Merge branch 'f23' into f22

- Bump the release tag

.gitignore

@@ -10,4 +10,4 @@ TestUser51.cert
 /nss-pem-20160308.tar.bz2
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.23.0.tar.gz
+/nss-3.24.0.tar.gz

disableSSL2libssl.patch

@@ -1,149 +0,0 @@
---- ./lib/ssl/config.mk.disableSSL2libssl	2016-03-05 09:20:12.712130884 -0800
-+++ ./lib/ssl/config.mk	2016-03-05 09:24:22.748518581 -0800
-@@ -2,16 +2,20 @@
- # This Source Code Form is subject to the terms of the Mozilla Public
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
- 
- ifdef NISCC_TEST
- DEFINES += -DNISCC_TEST
- endif
- 
-+ifdef NSS_NO_SSL2_NO_EXPORT
-+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
-+endif
-+
- ifdef NSS_NO_PKCS11_BYPASS
- DEFINES += -DNO_PKCS11_BYPASS
- else
- CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
- 
- EXTRA_LIBS += \
- 	$(CRYPTOLIB) \
- 	$(NULL)
---- ./lib/ssl/sslsock.c.disableSSL2libssl	2016-03-05 09:20:12.713130866 -0800
-+++ ./lib/ssl/sslsock.c	2016-03-05 09:32:55.060592007 -0800
-@@ -707,16 +707,22 @@
-             if (ss->cipherSpecs) {
-                 PORT_Free(ss->cipherSpecs);
-                 ss->cipherSpecs = NULL;
-                 ss->sizeCipherSpecs = 0;
-             }
-             break;
- 
-         case SSL_ENABLE_SSL2:
-+#ifdef NSS_NO_SSL2_NO_EXPORT
-+            if (on) {
-+                PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+                rv = SECFailure; /* not allowed */
-+            }
-+#else
-             if (IS_DTLS(ss)) {
-                 if (on) {
-                     PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                     rv = SECFailure; /* not allowed */
-                 }
-                 break;
-             }
-             if (on) {
-@@ -731,52 +737,67 @@
-                 ss->opt.v2CompatibleHello = on;
-             }
-             ss->preferredCipher = NULL;
-             if (ss->cipherSpecs) {
-                 PORT_Free(ss->cipherSpecs);
-                 ss->cipherSpecs = NULL;
-                 ss->sizeCipherSpecs = 0;
-             }
-+#endif /* NSS_NO_SSL2_NO_EXPORT */
-             break;
- 
-         case SSL_NO_CACHE:
-             ss->opt.noCache = on;
-             break;
- 
-         case SSL_ENABLE_FDX:
-             if (on && ss->opt.noLocks) {
-                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                 rv = SECFailure;
-             }
-             ss->opt.fdx = on;
-             break;
- 
-         case SSL_V2_COMPATIBLE_HELLO:
-+#ifdef NSS_NO_SSL2_NO_EXPORT
-+            if (on) {
-+                PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+                rv = SECFailure; /* not allowed */
-+            }
-+#else
-             if (IS_DTLS(ss)) {
-                 if (on) {
-                     PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                     rv = SECFailure; /* not allowed */
-                 }
-                 break;
-             }
-             ss->opt.v2CompatibleHello = on;
-             if (!on) {
-                 ss->opt.enableSSL2 = on;
-             }
-+#endif /* NSS_NO_SSL2_NO_EXPORT */
-             break;
- 
-         case SSL_ROLLBACK_DETECTION:
-             ss->opt.detectRollBack = on;
-             break;
- 
-         case SSL_NO_STEP_DOWN:
-+#ifdef NSS_NO_SSL2_NO_EXPORT
-+            if (!on) {
-+                PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+                rv = SECFailure; /* not allowed */
-+            }
-+#else
-             ss->opt.noStepDown = on;
-             if (on)
-                 SSL_DisableExportCipherSuites(fd);
-+#endif /* NSS_NO_SSL2_NO_EXPORT */
-             break;
- 
-         case SSL_BYPASS_PKCS11:
-             if (ss->handshakeBegun) {
-                 PORT_SetError(PR_INVALID_STATE_ERROR);
-                 rv = SECFailure;
-             } else {
-                 if (PR_FALSE != on) {
-@@ -1324,16 +1345,32 @@
-     }
-     return SECSuccess;
- }
- 
- /* function tells us if the cipher suite is one that we no longer support. */
- static PRBool
- ssl_IsRemovedCipherSuite(PRInt32 suite)
- {
-+#ifdef NSS_NO_SSL2_NO_EXPORT
-+    /* both ssl2 and export cipher suites disabled */
-+    if (SSL_IS_SSL2_CIPHER(suite))
-+        return PR_TRUE;
-+    if (SSL_IsExportCipherSuite(suite)) {
-+        SSLCipherSuiteInfo csdef;
-+        if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
-+            /* failure to retrieve info, disable */
-+            return PR_TRUE;
-+        }
-+        if (csdef.symCipher != ssl_calg_null) {
-+            /* disable all except NULL ciphersuites */
-+            return PR_TRUE;
-+        }
-+    }
-+#endif /* NSS_NO_SSL2_NO_EXPORT */
-     switch (suite) {
-         case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
-         case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
-         case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
-             return PR_TRUE;
-         default:
-             return PR_FALSE;
-     }

