diff --git a/SOURCES/nss-ca-2.14.patch b/SOURCES/nss-ca-2.14.patch
new file mode 100644
index 0000000..b571fa6
--- /dev/null
+++ b/SOURCES/nss-ca-2.14.patch
@@ -0,0 +1,1190 @@
+diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
+--- a/lib/ckfw/builtins/certdata.txt
++++ b/lib/ckfw/builtins/certdata.txt
+@@ -8188,177 +8188,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \150\340
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
+-# Certificate "WellsSecure Public Root Certificate Authority"
+-#
+-# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Serial Number: 1 (0x1)
+-# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Not Valid Before: Thu Dec 13 17:07:54 2007
+-# Not Valid After : Wed Dec 14 00:07:54 2022
+-# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
+-# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
+-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
+-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
+-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
+-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
+-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
+-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
+-\165\164\150\157\162\151\164\171
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
+-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
+-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
+-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
+-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
+-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
+-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
+-\165\164\150\157\162\151\164\171
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\001
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\001
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+-\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+-\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163\040
+-\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165\162
+-\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154\154
+-\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101\061
+-\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163\123
+-\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157\157
+-\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165
+-\164\150\157\162\151\164\171\060\036\027\015\060\067\061\062\061
+-\063\061\067\060\067\065\064\132\027\015\062\062\061\062\061\064
+-\060\060\060\067\065\064\132\060\201\205\061\013\060\011\006\003
+-\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004\012
+-\014\027\127\145\154\154\163\040\106\141\162\147\157\040\127\145
+-\154\154\163\123\145\143\165\162\145\061\034\060\032\006\003\125
+-\004\013\014\023\127\145\154\154\163\040\106\141\162\147\157\040
+-\102\141\156\153\040\116\101\061\066\060\064\006\003\125\004\003
+-\014\055\127\145\154\154\163\123\145\143\165\162\145\040\120\165
+-\142\154\151\143\040\122\157\157\164\040\103\145\162\164\151\146
+-\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060
+-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
+-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
+-\356\157\264\275\171\342\217\010\041\236\070\004\101\045\357\253
+-\133\034\123\222\254\155\236\335\302\304\056\105\224\003\065\210
+-\147\164\127\343\337\214\270\247\166\217\073\367\250\304\333\051
+-\143\016\221\150\066\212\227\216\212\161\150\011\007\344\350\324
+-\016\117\370\326\053\114\244\026\371\357\103\230\217\263\236\122
+-\337\155\221\071\217\070\275\167\213\103\143\353\267\223\374\060
+-\114\034\001\223\266\023\373\367\241\037\277\045\341\164\067\054
+-\036\244\136\074\150\370\113\277\015\271\036\056\066\350\251\344
+-\247\370\017\313\202\165\174\065\055\042\326\302\277\013\363\264
+-\374\154\225\141\036\127\327\004\201\062\203\122\171\346\203\143
+-\317\267\313\143\213\021\342\275\136\353\366\215\355\225\162\050
+-\264\254\022\142\351\112\063\346\203\062\256\005\165\225\275\204
+-\225\333\052\134\233\216\056\014\270\201\053\101\346\070\126\237
+-\111\233\154\166\372\212\135\367\001\171\201\174\301\203\100\005
+-\376\161\375\014\077\314\116\140\011\016\145\107\020\057\001\300
+-\005\077\217\370\263\101\357\132\102\176\131\357\322\227\014\145
+-\002\003\001\000\001\243\202\001\064\060\202\001\060\060\017\006
+-\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\071
+-\006\003\125\035\037\004\062\060\060\060\056\240\054\240\052\206
+-\050\150\164\164\160\072\057\057\143\162\154\056\160\153\151\056
+-\167\145\154\154\163\146\141\162\147\157\056\143\157\155\057\167
+-\163\160\162\143\141\056\143\162\154\060\016\006\003\125\035\017
+-\001\001\377\004\004\003\002\001\306\060\035\006\003\125\035\016
+-\004\026\004\024\046\225\031\020\331\350\241\227\221\377\334\031
+-\331\265\004\076\322\163\012\152\060\201\262\006\003\125\035\043
+-\004\201\252\060\201\247\200\024\046\225\031\020\331\350\241\227
+-\221\377\334\031\331\265\004\076\322\163\012\152\241\201\213\244
+-\201\210\060\201\205\061\013\060\011\006\003\125\004\006\023\002
+-\125\123\061\040\060\036\006\003\125\004\012\014\027\127\145\154
+-\154\163\040\106\141\162\147\157\040\127\145\154\154\163\123\145
+-\143\165\162\145\061\034\060\032\006\003\125\004\013\014\023\127
+-\145\154\154\163\040\106\141\162\147\157\040\102\141\156\153\040
+-\116\101\061\066\060\064\006\003\125\004\003\014\055\127\145\154
+-\154\163\123\145\143\165\162\145\040\120\165\142\154\151\143\040
+-\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\145
+-\040\101\165\164\150\157\162\151\164\171\202\001\001\060\015\006
+-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
+-\000\271\025\261\104\221\314\043\310\053\115\167\343\370\232\173
+-\047\015\315\162\273\231\000\312\174\146\031\120\306\325\230\355
+-\253\277\003\132\345\115\345\036\310\117\161\227\206\325\343\035
+-\375\220\311\074\165\167\127\172\175\370\336\364\324\325\367\225
+-\346\164\156\035\074\256\174\235\333\002\003\005\054\161\113\045
+-\076\007\343\136\232\365\146\027\051\210\032\070\237\317\252\101
+-\003\204\227\153\223\070\172\312\060\104\033\044\104\063\320\344
+-\321\334\050\070\364\023\103\065\065\051\143\250\174\242\265\255
+-\070\244\355\255\375\306\232\037\377\227\163\376\373\263\065\247
+-\223\206\306\166\221\000\346\254\121\026\304\047\062\134\333\163
+-\332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166
+-\040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075
+-\211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147
+-\031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176
+-\020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157
+-\330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130
+-\333
+-END
+-
+-# Trust for Certificate "WellsSecure Public Root Certificate Authority"
+-# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Serial Number: 1 (0x1)
+-# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Not Valid Before: Thu Dec 13 17:07:54 2007
+-# Not Valid After : Wed Dec 14 00:07:54 2022
+-# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
+-# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\347\264\366\235\141\354\220\151\333\176\220\247\100\032\074\364
+-\175\117\350\356
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\025\254\245\302\222\055\171\274\350\177\313\147\355\002\317\066
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
+-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
+-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
+-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
+-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
+-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
+-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
+-\165\164\150\157\162\151\164\171
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\001
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "COMODO ECC Certification Authority"
+ #
+ # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
+ # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Thu Mar 06 00:00:00 2008
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
+@@ -8930,222 +8769,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \337\232
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
+-# Certificate "Microsec e-Szigno Root CA"
+-#
+-# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
+-# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Not Valid Before: Wed Apr 06 12:28:44 2005
