not Valid Before: Thu Nov 05 08:35:58 2009
+ # Not Valid After : Mon Nov 05 08:35:58 2029
diff --git a/SOURCES/nss-3.79-fix-client-cert-crash.patch b/SOURCES/nss-3.79-fix-client-cert-crash.patch
new file mode 100644
index 0000000..2d752e4
--- /dev/null
+++ b/SOURCES/nss-3.79-fix-client-cert-crash.patch
@@ -0,0 +1,23 @@
+diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
+--- a/lib/ssl/authcert.c
++++ b/lib/ssl/authcert.c
+@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg,
+ 
+     /* otherwise look through the cache based on usage
+      * if chosenNickname is set, we ignore the expiration date */
+     if (certList == NULL) {
+         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
+                                              certUsageSSLClient,
+                                              PR_FALSE, chosenNickName == NULL,
+                                              pw_arg);
++        if (certList == NULL) {
++            return SECFailure;
++        }
+         /* filter only the certs that meet the nickname requirements */
+         if (chosenNickName) {
+             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
+                                                pw_arg);
+         } else {
+             int nnames = 0;
+             char **names = ssl_DistNamesToStrings(caNames, &nnames);
+             rv = CERT_FilterCertListByCANames(certList, nnames, names,
diff --git a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch
new file mode 100644
index 0000000..1195e5c
--- /dev/null
+++ b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch
@@ -0,0 +1,21 @@
+diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.fix_null_password	2022-07-20 14:15:45.081009438 -0700
++++ ./lib/pkcs12/p12local.c	2022-07-20 14:19:40.856546963 -0700
+@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre
+     if (zeroTerm) {
+         /* unicode adds two nulls at the end */
+         if (toUnicode) {
+-            if ((dest->len >= 2) &&
+-                (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
++            if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
+                 /* we've already allocated space for these new NULLs */
+                 PORT_Assert(dest->len + 2 <= bufferSize);
+                 dest->len += 2;
+                 dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
+             }
+             /* ascii/utf-8 adds just 1 */
+-        } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
++        } else if (!dest->len || dest->data[dest->len - 1]) {
+             PORT_Assert(dest->len + 1 <= bufferSize);
+             dest->len++;
+             dest->data[dest->len - 1] = 0;
diff --git a/SOURCES/nss-3.79-r7-remove-explicit-ipv4.patch b/SOURCES/nss-3.79-r7-remove-explicit-ipv4.patch
new file mode 100644
index 0000000..845dc6e
--- /dev/null
+++ b/SOURCES/nss-3.79-r7-remove-explicit-ipv4.patch
@@ -0,0 +1,258 @@
+diff -up ./tests/ssl/ssl.sh.remove-explicit-ipv4 ./tests/ssl/ssl.sh
+--- ./tests/ssl/ssl.sh.remove-explicit-ipv4	2022-06-08 19:00:03.508875175 -0700
++++ ./tests/ssl/ssl.sh	2022-06-08 19:02:17.230744026 -0700
+@@ -86,6 +86,8 @@ ssl_init()
+   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+   nss_ssl_run="stapling signed_cert_timestamps cov auth dtls scheme exporter"
+   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
++  IPVER=${NSS_CLIENT_IPVER}
++
+ 
+   # Test case files
+   if [ "${NSS_NO_SSL2}" = "1" ]; then
+@@ -180,16 +182,16 @@ wait_for_selfserv()
+ {
+   #verbose="-v"
+   echo "trying to connect to selfserv at `date`"
+-  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
++  echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+   echo "        -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+-  ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
++  ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+           -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+   if [ $? -ne 0 ]; then
+       sleep 5
+       echo "retrying to connect to selfserv at `date`"
+       echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+       echo "        -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+-      ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
++      ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+               -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+       if [ $? -ne 0 ]; then
+           if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
+@@ -395,11 +397,11 @@ ssl_cov()
+ 
+ 
+ 
+-      echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
++      echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+       echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+ 
+       rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-      ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
++      ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+               -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+               >${TMP}/$HOST.tmp.$$  2>&1
+       ret=$?
+@@ -451,11 +453,11 @@ ssl_cov_rsa_pss()
+ 
+       echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------"
+ 
+-      echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
