diff --git a/SOURCES/tomcatjss-TLSv1.1-1.2-support.patch b/SOURCES/tomcatjss-TLSv1.1-1.2-support.patch
new file mode 100644
index 0000000..0145c15
--- /dev/null
+++ b/SOURCES/tomcatjss-TLSv1.1-1.2-support.patch
@@ -0,0 +1,178 @@
+Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
+===================================================================
+--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	(revision 278)
++++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	(working copy)
+@@ -138,6 +138,23 @@
+         cipherMap.put("TLS_ECDH_anon_WITH_AES_128_CBC_SHA",      SSLSocket.TLS_ECDH_anon_WITH_AES_128_CBC_SHA);
+         cipherMap.put("TLS_ECDH_anon_WITH_AES_256_CBC_SHA",      SSLSocket.TLS_ECDH_anon_WITH_AES_256_CBC_SHA);
+ 
++        //TLSv1_2
++        cipherMap.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",     SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256);
++        cipherMap.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",     SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256);
++        cipherMap.put("TLS_RSA_WITH_NULL_SHA256",                SSLSocket.TLS_RSA_WITH_NULL_SHA256);
++        cipherMap.put("TLS_RSA_WITH_AES_128_CBC_SHA256",         SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256);
++        cipherMap.put("TLS_RSA_WITH_AES_256_CBC_SHA256",         SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256);
++        cipherMap.put("TLS_RSA_WITH_SEED_CBC_SHA",               SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA);
++        cipherMap.put("TLS_RSA_WITH_AES_128_GCM_SHA256",         SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256);
++        cipherMap.put("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",     SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256);
++        cipherMap.put("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",     SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256);
++        cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
++        cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",   SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
++        cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
++        cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
++        cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
++        cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",    SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
++
+     }
+ 
+     private static HashMap eccCipherMap = new HashMap();
+@@ -197,9 +214,13 @@
+         }
+     }
+ 
+-    public void setSSLCiphers(String attr) throws SocketException
++    public void setSSLCiphers(String attr) throws SocketException, IOException
+     {
+       String ciphers = (String)endpoint.getAttribute(attr);
++      if (ciphers == null || ciphers.equals("")) {
++          debugWrite("JSSSocketFactory setSSLCiphers: "+ attr +" not found");
++          return;
++      }
+       StringTokenizer st = new StringTokenizer(ciphers, ",");
+       while (st.hasMoreTokens()) {
+         String cipherstr = st.nextToken();
+@@ -257,7 +278,14 @@
+       }
+     }
+ 
+-    public void setSSLOptions() throws SocketException
++    /*
++     * note: the SSL_OptionSet-based API for controlling the enabled
++     * protocol versions are obsolete and replaced by the
++     * setSSLVersionRange calls.  If the "range" parameters are
++     * present in the attributes then the sslOptions parameter is
++     * ignored.
++     */
++    public void setSSLOptions() throws SocketException, IOException
+     {
+       String options = (String)endpoint.getAttribute("sslOptions");
+       StringTokenizer st = new StringTokenizer(options, ",");
+@@ -308,6 +336,61 @@
+         }
+     }
+ 
++ 
++    /*
++     * setSSLVersionRangeDefault sets the range of allowed ssl versions.
++     * This replaces the obsolete SSL_Option* API
++     *
++     * @param protoVariant indicates whether this setting is for 
++       type "stream" or "datagram"
++     * @param sslVersionRange_s takes on the form of "min:max" where
++     * min/max values can be "ssl3, tls1_0, tls1_1, or tls1_2"
++     * ssl2 is not supported for tomcatjss via this interface
++     * The format is "sslVersionRange=min:max"
++     */
++    public void setSSLVersionRangeDefault(
++            org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant protoVariant,
++            String sslVersionRange_s)
++        throws SocketException, IllegalArgumentException, IOException {
++
++        // process sslVersionRange_s
++        String[] sslVersionRange = sslVersionRange_s.split(":"); 
++        if (sslVersionRange.length != 2) {
++            debugWrite("JSSSocketFactory setSSLversionRangeDefault- SSL Version Range format error: " + sslVersionRange_s +"\n");
++            throw new SocketException("tomcatjss: setSSLversionRangeDefault format error");
++        }
++        String min_s = sslVersionRange[0];
++        String max_s = sslVersionRange[1];
++        int min = getSSLVersionRangeEnum(min_s);
++        int max = getSSLVersionRangeEnum(max_s);
++        if ((min == -1) || (max== -1)) {
++            debugWrite("JSSSocketFactory setSSLversionRangeDefault- SSL Version Range format error: " + sslVersionRange_s +"\n");
++            throw new SocketException("tomcatjss: setSSLversionRangeDefault format error");
++        }
++
++        debugWrite("JSSSocketFactory setSSLversionRangeDefault- SSL Version Range set to min=" + min + " max = " + max +"\n");
++        org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range =
++            new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(min, max);
++
++        SSLSocket.setSSLVersionRangeDefault(protoVariant, range);
++        debugWrite("JSSSocketFactory setSSLversionRangeDefault- variant set\n");
++    }
++
++    int getSSLVersionRangeEnum (String rangeString) {
++        if (rangeString == null)
++            return -1;
++        if (rangeString.equals("ssl3"))
++            return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.ssl3;
++        else if (rangeString.equals("tls1_0"))
++            return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0;
++        else if (rangeString.equals("tls1_1"))
++            return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1;
++        else if (rangeString.equals("tls1_2"))
++            return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2;
++
++        return -1;
++    }
++
+     void init() throws IOException {
+         try {
+             String deb = (String)endpoint.getAttribute("debug");
+@@ -543,14 +626,52 @@
+             }
+             if (mStrictCiphers == true) {
+                 // what ciphers do we have to start with? turn them all off
+-                 debugWrite("SSSocketFactory init - before setSSLOptions, strictCiphers is true\n");
++                 debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is true\n");
+                  unsetSSLCiphers();
+             } else {
+-                 debugWrite("SSSocketFactory init - before setSSLOptions, strictCiphers is false\n");
++                 debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is false\n");
+             }
+ 
+-            setSSLOptions();
+-            debugWrite("SSSocketFactory init - after setSSLOptions\n");
++            String sslVersionRangeStream = (String)endpoint.getAttribute("sslVersionRangeStream");
++            if ((sslVersionRangeStream != null) && !sslVersionRangeStream.equals("")) {
++                debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type STREAM\n");
++                setSSLVersionRangeDefault(org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM, sslVersionRangeStream);
++                debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type STREAM\n");
++            }
++
++            String sslVersionRangeDatagram = (String)endpoint.getAttribute("sslVersionRangeDatagram");
++            if ((sslVersionRangeDatagram != null) && !sslVersionRangeDatagram.equals("")) {
++                debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type DATA_GRAM\n");
++                setSSLVersionRangeDefault(org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM, sslVersionRangeDatagram);
++                debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type DATA_GRAM\n");
++            }
++
++            /*
++             * According to NSS:
++             * the SSL_OptionSet-based API for controlling the enabled
++             * protocol versions are obsolete and replaced by the
++             * setSSLVersionRange calls.
++             * Therefore, if the "range" parameters are
++             * present in the attributes then the sslOptions parameter is
++             * ignored.
++             * Using the new version range API in conjunction with the older
++             * SSL_OptionSet-based API for controlling the enabled protocol
++             * versions may cause unexpected results
++             */
++            if (((sslVersionRangeStream != null)
++                    && !sslVersionRangeStream.equals(""))
++                    || ((sslVersionRangeDatagram != null)
++                    && !sslVersionRangeDatagram.equals(""))) {
++                /* deliberately lose the ssl2 here */
++                debugWrite("SSSocketFactory init - calling setSSLCiphers() honoring only sslRangeCiphers\n");
++                setSSLCiphers("sslRangeCiphers");
++                debugWrite("SSSocketFactory init - after setSSLCiphers() honoring only sslRangeCiphers\n");
++            } else {
++                debugWrite("SSSocketFactory init - calling setSSLOptions()\n");
++                setSSLOptions();
++                debugWrite("SSSocketFactory init - after setSSLOptions()\n");
++            }
++
+         } catch (Exception ex) {
+             debugWrite("JSSSocketFactory init - exception thrown:"+
+                    ex.toString()+"\n");
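Review bot: In the version-range branch of init(), a missing or empty `sslRangeCiphers` attribute is a silent no-op, because the early return added to setSSLCiphers() writes only a debug line. With strictCiphers true this happens after unsetSSLCiphers(), so (going by the "turn them all off" comment) the connector appears to be left with no suites enabled; with it false, the library's default suites stay in effect and the administrator is not told. The same branch is taken when only one of `sslVersionRangeStream` / `sslVersionRangeDatagram` is set, so sslOptions is ignored while the other variant presumably keeps the library's default version range. I would fail at startup instead, e.g. `if (endpoint.getAttribute("sslRangeCiphers") == null) throw new IOException("tomcatjss: sslRangeCiphers is required when a version range is set");`, and state in the setSSLVersionRangeDefault comment that `ssl3` is still accepted as a bound. init() continues outside the visible hunks, so what the trailing `catch (Exception ex)` does after logging cannot be checked from here.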
diff --git a/SOURCES/tomcatjss-clientauth-NullPtrException.patch b/SOURCES/tomcatjss-clientauth-NullPtrException.patch
new file mode 100644
index 0000000..9657a5c
--- /dev/null
+++ b/SOURCES/tomcatjss-clientauth-NullPtrException.patch
@@ -0,0 +1,15 @@
+Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
+===================================================================
+--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	(revision 278)
++++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	(working copy)
+@@ -405,6 +405,10 @@
+             // MUST look for "clientauth" (ALL lowercase) since "clientAuth"
+             // (camel case) has already been processed by Tomcat 7
+             String clientAuthStr = (String)endpoint.getAttribute("clientauth");
++            if (clientAuthStr == null) {
++                debugWrite("JSSSocketFactory init - \"clientauth\" not found, default to want.");
++                clientAuthStr = "want";
++            }
+             File file = null;
+             try {
+                 mServerCertNickPath = (String)endpoint.getAttribute("serverCertNickFile");
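Review bot: The new fallback at the `clientAuthStr == null` check picks "want" without recording why, and only a debugWrite line shows that a default was applied. The comment just above says the attribute must be the all-lowercase "clientauth", so a connector configured with another spelling would quietly get optional client-certificate authentication where the operator may have meant it to be mandatory. How the value is interpreted afterwards is outside this hunk, so that is an inference. I would add a comment such as `// attribute absent: request a client cert but do not require one; set "clientauth" explicitly to enforce it`, and handle the empty string the same way with `if (clientAuthStr == null || clientAuthStr.equals(""))`, as the TLS patch in this commit does for the cipher attribute. init() starts and ends outside the hunk.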
diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec
index 6db8b97..1f14c50 100644
--- a/SPECS/tomcatjss.spec
+++ b/SPECS/tomcatjss.spec
@@ -1,6 +1,6 @@
 Name:     tomcatjss
 Version:  7.1.0
-Release:  4%{?dist}
+Release:  5%{?dist}
 Summary:  JSSE implementation using JSS for Tomcat
 URL:      http://pki.fedoraproject.org/
 License:  LGPLv2+
@@ -17,14 +17,17 @@ Source0:  http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.ta
 BuildRequires:    ant
 BuildRequires:    java-devel
 BuildRequires:    jpackage-utils >= 0:1.7.5-15
-BuildRequires:    jss >= 4.2.6-24
+BuildRequires:    jss >= 4.2.6-35
 BuildRequires:    tomcat >= 7.0.40
 
 Requires:         java
 Requires:         jpackage-utils >= 0:1.7.5-15
-Requires:         jss >= 4.2.6-24
+Requires:         jss >= 4.2.6-35
 Requires:         tomcat >= 7.0.40
 
+Patch1:           tomcatjss-clientauth-NullPtrException.patch
+Patch2:           tomcatjss-TLSv1.1-1.2-support.patch
+
 # The 'tomcatjss' package conflicts with the 'tomcat-native' package
 # because it uses an underlying NSS security model rather than the
 # OpenSSL security model, so these two packages may not co-exist.
@@ -45,8 +48,9 @@ NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
        OpenSSL security model, so these two packages may not co-exist.
 
 %prep
-
 %setup -q
+%patch1 -p0
+%patch2 -p0
 
 %build
 
@@ -76,6 +80,12 @@ rm -rf %{buildroot}
 %{_javadir}/*
 
 %changelog
+* Mon Sep 29 2014 Christina Fu <cfu@redhat.com> - 7.1.0-5
+- Bugzilla Bug #1058366 NullPointerException in tomcatjss searching
+  for attribute "clientauth" (cfu)
+- Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and
+  TLS v1.2 (cfu)
+
 * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 7.1.0-4
 - Mass rebuild 2013-12-27