disableSSL2tests.patch

@@ -1,126 +0,0 @@
---- ./tests/ssl/ssl.sh.disableSSL2tests	2016-01-29 02:30:10.000000000 -0800
-+++ ./tests/ssl/ssl.sh	2016-02-06 11:50:26.496668124 -0800
-@@ -57,19 +57,24 @@ ssl_init()
-   fi
- 
-   PORT=${PORT-8443}
-   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
-   nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
-   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
- 
-   # Test case files
--  SSLCOV=${QADIR}/ssl/sslcov.txt
-+  if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
-+    SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
-+    SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
-+  else
-+    SSLCOV=${QADIR}/ssl/sslcov.txt
-+    SSLSTRESS=${QADIR}/ssl/sslstress.txt
-+  fi
-   SSLAUTH=${QADIR}/ssl/sslauth.txt
--  SSLSTRESS=${QADIR}/ssl/sslstress.txt
-   SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
-   REQUEST_FILE=${QADIR}/ssl/sslreq.dat
- 
-   #temparary files
-   SERVEROUTFILE=${TMP}/tests_server.$$
-   SERVERPID=${TMP}/tests_pid.$$
- 
-   R_SERVERPID=../tests_pid.$$
-@@ -116,17 +121,21 @@ is_selfserv_alive()
-   if [ "${OS_ARCH}" = "WINNT" ] && \
-      [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
-       PID=${SHELL_SERVERPID}
-   else
-       PID=`cat ${SERVERPID}`
-   fi
- 
-   echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
-+  if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
-+  echo "No server to kill"
-+  else
-   kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
-+  fi
- 
-   echo "selfserv with PID ${PID} found at `date`"
- }
- 
- ########################### wait_for_selfserv ##########################
- # local shell function to wait until selfserver is running and initialized
- ########################################################################
- wait_for_selfserv()
-@@ -139,17 +148,21 @@ wait_for_selfserv()
-   if [ $? -ne 0 ]; then
-       sleep 5
-       echo "retrying to connect to selfserv at `date`"
-       echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
-       echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
-       ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-               -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
-       if [ $? -ne 0 ]; then
-+          if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
-+              html_passed "Server never started"
-+          else
-           html_failed "Waiting for Server"
-+          fi
-       fi
-   fi
-   is_selfserv_alive
- }
- 
- ########################### kill_selfserv ##############################
- # local shell function to kill the selfserver after the tests are done
- ########################################################################
-@@ -210,25 +223,26 @@ start_selfserv()
-       ECC_OPTIONS=""
-   fi
-   if [ "$1" = "mixed" ]; then
-       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
-   fi
-   echo "selfserv starting at `date`"
-   echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
-   echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
--  echo "         $verbose -H 1 &"
-+  echo "         $verbose -H 1 -V ssl3: &"
-   if [ ${fileout} -eq 1 ]; then
-       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-                ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
--               > ${SERVEROUTFILE} 2>&1 &
-+               -V ssl3:> ${SERVEROUTFILE} 2>&1 &
-       RET=$?
-   else
-       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
--               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
-+               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
-+               -V ssl3: &
-       RET=$?
-   fi
- 
-   # The PID $! returned by the MKS or Cygwin shell is not the PID of
-   # the real background process, but rather the PID of a helper
-   # process (sh.exe).  MKS's kill command has a bug: invoking kill
-   # on the helper process does not terminate the real background
-   # process.  Our workaround has been to have selfserv save its PID
-@@ -275,16 +289,22 @@ ssl_cov()
-   exec < ${SSLCOV}
-   while read ectype testmax param testname
-   do
-       echo "${testname}" | grep "EXPORT" > /dev/null 
-       EXP=$?
-       echo "${testname}" | grep "SSL2" > /dev/null
-       SSL2=$?
- 
-+      #  skip export and ssl2 tests when build has disabled SSL2
-+      if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
-+         echo "exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
-+         continue
-+      fi
-+
-       if [ "${SSL2}" -eq 0 ] ; then
-           # We cannot use asynchronous cert verification with SSL2
-           SSL2_FLAGS=-O
-           VMIN="ssl2"
-       else
-           # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
-           # default in libssl but it is enabled by default in tstclnt; we want
-           # to test the libssl default whenever possible.