++      echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+       echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+ 
+       rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-      ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
++      ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+               -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+               >${TMP}/$HOST.tmp.$$  2>&1
+       ret=$?
+@@ -504,10 +506,10 @@ ssl_auth()
+ 	  fi
+           start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'`
+ 
+-          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
++          echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+           echo "        ${cparam}  < ${REQUEST_FILE}"
+           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
++          ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+                   -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
+                   >${TMP}/$HOST.tmp.$$  2>&1
+           ret=$?
+@@ -552,10 +554,10 @@ ssl_stapling_sub()
+ 
+     start_selfserv
+ 
+-    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
++    echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+     echo "        -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}"
+     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-    ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
++    ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+             -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \
+             >${TMP}/$HOST.tmp.$$  2>&1
+     ret=$?
+@@ -596,10 +598,10 @@ ssl_stapling_stress()
+     echo "${testname}"
+     start_selfserv
+ 
+-    echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
++    echo "strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
+     echo "         -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
+     echo "strsclnt started at `date`"
+-    ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
++    ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
+             -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+     ret=$?
+ 
+@@ -662,10 +664,10 @@ ssl_signed_cert_timestamps()
+ 
+     # Since we don't have server-side support, this test only covers advertising the
+     # extension in the client hello.
+-    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
++    echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+     echo "        -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}"
+     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-    ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
++    ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+             -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \
+             >${TMP}/$HOST.tmp.$$  2>&1
+     ret=$?
+@@ -721,10 +723,10 @@ ssl_stress()
+               dbdir=${P_R_CLIENTDIR}
+           fi
+ 
+-          echo "strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\"
++          echo "strsclnt ${IPVER} -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\"
+           echo "         -V ssl3:tls1.2 $verbose ${HOSTADDR}"
+           echo "strsclnt started at `date`"
+-          ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \
++          ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \
+                    -V ssl3:tls1.2 $verbose ${HOSTADDR}
+           ret=$?
+           echo "strsclnt completed at `date`"
+@@ -813,10 +815,10 @@ ssl_crl_ssl()
+           cparam=`echo $_cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" `
+           start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'`
+ 
+-          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
++          echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+           echo "        ${cparam}  < ${REQUEST_FILE}"
+           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
++          ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+               -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+               >${TMP}/$HOST.tmp.$$  2>&1
+           ret=$?
+@@ -908,11 +910,11 @@ ssl_policy()
+       policy=`echo ${policy} | sed -e 's;_; ;g'`
+       setup_policy "$policy" ${P_R_CLIENTDIR}
+ 
+-      echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
++      echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+       echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+ 
+       rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-      ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
++      ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+               -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+               >${TMP}/$HOST.tmp.$$  2>&1
+       ret=$?
+@@ -1090,12 +1092,12 @@ ssl_policy_selfserv()
+   VMAX="tls1.2"
+ 
+   # Try to connect to the server with a ciphersuite using RSA in key exchange
+-  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
++  echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+   echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+ 
+   rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+   RET_EXP=254
+-  ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
