diff --git a/SOURCES/additional-cipher-suites-enabled-by-default.patch b/SOURCES/additional-cipher-suites-enabled-by-default.patch
new file mode 100644
index 0000000..0e28419
--- /dev/null
+++ b/SOURCES/additional-cipher-suites-enabled-by-default.patch
@@ -0,0 +1,66 @@
+diff -up ./nss/lib/ssl/ssl3con.c.1245627 ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.1245627 2015-08-10 15:42:24.831988193 -0700
++++ ./nss/lib/ssl/ssl3con.c 2015-08-10 17:03:05.674965691 -0700
+@@ -90,21 +90,24 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ /* cipher_suite policy enabled isPresent */
+
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ /* Switched order of two previous to meet Suite B requirements
++ * but implemented by default yet.
++ */
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+ * bug 946147.
+ */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -119,7 +122,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -143,7 +146,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ #endif /* NSS_DISABLE_ECC */
+
+ /* RSA */
+- { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+diff -up ./nss/lib/ssl/sslenum.c.1245627 ./nss/lib/ssl/sslenum.c
+--- ./nss/lib/ssl/sslenum.c.1245627 2015-08-10 15:42:24.809988026 -0700
++++ ./nss/lib/ssl/sslenum.c 2015-08-10 15:42:24.846988306 -0700
+@@ -48,8 +48,8 @@
+ */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+ #ifndef NSS_DISABLE_ECC
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
diff --git a/SOURCES/enable-ecdsa-ciphers-by-default.patch b/SOURCES/enable-ecdsa-ciphers-by-default.patch
new file mode 100644
index 0000000..bb1a948
--- /dev/null
+++ b/SOURCES/enable-ecdsa-ciphers-by-default.patch
@@ -0,0 +1,46 @@
+diff -up ./nss/lib/ssl/ssl3con.c.enable_ecdsa ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.enable_ecdsa 2015-08-18 07:34:41.627936333 -0700
++++ ./nss/lib/ssl/ssl3con.c 2015-08-18 07:37:19.781532228 -0700
+@@ -97,7 +97,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ */
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+ * bug 946147.
+@@ -105,12 +105,12 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+
+@@ -135,13 +135,13 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+
diff --git a/SOURCES/fix-disable-sslv2-libssl.patch b/SOURCES/fix-disable-sslv2-libssl.patch
new file mode 100644
index 0000000..92715db
--- /dev/null
+++ b/SOURCES/fix-disable-sslv2-libssl.patch
@@ -0,0 +1,23 @@
+diff -up ./nss/lib/ssl/sslsock.c.handle_null ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.handle_null 2015-08-07 11:14:17.664389222 -0700
++++ ./nss/lib/ssl/sslsock.c 2015-08-07 11:15:33.690950335 -0700
+@@ -1193,8 +1193,17 @@ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ /* both ssl2 and export cipher suites disabled */
+ if (SSL_IS_SSL2_CIPHER(suite))
+ return PR_TRUE;
+- if (SSL_IsExportCipherSuite(suite))
+- return PR_TRUE;
++ if (SSL_IsExportCipherSuite(suite)) {
++ SSLCipherSuiteInfo csdef;
++ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
++ /* failure to retrieve info, disable */
++ return PR_TRUE;
++ }
++ if (csdef.symCipher != ssl_calg_null) {
++ /* disable all except NULL ciphersuites */
++ return PR_TRUE;
++ }
++ }
+ #endif /* NSS_NO_SSL2_NO_EXPORT */
+ switch (suite) {
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
diff --git a/SOURCES/fix-disable-sslv2-tests.patch b/SOURCES/fix-disable-sslv2-tests.patch
new file mode 100644
index 0000000..cc1689c
--- /dev/null
+++ b/SOURCES/fix-disable-sslv2-tests.patch
@@ -0,0 +1,33 @@
+diff -up ./nss/tests/ssl/ssl.sh.fix_skipping ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.fix_skipping 2015-08-09 08:19:47.771702882 -0700
++++ ./nss/tests/ssl/ssl.sh 2015-08-09 08:21:35.749328230 -0700
+@@ -125,7 +125,7 @@ is_selfserv_alive()
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+- if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++ if [ "${NSS_NO_SSL2}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then
+ echo "No server to kill"
+ else
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+@@ -152,7 +152,7 @@ wait_for_selfserv()
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+- if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++ if [ "${NSS_NO_SSL2}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then
+ html_passed "Server never started"
+ else
+ html_failed "Waiting for Server"
+@@ -294,7 +294,10 @@ ssl_cov()
+ SSL2=$?