mozbz1277569backport.patch

@@ -0,0 +1,102 @@
+--- ./lib/ssl/sslsock.c.compatibility	2016-06-02 10:59:07.188831825 -0700
++++ ./lib/ssl/sslsock.c	2016-06-02 10:59:07.205831404 -0700
+@@ -675,16 +675,28 @@
+                     PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                     rv = SECFailure; /* not allowed */
+                 }
+                 break;
+             }
+             ssl_EnableSSL3(&ss->vrange, on);
+             break;
+ 
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            /* We no longer support SSL v2.
++             * However, if an old application requests to disable SSL v2,
++             * we shouldn't fail.
++             */
++            if (on) {
++                PORT_SetError(SEC_ERROR_INVALID_ARGS);
++                rv = SECFailure;
++            }
++            break;
++
+         case SSL_NO_CACHE:
+             ss->opt.noCache = on;
+             break;
+ 
+         case SSL_ENABLE_FDX:
+             if (on && ss->opt.noLocks) {
+                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                 rv = SECFailure;
+@@ -856,16 +868,20 @@
+             on = ss->opt.handshakeAsServer;
+             break;
+         case SSL_ENABLE_TLS:
+             on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+             break;
+         case SSL_ENABLE_SSL3:
+             on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+             break;
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            on = PR_FALSE;
++            break;
+         case SSL_NO_CACHE:
+             on = ss->opt.noCache;
+             break;
+         case SSL_ENABLE_FDX:
+             on = ss->opt.fdx;
+             break;
+         case SSL_ROLLBACK_DETECTION:
+             on = ss->opt.detectRollBack;
+@@ -967,16 +983,20 @@
+             on = ssl_defaults.handshakeAsServer;
+             break;
+         case SSL_ENABLE_TLS:
+             on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+             break;
+         case SSL_ENABLE_SSL3:
+             on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+             break;
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            on = PR_FALSE;
++            break;
+         case SSL_NO_CACHE:
+             on = ssl_defaults.noCache;
+             break;
+         case SSL_ENABLE_FDX:
+             on = ssl_defaults.fdx;
+             break;
+         case SSL_ROLLBACK_DETECTION:
+             on = ssl_defaults.detectRollBack;
+@@ -1100,16 +1120,28 @@
+         case SSL_ENABLE_TLS:
+             ssl_EnableTLS(&versions_defaults_stream, on);
+             break;
+ 
+         case SSL_ENABLE_SSL3:
+             ssl_EnableSSL3(&versions_defaults_stream, on);
+             break;
+ 
++        case SSL_ENABLE_SSL2:
++        case SSL_V2_COMPATIBLE_HELLO:
++            /* We no longer support SSL v2.
++             * However, if an old application requests to disable SSL v2,
++             * we shouldn't fail.
++             */
++            if (on) {
++                PORT_SetError(SEC_ERROR_INVALID_ARGS);
++                return SECFailure;
++            }
++            break;
++
+         case SSL_NO_CACHE:
+             ssl_defaults.noCache = on;
+             break;
+ 
+         case SSL_ENABLE_FDX:
+             if (on && ssl_defaults.noLocks) {
+                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                 return SECFailure;