+-# Not Valid After : Thu Apr 06 12:28:44 2017
+-# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
+-# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
+-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
+-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
+-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
+-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
+-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
+-\164\040\103\101
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
+-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
+-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
+-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
+-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
+-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
+-\164\040\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
+-\054\017\021
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\007\250\060\202\006\220\240\003\002\001\002\002\021\000
+-\314\270\347\277\116\051\032\375\242\334\146\245\034\054\017\021
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+-\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021
+-\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163
+-\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143\162
+-\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003\125
+-\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101\061
+-\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157\163
+-\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157\164
+-\040\103\101\060\036\027\015\060\065\060\064\060\066\061\062\062
+-\070\064\064\132\027\015\061\067\060\064\060\066\061\062\062\070
+-\064\064\132\060\162\061\013\060\011\006\003\125\004\006\023\002
+-\110\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144
+-\141\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015
+-\115\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060
+-\022\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157
+-\040\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151
+-\143\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040
+-\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011\052
+-\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060
+-\202\001\012\002\202\001\001\000\355\310\000\325\201\173\315\070
+-\000\107\314\333\204\301\041\151\054\164\220\014\041\331\123\207
+-\355\076\103\104\123\257\253\370\200\233\074\170\215\324\215\256
+-\270\357\323\021\334\201\346\317\073\226\214\326\157\025\306\167
+-\176\241\057\340\137\222\266\047\327\166\232\035\103\074\352\331
+-\354\057\356\071\363\152\147\113\213\202\317\042\370\145\125\376
+-\054\313\057\175\110\172\075\165\371\252\240\047\273\170\302\006
+-\312\121\302\176\146\113\257\315\242\247\115\002\202\077\202\254
+-\205\306\341\017\220\107\231\224\012\161\162\223\052\311\246\300
+-\276\074\126\114\163\222\047\361\153\265\365\375\374\060\005\140
+-\222\306\353\226\176\001\221\302\151\261\036\035\173\123\105\270
+-\334\101\037\311\213\161\326\124\024\343\213\124\170\077\276\364
+-\142\073\133\365\243\354\325\222\164\342\164\060\357\001\333\341
+-\324\253\231\233\052\153\370\275\246\034\206\043\102\137\354\111
+-\336\232\213\133\364\162\072\100\305\111\076\245\276\216\252\161
+-\353\154\372\365\032\344\152\375\173\175\125\100\357\130\156\346
+-\331\325\274\044\253\301\357\267\002\003\001\000\001\243\202\004
+-\067\060\202\004\063\060\147\006\010\053\006\001\005\005\007\001
+-\001\004\133\060\131\060\050\006\010\053\006\001\005\005\007\060
+-\001\206\034\150\164\164\160\163\072\057\057\162\143\141\056\145
+-\055\163\172\151\147\156\157\056\150\165\057\157\143\163\160\060
+-\055\006\010\053\006\001\005\005\007\060\002\206\041\150\164\164
+-\160\072\057\057\167\167\167\056\145\055\163\172\151\147\156\157
+-\056\150\165\057\122\157\157\164\103\101\056\143\162\164\060\017
+-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
+-\202\001\163\006\003\125\035\040\004\202\001\152\060\202\001\146
+-\060\202\001\142\006\014\053\006\001\004\001\201\250\030\002\001
+-\001\001\060\202\001\120\060\050\006\010\053\006\001\005\005\007
+-\002\001\026\034\150\164\164\160\072\057\057\167\167\167\056\145
+-\055\163\172\151\147\156\157\056\150\165\057\123\132\123\132\057
+-\060\202\001\042\006\010\053\006\001\005\005\007\002\002\060\202
+-\001\024\036\202\001\020\000\101\000\040\000\164\000\141\000\156
+-\000\372\000\163\000\355\000\164\000\166\000\341\000\156\000\171
+-\000\040\000\351\000\162\000\164\000\145\000\154\000\155\000\145
+-\000\172\000\351\000\163\000\351\000\150\000\145\000\172\000\040
+-\000\351\000\163\000\040\000\145\000\154\000\146\000\157\000\147
+-\000\141\000\144\000\341\000\163\000\341\000\150\000\157\000\172
+-\000\040\000\141\000\040\000\123\000\172\000\157\000\154\000\147
+-\000\341\000\154\000\164\000\141\000\164\000\363\000\040\000\123
+-\000\172\000\157\000\154\000\147\000\341\000\154\000\164\000\141
+-\000\164\000\341\000\163\000\151\000\040\000\123\000\172\000\141
+-\000\142\000\341\000\154\000\171\000\172\000\141\000\164\000\141
+-\000\040\000\163\000\172\000\145\000\162\000\151\000\156\000\164
+-\000\040\000\153\000\145\000\154\000\154\000\040\000\145\000\154
+-\000\152\000\341\000\162\000\156\000\151\000\072\000\040\000\150
+-\000\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167
+-\000\167\000\056\000\145\000\055\000\163\000\172\000\151\000\147
+-\000\156\000\157\000\056\000\150\000\165\000\057\000\123\000\132
+-\000\123\000\132\000\057\060\201\310\006\003\125\035\037\004\201
+-\300\060\201\275\060\201\272\240\201\267\240\201\264\206\041\150
+-\164\164\160\072\057\057\167\167\167\056\145\055\163\172\151\147
+-\156\157\056\150\165\057\122\157\157\164\103\101\056\143\162\154
+-\206\201\216\154\144\141\160\072\057\057\154\144\141\160\056\145
+-\055\163\172\151\147\156\157\056\150\165\057\103\116\075\115\151
+-\143\162\157\163\145\143\045\062\060\145\055\123\172\151\147\156
+-\157\045\062\060\122\157\157\164\045\062\060\103\101\054\117\125
+-\075\145\055\123\172\151\147\156\157\045\062\060\103\101\054\117
+-\075\115\151\143\162\157\163\145\143\045\062\060\114\164\144\056
+-\054\114\075\102\165\144\141\160\145\163\164\054\103\075\110\125
+-\077\143\145\162\164\151\146\151\143\141\164\145\122\145\166\157
+-\143\141\164\151\157\156\114\151\163\164\073\142\151\156\141\162
+-\171\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
+-\006\060\201\226\006\003\125\035\021\004\201\216\060\201\213\201
+-\020\151\156\146\157\100\145\055\163\172\151\147\156\157\056\150
+-\165\244\167\060\165\061\043\060\041\006\003\125\004\003\014\032
+-\115\151\143\162\157\163\145\143\040\145\055\123\172\151\147\156
+-\303\263\040\122\157\157\164\040\103\101\061\026\060\024\006\003
+-\125\004\013\014\015\145\055\123\172\151\147\156\303\263\040\110
+-\123\132\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\113\146\164\056\061\021\060\017\006\003
+-\125\004\007\023\010\102\165\144\141\160\145\163\164\061\013\060
+-\011\006\003\125\004\006\023\002\110\125\060\201\254\006\003\125
+-\035\043\004\201\244\060\201\241\200\024\307\240\111\165\026\141
+-\204\333\061\113\204\322\361\067\100\220\357\116\334\367\241\166
+-\244\164\060\162\061\013\060\011\006\003\125\004\006\023\002\110
+-\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141
+-\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015\115
+-\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060\022
+-\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157\040
+-\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151\143
+-\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040\122
+-\157\157\164\040\103\101\202\021\000\314\270\347\277\116\051\032
+-\375\242\334\146\245\034\054\017\021\060\035\006\003\125\035\016
+-\004\026\004\024\307\240\111\165\026\141\204\333\061\113\204\322
+-\361\067\100\220\357\116\334\367\060\015\006\011\052\206\110\206
+-\367\015\001\001\005\005\000\003\202\001\001\000\323\023\234\146
+-\143\131\056\312\134\160\014\374\203\274\125\261\364\216\007\154
+-\146\047\316\301\073\040\251\034\273\106\124\160\356\132\314\240
+-\167\352\150\104\047\353\362\051\335\167\251\325\373\343\324\247
+-\004\304\225\270\013\341\104\150\140\007\103\060\061\102\141\345
+-\356\331\345\044\325\033\337\341\112\033\252\237\307\137\370\172
+-\021\352\023\223\000\312\212\130\261\356\355\016\115\264\327\250
+-\066\046\174\340\072\301\325\127\202\361\165\266\375\211\137\332