++  ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+           -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+           >${TMP}/$HOST.tmp.$$  2>&1
+   RET=$?
+@@ -1180,7 +1182,7 @@ load_group_crl() {
+         fi
+         echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
+ 
+-        echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
++        echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+         echo "          -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
+         echo "Request:"
+         echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
+@@ -1193,7 +1195,7 @@ GET crl://${SERVERDIR}/root.crl_${grpBeg
+ 
+ _EOF_REQUEST_
+ 
+-        ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f  \
++        ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f  \
+             -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
+             >${OUTFILE_TMP}  2>&1 < ${REQF}
+ 
+@@ -1281,10 +1283,10 @@ ssl_crl_cache()
+             cparam=`echo $_cparam | sed -e 's;\([^\]\)_;\1 ;g' -e 's;\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ 
+             echo "Server Args: $SERV_ARG"
+-            echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
++            echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+             echo "        ${cparam}  < ${REQUEST_FILE}"
+             rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+-            ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
++            ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+                 -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+                 >${TMP}/$HOST.tmp.$$  2>&1
+             ret=$?
+@@ -1349,19 +1351,19 @@ ssl_dtls()
+ 
+     echo "${testname}"
+ 
+-    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\"
++    echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\"
+     echo "        -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} &"
+ 
+-    (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \
++    (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \
+                 -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss 2>&1 &
+ 
+     PID=$!
+ 
+     sleep 1
+ 
+-    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\"
++    echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\"
+     echo "        -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE}"
+-    ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
++    ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+             -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE} 2>&1
+     ret=$?
+     html_msg $ret $value "${testname}" \
+@@ -1388,9 +1390,9 @@ ssl_scheme()
+ 
+             start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+ 
+-            echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
++            echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+             echo "        -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE}"
+-            ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
++            ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+                         -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1
+             ret=$?
+             # If both schemes include just one option and those options don't
+@@ -1428,9 +1430,9 @@ ssl_scheme_stress()
+ 
+             start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+ 
+-            echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
++            echo "strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+             echo "         -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE}"
+-            ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} ${CLIENT_OPTIONS} \
++            ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} ${CLIENT_OPTIONS} \
+                         -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE} 2>&1
+             ret=$?
+             # If both schemes include just one option and those options don't
+@@ -1467,9 +1469,9 @@ ssl_exporter()
+     for exporter in "${exporters[@]}"; do
+         start_selfserv -V tls1.2:tls1.2 -x "$exporter"
+ 
+-        echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
++        echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+         echo "        -V tls1.2:tls1.2 -x $exporter ${CLIENT_PW} < ${REQUEST_FILE}"
+-        ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
++        ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+                     -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -x "$exporter" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 > client.out
+         kill_selfserv
+         diff <(LC_ALL=C grep -A1 "^ *Keying Material:" server.out) \
diff --git a/SOURCES/nss-3.79-skip-pwdecrypt-time.patch b/SOURCES/nss-3.79-skip-pwdecrypt-time.patch
new file mode 100644
index 0000000..004ea51
--- /dev/null
+++ b/SOURCES/nss-3.79-skip-pwdecrypt-time.patch
@@ -0,0 +1,14 @@
+diff -up ./tests/sdr/sdr.sh.skip ./tests/sdr/sdr.sh
+--- ./tests/sdr/sdr.sh.skip	2022-06-11 09:52:05.037086587 -0700
++++ ./tests/sdr/sdr.sh	2022-06-11 09:52:16.825162027 -0700
+@@ -146,7 +146,10 @@ sdr_main()
+   RARRAY=($dtime)
+   TIMEARRAY=(${RARRAY[1]//./ })