+
+ # skip export and ssl2 tests when build has disabled SSL2
+- [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
++ if [ "${NSS_NO_SSL2}" = "1" ] && [ ${EXP} -eq 0 || ${SSL2} -eq 0 ]; then
++ echo "yyy exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
++ continue
++ fi
+
+ if [ "${SSL2}" -eq 0 ] ; then
+ # We cannot use asynchronous cert verification with SSL2
diff --git a/SOURCES/fix-min-library-version-in-SSLVersionRange.patch b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
new file mode 100644
index 0000000..49026a2
--- /dev/null
+++ b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
@@ -0,0 +1,12 @@
+diff -up ./nss/lib/ssl/sslsock.c.1171318 ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.1171318 2015-08-26 13:21:57.225290386 -0700
++++ ./nss/lib/ssl/sslsock.c 2015-08-26 13:23:28.037507487 -0700
+@@ -91,7 +91,7 @@ static sslOptions ssl_defaults = {
+ * default range of enabled SSL/TLS protocols
+ */
+ static SSLVersionRange versions_defaults_stream = {
+- SSL_LIBRARY_VERSION_TLS_1_0,
++ SSL_LIBRARY_VERSION_3_0,
+ SSL_LIBRARY_VERSION_TLS_1_2
+ };
+
diff --git a/SOURCES/nss-revert-tls-version-defaults.patch b/SOURCES/nss-revert-tls-version-defaults.patch
deleted file mode 100644
index ab0b10a..0000000
--- a/SOURCES/nss-revert-tls-version-defaults.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.keep_tls_default nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.keep_tls_default 2015-06-05 15:23:25.816895506 -0700
-+++ nss/lib/ssl/sslsock.c 2015-06-05 15:24:05.343176138 -0700
-@@ -89,13 +89,13 @@ static sslOptions ssl_defaults = {
- * default range of enabled SSL/TLS protocols
- */
- static SSLVersionRange versions_defaults_stream = {
-- SSL_LIBRARY_VERSION_TLS_1_0,
-- SSL_LIBRARY_VERSION_TLS_1_2
-+ SSL_LIBRARY_VERSION_3_0,
-+ SSL_LIBRARY_VERSION_TLS_1_0
- };
-
- static SSLVersionRange versions_defaults_datagram = {
- SSL_LIBRARY_VERSION_TLS_1_1,
-- SSL_LIBRARY_VERSION_TLS_1_2
-+ SSL_LIBRARY_VERSION_TLS_1_1
- };
-
- #define VERSIONS_DEFAULTS(variant) \
diff --git a/SOURCES/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch b/SOURCES/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
new file mode 100644
index 0000000..3ba7ae1
--- /dev/null
+++ b/SOURCES/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
@@ -0,0 +1,38 @@
+diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt
+--- ./nss/tests/ssl/sslauth.txt.ocsp_sni 2015-05-28 10:50:45.000000000 -0700
++++ ./nss/tests/ssl/sslauth.txt 2015-08-30 08:49:22.025299419 -0700
+@@ -65,12 +65,12 @@
+ # SNI Tests
+ #
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
++ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
++ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
+- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
++ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.ocsp_sni 2015-08-30 08:49:21.905301105 -0700
++++ ./nss/tests/ssl/ssl.sh 2015-08-30 08:49:22.017299531 -0700
+@@ -457,10 +457,10 @@ ssl_stapling_sub()
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
+- echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
++ echo " -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+- -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
++ -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
diff --git a/SOURCES/reorder-cipher-suites.patch b/SOURCES/reorder-cipher-suites.patch
new file mode 100644
index 0000000..6e677e7
--- /dev/null
+++ b/SOURCES/reorder-cipher-suites.patch
@@ -0,0 +1,206 @@
+diff -up ./nss/lib/ssl/ssl3con.c.order ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.order 2015-08-31 17:14:13.539138213 -0700
++++ ./nss/lib/ssl/ssl3con.c 2015-08-31 17:35:23.841003936 -0700
+@@ -90,38 +90,29 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ /* cipher_suite policy enabled isPresent */
+
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- /* Switched order of two previous to meet Suite B requirements
+- * but implemented by default yet.
