diff --git a/SOURCES/additional-cipher-suites-enabled-by-default.patch b/SOURCES/additional-cipher-suites-enabled-by-default.patch
new file mode 100644
index 0000000..0e28419
--- /dev/null
+++ b/SOURCES/additional-cipher-suites-enabled-by-default.patch
@@ -0,0 +1,66 @@
+diff -up ./nss/lib/ssl/ssl3con.c.1245627 ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.1245627	2015-08-10 15:42:24.831988193 -0700
++++ ./nss/lib/ssl/ssl3con.c	2015-08-10 17:03:05.674965691 -0700
+@@ -90,21 +90,24 @@ static ssl3CipherSuiteCfg cipherSuites[s
+    /*      cipher_suite                     policy       enabled   isPresent */
+ 
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ /* Switched order of two previous to meet Suite B requirements
++  * but implemented by default yet.
++  */
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+     * bug 946147.
+     */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -119,7 +122,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+@@ -143,7 +146,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ #endif /* NSS_DISABLE_ECC */
+ 
+  /* RSA */
+- { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_FALSE,  PR_FALSE},
++ { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+diff -up ./nss/lib/ssl/sslenum.c.1245627 ./nss/lib/ssl/sslenum.c
+--- ./nss/lib/ssl/sslenum.c.1245627	2015-08-10 15:42:24.809988026 -0700
++++ ./nss/lib/ssl/sslenum.c	2015-08-10 15:42:24.846988306 -0700
+@@ -48,8 +48,8 @@
+  */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+ #ifndef NSS_DISABLE_ECC
+-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
++    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
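Review bot: The comment added after the two ECDHE_ECDSA GCM rows in ssl3con.c reads "but implemented by default yet", which drops a word and leaves the state of those rows unclear; both rows are still `PR_FALSE` in this patch. Suggested wording: `/* The two entries above are swapped to meet Suite B ordering; they are not enabled by default yet. */`. The same swap is made in `SSL_ImplementedCiphers` in sslenum.c, so the two tables appear to be kept in lockstep, and a short comment there saying the order must match `cipherSuites` would help the next editor. Both arrays start before and continue after the hunks.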
diff --git a/SOURCES/enable-ecdsa-ciphers-by-default.patch b/SOURCES/enable-ecdsa-ciphers-by-default.patch
new file mode 100644
index 0000000..bb1a948
--- /dev/null
+++ b/SOURCES/enable-ecdsa-ciphers-by-default.patch
@@ -0,0 +1,46 @@
+diff -up ./nss/lib/ssl/ssl3con.c.enable_ecdsa ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.enable_ecdsa	2015-08-18 07:34:41.627936333 -0700
++++ ./nss/lib/ssl/ssl3con.c	2015-08-18 07:37:19.781532228 -0700
+@@ -97,7 +97,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+   */
+  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+     * bug 946147.
+@@ -105,12 +105,12 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+ 
+@@ -135,13 +135,13 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+ 
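Review bot: The rows flipped to `PR_TRUE` here include `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`, `TLS_ECDH_ECDSA_WITH_RC4_128_SHA`, the ECDSA 3DES suites and the static `TLS_ECDH_ECDSA_*` suites, so RC4 (prohibited for TLS by RFC 7465) and key exchanges without forward secrecy become default-on. reorder-cipher-suites.patch in this same commit sets all eight of these rows back to `PR_FALSE`, so the shipped default is only correct when both patches are applied, in order. Dropping this patch, or folding it into the reorder patch with only the rows that stay enabled, would remove that dependency and the risk of a weak default if the later patch is ever dropped or reordered.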
diff --git a/SOURCES/fix-disable-sslv2-libssl.patch b/SOURCES/fix-disable-sslv2-libssl.patch
new file mode 100644
index 0000000..92715db
--- /dev/null
+++ b/SOURCES/fix-disable-sslv2-libssl.patch
@@ -0,0 +1,23 @@
+diff -up ./nss/lib/ssl/sslsock.c.handle_null ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.handle_null	2015-08-07 11:14:17.664389222 -0700
++++ ./nss/lib/ssl/sslsock.c	2015-08-07 11:15:33.690950335 -0700
+@@ -1193,8 +1193,17 @@ ssl_IsRemovedCipherSuite(PRInt32 suite)
+     /* both ssl2 and export cipher suites disabled */
+     if (SSL_IS_SSL2_CIPHER(suite))
+         return PR_TRUE;
+-    if (SSL_IsExportCipherSuite(suite))
+-      return PR_TRUE;
++    if (SSL_IsExportCipherSuite(suite)) {
++        SSLCipherSuiteInfo csdef;
++        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
++            /* failure to retrieve info, disable */
++            return PR_TRUE;
++        }
++        if (csdef.symCipher != ssl_calg_null) {
++            /* disable all except NULL ciphersuites */
++            return PR_TRUE;
++        }
++    }
+ #endif /* NSS_NO_SSL2_NO_EXPORT */
+     switch (suite) {
+     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
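Review bot: The new branch in `ssl_IsRemovedCipherSuite` exempts suites whose `symCipher` is `ssl_calg_null` from removal, but the comment `/* disable all except NULL ciphersuites */` does not say why. These suites carry no encryption, so the comment should make clear that the exemption is deliberate, for example `/* keep NULL-encryption suites (integrity only, no confidentiality) available for callers that enable them explicitly; all other export suites are removed */`. Whether they stay off by default is decided by the `cipherSuites` table, which is not in this hunk, so that should be confirmed alongside this change. The function body starts before and continues after the hunk.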
diff --git a/SOURCES/fix-disable-sslv2-tests.patch b/SOURCES/fix-disable-sslv2-tests.patch
new file mode 100644
index 0000000..cc1689c
--- /dev/null
+++ b/SOURCES/fix-disable-sslv2-tests.patch
@@ -0,0 +1,33 @@
+diff -up ./nss/tests/ssl/ssl.sh.fix_skipping ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.fix_skipping	2015-08-09 08:19:47.771702882 -0700
++++ ./nss/tests/ssl/ssl.sh	2015-08-09 08:21:35.749328230 -0700
+@@ -125,7 +125,7 @@ is_selfserv_alive()
+   fi
+ 
+   echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
+-  if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++  if [ "${NSS_NO_SSL2}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then
+   echo "No server to kill"
+   else
+   kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+@@ -152,7 +152,7 @@ wait_for_selfserv()
+       ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+               -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
+       if [ $? -ne 0 ]; then
+-          if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++          if [ "${NSS_NO_SSL2}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then
+               html_passed "Server never started"
+           else
+           html_failed "Waiting for Server"
+@@ -294,7 +294,10 @@ ssl_cov()
+       SSL2=$?
+ 
+       #  skip export and ssl2 tests when build has disabled SSL2
+-      [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
++      if [ "${NSS_NO_SSL2}" = "1" ] && [ ${EXP} -eq 0 || ${SSL2} -eq 0 ]; then
++         echo "yyy exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
++         continue
++      fi
+ 
+       if [ "${SSL2}" -eq 0 ] ; then
+           # We cannot use asynchronous cert verification with SSL2
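Review bot: In the `ssl_cov` hunk the new test `[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]` is not valid shell: `||` ends the `[` command before its closing `]`, so the left side fails with a missing-bracket error and the right side is executed as a command named after the value of `SSL2`. In practice the skip branch is never taken, unlike the two `-o` forms added in `is_selfserv_alive` and `wait_for_selfserv`. I would write `if [ "${NSS_NO_SSL2}" = "1" ] && { [ "${EXP}" -eq 0 ] || [ "${SSL2}" -eq 0 ]; }; then`, and quote `${EXP}` and `${SSL2}` in the other two tests as well, since an empty value makes `-eq` fail. The `yyy` prefix in the added echo looks like a leftover debug marker.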
diff --git a/SOURCES/fix-min-library-version-in-SSLVersionRange.patch b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
new file mode 100644
index 0000000..49026a2
--- /dev/null
+++ b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
@@ -0,0 +1,12 @@
+diff -up ./nss/lib/ssl/sslsock.c.1171318 ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.1171318	2015-08-26 13:21:57.225290386 -0700
++++ ./nss/lib/ssl/sslsock.c	2015-08-26 13:23:28.037507487 -0700
+@@ -91,7 +91,7 @@ static sslOptions ssl_defaults = {
+  * default range of enabled SSL/TLS protocols
+  */
+ static SSLVersionRange versions_defaults_stream = {
+-    SSL_LIBRARY_VERSION_TLS_1_0,
++    SSL_LIBRARY_VERSION_3_0,
+     SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
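Review bot: `versions_defaults_stream` now starts at `SSL_LIBRARY_VERSION_3_0`, so every stream socket that does not set its own range will accept SSL 3.0, a protocol deprecated by RFC 7568 and exposed to the POODLE padding-oracle attack when CBC suites are negotiated. The removed nss-revert-tls-version-defaults.patch had the same floor, so this keeps the package's earlier minimum while the maximum rises to TLS 1.2, but nothing in the patch records that this is intentional. If the floor is kept for compatibility, say so next to the initializer, e.g. `/* SSL 3.0 kept as default minimum for compatibility; callers should raise it with SSL_VersionRangeSetDefault() */`. A test asserting the default range would also make a later tightening visible.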
diff --git a/SOURCES/nss-revert-tls-version-defaults.patch b/SOURCES/nss-revert-tls-version-defaults.patch
deleted file mode 100644
index ab0b10a..0000000
--- a/SOURCES/nss-revert-tls-version-defaults.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.keep_tls_default nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.keep_tls_default	2015-06-05 15:23:25.816895506 -0700
-+++ nss/lib/ssl/sslsock.c	2015-06-05 15:24:05.343176138 -0700
-@@ -89,13 +89,13 @@ static sslOptions ssl_defaults = {
-  * default range of enabled SSL/TLS protocols
-  */
- static SSLVersionRange versions_defaults_stream = {
--    SSL_LIBRARY_VERSION_TLS_1_0,
--    SSL_LIBRARY_VERSION_TLS_1_2
-+    SSL_LIBRARY_VERSION_3_0,
-+    SSL_LIBRARY_VERSION_TLS_1_0
- };
- 
- static SSLVersionRange versions_defaults_datagram = {
-     SSL_LIBRARY_VERSION_TLS_1_1,
--    SSL_LIBRARY_VERSION_TLS_1_2
-+    SSL_LIBRARY_VERSION_TLS_1_1
- };
- 
- #define VERSIONS_DEFAULTS(variant) \
diff --git a/SOURCES/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch b/SOURCES/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
new file mode 100644
index 0000000..3ba7ae1
--- /dev/null
+++ b/SOURCES/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
@@ -0,0 +1,38 @@
+diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt
+--- ./nss/tests/ssl/sslauth.txt.ocsp_sni	2015-05-28 10:50:45.000000000 -0700
++++ ./nss/tests/ssl/sslauth.txt	2015-08-30 08:49:22.025299419 -0700
+@@ -65,12 +65,12 @@
+ # SNI Tests
+ #
+   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
+-  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+-  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
++  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
++  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
+-  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
++  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
+   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
+-  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
++  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+   SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+-  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+-  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
++  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
++  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.ocsp_sni	2015-08-30 08:49:21.905301105 -0700
++++ ./nss/tests/ssl/ssl.sh	2015-08-30 08:49:22.017299531 -0700
+@@ -457,10 +457,10 @@ ssl_stapling_sub()
+     start_selfserv
+ 
+     echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
+-    echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
++    echo "        -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
+     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+     ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+-	    -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
++	    -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
+ 	    >${TMP}/$HOST.tmp.$$  2>&1
+     ret=$?
+     cat ${TMP}/$HOST.tmp.$$
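Review bot: In the sslauth.txt row "SSL3 Server hello response with SNI" the inserted `_-c_v` landed inside the version range: `-V_ssl3:ssl3_` became `-V_ssl3:_-c_vssl3_`, so the client no longer pins SSL 3.0 and the `-c` argument becomes `vssl3`. The row still expects exit status 1, so it may keep passing for an unrelated reason while no longer covering the SSL3-without-extensions case. The intended form is probably `-V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom`.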
diff --git a/SOURCES/reorder-cipher-suites.patch b/SOURCES/reorder-cipher-suites.patch
new file mode 100644
index 0000000..6e677e7
--- /dev/null
+++ b/SOURCES/reorder-cipher-suites.patch
@@ -0,0 +1,206 @@
+diff -up ./nss/lib/ssl/ssl3con.c.order ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.order	2015-08-31 17:14:13.539138213 -0700
++++ ./nss/lib/ssl/ssl3con.c	2015-08-31 17:35:23.841003936 -0700
+@@ -90,38 +90,29 @@ static ssl3CipherSuiteCfg cipherSuites[s
+    /*      cipher_suite                     policy       enabled   isPresent */
+ 
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- /* Switched order of two previous to meet Suite B requirements
+-  * but implemented by default yet.
++ /* Ephemeral ECDH */
++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must be before TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
++  * to workaround bug 946147.
+   */
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+-    * bug 946147.
+-    */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+ 
+- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ /* Ephemeral Finite Field DH */
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+@@ -130,35 +121,44 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* Non ephemeral ECDH */
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+ 
+  /* RSA */
+  { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+  /* 56-bit DES "domestic" cipher suites */
+  { TLS_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+diff -up ./nss/lib/ssl/sslenum.c.order ./nss/lib/ssl/sslenum.c
+--- ./nss/lib/ssl/sslenum.c.order	2015-08-31 17:14:13.531138366 -0700
++++ ./nss/lib/ssl/sslenum.c	2015-08-31 17:34:03.139562367 -0700
+@@ -48,35 +48,29 @@
+  */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+ #ifndef NSS_DISABLE_ECC
++    /* Ephemeral ECDH */
+     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
++    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+     /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+      * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+      */
+-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+-    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
++    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
++    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
++    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ #endif /* NSS_DISABLE_ECC */
+ 
+-    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+-    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+-    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+-    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
++    /* Ephemeral Finite Field DH */
+     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+@@ -85,11 +79,20 @@ const PRUint16 SSL_ImplementedCiphers[]
+     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+     TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+     TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
++    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
++    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
++    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
++    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
++    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+     TLS_DHE_DSS_WITH_RC4_128_SHA,
+ 
+ #ifndef NSS_DISABLE_ECC
++    /* Non ephemeral ECDH */
+     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+@@ -100,19 +103,20 @@ const PRUint16 SSL_ImplementedCiphers[]
+     TLS_ECDH_RSA_WITH_RC4_128_SHA,
+ #endif /* NSS_DISABLE_ECC */
+ 
++    /* RSA */
+     TLS_RSA_WITH_AES_256_GCM_SHA384,
++    TLS_RSA_WITH_AES_256_CBC_SHA,
++    TLS_RSA_WITH_AES_256_CBC_SHA256,
++    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+     TLS_RSA_WITH_AES_128_GCM_SHA256,
+     TLS_RSA_WITH_AES_128_CBC_SHA,
+     TLS_RSA_WITH_AES_128_CBC_SHA256,
+     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+-    TLS_RSA_WITH_AES_256_CBC_SHA,
+-    TLS_RSA_WITH_AES_256_CBC_SHA256,
+-    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+     TLS_RSA_WITH_SEED_CBC_SHA,
+-    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+     TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_RSA_WITH_RC4_128_SHA,
+     TLS_RSA_WITH_RC4_128_MD5,
++    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+ 
+     /* 56-bit DES "domestic" cipher suites */
+     TLS_DHE_RSA_WITH_DES_CBC_SHA,
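Review bot: The new order in `cipherSuites` and `SSL_ImplementedCiphers` sorts by key size first, which puts `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` ahead of the 128-bit GCM suites. If table order is the negotiation preference (the hunks do not show where it is consumed), a CBC/SHA-1 suite will be chosen over an AEAD one. The section comments name the groups but not the rule inside each group, and the "Non ephemeral ECDH" group still lists 128-bit before 256-bit. I would state the rule once above the first entry, e.g. `/* Within each key-exchange group: AES-256 before AES-128, each as GCM, CBC-SHA, CBC-SHA2, then 3DES and RC4; keep in the same order as SSL_ImplementedCiphers */`. `TLS_RSA_WITH_RC4_128_SHA` and `TLS_RSA_WITH_RC4_128_MD5` also remain `PR_TRUE` in the context lines, and both arrays continue outside the hunks.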
diff --git a/SOURCES/rh1238290.patch b/SOURCES/rh1238290.patch
new file mode 100644
index 0000000..2564a26
--- /dev/null
+++ b/SOURCES/rh1238290.patch
@@ -0,0 +1,22 @@
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -993,17 +993,17 @@ SECKEY_PublicKeyStrengthInBits(const SEC
+     }
+ 
+     /* interpret modulus length as key strength */
+     switch (pubk->keyType) {
+     case rsaKey:
+         bitSize = SECKEY_BigIntegerBitLength(&pubk->u.rsa.modulus);
+         break;
+     case dsaKey:
+-        bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.publicValue);
++        bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.params.prime);
+         break;
+     case dhKey:
+         bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.publicValue);
+         break;
+     case ecKey:
+         bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
+         break;
+     default:
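Review bot: The `dhKey` case just below the corrected `dsaKey` case still measures `pubk->u.dh.publicValue`, which has the same problem the DSA change fixes: the public value can be shorter than the group modulus, so the reported strength can understate the real one. It should read `bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.prime);`. The switch and the rest of `SECKEY_PublicKeyStrengthInBits` continue outside the hunk.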
diff --git a/SOURCES/sslinfo-fix-info.patch b/SOURCES/sslinfo-fix-info.patch
new file mode 100644
index 0000000..2e0219f
--- /dev/null
+++ b/SOURCES/sslinfo-fix-info.patch
@@ -0,0 +1,12 @@
+diff -up ./nss/lib/ssl/sslinfo.c.fix_info ./nss/lib/ssl/sslinfo.c
+--- ./nss/lib/ssl/sslinfo.c.fix_info	2015-08-17 07:25:53.039762148 -0700
++++ ./nss/lib/ssl/sslinfo.c	2015-08-17 07:26:44.556390051 -0700
+@@ -218,7 +218,7 @@ static const SSLCipherSuiteInfo suiteInf
+ {0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
+ {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
+ {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
+-{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384),     S_RSA, K_RSA, C_AESGCM, B_256, M_SHA384, 1, 0, 0, },
++{0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384),     S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
+ 
+ /* SSL 2 table */
+ {0,CK(SSL_CK_RC4_128_WITH_MD5),               S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
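Review bot: Only the `TLS_RSA_WITH_AES_256_GCM_SHA384` row is corrected to `M_AEAD_128`; the ECDHE and DHE `*_AES_256_GCM_SHA384` rows of `suiteInfo` are outside this hunk and may carry the same `M_SHA384` value if they were added together. They are worth checking in the same patch, since this table appears to be what `SSL_GetCipherSuiteInfo` reports to callers. A one-line comment above the GCM rows, `/* AEAD suites: the SHA-2 name in the suite is the PRF hash, not a record MAC */`, would keep the mistake from recurring.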
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 4ab339a..893792a 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -3,7 +3,7 @@
 # adjust to the version that gets submitted for FIPS validation
 %global nss_softokn_fips_version 3.16.2
 %global nss_softokn_version 3.16.2.3
-%global required_softokn_build_version -11
+%global required_softokn_build_version -13
 
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -23,7 +23,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.19.1
-Release:          7%{?dist}.2
+Release:          18%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -102,16 +102,34 @@ Patch53:          Bug-1001841-disable-sslv2-tests.patch
 Patch55:          enable-fips-when-system-is-in-fips-mode.patch
 # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
 Patch56:          p-ignore-setpolicy.patch
-# Patch to keep the TLS protocol versions that are enabled by default
-Patch98: nss-revert-tls-version-defaults.patch
 Patch99: ssl-server-min-key-sizes.patch
-# Add support for sha384 tls cipher suites, dss ciper suites, and
+# Add support for sha384 tls cipher suites, dss cipher suites, and
 # server-side dhe key exchange
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
-# TODO: File upstream bug for sha384 tls cipher suites support
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
 Patch101: dhe-sha384-dss-support.patch
 Patch102: prfnonsha256.patch
 Patch103: sha384-client-verify.patch
+# Fix flaws in Patch53 which caused needed tests to be skipped which could hide errors
+Patch104: fix-disable-sslv2-tests.patch
+# Fix Patch52 which caused NULL ciphers failures
+Patch105: fix-disable-sslv2-libssl.patch
+# Enables veriying fix for TLS_RSA_WITH_NULL_... not working in RHEL7
+# Partial set of the required ciphers to be enabled by default
+Patch106: additional-cipher-suites-enabled-by-default.patch
+Patch107: sslinfo-fix-info.patch
+Patch108: fix-min-library-version-in-SSLVersionRange.patch
+Patch109: enable-ecdsa-ciphers-by-default.patch
+# Enable by default two additional ciphers and fix order of two tables 
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
+Patch110: reorder-cipher-suites.patch
+# Expand client side CLI options for ocsp stapling and SNI tests
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+Patch111: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
+# TODO: File a bug upstream with and expanded patch
+Patch112: rh1238290.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
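Review bot: The comments on the new Patch lines need a pass: `veriying` should be `verifying`, `with and expanded patch` should be `with an expanded patch`, and the sentence above Patch106 about `TLS_RSA_WITH_NULL_...` reads as if it belongs to Patch105. Patch107, Patch108 and Patch109 have no comment at all, although Patch108 changes the default minimum protocol version and Patch109 changes which suites are on by default. Each of those should get a one-line rationale and a bug reference, e.g. `# Default minimum protocol version for stream sockets (rhbz#<bug id>)` above Patch108.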
@@ -209,13 +227,24 @@ pushd nss
 popd
 %patch55 -p0 -b .852023
 %patch56 -p0 -b .1026677
-%patch98 -p0 -b .keep_tls_default
 %patch99 -p0 -b .min_key_sizes
 pushd nss
 %patch101 -p1 -b .dhe_and_sha384
 %patch102 -p1 -b .prfnonsha256
 %patch103 -p1 -b .sha384_client_verify
 popd
+%patch104 -p0 -b .fix_skipping
+%patch105 -p0 -b .null_ciphers
+%patch106 -p0 -b .1245627
+%patch107 -p0 -b .fix_info
+%patch108 -p0 -b .1171318
+%patch109 -p0 -b .enable_ecdsa
+%patch110 -p0 -b .order
+%patch111 -p0 -b .ocsp_sni
+pushd nss
+%patch112 -p1 -b .1238290
+popd
+
 
 #########################################################
 # Higher-level libraries and test tools need access to
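Review bot: The backup suffixes on the new `%patch106`, `%patch108` and `%patch112` lines (`.1245627`, `.1171318`, `.1238290`) look like bug numbers, but the matching `Patch` declarations carry no `# rhbz:` reference of the kind Patch56 has, and Patch107 to Patch109 have no comment at all. This group changes which cipher suites are enabled by default, and the same hunk drops `%patch98 -p0 -b .keep_tls_default`, so each declaration should state which default it changes and where that was decided. For example, above `Patch109`: `# rhbz: <bug URL> - enable ECDSA cipher suites by default`. The second blank line added after the final `popd` can be dropped.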
@@ -476,6 +505,11 @@ pushd ./nss/tests/
 # global nss_ssl_tests "normal_fips"
 # global nss_ssl_run "cov auth"
 
+# Temporarily disabling ssl stress tests for s390
+%ifarch s390
+%global nss_ssl_run "cov auth"
+%endif
+
 HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
 
 popd
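Review bot: The added `%ifarch s390` override is labelled "Temporarily" but names no bug or condition for removing it, so the reduced SSL test run can stay in place on that architecture indefinitely. Setting `nss_ssl_run` to `"cov auth"` presumably drops the stress pass from what `all.sh` runs by default, so connection-handling regressions would go untested in that build. I would tie the comment to a tracker, e.g. `# Temporarily disabling ssl stress tests for s390, see <tracking bug>; remove when fixed`. Note that `%ifarch s390` does not match s390x, so if the failures also occur there the line needs to be `%ifarch s390 s390x`.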
@@ -561,7 +595,7 @@ do
 done
 
 # Copy the binaries we ship as unsupported
-for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
+for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
 do
   %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
@@ -704,6 +738,7 @@ fi
 %{unsupported_tools_directory}/atob
 %{unsupported_tools_directory}/btoa
 %{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
 %{unsupported_tools_directory}/ocspclnt
 %{unsupported_tools_directory}/pp
 %{unsupported_tools_directory}/selfserv
@@ -803,14 +838,52 @@ fi
 
 
 %changelog
-* Wed Oct 21 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-7.el7_2
+* Wed Oct 21 2015 Kai Engert <kaie@redhat.com> - 3.19.1-18
 - Rebuild against updated NSPR
 
-* Wed Oct 21 2015 Kai Engert <kaie@redhat.com> - 3.19.1-7.el7_1.1
-- Rebuild against updated NSPR
+* Thu Sep 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-17
+- Change the required_softokn_build_version back to -13
+- Ensure we use nss-softokn-3.16.2.3-13.el7_1
+
+* Thu Sep 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-16
+- Fix check for public key size of DSA certificates
+- Use size of prime P not the size of dsa.publicValue
+
+* Mon Aug 31 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-15
+- Reorder the cipher suites and enable two more by default
+
+* Sun Aug 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-14
+- Update the required_softokn_build_version to -14
+- Add references to bugs filed upstream for new patches
+- Merge ocsp stapling and sslauth sni tests patches into one
 
-* Mon Jun 29 2015 Kai Engert <kaie@redhat.com> - 3.19.1-6
-- experimental build
+* Sat Aug 29 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-13
+- Reorder the cipher suites and enable two more by default
+- Fix some of the ssauth sni and ocsp stapling tests
+
+* Thu Aug 27 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-12
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+- Enable ECDSA cipher suites by default, a subset of the ones requested
+
+* Wed Aug 26 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-11
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+
+* Mon Aug 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-10
+- Fix to correctly report integrity mechanism for TLS_RSA_WITH_AES_256_GCM_SHA384
+
+* Mon Aug 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-9
+- Fix checks to skip ssl2/export cipher suites tests to not skip needed tests
+- Fix libssl ssl2/export disabling patch to handle NULL cipher cases
+- Enable additional cipher suites by default
+
+* Thu Jul 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-8
+- Add links to filed upstream bugs to better track patches in spec file
+
+* Tue Jul 07 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-7
+- Package listsuites as part of the unsupported tools
+
+* Thu Jul 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-6
+- Bump the release tag
 
 * Mon Jun 29 2015 Kai Engert <kaie@redhat.com> - 3.19.1-5
 - Incremental patches to fix SSL/TLS test suite execution,
@@ -824,30 +897,34 @@ fi
 
 * Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-3
 - Reenable a patch that had been mistakenly disabled
-- Resolves: Bug 1224451
 
 * Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-2
 - Build against nss-softokn-3.16.2.3-9
-- Resolves: Bug 1224451
 
 * Fri Jun 05 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-1
 - Rebase to nss-3.19.1
-- Resolves: Bug 1224451
+- Resolves: Bug 1228913 - Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1]
 
-* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.2
-- On RHEL 7.1 keep the TLS version defaults unchanged.
+* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-6
+- Backport mozbz#1155922 to support SHA512 signatures with TLS 1.2
 
-* Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.1
+* Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 3.18.0-5
 - Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
 
-* Fri Apr 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
-- Update and reenable nss-646045.patch on account of the rebase
-- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+* Fri Apr 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-4
+- Update and reeneable nss-646045.patch on account of the rebase
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
 
-* Tue Apr 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
-- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+* Tue Apr 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-3
 - Fix shell syntax error on nss/tests/all.sh
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Fri Apr 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
 - Replace expired PayPal test certificate that breaks the build
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Mon Mar 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
 
 * Mon Jan 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-5
 - Reverse the sense of a test in patch to fix pk12util segfault