diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes
index d321d44..984edf6 100644
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Tue Nov  4 14:13:46 UTC 2014 - kstreitova@suse.com
+
+- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
+  that adding small fixes for support of TLS v1.2 
+
+-------------------------------------------------------------------
+Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com
+
+- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
+  that compare CN and VS hostname (use NSS library). Removed
+  following patches:
+  * mod_nss-SNI-checks.patch
+  * mod_nss-SNI-callback.patch 
+
+-------------------------------------------------------------------
+Thu Aug 21 07:50:57 UTC 2014 - meissner@suse.com
+
+- mod_nss-cipherlist_update_for_tls12-doc.diff,
+  mod_nss-cipherlist_update_for_tls12.diff,
+  mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256.
+
 -------------------------------------------------------------------
 Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de
 
diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec
index aaa8246..579bcf9 100644
--- a/apache2-mod_nss.spec
+++ b/apache2-mod_nss.spec
@@ -69,9 +69,12 @@ Patch17:        mod_nss-overlapping_memcpy.patch
 Patch18:        mod_nss-CVE-2013-4566-NSSVerifyClient.diff
 Patch19:        mod_nss-cipherlist_update_for_tls12.diff
 Patch20:        mod_nss-cipherlist_update_for_tls12-doc.diff
-Patch21:	mod_nss-SNI-callback.patch
-Patch22:        mod_nss-SNI-checks.patch
 Patch23:        mod_nss-bnc863518-reopen_dev_tty.diff
+# PATCH-FIX-UPSTREAM bnc#897712 kstreitova@suse.com -- check for the misconfiguration of certificate's CN and virtual name
+Patch24:        mod_nss-compare_subject_CN_and_VS_hostname.patch
+# PATCH-FIX-UPSTREAM bnc#902068 kstreitova@suse.com -- small fixes for TLS-v1.2
+Patch25:        mod_nss-add_support_for_enabling_TLS_v1.2.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define    apxs /usr/sbin/apxs2
 %define    apache apache2
@@ -109,9 +112,9 @@ security library.
 %patch18 -p0 -b .CVE-2013-4566.rpmpatch
 %patch19 -p0 -b .ciphers.rpmpatch
 %patch20 -p0 -b .ciphers.doc.rpmpatch
-%patch21 -p0 -b .mod_nss-SNI-callback.rpmpatch
-%patch22 -p0 -b .mod_nss-SNI-checks.patch.rpmpatch
 %patch23 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
+%patch24 -p1 -b .mod_nss-compare_subject_CN_and_VS_hostname.rpmpatch
+%patch25 -p1 -b .mod_nss-add_support_for_enabling_TLS_v1.2.rpmpatch
 
 # keep this last, otherwise we get fuzzyness from above
 %if 0%{?suse_version} >= 1300
diff --git a/mod_nss-SNI-callback.patch b/mod_nss-SNI-callback.patch
deleted file mode 100644
index e009906..0000000
--- a/mod_nss-SNI-callback.patch
+++ /dev/null
@@ -1,241 +0,0 @@
-diff -rNU 30 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
---- ../mod_nss-1.0.8-o/mod_nss.h	2014-06-23 12:23:17.000000000 +0200
-+++ ./mod_nss.h	2014-06-25 15:43:14.000000000 +0200
-@@ -459,31 +459,37 @@
- APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
- 
- /* I/O */
- PRFileDesc * nss_io_new_fd();
- int nss_io_layer_init();
- void nss_io_filter_init(conn_rec *c, PRFileDesc *ssl);
- void nss_io_filter_register(apr_pool_t *p);
- 
- /*  Utility Functions  */
- char        *nss_util_vhostid(apr_pool_t *, server_rec *);
- apr_file_t  *nss_util_ppopen(server_rec *, apr_pool_t *, const char *,
-                              const char * const *);
- void         nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
- char        *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
-                                  const char * const *);
- /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
-  * to allow an SSL renegotiation to take place. */
- int          nss_io_buffer_fill(request_rec *r);
- 
- int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix);
- 
- /* Pass Phrase Handling */
- SECStatus nss_Init_Tokens(server_rec *s);
- 
- /* Logging */
- void nss_log_nss_error(const char *file, int line, int level, server_rec *s);
- void nss_die(void);
- 
- /* NSS callback */
- SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
-+
-+
-+#define SNIMAXNAMELEN 100
-+PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *, const SECItem *, PRUint32, void *);
-+
-+
- #endif /* __MOD_NSS_H__ */
-diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
---- ../mod_nss-1.0.8-o/nss_engine_init.c	2014-06-23 12:23:17.000000000 +0200
-+++ ./nss_engine_init.c	2014-06-25 18:33:19.000000000 +0200
-@@ -5,60 +5,62 @@
-  * You may obtain a copy of the License at
-  *
-  *     http://www.apache.org/licenses/LICENSE-2.0
-  *
-  * Unless required by applicable law or agreed to in writing, software
-  * distributed under the License is distributed on an "AS IS" BASIS,
-  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  * See the License for the specific language governing permissions and
-  * limitations under the License.
