diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch
index 38d092a..6286184 100644
--- a/disableSSL2libssl.patch
+++ b/disableSSL2libssl.patch
@@ -10,8 +10,8 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
  DEFINES += -DNISCC_TEST
  endif
  
-+ifdef NSS_NO_SSL2
-+DEFINES += -DNSS_NO_SSL2
++ifdef NSS_NO_SSL2_NO_EXPORT
++DEFINES += -DNSS_NO_SSL2_NO_EXPORT
 +endif
 +
  # Allow build-time configuration of TLS 1.3 (Experimental)
@@ -34,7 +34,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          break;
  
        case SSL_ENABLE_SSL2:
-+#ifdef NSS_NO_SSL2
++#ifdef NSS_NO_SSL2_NO_EXPORT
 +        if (on) {
 +            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
 +            rv = SECFailure; /* not allowed */
@@ -48,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
              break;
          }
          ss->opt.enableSSL2       = on;
-@@ -667,42 +673,50 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+@@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
              ss->opt.v2CompatibleHello = on;
          }
          ss->preferredCipher     = NULL;
@@ -57,7 +57,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
              ss->cipherSpecs     = NULL;
              ss->sizeCipherSpecs = 0;
          }
-+#endif /* NSS_NO_SSL2 */
++#endif /* NSS_NO_SSL2_NO_EXPORT */
          break;
  
        case SSL_NO_CACHE:
@@ -73,7 +73,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          break;
  
        case SSL_V2_COMPATIBLE_HELLO:
-+#ifdef NSS_NO_SSL2
++#ifdef NSS_NO_SSL2_NO_EXPORT
 +        if (on) {
 +            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
 +            rv = SECFailure; /* not allowed */
@@ -90,7 +90,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          if (!on) {
              ss->opt.enableSSL2    = on;
          }
-+#endif /* NSS_NO_SSL2 */
++#endif /* NSS_NO_SSL2_NO_EXPORT */
          break;
  
        case SSL_ROLLBACK_DETECTION:
@@ -98,26 +98,45 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
          break;
  
        case SSL_NO_STEP_DOWN:
-         ss->opt.noStepDown     = on;
-@@ -1168,17 +1182,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
- 
-     if (rv != SECSuccess) {
-         return rv;
-     }
- 
-     if (ssl_IsRemovedCipherSuite(which)) {
-         rv = SECSuccess;
-     } else if (SSL_IS_SSL2_CIPHER(which)) {
-+#ifdef NSS_NO_SSL2
-+        rv = SSL_ERROR_SSL2_DISABLED;
++#ifdef NSS_NO_SSL2_NO_EXPORT
++        if (!on) {
++            PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++            rv = SECFailure; /* not allowed */
++        }
 +#else
-         rv = ssl2_SetPolicy(which, policy);
-+#endif /* NSS_NO_SSL2 */
-     } else {
-         rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+         ss->opt.noStepDown     = on;
+         if (on)
+             SSL_DisableExportCipherSuites(fd);
++#endif /* NSS_NO_SSL2_NO_EXPORT */
+         break;
+ 
+       case SSL_BYPASS_PKCS11:
+         if (ss->handshakeBegun) {
+             PORT_SetError(PR_INVALID_STATE_ERROR);
+             rv = SECFailure;
+         } else {
+             if (PR_FALSE != on) {
+@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
      }
-     return rv;
+     return SECSuccess;
  }
  
- SECStatus
- SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
+ /* function tells us if the cipher suite is one that we no longer support. */
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
++#ifdef NSS_NO_SSL2_NO_EXPORT
++    /* both ssl2 and export cipher suites disabled */
++    if (SSL_IS_SSL2_CIPHER(suite))
++        return PR_TRUE;
++    if (SSL_IsExportCipherSuite(suite))
++      return PR_TRUE;
++#endif /* NSS_NO_SSL2_NO_EXPORT */
+     switch (suite) {
+     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
+         return PR_TRUE;
+     default:
+         return PR_FALSE;
+     }
diff --git a/disableSSL2tests.patch b/disableSSL2tests.patch
index d0d9871..4fecca2 100644
--- a/disableSSL2tests.patch
+++ b/disableSSL2tests.patch
@@ -1,7 +1,7 @@
 diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
 --- a/tests/ssl/ssl.sh
 +++ b/tests/ssl/ssl.sh
-@@ -57,18 +57,23 @@ ssl_init()
+@@ -57,19 +57,23 @@ ssl_init()
    fi
  