+-\363\250\070\237\065\006\010\316\042\225\276\315\325\374\276\133
+-\336\171\153\334\172\251\145\146\276\261\045\132\137\355\176\323
+-\254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321
+-\205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235
+-\365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362
+-\076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077
+-\060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226
+-\024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040
+-\103\307\003\340\067\116\135\012\334\131\040\045
+-END
+-
+-# Trust for Certificate "Microsec e-Szigno Root CA"
+-# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
+-# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Not Valid Before: Wed Apr 06 12:28:44 2005
+-# Not Valid After : Thu Apr 06 12:28:44 2017
+-# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
+-# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\043\210\311\323\161\314\236\226\075\377\175\074\247\316\374\326
+-\045\354\031\015
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\360\226\266\057\305\020\325\147\216\203\045\062\350\136\056\345
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
+-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
+-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
+-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
+-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
+-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
+-\164\040\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
+-\054\017\021
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "Certigna"
+ #
+ # Issuer: CN=Certigna,O=Dhimyotis,C=FR
+ # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
+ # Subject: CN=Certigna,O=Dhimyotis,C=FR
+ # Not Valid Before: Fri Jun 29 15:13:05 2007
+ # Not Valid After : Tue Jun 29 15:13:05 2027
+ # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
+@@ -10742,147 +10375,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\004\111\063\000\001
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
+-# Certificate "ApplicationCA - Japanese Government"
+-#
+-# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Serial Number: 49 (0x31)
+-# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Not Valid Before: Wed Dec 12 15:00:00 2007
+-# Not Valid After : Tue Dec 12 15:00:00 2017
+-# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
+-# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
+-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
+-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
+-\151\157\156\103\101
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
+-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
+-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
+-\151\157\156\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\061
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\003\240\060\202\002\210\240\003\002\001\002\002\001\061
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+-\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061\034
+-\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145\163
+-\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060\024
+-\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164\151
+-\157\156\103\101\060\036\027\015\060\067\061\062\061\062\061\065
+-\060\060\060\060\132\027\015\061\067\061\062\061\062\061\065\060
+-\060\060\060\132\060\103\061\013\060\011\006\003\125\004\006\023
+-\002\112\120\061\034\060\032\006\003\125\004\012\023\023\112\141
+-\160\141\156\145\163\145\040\107\157\166\145\162\156\155\145\156
+-\164\061\026\060\024\006\003\125\004\013\023\015\101\160\160\154
+-\151\143\141\164\151\157\156\103\101\060\202\001\042\060\015\006
+-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+-\000\060\202\001\012\002\202\001\001\000\247\155\340\164\116\207
+-\217\245\006\336\150\242\333\206\231\113\144\015\161\360\012\005
+-\233\216\252\341\314\056\322\152\073\301\172\264\227\141\215\212
+-\276\306\232\234\006\264\206\121\344\067\016\164\170\176\137\212
+-\177\224\244\327\107\010\375\120\132\126\344\150\254\050\163\240
+-\173\351\177\030\222\100\117\055\235\365\256\104\110\163\066\006
+-\236\144\054\073\064\043\333\134\046\344\161\171\217\324\156\171
+-\042\271\223\301\312\315\301\126\355\210\152\327\240\071\041\004
+-\127\054\242\365\274\107\101\117\136\064\042\225\265\037\051\155
+-\136\112\363\115\162\276\101\126\040\207\374\351\120\107\327\060
+-\024\356\134\214\125\272\131\215\207\374\043\336\223\320\004\214
+-\375\357\155\275\320\172\311\245\072\152\162\063\306\112\015\005
+-\027\052\055\173\261\247\330\326\360\276\364\077\352\016\050\155
+-\101\141\043\166\170\303\270\145\244\363\132\256\314\302\252\331
+-\347\130\336\266\176\235\205\156\237\052\012\157\237\003\051\060
+-\227\050\035\274\267\317\124\051\116\121\061\371\047\266\050\046
+-\376\242\143\346\101\026\360\063\230\107\002\003\001\000\001\243
+-\201\236\060\201\233\060\035\006\003\125\035\016\004\026\004\024
+-\124\132\313\046\077\161\314\224\106\015\226\123\352\153\110\320
+-\223\376\102\165\060\016\006\003\125\035\017\001\001\377\004\004
+-\003\002\001\006\060\131\006\003\125\035\021\004\122\060\120\244
+-\116\060\114\061\013\060\011\006\003\125\004\006\023\002\112\120
+-\061\030\060\026\006\003\125\004\012\014\017\346\227\245\346\234
+-\254\345\233\275\346\224\277\345\272\234\061\043\060\041\006\003
+-\125\004\013\014\032\343\202\242\343\203\227\343\203\252\343\202
+-\261\343\203\274\343\202\267\343\203\247\343\203\263\103\101\060
+-\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
+-\202\001\001\000\071\152\104\166\167\070\072\354\243\147\106\017
+-\371\213\006\250\373\152\220\061\316\176\354\332\321\211\174\172
+-\353\056\014\275\231\062\347\260\044\326\303\377\365\262\210\011
+-\207\054\343\124\341\243\246\262\010\013\300\205\250\310\322\234
+-\161\366\035\237\140\374\070\063\023\341\236\334\013\137\332\026
+-\120\051\173\057\160\221\017\231\272\064\064\215\225\164\305\176
+-\170\251\146\135\275\312\041\167\102\020\254\146\046\075\336\221
+-\253\375\025\360\157\355\154\137\020\370\363\026\366\003\212\217
+-\247\022\021\014\313\375\077\171\301\234\375\142\356\243\317\124
+-\014\321\053\137\027\076\343\076\277\300\053\076\011\233\376\210
+-\246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353
+-\021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243
+-\007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046
+-\301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377
+-\255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113
+-\256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177
+-\262\033\211\124
+-END
+-
+-# Trust for Certificate "ApplicationCA - Japanese Government"
+-# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Serial Number: 49 (0x31)
+-# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Not Valid Before: Wed Dec 12 15:00:00 2007
+-# Not Valid After : Tue Dec 12 15:00:00 2017
+-# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
+-# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\177\212\260\317\320\121\207\152\146\363\066\017\107\310\215\214
+-\323\065\374\164
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\176\043\116\133\247\245\264\045\351\000\007\164\021\142\256\326
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
+-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
+-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
+-\151\157\156\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\061
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "GeoTrust Primary Certification Authority - G3"
+ #
+ # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
+ # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Wed Apr 02 00:00:00 2008
+ # Not Valid After : Tue Dec 01 23:59:59 2037
+ # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
+@@ -26272,176 +25774,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\007\000\216\027\376\044\040\201
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
+-# Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-#
+-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Serial Number:7d:a1:f2:65:ec:8a
+-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Not Valid Before: Wed Dec 18 09:04:10 2013
+-# Not Valid After : Sat Dec 16 09:04:10 2023
+-# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+-# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