+   echo "${TIMEARRAY[0]} seconds"
++  # allow an environment variable to skip the test 
++  if [ "${NSS_SKIP_PWDECRYPT_TIME}" != "true" ]; then
+   html_msg ${TIMEARRAY[0]} 0 "pwdecrypt no time regression"
++  fi
+   export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS
+ }
+ 
diff --git a/SOURCES/nss-3.79-ssl2-compatible-client-hello.patch b/SOURCES/nss-3.79-ssl2-compatible-client-hello.patch
new file mode 100644
index 0000000..4451ea3
--- /dev/null
+++ b/SOURCES/nss-3.79-ssl2-compatible-client-hello.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/ssl/sslsock.c.ssl2hello ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.ssl2hello	2022-06-08 18:56:58.420672624 -0700
++++ ./lib/ssl/sslsock.c	2022-06-08 18:58:37.801318314 -0700
+@@ -90,7 +90,7 @@ static sslOptions ssl_defaults = {
+     .enableDtls13VersionCompat = PR_FALSE,
+     .enableDtlsShortHeader = PR_FALSE,
+     .enableHelloDowngradeCheck = PR_TRUE,
+-    .enableV2CompatibleHello = PR_FALSE,
++    .enableV2CompatibleHello = PR_TRUE,
+     .enablePostHandshakeAuth = PR_FALSE,
+     .suppressEndOfEarlyData = PR_FALSE,
+     .enableTls13GreaseEch = PR_FALSE,
diff --git a/SOURCES/nss-3.79-version-range.patch b/SOURCES/nss-3.79-version-range.patch
new file mode 100644
index 0000000..f131883
--- /dev/null
+++ b/SOURCES/nss-3.79-version-range.patch
@@ -0,0 +1,14 @@
+diff -up ./lib/ssl/sslsock.c.version-range ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.version-range	2022-06-08 18:47:18.882918821 -0700
++++ ./lib/ssl/sslsock.c	2022-06-08 18:55:05.555939293 -0700
+@@ -102,8 +102,8 @@ static sslOptions ssl_defaults = {
+  * default range of enabled SSL/TLS protocols
+  */
+ static SSLVersionRange versions_defaults_stream = {
+-    SSL_LIBRARY_VERSION_TLS_1_2,
+-    SSL_LIBRARY_VERSION_TLS_1_3
++    SSL_LIBRARY_VERSION_3_0,
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ static SSLVersionRange versions_defaults_datagram = {
diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch
deleted file mode 100644
index f5db089..0000000
--- a/SOURCES/nss-539183.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
---- nss/cmd/httpserv/httpserv.c.539183	2016-08-15 17:58:41.756630037 +0200
-+++ nss/cmd/httpserv/httpserv.c	2016-08-15 18:04:13.559131620 +0200
-@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+	errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+	errExit("PR_OpenTCPSocket error");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
---- nss/cmd/selfserv/selfserv.c.539183	2016-08-15 17:58:41.756630037 +0200
-+++ nss/cmd/selfserv/selfserv.c	2016-08-15 18:05:11.027487891 +0200
-@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+	errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSocket error");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
diff --git a/SOURCES/nss-ssl2-compatible-client-hello.patch b/SOURCES/nss-ssl2-compatible-client-hello.patch
deleted file mode 100644
index ec013e2..0000000
--- a/SOURCES/nss-ssl2-compatible-client-hello.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ./lib/ssl/sslsock.c.ssl2hello ./lib/ssl/sslsock.c
---- ./lib/ssl/sslsock.c.ssl2hello	2021-06-03 15:39:52.237945867 -0700
-+++ ./lib/ssl/sslsock.c	2021-06-03 15:43:21.746203666 -0700
-@@ -90,7 +90,7 @@ static sslOptions ssl_defaults = {
-     .enableDtls13VersionCompat = PR_FALSE,
-     .enableDtlsShortHeader = PR_FALSE,
-     .enableHelloDowngradeCheck = PR_FALSE,
--    .enableV2CompatibleHello = PR_FALSE,
-+    .enableV2CompatibleHello = PR_TRUE,
-     .enablePostHandshakeAuth = PR_FALSE,
-     .suppressEndOfEarlyData = PR_FALSE,
-     .enableTls13GreaseEch = PR_FALSE,
diff --git a/SOURCES/nss-version-range.patch b/SOURCES/nss-version-range.patch
deleted file mode 100644
index 4693e96..0000000
--- a/SOURCES/nss-version-range.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.version-range nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.version-range	2020-07-30 08:20:35.811375910 +0200
-+++ nss/lib/ssl/sslsock.c	2020-07-30 08:21:02.132188806 +0200
-@@ -98,8 +98,8 @@ static sslOptions ssl_defaults = {
-  * default range of enabled SSL/TLS protocols
-  */
- static SSLVersionRange versions_defaults_stream = {
--    SSL_LIBRARY_VERSION_TLS_1_0,
--    SSL_LIBRARY_VERSION_TLS_1_3
-+    SSL_LIBRARY_VERSION_3_0,
-+    SSL_LIBRARY_VERSION_TLS_1_2
- };
- 
- static SSLVersionRange versions_defaults_datagram = {
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 8310009..1efc0f7 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,14 +1,14 @@
-%global nspr_version 4.31.0
-%global nss_util_version 3.67.0
+%global nspr_version 4.34.0
+%global nss_util_version 3.79.0
 %global nss_util_build -1
 # adjust to the version that gets submitted for FIPS validation
 # Attention: Separate softokn versions for build and runtime.
-%global nss_softokn_version 3.67.0
+%global nss_softokn_version 3.79.0
 %global runtime_required_softokn_build_version -1
 # Building NSS doesn't require the same version of softokn built for runtime.
-%global nss_softokn_build_version 3.53.1
-%global build_required_softokn_build_version -2
-%global nss_version 3.67.0
+%global nss_softokn_build_version 3.67.0
+%global build_required_softokn_build_version -1
+%global nss_version 3.79.0
 