nss-539183.patch

@@ -1,44 +1,62 @@
-diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
---- ./nss/cmd/httpserv/httpserv.c.539183	2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/httpserv/httpserv.c	2015-11-12 13:28:01.574855325 -0800
-@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
-     PRNetAddr          addr;
+--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
++++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
      PRSocketOptionData opt;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip     = PR_INADDR_ANY;
--    addr.inet.port   = PR_htons(port);
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+	errExit("PR_SetNetAddr");
++        errExit("PR_SetNetAddr");
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--	errExit("PR_NewTCPSocket");
-+	errExit("PR_OpenTCPSocket error");
+-        errExit("PR_NewTCPSocket");
++        errExit("PR_OpenTCPSockett");
      }
  
      opt.option = PR_SockOpt_Nonblocking;
-diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
---- ./nss/cmd/selfserv/selfserv.c.539183	2015-11-08 21:12:59.000000000 -0800
-+++ ./nss/cmd/selfserv/selfserv.c	2015-11-12 13:26:40.498345875 -0800
-@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
-     PRNetAddr          addr;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
++++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
      PRSocketOptionData opt;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip     = PR_INADDR_ANY;
--    addr.inet.port   = PR_htons(port);
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+	errExit("PR_SetNetAddr");
++        errExit("PR_SetNetAddr");
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--	errExit("PR_NewTCPSocket");
+-        errExit("PR_NewTCPSocket");
 +        errExit("PR_OpenTCPSocket error");
      }
  
      opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

nss-allow-keylogfile-in-opt-builds.patch

@@ -0,0 +1,26 @@
+--- ./lib/ssl/Makefile.allow_keylogfile	2016-06-08 21:54:29.504328764 -0700
++++ ./lib/ssl/Makefile	2016-06-08 22:03:57.061313047 -0700
+@@ -34,19 +34,20 @@
+ else
+ ifeq ($(OS_TARGET),OS2)
+ CSRCS	+= os2_err.c
+ else
+ CSRCS	+= unix_err.c
+ endif
+ endif
+ 
+-# Enable key logging by default in debug builds, but not opt builds.
+-# Logging still needs to be enabled at runtime through env vars.
+-NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
++# For Fedora stable branch compatibility, i.e f23 and f22
++# Enable key logging by default in debug builds and opt builds.
++# Logging doesn't need to be enabled at runtime through env vars.
++NSS_ALLOW_SSLKEYLOGFILE = 1
+ ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
+ DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
+ endif
+ 
+ #######################################################################
+ # (5) Execute "global" rules. (OPTIONAL)                              #
+ #######################################################################
+ 

nss-pem-unitialized-vars.path

@@ -0,0 +1,15 @@
+diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c
+--- ./lib/ckfw/pem/pinst.c.unitialized_var	2016-05-21 19:04:24.471221863 -0700
++++ ./lib/ckfw/pem/pinst.c	2016-05-21 19:31:07.124298651 -0700
+@@ -534,9 +534,9 @@ CK_RV
+ AddCertificate(char *certfile, char *keyfile, PRBool cacert,
+                CK_SLOT_ID slotID)
+ {
+-    pemInternalObject *o;
++    pemInternalObject *o = NULL;
+     CK_RV error = 0;
+-    int objid, i;
++    int objid, i = 0;
+     int nobjs = 0;
+     SECItem **objs = NULL;
+     char *ivstring = NULL;