-  */
- 
- #include "mod_nss.h"
- #include "apr_thread_proc.h"
- #include "ap_mpm.h"
- #include "secmod.h"
- #include "sslerr.h"
- #include "pk11func.h"
- #include "ocsp.h"
- #include "keyhi.h"
- #include "cert.h"
- 
- static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
- static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
- static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
- static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
- SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
- 
- /*
-  * Global variables defined in this file.
-  */
-+void * sni_callback_arg;
-+
- char* INTERNAL_TOKEN_NAME = "internal                         ";
- 
- cipher_properties ciphers_def[ciphernum] =
- {
-     /* SSL2 cipher suites */
-     {"rc4", SSL_EN_RC4_128_WITH_MD5, 0, SSL2},
-     {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, 0, SSL2},
-     {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, 0, SSL2},
-     {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, 0, SSL2},
-     {"des", SSL_EN_DES_64_CBC_WITH_MD5, 0, SSL2},
-     {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, 0, SSL2},
-     /* SSL3/TLS cipher suites */
-     {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, 0, SSL3 | TLS},
-     {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, 0, SSL3 | TLS},
-     {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
-     {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
-     {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0, SSL3 | TLS},
-     {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0, SSL3 | TLS},
-     {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, 0, SSL3 | TLS},
-     {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, 0, SSL3 | TLS},
-     {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, 0, SSL3 | TLS},
-     {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
-     {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 1, SSL3 | TLS},
-     {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, 1, SSL3 | TLS},
-     {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, 1, SSL3 | TLS},
-     /* TLS 1.0: Exportable 56-bit Cipher Suites. */
-     {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 0, SSL3 | TLS},
-     {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
-     /* AES ciphers.*/
-     {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
-@@ -850,60 +852,78 @@
- 
- static void nss_init_ctx_callbacks(server_rec *s,
-                                    apr_pool_t *p,
-                                    apr_pool_t *ptemp,
-                                    modnss_ctx_t *mctx)
- {
-     if (SSL_AuthCertificateHook(mctx->model, nss_AuthCertificate, (void *)CERT_GetDefaultCertDB()) != SECSuccess) {
-         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                 "SSL_AuthCertificateHook failed.");
-         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-         nss_die();
-     }
-     if (SSL_BadCertHook(mctx->model, (SSLBadCertHandler) ownBadCertHandler, NULL) != SECSuccess) {
-         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                 "SSL_BadCertHook failed");
-         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-         nss_die();
-     }
-     if (SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback) ownHandshakeCallback, NULL) != SECSuccess) {
-         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                 "SSL_HandshakeCallback failed");
-         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-         nss_die();
-     }
-     if (SSL_GetClientAuthDataHook(mctx->model, NSS_GetClientAuthData, (void *)mctx->nickname) != SECSuccess) {
-         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                 "SSL_GetClientAuthDataHook failed");
-         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-         nss_die();
-     }
-+
-+    sni_callback_arg = apr_pcalloc(p, SNIMAXNAMELEN + 1);
-+    if(sni_callback_arg) {
-+	if(SSL_SNISocketConfigHook(mctx->model, mod_nss_SSLSNISocketConfig,
-+		 sni_callback_arg)) {
-+	    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+		"SSL_SNISocketConfigHook failed");
-+	    nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-+	    nss_die();
-+	}
-+    } else {
-+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+		"apr_palloc returned NULL for sni_callback_arg");
-+	nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
-+	nss_die();
-+    }
-+
-+
- }
- 
- static void nss_init_ctx_verify(server_rec *s,
-                                 apr_pool_t *p,
-                                 apr_pool_t *ptemp,
-                                 modnss_ctx_t *mctx)
- {
-     if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
-         SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-         SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
-     } else if (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) {
-         SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_TRUE);
-         SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
-     } else {
-         SSL_OptionSet(mctx->model, SSL_REQUEST_CERTIFICATE, PR_FALSE);
-         SSL_OptionSet(mctx->model, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
-     }
- }
- 
- static int countciphers(PRBool cipher_state[ciphernum], int version) {
-     int ciphercount = 0;
-     int i;
- 
-     for (i = 0; i < ciphernum; i++)
-     {
-         if ((cipher_state[i] == PR_TRUE) &&
-             (ciphers_def[i].version & version)) {
-             ciphercount++;
-         }
-     }
-@@ -1702,30 +1722,54 @@
-             return -1;
-         }
- 
-         if ((ciphers = strchr(cipher, ','))) {
-             *ciphers++ = '\0';
-         }
- 
-         found = PR_FALSE;
- 
-         for (i = 0; i < ciphernum; i++)
-         {
-             if (!strcasecmp(cipher, ciphers_def[i].name)) {
-                 cipher_list[i] = active;
-                 found = PR_TRUE;
-                 break;
-             }
-         }
- 
-         if (found == PR_FALSE) {
-             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                          "Unknown cipher %s", cipher);
-         }
- 
-         if (ciphers) {
-             cipher = ciphers;
-         }
-     }
- 
-     return 0;
- }
-+
-+
-+
-+
-+PRInt32 mod_nss_SSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
-+           PRUint32 sniNameArrSize, void *arg)
-+{
-+  /* 
-+	arg is apr pool memory from apr_palloc(), SNIMAXNAMELEN+1 bytes long.
