diff --git a/nss-fedora-relax-sha1.patch b/nss-fedora-relax-sha1.patch
new file mode 100644
index 0000000..5c2f5bb
--- /dev/null
+++ b/nss-fedora-relax-sha1.patch
@@ -0,0 +1,22 @@
+diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c
++++ b/lib/pk11wrap/pk11pars.c
+@@ -325,17 +325,17 @@ static const oidValDef hashOptList[] = {
+ /* Hashes */
+ { CIPHER_NAME("MD2"), SEC_OID_MD2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("MD4"), SEC_OID_MD4,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("MD5"), SEC_OID_MD5,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("SHA256"), SEC_OID_SHA256,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("SHA384"), SEC_OID_SHA384,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("SHA512"), SEC_OID_SHA512,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }
diff --git a/nss.spec b/nss.spec
index 0e3133a..90afceb 100644
--- a/nss.spec
+++ b/nss.spec
@@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
@@ -116,6 +116,7 @@ Patch20: nss-gcm-param-default-pkcs11v2.patch
 Patch30: nss-fedora-btrf-sql-hack.patch
 # can drop this patch once crypto-policies has been updated
 Patch31: nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
+Patch33: nss-fedora-relax-sha1.patch
 %description
 Network Security Services (NSS) is a set of libraries designed to
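Review bot: The SHA1 row of hashOptList now carries `NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE`, so a crypto-policy that disallows SHA1 presumably no longer covers the non-certificate signature uses that `NSS_USE_ALG_IN_SIGNATURE` included. That relaxation applies to every consumer of this NSS build, not only Firefox add-on verification. Neither the embedded patch nor the table entry records that this is a temporary downstream exception, so I would add a comment above the SHA1 row such as `/* Fedora: SHA-1 limited to cert-signature policy control until Firefox add-on signing drops SHA-1; restore NSS_USE_ALG_IN_SIGNATURE then */`. In nss.spec, `Patch33` should get a drop-condition comment above it like the one `Patch31` already has, so the exception is revisited rather than carried indefinitely. The hashOptList initializer begins and ends outside the hunk.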
@@ -906,6 +907,10 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Tue Dec 15 2020 Bob Relyea - 3.59.0-3
+- Back out strict SHA-1 signature control because firefox
+ Addon system is still using sha-1 signatures
+
 * Fri Dec 11 2020 Bob Relyea - 3.59.0-2
 - Work around btrfs/sqlite bug
 - Disable new policy entries until crypto-polices has been updated