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil nss-policy-check pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -37,6 +37,7 @@ rpm.define(string.format("nss_archive_version %s",
 #% define nss_ckbi_suffix .with.ckbi.1.93
 
 %bcond_without tests
+%bcond_with gtests
 
 Summary:          Network Security Services
 Name:             nss
@@ -87,10 +88,6 @@ Source6:          blank-cert9.db
 Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
-Source10:         PayPalEE.cert
-Source17:         TestCA.ca.cert
-Source18:         TestUser50.cert
-Source19:         TestUser51.cert
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
 Source22:         pkcs11.txt.xml
@@ -99,16 +96,11 @@ Source24:         cert9.db.xml
 Source25:         key3.db.xml
 Source26:         key4.db.xml
 Source27:         secmod.db.xml
-Source30:         PayPalRootCA.cert
-Source31:         PayPalICA.cert
 Source32:         nss-rhel7.config
-Source33:         TestOldCA.p12
-Source34:         NameConstraints.ocsp1.cert
-Source35:         NameConstraints.ipaca.cert
 
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
-Patch16:          nss-539183.patch
+#Patch16:          nss-539183.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
@@ -130,7 +122,7 @@ Patch56:          p-ignore-setpolicy.patch
 Patch62: nss-fix-deadlock-squash.patch
 # In RHEL-7, we still disable TLS 1.3 by default, and set SSL 3.0 as
 # the hard minimum
-Patch100: nss-version-range.patch
+Patch100: nss-3.79-version-range.patch
 Patch108: nss-sni-c-v-fix.patch
 Patch123: nss-skip-util-gtest.patch
 Patch126: nss-reorder-cipher-suites.patch
@@ -149,18 +141,16 @@ Patch141: nss-sysinit-getenv.patch
 # To revert the change in:
 # https://bugzilla.mozilla.org/show_bug.cgi?id=818686
 Patch148: nss-sysinit-userdb.patch
-# Disable nss-sysinit test which is sorely to test the above change
+# Disable nss-sysinit test which is solely to test the above change
 Patch149: nss-skip-sysinit-gtests.patch
 # Enable SSLv2 compatible ClientHello, disabled in the change:
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1483128
-Patch150: nss-ssl2-compatible-client-hello.patch
+Patch150: nss-3.79-ssl2-compatible-client-hello.patch
 # For backward compatibility: make -V "ssl3:" continue working, while
 # the minimum version is clamped to tls1.0
 Patch152: nss-version-range-set.patch
 # CAVS testing should be done in nss-softkn package
 Patch156: nss-skip-cavs-tests.patch
-# no upsteam bug yet
-Patch157: nss-3.53-fix-private_key_mac.patch
 # To revert the testing portion of the change:
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1594933
 Patch158: nss-sql-default-tests.patch
@@ -168,27 +158,22 @@ Patch158: nss-sql-default-tests.patch
 Patch159: nss-disable-dc.patch
 # restore defaults when creating pkcs12 files
 Patch160:nss-3.66-restore-old-pkcs12-default.patch
+# disable tests that don't work in the brew environment
+# because we can't reference external servers.
+Patch161: nss-3.66-disable-external-host-test.patch
+# keep expired distrusted certs
+Patch162: nss-3.79-distrusted-certs.patch
+#-----------------------------------
+
+# remove when nss-softokn is 3.79 during builds
+Patch200: nss-3.79-skip-pwdecrypt-time.patch
 
 # patches that just need to be upstreamed
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1662738
-Patch200: nss-3.66-no-small-primes.patch
-# no bug number
-Patch201: nss-3.67-fix-sdb-timeout.patch
-# no bug number
-Patch202: nss-3.67-fix-ssl-alerts.patch
-# no bug number
-Patch203: nss-3.67-fix-pkcs12-policy.patch
-
-# disable tests that don't work with the  3.53 softoken
-# so builds can complete.
-Patch300: nss-3.66-no-combo-tests.patch
+Patch300: nss-3.79-r7-remove-explicit-ipv4.patch
+Patch301: nss-3.79-fix-client-cert-crash.patch
+Patch302: nss-3.79-pkcs12-fix-null-password.patch
 
-# disable tests that don't work in the brew environment
-# because we can't reference external servers.
-Patch301: nss-3.66-disable-external-host-test.patch
 
-Patch400: nss-3.67-cve-2021-43527.patch
-Patch401: nss-3.67-cve-2021-43527-test.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -259,19 +244,10 @@ low level services.
 