-+	initialized zero.
-+   */
-+
-+   char * retptr = NULL;
-+   const SECItem *mysni = sniNameArr;
-+
-+	if(mysni) {
-+	    retptr = apr_cpystrn(arg, mysni[0].data, 
-+			( mysni[0].len + 1 < SNIMAXNAMELEN ) ? mysni[0].len + 1 : SNIMAXNAMELEN );
-+	    return 0;
-+	} else {
-+	    /* no SNI provided... Well. */
-+	    return SSL_SNI_CURRENT_CONFIG_IS_USED;
-+	}
-+}
diff --git a/mod_nss-SNI-checks.patch b/mod_nss-SNI-checks.patch
deleted file mode 100644
index d879292..0000000
--- a/mod_nss-SNI-checks.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-diff -rNU 30 ../mod_nss-1.0.8-o/nss_engine_kernel.c ./nss_engine_kernel.c
---- ../mod_nss-1.0.8-o/nss_engine_kernel.c	2014-06-25 19:13:26.000000000 +0200
-+++ ./nss_engine_kernel.c	2014-06-27 13:57:40.000000000 +0200
-@@ -1,102 +1,151 @@
- /* Copyright 2001-2004 The Apache Software Foundation
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-  * You may obtain a copy of the License at
-  *
-  *     http://www.apache.org/licenses/LICENSE-2.0
-  *
-  * Unless required by applicable law or agreed to in writing, software
-  * distributed under the License is distributed on an "AS IS" BASIS,
-  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  * See the License for the specific language governing permissions and
-  * limitations under the License.
-  */
- #include "mod_nss.h"
- #include "secerr.h"
- 
- static void HandshakeDone(PRFileDesc *fd, void *doneflag);
- 
-+extern void * sni_callback_arg;
-+
- /*
-  *  Post Read Request Handler
-  */
- int nss_hook_ReadReq(request_rec *r)
- {
-     SSLConnRec *sslconn = myConnConfig(r->connection);
-     PRFileDesc *ssl = sslconn ? sslconn->ssl : NULL;
- 
-     if (!sslconn) {
-         return DECLINED;
-     }
- 
-     if (sslconn->non_nss_request) {
-         const char *errmsg;
-         char *thisurl;
-         char *thisport = "";
-         int port = ap_get_server_port(r);
- 
-         if (!ap_is_default_port(port, r)) {
-             thisport = apr_psprintf(r->pool, ":%u", port);
-         }
- 
-         thisurl = ap_escape_html(r->pool,
-                                  apr_psprintf(r->pool, "https://%s%s/",
-                                               ap_get_server_name(r),
-                                               thisport));
- 
-         errmsg = apr_psprintf(r->pool,
-                               "Reason: You're speaking plain HTTP "
-                               "to an SSL-enabled server port.<br />\n"
-                               "Instead use the HTTPS scheme to access "
-                               "this URL, please.<br />\n"
-                               "<blockquote>Hint: "
-                               "<a href=\"%s\"><b>%s</b></a></blockquote>",
-                               thisurl, thisurl);
- 
-         apr_table_setn(r->notes, "error-notes", errmsg);
-         /* Now that we have caught this error, forget it. we are done
-          * with using SSL on this request.