+-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
+-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
+-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
+-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
+-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
+-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
+-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
+-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
+-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
+-\261\040\110\066
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
+-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
+-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
+-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
+-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
+-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
+-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
+-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
+-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
+-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
+-\261\040\110\066
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\006\175\241\362\145\354\212
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\004\046\060\202\003\016\240\003\002\001\002\002\006\175
+-\241\362\145\354\212\060\015\006\011\052\206\110\206\367\015\001
+-\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004\006
+-\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006\101
+-\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014\104
+-\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147\151
+-\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040\102
+-\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154\151
+-\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040\101
+-\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071\124
+-\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162
+-\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110
+-\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143
+-\304\261\163\304\261\040\110\066\060\036\027\015\061\063\061\062
+-\061\070\060\071\060\064\061\060\132\027\015\062\063\061\062\061
+-\066\060\071\060\064\061\060\132\060\201\261\061\013\060\011\006
+-\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125\004
+-\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003\125
+-\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040\102
+-\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155\040
+-\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274\166
+-\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154\145
+-\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125\004
+-\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105\154
+-\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
+-\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154\141
+-\171\304\261\143\304\261\163\304\261\040\110\066\060\202\001\042
+-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+-\202\001\017\000\060\202\001\012\002\202\001\001\000\235\260\150
+-\326\350\275\024\226\243\000\012\232\361\364\307\314\221\115\161
+-\170\167\271\367\041\046\025\163\121\026\224\011\107\005\342\063
+-\365\150\232\065\377\334\113\057\062\307\260\355\342\202\345\157
+-\332\332\352\254\306\006\317\045\015\101\201\366\301\070\042\275
+-\371\261\245\246\263\001\274\077\120\027\053\366\351\146\125\324
+-\063\263\134\370\103\040\170\223\125\026\160\031\062\346\211\327
+-\144\353\275\110\120\375\366\320\101\003\302\164\267\375\366\200
+-\317\133\305\253\244\326\225\022\233\347\227\023\062\003\351\324
+-\253\103\133\026\355\063\042\144\051\266\322\223\255\057\154\330
+-\075\266\366\035\016\064\356\322\175\251\125\017\040\364\375\051
+-\273\221\133\034\175\306\102\070\155\102\050\155\324\001\373\315
+-\210\227\111\176\270\363\203\370\265\230\057\263\047\013\110\136
+-\126\347\116\243\063\263\104\326\245\362\030\224\355\034\036\251
+-\225\134\142\112\370\015\147\121\251\257\041\325\370\062\235\171
+-\272\032\137\345\004\125\115\023\106\377\362\317\164\307\032\143
+-\155\303\037\027\022\303\036\020\076\140\010\263\061\002\003\001
+-\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004
+-\024\335\125\027\023\366\254\350\110\041\312\357\265\257\321\000
+-\062\355\236\214\265\060\016\006\003\125\035\017\001\001\377\004
+-\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
+-\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015
+-\001\001\013\005\000\003\202\001\001\000\157\130\015\227\103\252
+-\026\124\076\277\251\337\222\105\077\205\013\273\126\323\014\122
+-\314\310\277\166\147\136\346\252\263\247\357\271\254\264\020\024
+-\015\164\176\075\155\255\321\175\320\232\251\245\312\030\073\002
+-\100\056\052\234\120\024\213\376\127\176\127\134\021\011\113\066
+-\105\122\367\075\254\024\375\104\337\213\227\043\324\303\301\356
+-\324\123\225\376\054\112\376\015\160\252\273\213\057\055\313\062
+-\243\202\362\124\337\330\362\335\327\110\162\356\112\243\051\226
+-\303\104\316\156\265\222\207\166\244\273\364\222\154\316\054\024
+-\011\146\216\215\255\026\265\307\033\011\141\073\343\040\242\003
+-\200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050
+-\307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342
+-\023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246
+-\366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203
+-\053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130
+-\357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006
+-\264\013\230\113\050\136\257\210\130\313
+-END
+-
+-# Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Serial Number:7d:a1:f2:65:ec:8a
+-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Not Valid Before: Wed Dec 18 09:04:10 2013
+-# Not Valid After : Sat Dec 16 09:04:10 2023
+-# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+-# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\212\134\214\356\245\003\346\005\126\272\330\033\324\366\311\260
+-\355\345\057\340
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\370\305\356\052\153\276\225\215\010\367\045\112\352\161\076\106
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
+-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
+-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
+-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
+-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
+-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
+-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
+-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
+-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
+-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
+-\261\040\110\066
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\006\175\241\362\145\354\212
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "Certinomis - Root CA"
+ #
+ # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
+ # Serial Number: 1 (0x1)
+ # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
+ # Not Valid Before: Mon Oct 21 09:17:18 2013
+ # Not Valid After : Fri Oct 21 09:17:18 2033
+ # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
+@@ -29849,8 +29191,316 @@ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125
+ \246\036
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "D-TRUST Root CA 3 2013"
++#
++# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Serial Number: 1039788 (0xfddac)
++# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Not Valid Before: Fri Sep 20 08:25:51 2013
++# Not Valid After : Wed Sep 20 08:25:51 2028
++# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
++# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
++\040\063\040\062\060\061\063
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
++\040\063\040\062\060\061\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\003\017\335\254
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\016\060\202\002\366\240\003\002\001\002\002\003\017
++\335\254\060\015\006\011\052\206\110\206\367\015\001\001\013\005
++\000\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165
++\163\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003
++\014\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103
++\101\040\063\040\062\060\061\063\060\036\027\015\061\063\060\071
++\062\060\060\070\062\065\065\061\132\027\015\062\070\060\071\062
++\060\060\070\062\065\065\061\132\060\105\061\013\060\011\006\003