nss-skip-util-gtest.patch

@@ -0,0 +1,11 @@
+diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
+--- ./external_tests/manifest.mn.skip_util_gtest	2016-05-21 21:34:56.156346633 -0700
++++ ./external_tests/manifest.mn	2016-05-21 21:35:23.408854282 -0700
+@@ -8,7 +8,6 @@ DEPTH      = ..
+ DIRS = \
+ 	google_test \
+         der_gtest \
+-	util_gtest \
+         pk11_gtest \
+         ssl_gtest \
+ 	$(NULL)

nss.spec

@@ -1,6 +1,6 @@
 %global nspr_version 4.12.0
-%global nss_util_version 3.23.0
-%global nss_softokn_version 3.23.0
+%global nss_util_version 3.24.0
+%global nss_softokn_version 3.24.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,10 +18,10 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.23.0
+Version:          3.24.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          3%{?dist}
+Release:          1.3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -91,13 +91,15 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 # headers are older. Such is the case when starting an update with API changes or even private export changes.
 # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
 Patch50:          iquote.patch
-Patch52:          disableSSL2libssl.patch
-Patch53:          disableSSL2tests.patch
-Patch54:          tstclnt-ssl2-off-by-default.patch
 Patch55:          skip_stress_TLS_RC4_128_with_MD5.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-
+Patch60: nss-pem-unitialized-vars.path
+Patch61: nss-skip-util-gtest.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
+Patch62: mozbz1277569backport.patch
+# Local: for stable branch compatibility
+Patch63: nss-allow-keylogfile-in-opt-builds.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -180,13 +182,14 @@ low level services.
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
-pushd nss
-%patch52 -p1 -b .disableSSL2libssl
-%patch53 -p1 -b .disableSSL2tests
-popd
-%patch54 -p0 -b .ssl2_off
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
 %patch58 -p0 -b .1185708_3des
+pushd nss
+%patch60 -p1 -b .unitialized_vars
+%patch61 -p0 -b .skip_util_gtest
+%patch62 -p1 -b .compatibility
+%patch63 -p1 -b .allow_keylogfile
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -219,6 +222,9 @@ done
 %{__rm} -rf ./nss/cmd/fipstest
 %{__rm} -rf ./nss/cmd/rsaperf_low
 
+######## Remove portions that need to statically link with libnssutil.a
+%{__rm} -rf ./nss/external_tests/util_gtests
+
 pushd nss/tests/ssl
 # Create versions of sslcov.txt and sslstress.txt that disable tests
 # for SSL2 and EXPORT ciphers.
@@ -237,8 +243,7 @@ FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
 # Enable compiler optimizations and disable debugging code
-BUILD_OPT=1
-export BUILD_OPT
+export BUILD_OPT=1
 
 # Uncomment to disable optimizations
 #RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
@@ -302,7 +307,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/lib/dbm
 
 # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
-# need nss/lib/util/verref.h which is which is exported privately,
+# need nss/lib/util/verref.h which is exported privately,
 # copy the one we saved during prep so it they can find it.
 %{__mkdir_p} ./dist/private/nss
 %{__mv} ./nss/verref.h ./dist/private/nss/verref.h
@@ -386,14 +391,10 @@ fi
 
 # Begin -- copied from the build section
 
-# inform the ssl test scripts that SSL2 is disabled
-export NSS_NO_SSL2_NO_EXPORT=1
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
-BUILD_OPT=1
-export BUILD_OPT
+export BUILD_OPT=1
 
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
@@ -404,7 +405,7 @@ export USE_64
 
 export NSS_BLTEST_NOT_AVAILABLE=1
 
-# needed for the fips manging test
+# needed for the fips mangling test
 export SOFTOKEN_LIB_DIR=%{_libdir}
 
 # End -- copied from the build section
@@ -450,7 +451,7 @@ pushd ./nss/tests/
 
 #  don't need to run all the tests when testing packaging
 #  nss_cycles: standard pkix upgradedb sharedb
-%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains pk11_gtests der_gtests"
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
@@ -646,24 +647,6 @@ else
 fi
 /sbin/ldconfig
 
