diff --git a/.gitignore b/.gitignore index 2b4f3e5..ebc3ae3 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,4 @@ TestUser51.cert /nss-3.33.0.tar.gz /nss-3.34.0.tar.gz /nss-3.35.0.tar.gz +/nss-3.36.0.tar.gz diff --git a/nss.spec b/nss.spec index eea6f8b..09efeb6 100644 --- a/nss.spec +++ b/nss.spec @@ -1,6 +1,6 @@ -%global nspr_version 4.18.0 -%global nss_util_version 3.35.0 -%global nss_softokn_version 3.35.0 +%global nspr_version 4.19.0 +%global nss_util_version 3.36.0 +%global nss_softokn_version 3.36.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" @@ -18,10 +18,10 @@ Summary: Network Security Services Name: nss -Version: 3.35.0 +Version: 3.36.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.1%{?dist} +Release: 1.0%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -44,6 +44,7 @@ BuildRequires: pkgconfig BuildRequires: gawk BuildRequires: psmisc BuildRequires: perl-interpreter +BuildRequires: gcc-c++ # nss-pem used to be bundled with the nss package on Fedora -- make sure that # programs relying on that continue to work until they are fixed to require @@ -489,21 +490,12 @@ popd killall $RANDSERV || : if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then - TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? + TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? else TEST_FAILURES=0 GREP_EXIT_STATUS=1 fi -# ssl_drop_unittest.cc is failing on F27/s390; temporarily ignore the -# test failures on s390x -%if 0%{fedora} == 27 -%ifarch s390x -TEST_FAILURES=0 -GREP_EXIT_STATUS=1 -%endif -%endif - if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then echo "okay: test suite detected no failures" else 
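Review bot: In the `%check` hunk of nss.spec, the narrowed pattern `grep -c -- '- FAILED$'` makes the test gate fail open for any failure the log reports in another shape, such as a line with trailing whitespace or a carriage return, or a raw gtest `[  FAILED  ]` line that gets no harness summary line. The old `grep -c FAILED` would have counted those. This count is the only check visible here that keeps a build with failing crypto tests from passing, so I would document the assumed format beside it, e.g. `# count only harness result lines ending in "- FAILED"; other mentions of FAILED are ignored on purpose`. Consider also tolerating trailing whitespace with `'- FAILED[[:space:]]*$'`. The `if`/`else` that consumes `GREP_EXIT_STATUS` continues outside the hunk, so how a grep status of 2 (missing log file) is reported cannot be confirmed from here.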
@@ -817,6 +809,12 @@ fi %changelog +* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1.0 +- Update to NSS 3.36.0 +- Add gcc-c++ to BuildRequires (C++ is needed for gtests) +- Make test failure detection robuster +- Enable test on s390x again + * Mon Feb 12 2018 Daiki Ueno - 3.35.0-1.1 - Temporarily ignore test failures on F27 s390x diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch index 73b366b..d3aa3bd 100644 --- a/renegotiate-transitional.patch +++ b/renegotiate-transitional.patch @@ -1,12 +1,12 @@ -diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c ---- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400 -+++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400 -@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = { - PR_FALSE, /* noLocks */ - PR_FALSE, /* enableSessionTickets */ - PR_FALSE, /* enableDeflate */ -- 2, /* enableRenegotiation (default: requires extension) */ -+ 3, /* enableRenegotiation (default: transitional) */ - PR_FALSE, /* requireSafeNegotiation */ - PR_FALSE, /* enableFalseStart */ - PR_TRUE, /* cbcRandomIV */ +diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100 ++++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100 +@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = { + .noLocks = PR_FALSE, + .enableSessionTickets = PR_FALSE, + .enableDeflate = PR_FALSE, +- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN, ++ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL, + .requireSafeNegotiation = PR_FALSE, + .enableFalseStart = PR_FALSE, + .cbcRandomIV = PR_TRUE, diff --git a/sources b/sources index 9e54a2c..844333f 100644 --- a/sources +++ b/sources 
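Review bot: The rebased renegotiate-transitional.patch no longer documents the downstream deviation it carries. The previous version annotated the changed value with `/* enableRenegotiation (default: transitional) */`, while the new `.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,` line has no comment. The patch keeps the packaged default looser than upstream's `SSL_RENEGOTIATE_REQUIRES_XTN`; as far as I recall from ssl.h, the transitional setting still lets client sockets renegotiate with peers that lack the renegotiation-info extension, which should be confirmed. I would add a trailing comment such as `/* downstream default; upstream uses SSL_RENEGOTIATE_REQUIRES_XTN */`. A short header in the patch file stating why the distribution still needs the weaker default, and when it can be dropped, would also help.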
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.35.0.tar.gz) = a9865fd11d8b2ab83b57b1b50fe6f0d3a6d936f7ae4d0817e9dd1bf3e5182ff7f26ebc21fe7490c3dea2b792e4e4302af876ac70750e8e1f4da6bb710fd3002e
+SHA512 (nss-3.36.0.tar.gz) = 02559b724d1665be495e52155242a154f9d18c985ff6c180db8ee99460ead12d6a4059f13a8a0b0b6864b643f2435b2e0b45de023c678a4514833f1795c4d6fe