++ /* Ephemeral ECDH */
++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must be before TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
++ * to workaround bug 946147.
+ */
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+- * bug 946147.
+- */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+
+- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ /* Ephemeral Finite Field DH */
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -130,35 +121,44 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* Non ephemeral ECDH */
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+
+ /* RSA */
+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ /* 56-bit DES "domestic" cipher suites */
+ { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+diff -up ./nss/lib/ssl/sslenum.c.order ./nss/lib/ssl/sslenum.c
+--- ./nss/lib/ssl/sslenum.c.order 2015-08-31 17:14:13.531138366 -0700
++++ ./nss/lib/ssl/sslenum.c 2015-08-31 17:34:03.139562367 -0700
+@@ -48,35 +48,29 @@
+ */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+ #ifndef NSS_DISABLE_ECC
++ /* Ephemeral ECDH */
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+ */
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ #endif /* NSS_DISABLE_ECC */
+
+- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
++ /* Ephemeral Finite Field DH */
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+@@ -85,11 +79,20 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
++ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
++ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_RC4_128_SHA,
+
+ #ifndef NSS_DISABLE_ECC
++ /* Non ephemeral ECDH */
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+@@ -100,19 +103,20 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+ #endif /* NSS_DISABLE_ECC */
+
++ /* RSA */
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
++ TLS_RSA_WITH_AES_256_CBC_SHA,
++ TLS_RSA_WITH_AES_256_CBC_SHA256,
++ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+- TLS_RSA_WITH_AES_256_CBC_SHA,
+- TLS_RSA_WITH_AES_256_CBC_SHA256,
+- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_RSA_WITH_SEED_CBC_SHA,
+- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_RC4_128_SHA,
+ TLS_RSA_WITH_RC4_128_MD5,
++ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+
+ /* 56-bit DES "domestic" cipher suites */
+ TLS_DHE_RSA_WITH_DES_CBC_SHA,
diff --git a/SOURCES/rh1238290.patch b/SOURCES/rh1238290.patch
new file mode 100644
index 0000000..2564a26
--- /dev/null
+++ b/SOURCES/rh1238290.patch
@@ -0,0 +1,22 @@
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -993,17 +993,17 @@ SECKEY_PublicKeyStrengthInBits(const SEC
+ }
+
+ /* interpret modulus length as key strength */
+ switch (pubk->keyType) {
+ case rsaKey:
+ bitSize = SECKEY_BigIntegerBitLength(&pubk->u.rsa.modulus);
+ break;
+ case dsaKey:
+- bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.publicValue);
++ bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.params.prime);
+ break;
+ case dhKey:
+ bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.publicValue);
+ break;
+ case ecKey:
+ bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
+ break;
+ default:
diff --git a/SOURCES/sslinfo-fix-info.patch b/SOURCES/sslinfo-fix-info.patch
new file mode 100644
index 0000000..2e0219f
--- /dev/null
+++ b/SOURCES/sslinfo-fix-info.patch
@@ -0,0 +1,12 @@
+diff -up ./nss/lib/ssl/sslinfo.c.fix_info ./nss/lib/ssl/sslinfo.c
+--- ./nss/lib/ssl/sslinfo.c.fix_info 2015-08-17 07:25:53.039762148 -0700
++++ ./nss/lib/ssl/sslinfo.c 2015-08-17 07:26:44.556390051 -0700
+@@ -218,7 +218,7 @@ static const SSLCipherSuiteInfo suiteInf
+ {0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
+ {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
+-{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_SHA384, 1, 0, 0, },
++{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
+
+ /* SSL 2 table */
+ {0,CK(SSL_CK_RC4_128_WITH_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 4ab339a..893792a 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -3,7 +3,7 @@