++\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012
++\014\014\104\055\124\162\165\163\164\040\107\155\142\110\061\037
++\060\035\006\003\125\004\003\014\026\104\055\124\122\125\123\124
++\040\122\157\157\164\040\103\101\040\063\040\062\060\061\063\060
++\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
++\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
++\304\173\102\222\202\037\354\355\124\230\216\022\300\312\011\337
++\223\156\072\223\134\033\344\020\167\236\116\151\210\154\366\341
++\151\362\366\233\242\141\261\275\007\040\164\230\145\361\214\046
++\010\315\250\065\312\200\066\321\143\155\350\104\172\202\303\154
++\136\336\273\350\066\322\304\150\066\214\237\062\275\204\042\340
++\334\302\356\020\106\071\155\257\223\071\256\207\346\303\274\011
++\311\054\153\147\133\331\233\166\165\114\013\340\273\305\327\274
++\076\171\362\137\276\321\220\127\371\256\366\146\137\061\277\323
++\155\217\247\272\112\363\043\145\273\267\357\243\045\327\012\352
++\130\266\357\210\372\372\171\262\122\130\325\360\254\214\241\121
++\164\051\225\252\121\073\220\062\003\237\034\162\164\220\336\075
++\355\141\322\345\343\375\144\107\345\271\267\112\251\367\037\256
++\226\206\004\254\057\343\244\201\167\267\132\026\377\330\017\077
++\366\267\170\314\244\257\372\133\074\022\133\250\122\211\162\357
++\210\363\325\104\201\206\225\043\237\173\335\274\331\064\357\174
++\224\074\252\300\101\302\343\235\120\032\300\344\031\042\374\263
++\002\003\001\000\001\243\202\001\005\060\202\001\001\060\017\006
++\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035
++\006\003\125\035\016\004\026\004\024\077\220\310\175\307\025\157
++\363\044\217\251\303\057\113\242\017\041\262\057\347\060\016\006
++\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\276
++\006\003\125\035\037\004\201\266\060\201\263\060\164\240\162\240
++\160\206\156\154\144\141\160\072\057\057\144\151\162\145\143\164
++\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164\057
++\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157\157
++\164\045\062\060\103\101\045\062\060\063\045\062\060\062\060\061
++\063\054\117\075\104\055\124\162\165\163\164\045\062\060\107\155
++\142\110\054\103\075\104\105\077\143\145\162\164\151\146\151\143
++\141\164\145\162\145\166\157\143\141\164\151\157\156\154\151\163
++\164\060\073\240\071\240\067\206\065\150\164\164\160\072\057\057
++\143\162\154\056\144\055\164\162\165\163\164\056\156\145\164\057
++\143\162\154\057\144\055\164\162\165\163\164\137\162\157\157\164
++\137\143\141\137\063\137\062\060\061\063\056\143\162\154\060\015
++\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001
++\001\000\016\131\016\130\344\164\110\043\104\317\064\041\265\234
++\024\032\255\232\113\267\263\210\155\134\251\027\160\360\052\237
++\215\173\371\173\205\372\307\071\350\020\010\260\065\053\137\317
++\002\322\323\234\310\013\036\356\005\124\256\067\223\004\011\175
++\154\217\302\164\274\370\034\224\276\061\001\100\055\363\044\040
++\267\204\125\054\134\310\365\164\112\020\031\213\243\307\355\065
++\326\011\110\323\016\300\272\071\250\260\106\002\260\333\306\210
++\131\302\276\374\173\261\053\317\176\142\207\125\226\314\001\157
++\233\147\041\225\065\213\370\020\374\161\033\267\113\067\151\246
++\073\326\354\213\356\301\260\363\045\311\217\222\175\241\352\303
++\312\104\277\046\245\164\222\234\343\164\353\235\164\331\313\115
++\207\330\374\264\151\154\213\240\103\007\140\170\227\351\331\223
++\174\302\106\274\233\067\122\243\355\212\074\023\251\173\123\113
++\111\232\021\005\054\013\156\126\254\037\056\202\154\340\151\147
++\265\016\155\055\331\344\300\025\361\077\372\030\162\341\025\155
++\047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111
++\137\134
++END
++
++# Trust for "D-TRUST Root CA 3 2013"
++# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Serial Number: 1039788 (0xfddac)
++# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Not Valid Before: Fri Sep 20 08:25:51 2013
++# Not Valid After : Wed Sep 20 08:25:51 2028
++# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
++# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\154\174\314\347\324\256\121\137\231\010\315\077\366\350\303\170
++\337\157\357\227
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\267\042\146\230\176\326\003\340\301\161\346\165\315\126\105\277
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
++\040\063\040\062\060\061\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\003\017\335\254
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++#
++# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Serial Number: 1 (0x1)
++# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Not Valid Before: Mon Nov 25 08:25:55 2013
++# Not Valid After : Sun Oct 25 08:25:55 2043
++# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
++# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
++\162\165\155\040\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
++\162\165\155\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\001\001
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\143\060\202\003\113\240\003\002\001\002\002\001\001
++\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
++\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122\061
++\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145\040
++\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003\125
++\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154\151
++\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157\152
++\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165\162
++\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055\060
++\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145\162
++\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145
++\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060\064
++\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040\113
++\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040\123
++\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165\162
++\165\155\040\061\060\036\027\015\061\063\061\061\062\065\060\070
++\062\065\065\065\132\027\015\064\063\061\060\062\065\060\070\062
++\065\065\065\132\060\201\322\061\013\060\011\006\003\125\004\006
++\023\002\124\122\061\030\060\026\006\003\125\004\007\023\017\107
++\145\142\172\145\040\055\040\113\157\143\141\145\154\151\061\102
++\060\100\006\003\125\004\012\023\071\124\165\162\153\151\171\145
++\040\102\151\154\151\155\163\145\154\040\166\145\040\124\145\153
++\156\157\154\157\152\151\153\040\101\162\141\163\164\151\162\155
++\141\040\113\165\162\165\155\165\040\055\040\124\125\102\111\124
++\101\113\061\055\060\053\006\003\125\004\013\023\044\113\141\155
++\165\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040
++\115\145\162\153\145\172\151\040\055\040\113\141\155\165\040\123
++\115\061\066\060\064\006\003\125\004\003\023\055\124\125\102\111
++\124\101\113\040\113\141\155\165\040\123\115\040\123\123\114\040
++\113\157\153\040\123\145\162\164\151\146\151\153\141\163\151\040
++\055\040\123\165\162\165\155\040\061\060\202\001\042\060\015\006
++\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
++\000\060\202\001\012\002\202\001\001\000\257\165\060\063\252\273
++\153\323\231\054\022\067\204\331\215\173\227\200\323\156\347\377
++\233\120\225\076\220\225\126\102\327\031\174\046\204\215\222\372
++\001\035\072\017\342\144\070\267\214\274\350\210\371\213\044\253
++\056\243\365\067\344\100\216\030\045\171\203\165\037\073\377\154
++\250\305\306\126\370\264\355\212\104\243\253\154\114\374\035\320
++\334\357\150\275\317\344\252\316\360\125\367\242\064\324\203\153
++\067\174\034\302\376\265\003\354\127\316\274\264\265\305\355\000
++\017\123\067\052\115\364\117\014\203\373\206\317\313\376\214\116
++\275\207\371\247\213\041\127\234\172\337\003\147\211\054\235\227
++\141\247\020\270\125\220\177\016\055\047\070\164\337\347\375\332
++\116\022\343\115\025\042\002\310\340\340\374\017\255\212\327\311
++\124\120\314\073\017\312\026\200\204\320\121\126\303\216\126\177
++\211\042\063\057\346\205\012\275\245\250\033\066\336\323\334\054
++\155\073\307\023\275\131\043\054\346\345\244\367\330\013\355\352
++\220\100\104\250\225\273\223\325\320\200\064\266\106\170\016\037
++\000\223\106\341\356\351\371\354\117\027\002\003\001\000\001\243
++\102\060\100\060\035\006\003\125\035\016\004\026\004\024\145\077
++\307\212\206\306\074\335\074\124\134\065\370\072\355\122\014\107