 %prep
 %setup -q -n %{name}-%{nss_archive_version}
-%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE33} -f ./nss/tests/tools
-%{__cp} %{SOURCE34} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE35} -f ./nss/tests/libpkix/certs
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
-%patch16 -p0 -b .539183
+#%patch16 -p0 -b .539183
 %patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch50 -p0 -b .iquote
@@ -297,19 +273,17 @@ pushd nss
 %patch150 -p1 -b .ssl2hello
 %patch152 -p1 -b .version-range-set
 %patch156 -p1 -b .skip-cavs
-%patch157 -p1 -b .privkey-mac
 %patch128 -R -p1 -b .sql-man-page
 %patch158 -p1 -b .sql-default-tests
 %patch159 -p1 -b .dc
 %patch160 -p1 -b .restore-pkcs12-defaults
-%patch200 -p1 -b .no-small-primes
-%patch201 -p1 -b .fix-sdb-timeout
-%patch202 -p1 -b .fix-ssl-alerts
-%patch203 -p1 -b .fix-pkcs12-policy
-%patch300 -p1 -b .oldsoft
-%patch301 -p1 -b .brew
-%patch400 -p1 -b .cve-2021-43527
-%patch401 -p1 -b .cve-2021-43527-test
+%patch161 -p1 -b .brew
+%patch162 -R -p1 -b .distrusted-certs
+
+%patch200 -p1 -b .skip-pwdecrypt-time
+%patch300 -p1 -b .remove-explicit-ipv4
+%patch301 -p1 -b .client-cert-crash
+%patch302 -p1 -b .fix-pkcs12-null
 popd
 
 #########################################################
@@ -428,6 +402,11 @@ export POLICY_PATH="/etc/pki/nss-legacy"
 %{__mkdir_p} ./dist/private/nss
 %{__mv} ./nss/verref.h ./dist/private/nss/verref.h
 
+# gtests require a newer version of g++ than we have natively on rhel 7.9
+# first build nss proper with our native tools
+%if %{without gtests}
+export NSS_DISABLE_GTESTS=1
+%endif
 %{__make} -C ./nss all
 %{__make} -C ./nss latest
 
@@ -532,6 +511,10 @@ export USE_64
 export NSS_BLTEST_NOT_AVAILABLE=1
 
 export NSS_FORCE_FIPS=1
+export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}"
+eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g')
+export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}"
+export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}"
 
 # needed for the fips mangling test
 export SOFTOKEN_LIB_DIR=%{_libdir}
@@ -544,6 +527,7 @@ export GTESTFILTER='-TlsConnectTest.DisallowSSLv3HelloWithTLSv13Enabled'
 # This is necessary because the test suite tests algorithms that are
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
+export NSS_SKIP_PWDECRYPT_TIME="true"
 
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
@@ -589,11 +573,15 @@ export NSS_DEFAULT_DB_TYPE=dbm  #in RHEL 7, the default db is sql, but we want
                                 # standard to test dbm, or upgradedb will fail
 %global nss_full_cycles "standard pkix upgradedb sharedb threadunsafe"
 %global nss_cycles "standard pkix upgradedb sharedb"
-%global nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
-%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+%global nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec"
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec"
 %ifarch x86_64
 %global nss_cycles "standard pkix upgradedb sharedb threadunsafe"
 %endif
+%if %{with gtests}
+%global nss_full_tests "%{nss_full_tests} gtests ssl_gtests"
+%global nss_tests "%{nss_tests} ssl_gtests"
+%endif
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
@@ -605,11 +593,14 @@ export NSS_DEFAULT_DB_TYPE=dbm  #in RHEL 7, the default db is sql, but we want
 # Temporarily disabling tests for s390
 %ifarch s390
 %global nss_ssl_run "cov auth"
-%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec gtests"
+%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec"
 %endif
 %ifarch s390x
 %global nss_ssl_run "cov auth"
-%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec gtests"
+%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec"
+%endif
+%if %{with gtests}
+%global nss_tests "%{nss_tests} gtests"
 %endif
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 soft=$(rpm -q nss-softokn)
@@ -718,7 +709,7 @@ do
 done
 
 # Copy the binaries we ship as unsupported
-for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
+for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain validation
 do
   %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
@@ -855,6 +846,7 @@ fi
 %{unsupported_tools_directory}/strsclnt
 %{unsupported_tools_directory}/symkeyutil
 %{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/validation
 %{unsupported_tools_directory}/vfyserv
 %{unsupported_tools_directory}/vfychain
 # instead of %%{_mandir}/man*/* let's list them explicitely
@@ -950,6 +942,19 @@ fi
 
 
 %changelog
+* Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-4
+- fix regression for pkcs12.
+
+* Wed Jul 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-3
+- fix crash in curl. better fix for the regression below
+
+* Sat Jun 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
+- fix regressions found in test suite
+
+* Wed Jun 8 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
+- Rebase to NSS 3.79
+- Set FIPS Module ID
+
 * Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
 - fix CVE-2021-43527