# adjust to the version that gets submitted for FIPS validation
%global nss_softokn_fips_version 3.16.2
%global nss_softokn_version 3.16.2.3
-%global required_softokn_build_version -11
+%global required_softokn_build_version -13
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -23,7 +23,7 @@
Summary: Network Security Services
Name: nss
Version: 3.19.1
-Release: 7%{?dist}.2
+Release: 18%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -102,16 +102,34 @@ Patch53: Bug-1001841-disable-sslv2-tests.patch
Patch55: enable-fips-when-system-is-in-fips-mode.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
Patch56: p-ignore-setpolicy.patch
-# Patch to keep the TLS protocol versions that are enabled by default
-Patch98: nss-revert-tls-version-defaults.patch
Patch99: ssl-server-min-key-sizes.patch
-# Add support for sha384 tls cipher suites, dss ciper suites, and
+# Add support for sha384 tls cipher suites, dss cipher suites, and
# server-side dhe key exchange
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
-# TODO: File upstream bug for sha384 tls cipher suites support
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
Patch101: dhe-sha384-dss-support.patch
Patch102: prfnonsha256.patch
Patch103: sha384-client-verify.patch
+# Fix flaws in Patch53 which caused needed tests to be skipped which could hide errors
+Patch104: fix-disable-sslv2-tests.patch
+# Fix Patch52 which caused NULL ciphers failures
+Patch105: fix-disable-sslv2-libssl.patch
+# Enables veriying fix for TLS_RSA_WITH_NULL_... not working in RHEL7
+# Partial set of the required ciphers to be enabled by default
+Patch106: additional-cipher-suites-enabled-by-default.patch
+Patch107: sslinfo-fix-info.patch
+Patch108: fix-min-library-version-in-SSLVersionRange.patch
+Patch109: enable-ecdsa-ciphers-by-default.patch
+# Enable by default two additional ciphers and fix order of two tables
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
+Patch110: reorder-cipher-suites.patch
+# Expand client side CLI options for ocsp stapling and SNI tests
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+Patch111: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
+# TODO: File a bug upstream with and expanded patch
+Patch112: rh1238290.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -209,13 +227,24 @@ pushd nss
popd
%patch55 -p0 -b .852023
%patch56 -p0 -b .1026677
-%patch98 -p0 -b .keep_tls_default
%patch99 -p0 -b .min_key_sizes
pushd nss
%patch101 -p1 -b .dhe_and_sha384
%patch102 -p1 -b .prfnonsha256
%patch103 -p1 -b .sha384_client_verify
popd
+%patch104 -p0 -b .fix_skipping
+%patch105 -p0 -b .null_ciphers
+%patch106 -p0 -b .1245627
+%patch107 -p0 -b .fix_info
+%patch108 -p0 -b .1171318
+%patch109 -p0 -b .enable_ecdsa
+%patch110 -p0 -b .order
+%patch111 -p0 -b .ocsp_sni
+pushd nss
+%patch112 -p1 -b .1238290
+popd
+
#########################################################
# Higher-level libraries and test tools need access to
@@ -476,6 +505,11 @@ pushd ./nss/tests/
# global nss_ssl_tests "normal_fips"
# global nss_ssl_run "cov auth"
+# Temporarily disabling ssl stress tests for s390
+%ifarch s390
+%global nss_ssl_run "cov auth"
+%endif
+
HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
popd
@@ -561,7 +595,7 @@ do
done
# Copy the binaries we ship as unsupported
-for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
+for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
do
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
@@ -704,6 +738,7 @@ fi
%{unsupported_tools_directory}/atob
%{unsupported_tools_directory}/btoa
%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
%{unsupported_tools_directory}/ocspclnt
%{unsupported_tools_directory}/pp
%{unsupported_tools_directory}/selfserv
@@ -803,14 +838,52 @@ fi
%changelog
-* Wed Oct 21 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-7.el7_2
+* Wed Oct 21 2015 Kai Engert <kaie@redhat.com> - 3.19.1-18
- Rebuild against updated NSPR
-* Wed Oct 21 2015 Kai Engert <kaie@redhat.com> - 3.19.1-7.el7_1.1
-- Rebuild against updated NSPR
+* Thu Sep 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-17