++\127\310\060\016\006\003\125\035\017\001\001\377\004\004\003\002
++\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
++\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\003\202\001\001\000\052\077\341\361\062\216\256\341\230
++\134\113\136\317\153\036\152\011\322\042\251\022\307\136\127\175
++\163\126\144\200\204\172\223\344\011\271\020\315\237\052\047\341
++\000\167\276\110\310\065\250\201\237\344\270\054\311\177\016\260
++\322\113\067\135\352\271\325\013\136\064\275\364\163\051\303\355
++\046\025\234\176\010\123\212\130\215\320\113\050\337\301\263\337
++\040\363\371\343\343\072\337\314\234\224\330\116\117\303\153\027
++\267\367\162\350\255\146\063\265\045\123\253\340\370\114\251\235
++\375\362\015\272\256\271\331\252\306\153\371\223\273\256\253\270
++\227\074\003\032\272\103\306\226\271\105\162\070\263\247\241\226
++\075\221\173\176\300\041\123\114\207\355\362\013\124\225\121\223
++\325\042\245\015\212\361\223\016\076\124\016\260\330\311\116\334
++\362\061\062\126\352\144\371\352\265\235\026\146\102\162\363\177
++\323\261\061\103\374\244\216\027\361\155\043\253\224\146\370\255
++\373\017\010\156\046\055\177\027\007\011\262\214\373\120\300\237
++\226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302
++\237\042\136\242\017\241\343
++END
++
++# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Serial Number: 1 (0x1)
++# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Not Valid Before: Mon Nov 25 08:25:55 2013
++# Not Valid After : Sun Oct 25 08:25:55 2043
++# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
++# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350
++\221\335\356\312
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\334\000\201\334\151\057\076\057\260\073\366\075\132\221\216\111
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
++\162\165\155\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\001\001
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h
+--- a/lib/ckfw/builtins/nssckbi.h
++++ b/lib/ckfw/builtins/nssckbi.h
+@@ -17,41 +17,42 @@
+ */
+ #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+ #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+
+ /* These version numbers detail the changes
+ * to the list of trusted certificates.
+ *
+ * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+- * for each NSS minor release AND whenever we change the list of
+- * trusted certificates. 10 minor versions are allocated for each
+- * NSS 3.x branch as follows, allowing us to change the list of
+- * trusted certificates up to 9 times on each branch.
+- * - NSS 3.5 branch: 3-9
+- * - NSS 3.6 branch: 10-19
+- * - NSS 3.7 branch: 20-29
+- * - NSS 3.8 branch: 30-39
+- * - NSS 3.9 branch: 40-49
+- * - NSS 3.10 branch: 50-59
+- * - NSS 3.11 branch: 60-69
+- * ...
+- * - NSS 3.12 branch: 70-89
+- * - NSS 3.13 branch: 90-99
+- * - NSS 3.14 branch: 100-109
+- * ...
+- * - NSS 3.29 branch: 250-255
++ * whenever we change the list of trusted certificates.
++ *
++ * Please use the following rules when increasing the version number:
++ *
++ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
++ * must always be an EVEN number (e.g. 16, 18, 20 etc.)
++ *
++ * - whenever possible, if older branches require a modification to the
++ * list, these changes should be made on the main line of development (trunk),
++ * and the older branches should update to the most recent list.
++ *
++ * - ODD minor version numbers are reserved to indicate a snapshot that has
++ * deviated from the main line of development, e.g. if it was necessary
++ * to modify the list on a stable branch.
++ * Once the version has been changed to an odd number (e.g. 2.13) on a branch,
++ * it should remain unchanged on that branch, even if further changes are
++ * made on that branch.
+ *
+ * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
++ * It's recommend to switch back to 0 after having reached version 98/99.
+ */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.11"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
++#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
+
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+ #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+
+ /* These version numbers detail the semantic changes to ckbi itself
+ * (new PKCS #11 objects), etc. */
+ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+
+diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
+--- a/lib/certdb/genname.c
++++ b/lib/certdb/genname.c
+@@ -1583,19 +1583,19 @@ done:
+
+ #define NAME_CONSTRAINTS_ENTRY(CA) \
+ { \
+ STRING_TO_SECITEM(CA##_SUBJECT_DN) \
+ , \
+ STRING_TO_SECITEM(CA##_NAME_CONSTRAINTS) \
+ }
+
+-/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
++/* clang-format off */
+
+-/* clang-format off */
++/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
+
+ #define ANSSI_SUBJECT_DN \
+ "\x30\x81\x85" \
+ "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR" /* C */ \
+ "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France" /* ST */ \
+ "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris" /* L */ \
+ "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN" /* O */ \
+ "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI" /* OU */ \
+@@ -1614,20 +1614,49 @@ done:
+ "\x30\x05\x82\x03" ".pm" \
+ "\x30\x05\x82\x03" ".bl" \
+ "\x30\x05\x82\x03" ".mf" \
+ "\x30\x05\x82\x03" ".wf" \
+ "\x30\x05\x82\x03" ".pf" \
+ "\x30\x05\x82\x03" ".nc" \
+ "\x30\x05\x82\x03" ".tf"
+
++/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */
++
++#define TUBITAK1_SUBJECT_DN \
++ "\x30\x81\xd2" \
++ "\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02" \
++ /* C */ "TR" \
++ "\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f" \
++ /* L */ "Gebze - Kocaeli" \
++ "\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39" \
++ /* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK" \
++ "\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24" \
++ /* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM" \
++ "\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d" \
++ /* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++
++#define TUBITAK1_NAME_CONSTRAINTS \
++ "\x30\x65\xa0\x63" \
++ "\x30\x09\x82\x07" ".gov.tr" \
++ "\x30\x09\x82\x07" ".k12.tr" \
++ "\x30\x09\x82\x07" ".pol.tr" \
++ "\x30\x09\x82\x07" ".mil.tr" \
++ "\x30\x09\x82\x07" ".tsk.tr" \
++ "\x30\x09\x82\x07" ".kep.tr" \
++ "\x30\x09\x82\x07" ".bel.tr" \
++ "\x30\x09\x82\x07" ".edu.tr" \
++ "\x30\x09\x82\x07" ".org.tr"
++
+ /* clang-format on */
+
+-static const SECItem builtInNameConstraints[][2] = { NAME_CONSTRAINTS_ENTRY(
+- ANSSI) };
++static const SECItem builtInNameConstraints[][2] = {
++ NAME_CONSTRAINTS_ENTRY(ANSSI),
++ NAME_CONSTRAINTS_ENTRY(TUBITAK1)
++};
+
+ SECStatus
+ CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions)
+ {
+ size_t i;
+
+ if (!extensions) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+
diff --git a/SOURCES/nss-ssl3gthr.patch b/SOURCES/nss-ssl3gthr.patch
new file mode 100644
index 0000000..438b0f2
--- /dev/null
+++ b/SOURCES/nss-ssl3gthr.patch
@@ -0,0 +1,301 @@
+diff -up nss/gtests/ssl_gtest/ssl_gather_unittest.cc.ssl3gthr nss/gtests/ssl_gtest/ssl_gather_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_gather_unittest.cc.ssl3gthr 2017-04-28 14:40:23.579583263 +0200
++++ nss/gtests/ssl_gtest/ssl_gather_unittest.cc 2017-04-28 14:40:23.579583263 +0200
+@@ -0,0 +1,153 @@
++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/* vim: set ts=2 et sw=2 tw=80: */
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "gtest_utils.h"
++#include "tls_connect.h"
++
++namespace nss_test {
++
++class GatherV2ClientHelloTest : public TlsConnectTestBase {
++ public:
++ GatherV2ClientHelloTest() : TlsConnectTestBase(STREAM, 0) {}
++
++ void ConnectExpectMalformedClientHello(const DataBuffer &data) {
++ EnsureTlsSetup();
++
++ auto alert_recorder = new TlsAlertRecorder();
++ server_->SetPacketFilter(alert_recorder);
++
++ client_->SendDirect(data);
++ server_->StartConnect();
++ server_->Handshake();
++ ASSERT_TRUE_WAIT(
++ (server_->error_code() == SSL_ERROR_RX_MALFORMED_CLIENT_HELLO), 2000);
++
++ EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
++ EXPECT_EQ(illegal_parameter, alert_recorder->description());
++ }
++};
++
++// Gather a 5-byte v3 record, with a zero fragment length. The empty handshake
++// message should be ignored, and the connection will succeed afterwards.