-%posttrans
-# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
-# (The incorrect %%postun always called "update-alternatives --remove",
-# because it incorrectly assumed that test -f returns false for symbolic links.)
-# The only possible remedy to fix the mistake that "always removes on upgrade"
-# made by the older %%postun script, is to repair it in %%posttrans of the new package.
-# Strategy:
-# %%posttrans is never called when uninstalling.
-# %%posttrans is only called when installing or upgrading a package.
-# Because %%posttrans is the very last action of a package install,
-# %%{_libdir}/libnssckbi.so must exist.
-# If it does not, it's the result of the incorrect removal from a broken %%postun.
-# In this case, we repeat installation of the alternatives link.
-if ! test -e %{_libdir}/libnssckbi.so; then
-  %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
-    %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
-fi
-
 
 %files
 %defattr(-,root,root)
@@ -815,79 +798,78 @@ fi
 
 
 %changelog
-* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-3
+* Mon Jun 1 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.3
+- Restore optimized build support for logging SSL/TLS key material to logfile
+- Resolves: Bug - 1343289 - Update to nss 3.24 removes sslkeylogfile support
+
+* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.1
+- Allow application requests to disable SSL v2 to succeed
+- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
+- Update nss_tests with some of the new gtests from upstream
+
+* Sat May 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.0
+- Rebase to NSS 3.24.0
+
+* Thu Mar 10 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.1
 - Update pem sources to latest from nss-pem upstream
 - Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
 
-* Sat Mar 05 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-2
-- Rebase to NSS 3.23
+* Sun Mar 06 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.0
+- Rebase to NSS 3.23.0
 
-* Sat Feb 27 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-2
+* Mon Feb 29 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-1.0
 - Rebase to NSS 3.22.2
 
-* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-3
+* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1.1
 - Fix ssl2/exp test disabling to run all the required tests
 
-* Sun Feb 21 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1
+* Mon Feb 22 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1.0
 - Rebase to NSS 3.22.1
 
-* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-3
-- Update .gitignore as part of updating to nss 3.22
-
-* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-2
+* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-1.0
 - Update to NSS 3.22
 
-* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Fri Jan 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-6
+* Fri Jan 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.2
 - Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
 - Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
 - Use %%define when specifying the nss_tests to run
 
-* Wed Dec 30 2015 Michal Toman <mtoman@fedoraproject.org> - 3.21.0-5
-- Add 64-bit MIPS to multilib arches
-
-* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-4
+* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.1
 - Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0
 - Resolves: Bug 1284095 - all https fails with sec_error_no_token
-
-* Sun Nov 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-3
 - Add references to bugs filed upstream
 
-* Fri Nov 13 2015 Elio Maldonado Batiz <emaldona@redhat.com> - 3.21.1-2
+* Mon Nov 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.0
 - Update to NSS 3.21
 - Package listsuites as part of the unsupported tools set
 - Resolves: Bug 1279912 - nss-3.21 is available
 - Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
 - Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
 
-* Fri Oct 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-2
+* Mon Nov 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-1.0
 - Update to NSS 3.20.1
 
-* Wed Sep 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-6
+* Sun Oct 04 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.3
 - Enable ECC cipher-suites by default [hrbz#1185708]
 - Split the enabling patch in two for easier maintenance
-- Remove unused patches rendered obsolete by prior rebase
+- Remove unused patches
 
-* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-5
+* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.2
 - Enable ECC cipher-suites by default [hrbz#1185708]
 - Implement corrections requested in code review
 
-* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-4
-- Enable ECC cipher-suites by default [hrbz#1185708]
-
-* Mon Sep 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-3
-- Fix patches that disable ssl2 and export cipher suites support
+* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.1
+- Enable ECC cipher-suites by default [rhbz#1185708]
+- Fix patches that disable ssl2 and export cipher suites support [rhbz#1263005]
 - Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers
 - Fix syntax errors in patch to skip ssl2 and export cipher suite tests
 - Turn ssl2 off by default in the tstclnt tool
 - Disable ssl stress tests containing TLS RC4 128 with MD5
 
-* Thu Aug 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-2
+* Fri Aug 21 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.0
 - Update to NSS 3.20
 
-* Sat Aug 08 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-2
+* Tue Aug 11 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-1.0
 - Update to NSS 3.19.3
 
