diff --git a/.gitignore b/.gitignore
index 1d16491..dac23b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.28.2.tar.gz
+SOURCES/nss-3.28.4.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index bb1ad7d..abcc374 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-4f972f53cef8f87416a12199863e1ec043f0050d SOURCES/nss-3.28.2.tar.gz
+f358559b9c058ec9ee54cca222722c671131f5cb SOURCES/nss-3.28.4.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/nss-ecpoint-encoding.patch b/SOURCES/nss-ecpoint-encoding.patch
deleted file mode 100644
index 2577621..0000000
--- a/SOURCES/nss-ecpoint-encoding.patch
+++ /dev/null
@@ -1,330 +0,0 @@
-
-# HG changeset patch
-# User Kai Engert <kaie@kuix.de>
-# Date 1487329827 -3600
-# Node ID 0050234a859c2aac2cf8cb5092218191300b1901
-# Parent  0e25df041c8fdc8610c6f227084d11eb8ad81149
-Bug 1340103, Introduction of SECKEYECPublicKey.encoding in NSS 3.28 broke ABI, r=rrelyea/mt
-
-diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h
---- a/lib/cryptohi/keyi.h
-+++ b/lib/cryptohi/keyi.h
-@@ -12,18 +12,11 @@ SEC_BEGIN_PROTOS
- KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
- 
- /* extract the 'encryption' (could be signing) and hash oids from and
-  * algorithm, key and parameters (parameters is the parameters field
-  * of a algorithm ID structure (SECAlgorithmID)*/
- SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
-                            const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
- 
--/*
-- * Set the point encoding of a SECKEYPublicKey from the OID.
-- * This has to be called on any SECKEYPublicKey holding a SECKEYECPublicKey
-- * before it can be used. The encoding is used to dermine the public key size.
-- */
--SECStatus seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey);
--
- SEC_END_PROTOS
- 
- #endif /* _KEYHI_H_ */
-diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h
---- a/lib/cryptohi/keythi.h
-+++ b/lib/cryptohi/keythi.h
-@@ -120,19 +120,19 @@ typedef struct SECKEYDHPublicKeyStr SECK
- ** Elliptic curve Public Key structure
- ** The PKCS#11 layer needs DER encoding of ANSI X9.62
- ** parameters value
- */
- typedef SECItem SECKEYECParams;
- 
- struct SECKEYECPublicKeyStr {
-     SECKEYECParams DEREncodedParams;
--    int size;            /* size in bits */
--    SECItem publicValue; /* encoded point */
--    ECPointEncoding encoding;
-+    int size;                 /* size in bits */
-+    SECItem publicValue;      /* encoded point */
-+    ECPointEncoding encoding; /* deprecated, ignored */
- };
- typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey;
- 
- /*
- ** FORTEZZA Public Key structures
- */
- struct SECKEYFortezzaPublicKeyStr {
-     int KEAversion;
-diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
---- a/lib/cryptohi/seckey.c
-+++ b/lib/cryptohi/seckey.c
-@@ -542,16 +542,33 @@ seckey_GetKeyType(SECOidTag tag)
- 
- /* Function used to determine what kind of cert we are dealing with. */
- KeyType
- CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki)
- {
-     return seckey_GetKeyType(SECOID_GetAlgorithmTag(&spki->algorithm));
- }
- 
-+/* Ensure pubKey contains an OID */
-+static SECStatus
-+seckey_HasCurveOID(const SECKEYPublicKey *pubKey)
-+{
-+    SECItem oid;
-+    SECStatus rv;
-+    PORTCheapArenaPool tmpArena;
-+
-+    PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
-+    /* If we can decode it, an OID is available. */
-+    rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid,
-+                                SEC_ASN1_GET(SEC_ObjectIDTemplate),
-+                                &pubKey->u.ec.DEREncodedParams);
-+    PORT_DestroyCheapArena(&tmpArena);
-+    return rv;
-+}
-+
- static SECKEYPublicKey *
- seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki)
- {
-     SECKEYPublicKey *pubk;
-     SECItem os, newOs, newParms;
-     SECStatus rv;
-     PLArenaPool *arena;
-     SECOidTag tag;
-@@ -634,17 +651,18 @@ seckey_ExtractPublicKey(const CERTSubjec
-                                       &spki->algorithm.parameters);
-                 if (rv != SECSuccess) {
-                     break;
-                 }
-                 rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs);
-                 if (rv != SECSuccess) {
-                     break;
-                 }
--                rv = seckey_SetPointEncoding(arena, pubk);
-+                pubk->u.ec.encoding = ECPoint_Undefined;