    PORT=${PORT-8443}
@@ -11,14 +11,15 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  
    # Test case files
 -  SSLCOV=${QADIR}/ssl/sslcov.txt
-+  SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \
-+    && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
-+    || ${QADIR}/ssl/sslcov.txt
-   SSLAUTH=${QADIR}/ssl/sslauth.txt
-+  SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \
-+    && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
-+    || ${QADIR}/ssl/sslstress.txt
-   SSLSTRESS=${QADIR}/ssl/sslstress.txt
+-  SSLAUTH=${QADIR}/ssl/sslauth.txt
+-  SSLSTRESS=${QADIR}/ssl/sslstress.txt
++  if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
++    SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
++    SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
++  else
++    SSLCOV=${QADIR}/ssl/sslcov.txt
++    SSLSTRESS=${QADIR}/ssl/sslstress.txt
++  fi
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  
    #temparary files
@@ -26,7 +27,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    SERVERPID=${TMP}/tests_pid.$$
  
    R_SERVERPID=../tests_pid.$$
-@@ -115,17 +120,21 @@ is_selfserv_alive()
+ 
+@@ -115,17 +119,21 @@ is_selfserv_alive()
    if [ "${OS_ARCH}" = "WINNT" ] && \
       [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
        PID=${SHELL_SERVERPID}
@@ -35,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    fi
  
    echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
-+  if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
++  if [[ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
 +  echo "No server to kill"
 +  else
    kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
@@ -48,7 +50,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  # local shell function to wait until selfserver is running and initialized
  ########################################################################
  wait_for_selfserv()
-@@ -138,17 +147,21 @@ wait_for_selfserv()
+@@ -138,17 +146,21 @@ wait_for_selfserv()
    if [ $? -ne 0 ]; then
        sleep 5
        echo "retrying to connect to selfserv at `date`"
@@ -57,7 +59,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
        ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
                -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
        if [ $? -ne 0 ]; then
-+          if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++          if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
 +              html_passed "Server never started"
 +          else
            html_failed "Waiting for Server"
@@ -70,7 +72,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  ########################### kill_selfserv ##############################
  # local shell function to kill the selfserver after the tests are done
  ########################################################################
-@@ -273,16 +286,19 @@ ssl_cov()
+@@ -273,16 +285,19 @@ ssl_cov()
    exec < ${SSLCOV}
    while read ectype testmax param testname
    do
@@ -80,7 +82,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
        SSL2=$?
  
 +      #  skip export and ssl2 tests when build has disabled SSL2
-+      [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
++      [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
 +
        if [ "${SSL2}" -eq 0 ] ; then
            # We cannot use asynchronous cert verification with SSL2
diff --git a/nss.spec b/nss.spec
index 510d139..bab90b2 100644
--- a/nss.spec
+++ b/nss.spec
@@ -19,7 +19,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.17.4
-Release:          4%{?dist}
+Release:          5%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -92,7 +92,6 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 Patch50:          iquote.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
 Patch51:          tls12.patch
-# SSL2 support has been disabled downstream in RHEL since RHEL-7.0
 Patch52:          disableSSL2libssl.patch
 Patch53:          disableSSL2tests.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367
@@ -219,8 +218,7 @@ done
 
 %build
 
-# uncomment this line when the work is ready
-#export NSS_NO_SSL2=1
+export NSS_NO_SSL2_NO_EXPORT=1
 
 NSS_NO_PKCS11_BYPASS=1
 export NSS_NO_PKCS11_BYPASS
@@ -371,8 +369,7 @@ fi
 # Begin -- copied from the build section
 
 # inform the ssl test scripts that SSL2 is disabled
-# uncomment this line when the work is ready
-#export NSS_NO_SSL2=1
+export NSS_NO_SSL2_NO_EXPORT=1
 
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
@@ -797,6 +794,11 @@ fi
 
 
 %changelog
+* Tue Mar 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-5
+- Disable export suites and SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.17.4-4
 - Rebuilt for Fedora 23 Change
   https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
diff --git a/scripts-syntax-errors.patch b/scripts-syntax-errors.patch
index aeff0ab..28cfc4a 100644
--- a/scripts-syntax-errors.patch
+++ b/scripts-syntax-errors.patch
@@ -11,7 +11,7 @@ diff --git a/tests/all.sh b/tests/all.sh
  # Exception: when building softoken only, shlibsign is the
  # last file created.
 -if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
-+if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
    LAST_FILE_BUILT=shlibsign
  else
    LAST_FILE_BUILT=modutil