Allow application requests to disable SSL v2 to succeed

- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
- Update nss_tests with some of the new gtests from upstream

mozbz1277569backport.patch

@@ -0,0 +1,102 @@
+--- ./lib/ssl/sslsock.c.compatibility	2016-06-02 10:59:07.188831825 -0700
++++ ./lib/ssl/sslsock.c	2016-06-02 10:59:07.205831404 -0700
+@@ -675,16 +675,28 @@
+                     PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                     rv = SECFailure; /* not allowed */
+                 }
+                 break;
+             }
+             ssl_EnableSSL3(&ss->vrange, on);
+             break;
+ 
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            /* We no longer support SSL v2.
++             * However, if an old application requests to disable SSL v2,
++             * we shouldn't fail.
++             */
++            if (on) {
++                PORT_SetError(SEC_ERROR_INVALID_ARGS);
++                rv = SECFailure;
++            }
++            break;
++
+         case SSL_NO_CACHE:
+             ss->opt.noCache = on;
+             break;
+ 
+         case SSL_ENABLE_FDX:
+             if (on && ss->opt.noLocks) {
+                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                 rv = SECFailure;
+@@ -856,16 +868,20 @@
+             on = ss->opt.handshakeAsServer;
+             break;
+         case SSL_ENABLE_TLS:
+             on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+             break;
+         case SSL_ENABLE_SSL3:
+             on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+             break;
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            on = PR_FALSE;
++            break;
+         case SSL_NO_CACHE:
+             on = ss->opt.noCache;
+             break;
+         case SSL_ENABLE_FDX:
+             on = ss->opt.fdx;
+             break;
+         case SSL_ROLLBACK_DETECTION:
+             on = ss->opt.detectRollBack;
+@@ -967,16 +983,20 @@
+             on = ssl_defaults.handshakeAsServer;
+             break;
+         case SSL_ENABLE_TLS:
+             on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+             break;
+         case SSL_ENABLE_SSL3:
+             on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+             break;
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            on = PR_FALSE;
++            break;
+         case SSL_NO_CACHE:
+             on = ssl_defaults.noCache;
+             break;
+         case SSL_ENABLE_FDX:
+             on = ssl_defaults.fdx;
+             break;
+         case SSL_ROLLBACK_DETECTION:
+             on = ssl_defaults.detectRollBack;
+@@ -1100,16 +1120,28 @@
+         case SSL_ENABLE_TLS:
+             ssl_EnableTLS(&versions_defaults_stream, on);
+             break;
+ 
+         case SSL_ENABLE_SSL3:
+             ssl_EnableSSL3(&versions_defaults_stream, on);
+             break;
+ 
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            /* We no longer support SSL v2.
++             * However, if an old application requests to disable SSL v2,
++             * we shouldn't fail.
++             */
++            if (on) {
++                PORT_SetError(SEC_ERROR_INVALID_ARGS);
++                return SECFailure;
++            }
++            break;
++
+         case SSL_NO_CACHE:
+             ssl_defaults.noCache = on;
+             break;
+ 
+         case SSL_ENABLE_FDX:
+             if (on && ssl_defaults.noLocks) {
+                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                 return SECFailure;

nss-skip-util-gtest.patch

@@ -1,6 +1,6 @@
-diff -up ./nss/external_tests/manifest.mn.skip_util_gtest ./nss/external_tests/manifest.mn
+diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
---- ./nss/external_tests/manifest.mn.skip_util_gtest	2016-05-21 21:34:56.156346633 -0700
+--- ./external_tests/manifest.mn.skip_util_gtest	2016-05-21 21:34:56.156346633 -0700
-+++ ./nss/external_tests/manifest.mn	2016-05-21 21:35:23.408854282 -0700
++++ ./external_tests/manifest.mn	2016-05-21 21:35:23.408854282 -0700
 @@ -8,7 +8,6 @@ DEPTH      = ..
  DIRS = \
  	google_test \

nss.spec

@@ -96,7 +96,8 @@ Patch55:          skip_stress_TLS_RC4_128_with_MD5.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch60: nss-pem-unitialized-vars.path
 Patch61: nss-skip-util-gtest.patch
-
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
+Patch62: mozbz1277569backport.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -183,8 +184,9 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch60 -p1 -b .unitialized_vars
-popd
 %patch61 -p0 -b .skip_util_gtest
+%patch62 -p1 -b .compatibility
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -446,7 +448,7 @@ pushd ./nss/tests/
 
 #  don't need to run all the tests when testing packaging
 #  nss_cycles: standard pkix upgradedb sharedb
-%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains pk11_gtests der_gtests"
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
@@ -793,6 +795,11 @@ fi
 
 
 %changelog
+* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.2
+- Allow application requests to disable SSL v2 to succeed
+- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
+- Update nss_tests with some of the new gtests from upstream
+
 * Fri May 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.0
 - Rebase to NSS 3.24.0