-+                rv = seckey_HasCurveOID(pubk);
-                 if (rv == SECSuccess) {
-                     return pubk;
-                 }
-                 break;
- 
-             default:
-                 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-                 break;
-@@ -1157,26 +1175,26 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
-             rv = SECITEM_CopyItem(arena, &copyk->u.dh.base, &pubk->u.dh.base);
-             if (rv != SECSuccess)
-                 break;
-             rv = SECITEM_CopyItem(arena, &copyk->u.dh.publicValue,
-                                   &pubk->u.dh.publicValue);
-             break;
-         case ecKey:
-             copyk->u.ec.size = pubk->u.ec.size;
-+            rv = seckey_HasCurveOID(pubk);
-+            if (rv != SECSuccess) {
-+                break;
-+            }
-             rv = SECITEM_CopyItem(arena, &copyk->u.ec.DEREncodedParams,
-                                   &pubk->u.ec.DEREncodedParams);
-             if (rv != SECSuccess) {
-                 break;
-             }
--            rv = seckey_SetPointEncoding(arena, copyk);
--            if (rv != SECSuccess) {
--                break;
--            }
--            PORT_Assert(copyk->u.ec.encoding == pubk->u.ec.encoding);
-+            copyk->u.ec.encoding = ECPoint_Undefined;
-             rv = SECITEM_CopyItem(arena, &copyk->u.ec.publicValue,
-                                   &pubk->u.ec.publicValue);
-             break;
-         case nullKey:
-             return copyk;
-         default:
-             PORT_SetError(SEC_ERROR_INVALID_KEY);
-             rv = SECFailure;
-@@ -1938,44 +1956,8 @@ SECKEY_GetECCOid(const SECKEYECParams *p
-         return 0;
-     oid.len = params->len - 2;
-     oid.data = params->data + 2;
-     if ((oidData = SECOID_FindOID(&oid)) == NULL)
-         return 0;
- 
-     return oidData->offset;
- }
--
--/* Set curve encoding in SECKEYECPublicKey in pubKey from OID.
-- * If the encoding is not set, determining the key size of EC public keys will
-- * fail.
-- */
--SECStatus
--seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey)
--{
--    SECItem oid;
--    SECOidTag tag;
--    SECStatus rv;
--
--    /* decode the OID tag */
--    rv = SEC_QuickDERDecodeItem(arena, &oid, SEC_ASN1_GET(SEC_ObjectIDTemplate),
--                                &pubKey->u.ec.DEREncodedParams);
--    if (rv != SECSuccess) {
--        return SECFailure;
--    }
--
--    tag = SECOID_FindOIDTag(&oid);
--    switch (tag) {
--        case SEC_OID_CURVE25519:
--            pubKey->u.ec.encoding = ECPoint_XOnly;
--            break;
--        case SEC_OID_SECG_EC_SECP256R1:
--        /* fall through */
--        case SEC_OID_SECG_EC_SECP384R1:
--        /* fall through */
--        case SEC_OID_SECG_EC_SECP521R1:
--        /* fall through */
--        default:
--            /* unknown curve, default to uncompressed */
--            pubKey->u.ec.encoding = ECPoint_Uncompressed;
--    }
--    return SECSuccess;
--}
-diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
---- a/lib/pk11wrap/pk11akey.c
-+++ b/lib/pk11wrap/pk11akey.c
-@@ -760,22 +760,20 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot
-                 crv = CKR_OBJECT_HANDLE_INVALID;
-                 break;
-             }
- 
-             crv = pk11_Attr2SecItem(arena, ecparams,
-                                     &pubKey->u.ec.DEREncodedParams);
-             if (crv != CKR_OK)
-                 break;
-+            pubKey->u.ec.encoding = ECPoint_Undefined;
-             crv = pk11_get_Decoded_ECPoint(arena,
-                                            &pubKey->u.ec.DEREncodedParams, value,
-                                            &pubKey->u.ec.publicValue);
--            if (seckey_SetPointEncoding(arena, pubKey) != SECSuccess) {
--                crv |= CKR_GENERAL_ERROR;
--            }
-             break;
-         case fortezzaKey:
-         case nullKey:
-         default:
-             crv = CKR_OBJECT_HANDLE_INVALID;
-             break;
-     }
- 
-diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c
---- a/lib/pk11wrap/pk11skey.c
-+++ b/lib/pk11wrap/pk11skey.c
-@@ -2032,27 +2032,62 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
-             PORT_SetError(PK11_MapError(crv));
-         }
-     }
- 
-     PK11_FreeSymKey(symKey);
-     return NULL;
- }
- 
-+/* Test for curves that are known to use a special encoding.