 * Fri Jun 26 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.2-3

pem-compile-with-Werror.patch

@@ -1,146 +0,0 @@
-diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
---- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/ckpem.h	2015-11-13 12:07:29.219887390 -0800
-@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
- };
- typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
- 
-+/* NOTE: Discrepancy with the the way callers use of the return value as a count
-+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
-+ */
- SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
- const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
- void pem_PopulateModulusExponent(pemInternalObject *io);
-diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
---- ./nss/lib/ckfw/pem/pinst.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/pinst.c	2015-11-13 12:07:29.219887390 -0800
-@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
-     char *ivstring = NULL;
-     int cipher;
- 
--    nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+    /* TODO: Fix discrepancy between our usage of the return value as
-+     * as an int (a count) and the declaration as a SECStatus. */
-+    nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-     if (nobjs <= 0) {
-         nss_ZFreeIf(objs);
-         return CKR_GENERAL_ERROR;
-@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
-         if (keyfile) {          /* add the private key */
-             SECItem **keyobjs = NULL;
-             int kobjs = 0;
-+            /* TODO: Fix discrepancy between our usage of the return value as
-+             * as an int and the declaration as a SECStatus. */
-             kobjs =
--                ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-+                (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-                                 &ivstring, PR_FALSE);
-             if (kobjs < 1) {
-                 error = CKR_GENERAL_ERROR;
-diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
---- ./nss/lib/ckfw/pem/pobject.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/pobject.c	2015-11-13 12:07:29.220887368 -0800
-@@ -630,6 +630,11 @@ pem_DestroyInternalObject
-         if (io->u.key.ivstring)
-             free(io->u.key.ivstring);
-         break;
-+    case pemAll:
-+        /* pemAll is not used, keep the compiler happy
-+         * TODO: investigate a proper solution
-+         */
-+        return;
-     }
- 
-     if (NULL != gobj)
-@@ -1044,7 +1049,9 @@ pem_CreateObject
-     int nobjs = 0;
-     int i;
-     int objid;
-+#if 0
-     pemToken *token;
-+#endif
-     int cipher;
-     char *ivstring = NULL;
-     pemInternalObject *listObj = NULL;
-@@ -1073,7 +1080,9 @@ pem_CreateObject
-     }
-     slotID = nssCKFWSlot_GetSlotID(fwSlot);
- 
-+#if 0
-     token = (pemToken *) mdToken->etc;
-+#endif
- 
-     /*
-      * only create keys and certs.
-@@ -1114,7 +1123,11 @@ pem_CreateObject
-     }
- 
-     if (objClass == CKO_CERTIFICATE) {
--        nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+        /* TODO: Fix discrepancy between our usage of the return value as
-+         * as an int and the declaration as a SECStatus. Typecasting as a
-+         * temporary workaround.
-+         */
-+        nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-         if (nobjs < 1)
-             goto loser;
- 
-diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
---- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/rsawrapr.c	2015-11-13 12:07:29.220887368 -0800
-@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
-     return 0;
- }
- 
-+/* unused functions */
-+#if 0
- static SHA1Context *SHA1_CloneContext(SHA1Context * original)
- {
-     SHA1Context *clone = NULL;
-@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
- 
-     return SECSuccess;
- }
-+#endif /* unused functions */
- 
- /*
-  * Format one block of data for public/private key encryption using
-diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
---- ./nss/lib/ckfw/pem/util.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/util.c	2015-11-13 12:22:52.282196306 -0800
-@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
-     return SECFailure;
- }
- 
--int
-+/* FIX: Returns a SECStatus yet callers take result as a count */
-+SECStatus
- ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
- 		int *cipher, char **ivstring, PRBool certsonly)
- {
-@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 		    goto loser;
- 		}
-                 if ((certsonly && !key) || (!certsonly && key)) {
-+		    error = CKR_OK;
- 		    PUT_Object(der, error);
-+		    if (error != CKR_OK) {
-+			free(der);
-+			goto loser;
-+		    }
-                 } else {
-                     free(der->data);
-                     free(der);
-@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 	    }
- 
- 	    /* NOTE: This code path has never been tested. */
-+	    error = CKR_OK;
- 	    PUT_Object(der, error);
-+	    if (error != CKR_OK) {
-+		free(der);
-+		goto loser;
-+	    }
- 	}
- 
- 	nss_ZFreeIf(filedata.data);