++TEST_F(TlsConnectTest, GatherEmptyV3Record) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x16, 1); // handshake
++ idx = buffer.Write(idx, 0x0301, 2); // record_version
++ (void)buffer.Write(idx, 0U, 2); // length=0
++
++ EnsureTlsSetup();
++ client_->SendDirect(buffer);
++ Connect();
++}
++
++// Gather a 5-byte v3 record, with a fragment length exceeding the maximum.
++TEST_F(TlsConnectTest, GatherExcessiveV3Record) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x16, 1); // handshake
++ idx = buffer.Write(idx, 0x0301, 2); // record_version
++ (void)buffer.Write(idx, MAX_FRAGMENT_LENGTH + 2048 + 1, 2); // length=max+1
++
++ EnsureTlsSetup();
++ auto alert_recorder = new TlsAlertRecorder();
++ server_->SetPacketFilter(alert_recorder);
++ client_->SendDirect(buffer);
++ server_->StartConnect();
++ server_->Handshake();
++ ASSERT_TRUE_WAIT((server_->error_code() == SSL_ERROR_RX_RECORD_TOO_LONG),
++ 2000);
++
++ EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
++ EXPECT_EQ(record_overflow, alert_recorder->description());
++}
++
++// Gather a 3-byte v2 header, with a fragment length of 2.
++TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x0002, 2); // length=2 (long header)
++ idx = buffer.Write(idx, 0U, 1); // padding=0
++ (void)buffer.Write(idx, 0U, 2); // data
++
++ ConnectExpectMalformedClientHello(buffer);
++}
++
++// Gather a 3-byte v2 header, with a fragment length of 1.
++TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader2) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x0001, 2); // length=1 (long header)
++ idx = buffer.Write(idx, 0U, 1); // padding=0
++ idx = buffer.Write(idx, 0U, 1); // data
++ (void)buffer.Write(idx, 0U, 1); // surplus (need 5 bytes total)
++
++ ConnectExpectMalformedClientHello(buffer);
++}
++
++// Gather a 3-byte v2 header, with a zero fragment length.
++TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordLongHeader) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0U, 2); // length=0 (long header)
++ idx = buffer.Write(idx, 0U, 1); // padding=0
++ (void)buffer.Write(idx, 0U, 2); // surplus (need 5 bytes total)
++
++ ConnectExpectMalformedClientHello(buffer);
++}
++
++// Gather a 2-byte v2 header, with a fragment length of 3.
++TEST_F(GatherV2ClientHelloTest, GatherV2RecordShortHeader) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x8003, 2); // length=3 (short header)
++ (void)buffer.Write(idx, 0U, 3); // data
++
++ ConnectExpectMalformedClientHello(buffer);
++}
++
++// Gather a 2-byte v2 header, with a fragment length of 2.
++TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader2) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x8002, 2); // length=2 (short header)
++ idx = buffer.Write(idx, 0U, 2); // data
++ (void)buffer.Write(idx, 0U, 1); // surplus (need 5 bytes total)
++
++ ConnectExpectMalformedClientHello(buffer);
++}
++
++// Gather a 2-byte v2 header, with a fragment length of 1.
++TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader3) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x8001, 2); // length=1 (short header)
++ idx = buffer.Write(idx, 0U, 1); // data
++ (void)buffer.Write(idx, 0U, 2); // surplus (need 5 bytes total)
++
++ ConnectExpectMalformedClientHello(buffer);
++}
++
++// Gather a 2-byte v2 header, with a zero fragment length.
++TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x8000, 2); // length=0 (short header)
++ (void)buffer.Write(idx, 0U, 3); // surplus (need 5 bytes total)
++
++ ConnectExpectMalformedClientHello(buffer);
++}
++
++} // namespace nss_test
+diff -up nss/gtests/ssl_gtest/ssl_gtest.gyp.ssl3gthr nss/gtests/ssl_gtest/ssl_gtest.gyp
+--- nss/gtests/ssl_gtest/ssl_gtest.gyp.ssl3gthr 2017-04-28 14:40:23.579583263 +0200
++++ nss/gtests/ssl_gtest/ssl_gtest.gyp 2017-04-28 14:42:07.853153503 +0200
+@@ -25,6 +25,7 @@
+ 'ssl_exporter_unittest.cc',
+ 'ssl_extension_unittest.cc',
+ 'ssl_fuzz_unittest.cc',
++ 'ssl_gather_unittest.cc',
+ 'ssl_gtest.cc',
+ 'ssl_hrr_unittest.cc',
+ 'ssl_loopback_unittest.cc',
+diff -up nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.ssl3gthr nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.ssl3gthr 2017-04-05 14:23:56.000000000 +0200
++++ nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc 2017-04-28 14:40:23.579583263 +0200
+@@ -202,6 +202,28 @@ TEST_P(SSLv2ClientHelloTest, Connect) {
+ Connect();
+ }
+
++// Sending a v2 ClientHello after a no-op v3 record must fail.
++TEST_P(SSLv2ClientHelloTest, ConnectAfterEmptyV3Record) {
++ DataBuffer buffer;
++
++ size_t idx = 0;
++ idx = buffer.Write(idx, 0x16, 1); // handshake
++ idx = buffer.Write(idx, 0x0301, 2); // record_version
++ (void)buffer.Write(idx, 0U, 2); // length=0
++
++ SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
++ EnsureTlsSetup();
++ client_->SendDirect(buffer);
++
++ // Need padding so the connection doesn't just time out. With a v2
++ // ClientHello parsed as a v3 record we will use the record version
++ // as the record length.