-+ * Extend this function when additional curves are added. */
-+static ECPointEncoding
-+pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey)
-+{
-+    SECItem oid;
-+    SECStatus rv;
-+    PORTCheapArenaPool tmpArena;
-+    ECPointEncoding encoding = ECPoint_Undefined;
-+
-+    PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
-+
-+    /* decode the OID tag */
-+    rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid,
-+                                SEC_ASN1_GET(SEC_ObjectIDTemplate),
-+                                &pubKey->u.ec.DEREncodedParams);
-+    if (rv == SECSuccess) {
-+        SECOidTag tag = SECOID_FindOIDTag(&oid);
-+        switch (tag) {
-+            case SEC_OID_CURVE25519:
-+                encoding = ECPoint_XOnly;
-+                break;
-+            case SEC_OID_SECG_EC_SECP256R1:
-+            case SEC_OID_SECG_EC_SECP384R1:
-+            case SEC_OID_SECG_EC_SECP521R1:
-+            default:
-+                /* unknown curve, default to uncompressed */
-+                encoding = ECPoint_Uncompressed;
-+        }
-+    }
-+    PORT_DestroyCheapArena(&tmpArena);
-+    return encoding;
-+}
-+
- /* Returns the size of the public key, or 0 if there
-  * is an error. */
- static CK_ULONG
- pk11_ECPubKeySize(SECKEYPublicKey *pubKey)
- {
-     SECItem *publicValue = &pubKey->u.ec.publicValue;
- 
--    if (pubKey->u.ec.encoding == ECPoint_XOnly) {
-+    ECPointEncoding encoding = pk11_ECGetPubkeyEncoding(pubKey);
-+    if (encoding == ECPoint_XOnly) {
-         return publicValue->len;
-     }
--    if (publicValue->data[0] == 0x04) {
-+    if (encoding == ECPoint_Uncompressed) {
-         /* key encoded in uncompressed form */
-         return ((publicValue->len - 1) / 2);
-     }
-     /* key encoding not recognized */
-     return 0;
- }
- 
- static PK11SymKey *
-diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c
---- a/lib/ssl/ssl3ecc.c
-+++ b/lib/ssl/ssl3ecc.c
-@@ -298,17 +298,17 @@ ssl3_HandleECDHClientKeyExchange(sslSock
-     PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
-     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
- 
-     clntPubKey.keyType = ecKey;
-     clntPubKey.u.ec.DEREncodedParams.len =
-         serverKeyPair->pubKey->u.ec.DEREncodedParams.len;
-     clntPubKey.u.ec.DEREncodedParams.data =
-         serverKeyPair->pubKey->u.ec.DEREncodedParams.data;
--    clntPubKey.u.ec.encoding = serverKeyPair->pubKey->u.ec.encoding;
-+    clntPubKey.u.ec.encoding = ECPoint_Undefined;
- 
-     rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue,
-                                        1, &b, &length);
-     if (rv != SECSuccess) {
-         PORT_SetError(errCode);
-         return SECFailure;
-     }
- 
-@@ -382,21 +382,17 @@ ssl_ImportECDHKeyShare(sslSocket *ss, SE
-     peerKey->keyType = ecKey;
-     /* Set up the encoded params */
-     rv = ssl_NamedGroup2ECParams(peerKey->arena, ecGroup,
-                                  &peerKey->u.ec.DEREncodedParams);
-     if (rv != SECSuccess) {
-         ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE);
-         return SECFailure;
-     }
--    if (ecGroup->name == ssl_grp_ec_curve25519) {
--        peerKey->u.ec.encoding = ECPoint_XOnly;
--    } else {
--        peerKey->u.ec.encoding = ECPoint_Uncompressed;
--    }
-+    peerKey->u.ec.encoding = ECPoint_Undefined;
- 
-     /* copy publicValue in peerKey */
-     ecPoint.data = b;
-     ecPoint.len = length;
- 
-     rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.ec.publicValue, &ecPoint);
-     if (rv != SECSuccess) {
-         return SECFailure;
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 7c243ed..eaf7f49 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -26,8 +26,8 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.28.2
-Release:          1.6%{?dist}
+Version:          3.28.4
+Release:          1.0%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -143,8 +143,6 @@ Patch129: moz-1320932.patch
 # Disable RSA-PSS until we get a new nss-softokn (taken from RHEL-6
 # for rhbz#1390161)
 Patch130: disable-pss.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1340103
-Patch131: nss-ecpoint-encoding.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054
 Patch132: nss-tstclnt-optspec.patch
 Patch200: nss-disable-curve25519-gtests.patch
@@ -268,7 +266,6 @@ pushd nss
 %patch128 -p1 -b .enable-cipher-suites
 %patch129 -p1 -b .fix_ssl_sh_typo
 %patch130 -p1 -b .disable_pss
-%patch131 -p1 -b .ecpoint-encoding
 %patch132 -p1 -b .tstclnt-optspec
 %patch200 -p1 -b .disable-curve25519-gtests
 %patch201 -p1 -b .disable-curve25519-tests
@@ -863,6 +860,9 @@ fi
 
 
 %changelog
+* Fri Apr  7 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-1.0
+- Rebase to NSS 3.28.4
+
 * Mon Feb 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.6
 - Restore ssl-server-min-key-sizes.patch
 - Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default