-          */
-         sslconn->non_nss_request = 0;
- 
- 
-         return HTTP_BAD_REQUEST;
-     }
- 
-     /* Get the SSL connection structure and perform the
-      * delayed interlinking from SSL back to request_rec
-      */
-     if (!ssl) {
-         return DECLINED; 
-     }
- 
-+
-+    /*
-+     * SNI.
-+     *
-+     * global pool-allocated char * sni_callback_arg contains SNI name
-+     * coming from mod_nss_SSLSNISocketConfig() callback by nss as soon as 
-+     * SNI extension information was supplied by the client.
-+     *
-+     * With the SNI provided servername, this is now widely analogous
-+     * to mod_ssl; the same checks apply.
-+     *
-+     */
-+
-+
-+
-+    char *servername;
-+    servername = (char *) sni_callback_arg;
-+
-+    if(servername[0] != '\0') {
-+	char *host, *scope_id;
-+        apr_port_t port;
-+        apr_status_t rv;
-+
-+	if (!r->hostname) {
-+	    ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-+		"Hostname %s provided via SNI, but no hostname"
-+		" provided in HTTP request", servername);
-+	    return HTTP_BAD_REQUEST;
-+	}
-+
-+        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
-+        if (rv != APR_SUCCESS || scope_id) {
-+            return HTTP_BAD_REQUEST;
-+        }
-+
-+	if (strcasecmp(host, servername)) {
-+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-+                        "Hostname %s provided via SNI and hostname %s provided"
-+                        " via HTTP are different", servername, host);
-+            return HTTP_BAD_REQUEST;
-+        }
-+
-+
-+    }
-+
-+
-+
-     /*
-      * Log information about incoming HTTPS requests
-      */
-     if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
-         ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
-                      "%s HTTPS request received for child %ld (server %s)",
-                      (r->connection->keepalives <= 0 ?
-                      "Initial (No.1)" :
-                      apr_psprintf(r->pool, "Subsequent (No.%d)",
-                                   r->connection->keepalives+1)),
-                      r->connection->id,
-                      nss_util_vhostid(r->pool, r->server));
-     }
- 
-     if (sslconn->client_cert != NULL)
-         CERT_DestroyCertificate(sslconn->client_cert);
-     sslconn->client_cert = SSL_PeerCertificate(ssl);
-     sslconn->client_dn = NULL;
- 
-     return DECLINED;
- }
- 
- /*
-  *  Access Handler
-  */
- int nss_hook_Access(request_rec *r)
- {
-     SSLDirConfigRec *dc = myDirConfig(r);
-     SSLSrvConfigRec *sc = mySrvConfig(r->server);
-     SSLConnRec *sslconn = myConnConfig(r->connection);
diff --git a/mod_nss-cipherlist_update_for_tls12-doc.diff b/mod_nss-cipherlist_update_for_tls12-doc.diff
index eed96d7..0b132b0 100644
--- a/mod_nss-cipherlist_update_for_tls12-doc.diff
+++ b/mod_nss-cipherlist_update_for_tls12-doc.diff
@@ -1,7 +1,7 @@
 diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
 --- ../mod_nss-1.0.8-o/docs/mod_nss.html	2014-02-18 16:30:19.000000000 +0100
 +++ ./docs/mod_nss.html	2014-02-18 16:48:18.000000000 +0100
-@@ -632,100 +632,121 @@
+@@ -632,100 +632,135 @@
        </td>
        <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
      </tr>
@@ -53,11 +53,18 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
        <td style="vertical-align: top;">SSLv3/TLSv1.0/TLSv1.1/TLSv1.2</td>
      </tr>
 +    <tr>
++      <td style="vertical-align: top;">rsa_aes_128_sha256<br>
++      </td>
++      <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_CBC_SHA256<br>
++      </td>
++      <td style="vertical-align: top;">TLSv1.2</td>
++    </tr>
++    <tr>
 +      <td style="vertical-align: top;">rsa_aes_128_gcm_sha<br>
 +      </td>
 +      <td style="vertical-align: top;">TLS_RSA_WITH_AES_128_GCM_SHA256<br>
 +      </td>
-+      <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
++      <td style="vertical-align: top;">TLSv1.2</td>
 +    </tr>
 +    <tr>
 +      <td style="vertical-align: top;">rsa_camellia_128_sha<br>
@@ -72,6 +79,13 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
 +      <td style="vertical-align: top;">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br>
 +      </td>
 +      <td style="vertical-align: top;">TLSv1.0/TLSv1.1/TLSv1.2</td>
++    </tr>
++    <tr>
++      <td style="vertical-align: top;">rsa_aes_256_sha256<br>
++      </td>
++      <td style="vertical-align: top;">TLS_RSA_WITH_AES_256_CBC_SHA256<br>
++      </td>
++      <td style="vertical-align: top;">TLSv1.2</td>