skip_stress_TLS_RC4_128_with_MD5.patch

@@ -1,11 +1,10 @@
 diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
---- ./nss/tests/ssl/sslstress.txt.skip	2015-09-11 21:48:21.763187957 -0700
-+++ ./nss/tests/ssl/sslstress.txt	2015-09-11 21:50:10.516514535 -0700
-@@ -8,29 +8,29 @@
+--- ./nss/tests/ssl/sslstress.txt.skip	2016-05-24 09:02:26.506457846 -0700
++++ ./nss/tests/ssl/sslstress.txt	2016-05-24 09:08:19.475268491 -0700
+@@ -8,27 +8,27 @@
  # Enable  return  server     client                         Test Case name
  #  ECC    value   params     params
  # ------- ------  ------     ------                         ---------------
--  noECC     0      _         -c_1000_-C_A                  Stress SSL2 RC4 128 with MD5
 -  noECC     0      _         -c_1000_-C_c_-V_:ssl3               Stress SSL3 RC4 128 with MD5
 -  noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
 -  noECC     0      _         -c_1000_-C_c_-g               Stress TLS  RC4 128 with MD5 (false start)
@@ -14,7 +13,6 @@ diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
 -  noECC     0      -u_-z     -V_ssl3:_-c_1000_-C_c_-u_-z         Stress TLS  RC4 128 with MD5 (session ticket, compression)
 -  noECC     0      -u_-z     -V_ssl3:_-c_1000_-C_c_-u_-z_-g      Stress TLS  RC4 128 with MD5 (session ticket, compression, false start)
 -  SNI       0      -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
-+#  noECC     0      _         -c_1000_-C_A                  Stress SSL2 RC4 128 with MD5
 +#  noECC     0      _         -c_1000_-C_c_-V_:ssl3               Stress SSL3 RC4 128 with MD5
 +#  noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
 +#  noECC     0      _         -c_1000_-C_c_-g               Stress TLS  RC4 128 with MD5 (false start)
@@ -27,7 +25,6 @@ diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
  #
  # add client auth versions here...
  #
--  noECC     0      -r_-r     -c_100_-C_A_-N_-n_TestUser    Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
 -  noECC     0      -r_-r     -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
 -  noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
 -  noECC     0      -r_-r_-u  -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
@@ -37,7 +34,6 @@ diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
 -  noECC     0   -r_-r_-u_-z  -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
 -  SNI       0   -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
 -  SNI       0   -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
-+#  noECC     0      -r_-r     -c_100_-C_A_-N_-n_TestUser    Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
 +#  noECC     0      -r_-r     -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
 +#  noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
 +#  noECC     0      -r_-r_-u  -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)

sources

@@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
 4d8e770b105483e365f3327d883dd229  nss-pem-20160308.tar.bz2
-574488f97390085832299cc3b90814a8  nss-3.23.0.tar.gz
+2a3ffd2f46b60ecc116ac086343a537a  nss-3.24.0.tar.gz

tstclnt-ssl2-off-by-default.patch

@@ -1,21 +0,0 @@
-diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c
---- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off	2015-08-07 11:12:13.000000000 -0700
-+++ ./nss/cmd/tstclnt/tstclnt.c	2015-09-11 20:08:34.771859950 -0700
-@@ -212,7 +212,7 @@ static void PrintParameterUsage(void)
-     fprintf(stderr, 
-             "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
-             "%-20s All versions are enabled by default.\n"
--            "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
-+            "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
-             "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
-             "-V [min]:[max]", "", "", "");
-     fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
-@@ -911,7 +911,7 @@ int main(int argc, char **argv)
-     int                npds;
-     int                override = 0;
-     SSLVersionRange    enabledVersions;
--    PRBool             enableSSL2 = PR_TRUE;
-+    PRBool             enableSSL2 = PR_FALSE;
-     int                bypassPKCS11 = 0;
-     int                disableLocking = 0;
-     int                useExportPolicy = 0;