++ SetPadding(255);
++
++ ConnectExpectFail();
++ EXPECT_EQ(SSL_ERROR_BAD_CLIENT, server_->error_code());
++}
++
+ // Test negotiating TLS 1.3.
+ TEST_F(SSLv2ClientHelloTestF, Connect13) {
+ EnsureTlsSetup();
+diff -up nss/lib/ssl/ssl3gthr.c.ssl3gthr nss/lib/ssl/ssl3gthr.c
+--- nss/lib/ssl/ssl3gthr.c.ssl3gthr 2017-04-05 14:23:56.000000000 +0200
++++ nss/lib/ssl/ssl3gthr.c 2017-04-28 14:40:23.579583263 +0200
+@@ -32,6 +32,7 @@ ssl3_InitGather(sslGather *gs)
+ gs->readOffset = 0;
+ gs->dtlsPacketOffset = 0;
+ gs->dtlsPacket.len = 0;
++ gs->rejectV2Records = PR_FALSE;
+ status = sslBuffer_Grow(&gs->buf, 4096);
+ return status;
+ }
+@@ -147,8 +148,11 @@ ssl3_GatherData(sslSocket *ss, sslGather
+ switch (gs->state) {
+ case GS_HEADER:
+ /* Check for SSLv2 handshakes. Always assume SSLv3 on clients,
+- * support SSLv2 handshakes only when ssl2gs != NULL. */
+- if (!ssl2gs || ssl3_isLikelyV3Hello(gs->hdr)) {
++ * support SSLv2 handshakes only when ssl2gs != NULL.
++ * Always assume v3 after we received the first record. */
++ if (!ssl2gs ||
++ ss->gs.rejectV2Records ||
++ ssl3_isLikelyV3Hello(gs->hdr)) {
+ /* Should have a non-SSLv2 record header in gs->hdr. Extract
+ * the length of the following encrypted data, and then
+ * read in the rest of the record into gs->inbuf. */
+@@ -183,7 +187,7 @@ ssl3_GatherData(sslSocket *ss, sslGather
+ /* This is the max length for an encrypted SSLv3+ fragment. */
+ if (!v2HdrLength &&
+ gs->remainder > (MAX_FRAGMENT_LENGTH + 2048)) {
+- SSL3_SendAlert(ss, alert_fatal, unexpected_message);
++ SSL3_SendAlert(ss, alert_fatal, record_overflow);
+ gs->state = GS_INIT;
+ PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+ return SECFailure;
+@@ -205,13 +209,28 @@ ssl3_GatherData(sslSocket *ss, sslGather
+ * many into the gs->hdr[] buffer. Copy them over into inbuf so
+ * that we can properly process the hello record later. */
+ if (v2HdrLength) {
++ /* Reject v2 records that don't even carry enough data to
++ * resemble a valid ClientHello header. */
++ if (gs->remainder < SSL_HL_CLIENT_HELLO_HBYTES) {
++ SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
++ return SECFailure;
++ }
++
++ PORT_Assert(lbp);
+ gs->inbuf.len = 5 - v2HdrLength;
+ PORT_Memcpy(lbp, gs->hdr + v2HdrLength, gs->inbuf.len);
+ gs->remainder -= gs->inbuf.len;
+ lbp += gs->inbuf.len;
+ }
+
+- break; /* End this case. Continue around the loop. */
++ if (gs->remainder > 0) {
++ break; /* End this case. Continue around the loop. */
++ }
++
++ /* FALL THROUGH if (gs->remainder == 0) as we just received
++ * an empty record and there's really no point in calling
++ * ssl_DefRecv() with buf=NULL and len=0. */
+
+ case GS_DATA:
+ /*
+@@ -219,6 +238,10 @@ ssl3_GatherData(sslSocket *ss, sslGather
+ */
+ SSL_TRC(10, ("%d: SSL[%d]: got record of %d bytes",
+ SSL_GETPID(), ss->fd, gs->inbuf.len));
++
++ /* reject any v2 records from now on */
++ ss->gs.rejectV2Records = PR_TRUE;
++
+ gs->state = GS_INIT;
+ return 1;
+ }
+diff -up nss/lib/ssl/ssldef.c.ssl3gthr nss/lib/ssl/ssldef.c
+--- nss/lib/ssl/ssldef.c.ssl3gthr 2017-04-05 14:23:56.000000000 +0200
++++ nss/lib/ssl/ssldef.c 2017-04-28 14:40:23.579583263 +0200
+@@ -66,6 +66,8 @@ ssl_DefRecv(sslSocket *ss, unsigned char
+ PRFileDesc *lower = ss->fd->lower;
+ int rv;
+
++ PORT_Assert(buf && len > 0);
++
+ rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
+ if (rv < 0) {
+ DEFINE_ERROR
+diff -up nss/lib/ssl/sslimpl.h.ssl3gthr nss/lib/ssl/sslimpl.h
+--- nss/lib/ssl/sslimpl.h.ssl3gthr 2017-04-28 14:40:23.566583566 +0200
++++ nss/lib/ssl/sslimpl.h 2017-04-28 14:40:23.580583240 +0200
+@@ -367,6 +367,10 @@ struct sslGatherStr {
+
+ /* the start of the buffered DTLS record in dtlsPacket */
+ unsigned int dtlsPacketOffset;
++
++ /* tracks whether we've seen a v3-type record before and must reject
++ * any further v2-type records. */
++ PRBool rejectV2Records;
+ };
+
+ /* sslGather.state */
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index eaf7f49..5199c33 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -27,7 +27,7 @@
Summary: Network Security Services
Name: nss
Version: 3.28.4
-Release: 1.0%{?dist}
+Release: 1.2%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -145,6 +145,9 @@ Patch129: moz-1320932.patch
Patch130: disable-pss.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054
Patch132: nss-tstclnt-optspec.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1328122
+Patch133: nss-ssl3gthr.patch
+Patch134: nss-ca-2.14.patch
Patch200: nss-disable-curve25519-gtests.patch
Patch201: nss-disable-curve25519-tests.patch
Patch202: nss-disable-chacha20-gtests.patch
@@ -267,6 +270,8 @@ pushd nss
%patch129 -p1 -b .fix_ssl_sh_typo
%patch130 -p1 -b .disable_pss
%patch132 -p1 -b .tstclnt-optspec
+%patch133 -p1 -b .ssl3gthr
+%patch134 -p1 -b .ca-2.14.patch
%patch200 -p1 -b .disable-curve25519-gtests
%patch201 -p1 -b .disable-curve25519-tests
%patch202 -p1 -b .disable-chacha20-gtests
@@ -860,6 +865,12 @@ fi
%changelog
+* Tue May 16 2017 Kai Engert <kaie@redhat.com> - 3.28.4-1.2
+- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5
+
+* Mon May 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-1.1
+- Fix zero-length record treatment in SSL3_GatherData
+
* Fri Apr 7 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-1.0
- Rebase to NSS 3.28.4