 +    </tr>
    </tbody>
  </table>
@@ -123,7 +137,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
        <td>ecdhe_ecdsa_rc4_128_sha</td>
        <td>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</td>
        <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
-@@ -773,100 +794,120 @@
+@@ -773,100 +794,130 @@
      <tr>
        <td>echde_rsa_null</td>
        <td>TLS_ECDHE_RSA_WITH_NULL_SHA</td>
@@ -175,6 +189,16 @@ diff -rNU 50 ../mod_nss-1.0.8-o/docs/mod_nss.html ./docs/mod_nss.html
        <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
      </tr>
 +    <tr>
++      <td>ecdh_ecdsa_aes_128_sha256</td>
++      <td>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</td>
++      <td>TLSv1.2</td>
++    </tr>
++    <tr>
++      <td>ecdh_rsa_aes_128_sha256</td>
++      <td>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</td>
++      <td>TLSv1.2</td>
++    </tr>
++    <tr>
 +      <td>ecdh_ecdsa_aes_128_gcm_sha</td>
 +      <td>TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256</td>
 +      <td>TLSv1.0/TLSv1.1/TLSv1.2</td>
diff --git a/mod_nss-cipherlist_update_for_tls12.diff b/mod_nss-cipherlist_update_for_tls12.diff
index fb3e1ed..7bee592 100644
--- a/mod_nss-cipherlist_update_for_tls12.diff
+++ b/mod_nss-cipherlist_update_for_tls12.diff
@@ -53,10 +53,10 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
  /* the table itself is defined in nss_engine_init.c */
  #ifdef NSS_ENABLE_ECC
 -#define ciphernum 48
-+#define ciphernum 55
++#define ciphernum 59
  #else
 -#define ciphernum 23
-+#define ciphernum 26
++#define ciphernum 28
  #endif
  
  /*
@@ -110,7 +110,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/mod_nss.h ./mod_nss.h
 diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
 --- ../mod_nss-1.0.8-o/nss_engine_init.c	2014-02-18 16:30:19.000000000 +0100
 +++ ./nss_engine_init.c	2014-02-18 16:30:51.000000000 +0100
-@@ -15,122 +15,130 @@
+@@ -15,122 +15,134 @@
  
  #include "mod_nss.h"
  #include "apr_thread_proc.h"
@@ -161,9 +161,11 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
      {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, 0, SSL3 | TLS},
      /* AES ciphers.*/
      {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, 0, SSL3 | TLS},
++    {"rsa_aes_128_sha256", TLS_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
 +    {"rsa_aes_128_gcm_sha", TLS_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
 +    {"rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 0, TLS},
      {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, 0, SSL3 | TLS},
++    {"rsa_aes_256_sha256", TLS_RSA_WITH_AES_256_CBC_SHA256, 0, TLS},
 +    {"rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 0, TLS},
 +
  #ifdef NSS_ENABLE_ECC
@@ -178,6 +180,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
      {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0, TLS},
      {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
      {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, TLS},
++    {"ecdhe_ecdsa_aes_128_sha256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0, TLS},
 +    {"ecdhe_ecdsa_aes_128_gcm_sha", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0, TLS},
      {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0, TLS},
      {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, 0, TLS},
@@ -190,6 +193,7 @@ diff -rNU 50 ../mod_nss-1.0.8-o/nss_engine_init.c ./nss_engine_init.c
      {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0, TLS},
      {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0, TLS},
      {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0, TLS},
++    {"ecdhe_rsa_aes_128_sha256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0, TLS},
 +    {"ecdhe_rsa_aes_128_gcm_sha", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0, TLS},
      {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0, TLS},
      {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, 0, TLS},
diff --git a/mod_nss.conf.in b/mod_nss.conf.in
index 2a980bf..ad35f30 100644
--- a/mod_nss.conf.in
+++ b/mod_nss.conf.in
@@ -216,7 +216,7 @@ NSSRequireSafeNegotiation off
 # * no rc4, no 3des, no des
 # * ephemeral is what you want (PFS).
 # * EC has precedence over RSA
-NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha
+NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+ecdhe_rsa_aes_256_sha256,+rsa_aes_256_sha256,+ecdhe_rsa_aes_256_sha256
 
 #   SSL Protocol:
 #   Cryptographic protocols that provide communication security.