+- Change the required_softokn_build_version back to -13
+- Ensure we use nss-softokn-3.16.2.3-13.el7_1
+
+* Thu Sep 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-16
+- Fix check for public key size of DSA certificates
+- Use size of prime P not the size of dsa.publicValue
+
+* Mon Aug 31 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-15
+- Reorder the cipher suites and enable two more by default
+
+* Sun Aug 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-14
+- Update the required_softokn_build_version to -14
+- Add references to bugs filed upstream for new patches
+- Merge ocsp stapling and sslauth sni tests patches into one
-* Mon Jun 29 2015 Kai Engert <kaie@redhat.com> - 3.19.1-6
-- experimental build
+* Sat Aug 29 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-13
+- Reorder the cipher suites and enable two more by default
+- Fix some of the ssauth sni and ocsp stapling tests
+
+* Thu Aug 27 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-12
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+- Enable ECDSA cipher suites by default, a subset of the ones requested
+
+* Wed Aug 26 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-11
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+
+* Mon Aug 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-10
+- Fix to correctly report integrity mechanism for TLS_RSA_WITH_AES_256_GCM_SHA384
+
+* Mon Aug 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-9
+- Fix checks to skip ssl2/export cipher suites tests to not skip needed tests
+- Fix libssl ssl2/export disabling patch to handle NULL cipher cases
+- Enable additional cipher suites by default
+
+* Thu Jul 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-8
+- Add links to filed upstream bugs to better track patches in spec file
+
+* Tue Jul 07 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-7
+- Package listsuites as part of the unsupported tools
+
+* Thu Jul 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-6
+- Bump the release tag
* Mon Jun 29 2015 Kai Engert <kaie@redhat.com> - 3.19.1-5
- Incremental patches to fix SSL/TLS test suite execution,
@@ -824,30 +897,34 @@ fi
* Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-3
- Reenable a patch that had been mistakenly disabled
-- Resolves: Bug 1224451
* Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-2
- Build against nss-softokn-3.16.2.3-9
-- Resolves: Bug 1224451
* Fri Jun 05 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-1
- Rebase to nss-3.19.1
-- Resolves: Bug 1224451
+- Resolves: Bug 1228913 - Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1]
-* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.2
-- On RHEL 7.1 keep the TLS version defaults unchanged.
+* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-6
+- Backport mozbz#1155922 to support SHA512 signatures with TLS 1.2
-* Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.1
+* Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 3.18.0-5
- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
-* Fri Apr 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
-- Update and reenable nss-646045.patch on account of the rebase
-- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+* Fri Apr 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-4
+- Update and reeneable nss-646045.patch on account of the rebase
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
-* Tue Apr 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
-- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+* Tue Apr 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-3
- Fix shell syntax error on nss/tests/all.sh
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Fri Apr 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
- Replace expired PayPal test certificate that breaks the build
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Mon Mar 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
* Mon Jan 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-5
- Reverse the sense of a test in patch to fix pk12util segfault