diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes index 293cdf9..d6980ac 100644 --- a/apache2-mod_nss.changes +++ b/apache2-mod_nss.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Oct 23 12:53:12 UTC 2017 - vcizek@suse.com + +- Use ss instead of the deprecated netstat in gencert (bsc#1064415) + * add mod_nss-gencert_use_ss_instead_of_netstat.patch +- spec: cleanup and fix URLs + ------------------------------------------------------------------- Thu Sep 29 15:26:39 UTC 2016 - jengelh@inai.de diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec index 8fc639d..aa6cf77 100644 --- a/apache2-mod_nss.spec +++ b/apache2-mod_nss.spec @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,25 +16,30 @@ # +%define apxs %{_sbindir}/apxs2 +%define apache apache2 +%define apache_libexecdir %(%{apxs} -q LIBEXECDIR) +%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) +%define apache_includedir %(%{apxs} -q INCLUDEDIR) +%define apache_serverroot %(%{apxs} -q PREFIX) +%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) +%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss +Version: 1.0.14 +Release: 0 Summary: SSL/TLS module for the Apache HTTP server License: Apache-2.0 Group: Productivity/Networking/Web/Servers -Version: 1.0.14 -Release: 0.4.8 -Url: https://fedorahosted.org/mod_nss -Source: https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz +Url: https://pagure.io/mod_nss +Source: https://releases.pagure.org/mod_nss/mod_nss-%{version}.tar.gz Source1: mod_nss.conf.in Source2: listen_nss.conf Source4: README-SUSE.txt Source5: vhost-nss.template -Provides: mod_nss -Requires: %{apache_mmn} -Requires: %{apache_suse_maintenance_mmn} -Requires: apache2 >= 2.2.12 -Requires: findutils -Requires: mozilla-nss >= 3.15.1 -PreReq: mozilla-nss-tools +Patch1: mod_nss-migrate.patch +Patch2: mod_nss-gencert-correct-ownership.patch +Patch3: mod_nss-dont_disable_SSLV2.patch +Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: automake @@ -43,6 +48,7 @@ BuildRequires: curl BuildRequires: findutils BuildRequires: flex BuildRequires: gcc-c++ +BuildRequires: iproute2 BuildRequires: libapr-util1-devel BuildRequires: libapr1-devel BuildRequires: libtool 
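Review bot: The `Source:` tag in the `@@ -16,25 +16,30 @@` hunk now fetches `mod_nss-%{version}.tar.gz` from releases.pagure.org while `Version` stays 1.0.14, and none of the visible Source or Patch tags supplies a signature or keyring to check the tarball against. Because the version is unchanged, the archive should be byte-identical to the one previously taken from fedorahosted.org. It is worth confirming that by checksum before accepting the new URL, and recording it above the tag with a comment such as `# same 1.0.14 tarball as before, only the download host changed`. If upstream publishes a detached signature, listing it as an additional Source would let the build verify it.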
@@ -50,20 +56,14 @@ BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.15.1 BuildRequires: mozilla-nss-tools BuildRequires: pkgconfig - -Patch1: mod_nss-migrate.patch -Patch2: mod_nss-gencert-correct-ownership.patch -Patch3: mod_nss-dont_disable_SSLV2.patch - -BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define apxs /usr/sbin/apxs2 -%define apache apache2 -%define apache_libexecdir %(%{apxs} -q LIBEXECDIR) -%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) -%define apache_includedir %(%{apxs} -q INCLUDEDIR) -%define apache_serverroot %(%{apxs} -q PREFIX) -%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) -%define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d +Requires: %{apache_mmn} +Requires: %{apache_suse_maintenance_mmn} +Requires: apache2 >= 2.2.12 +Requires: findutils +Requires: iproute2 +Requires: mozilla-nss >= 3.15.1 +Requires(post): mozilla-nss-tools +Provides: mod_nss %description The mod_nss module provides strong cryptography for the Apache Web 
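Review bot: `Requires(post): mozilla-nss-tools` only guarantees the tools are present while the %post scriptlet runs, so they can be removed after installation. The package also installs gencert into `%{_sbindir}` for later use, and the patch added in this commit shows that script invoking `$CERTUTIL`. If that resolves to certutil from mozilla-nss-tools, a later manual run of gencert would fail once the tools are gone. Consider adding a plain `Requires: mozilla-nss-tools` next to the scriptlet dependency.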
@@ -76,20 +76,21 @@ security library. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] %build -CFLAGS="$RPM_OPT_FLAGS" +CFLAGS="%{optflags}" export CFLAGS -NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr` -NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr` -NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss` -NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss` -NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss` +NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nspr` +NSPR_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nspr` +NSS_INCLUDE_DIR=`%{_bindir}/pkg-config --variable=includedir nss` +NSS_LIB_DIR=`%{_bindir}/pkg-config --variable=libdir nss` +NSS_BIN=`%{_bindir}/pkg-config --variable=exec_prefix nss` # For some reason mod_nss can't find nss on SUSE unless we do the following -C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/" +C_INCLUDE_PATH="%{_includedir}/nss3:%{_includedir}/nspr4:%{_includedir}/apache2-prefork/" export C_INCLUDE_PATH # no more patching a config file... cp -a %{SOURCE1} ./nss.conf.in 
@@ -110,30 +111,30 @@ make %{?_smp_mflags} all # The install target of the Makefile isn't used because that uses apxs # which tries to enable the module in the build host httpd instead of in # the build root. -mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir} -mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d -mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d -mkdir -p $RPM_BUILD_ROOT%{_sbindir} -mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir} +mkdir -p %{buildroot}/%{apache_libexecdir} +mkdir -p %{buildroot}%{apache_sysconfdir}/conf.d +mkdir -p %{buildroot}%{apache_sysconfdir}/vhosts.d +mkdir -p %{buildroot}%{_sbindir} +mkdir -p %{buildroot}%{apache_sysconf_nssdir} %if 0%{?suse_version} perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf %endif -install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf -install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template -install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf -install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so -install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/ -install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/ -install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl +install -m 644 nss.conf %{buildroot}%{apache_sysconfdir}/conf.d/mod_nss.conf +install -m 644 %{SOURCE5} %{buildroot}%{apache_sysconfdir}/vhosts.d/vhost-nss.template +install -m 644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/listen_nss.conf +install -m 755 .libs/libmodnss.so %{buildroot}%{apache_libexecdir}/mod_nss.so +install -m 755 nss_pcache %{buildroot}%{_sbindir}/ +install -m 755 gencert %{buildroot}%{_sbindir}/ +install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ -touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db -touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db -touch 
$RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db -touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log -perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert +touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db +touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db +touch %{buildroot}%{apache_sysconf_nssdir}/key3.db +touch %{buildroot}%{apache_sysconf_nssdir}/install.log +perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert %check set +x @@ -148,7 +149,7 @@ NSSEngine on NSSNickname Server-Cert NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf -NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache +NSSPassPhraseHelper %{buildroot}%{_sbindir}/nss_pcache NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 @@ -173,7 +174,7 @@ EOF exit_code=0 # run apache test instance %apache_test_module_start_apache -m nss -i mod_nss-test.conf -# get test document +# get test document %apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt echo echo 'Testing /index.html output' @@ -203,7 +204,6 @@ find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp -h www {} find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} + %files -%defattr(-,root,root,-) %doc README LICENSE docs/mod_nss.html README-SUSE.txt %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf %config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template diff --git a/mod_nss-gencert_use_ss_instead_of_netstat.patch b/mod_nss-gencert_use_ss_instead_of_netstat.patch new file mode 100644 index 0000000..ea5cc7e --- /dev/null 
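Review bot: The rewritten line `perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert` in the `@@ -110,30 +111,30 @@` hunk reads two shell variables that the visible spec assigns only in %build. rpm runs each section as a separate shell script, so unless they are set again in the part of %install above this hunk, both expand to nothing and the path rewrite in gencert silently does not happen. Recomputing them just before the perl call would make the step self-contained: `NSS_LIB_DIR=$(pkg-config --variable=libdir nss)` and `NSS_BIN=$(pkg-config --variable=exec_prefix nss)`.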
+++ b/mod_nss-gencert_use_ss_instead_of_netstat.patch 
@@ -0,0 +1,49 @@
+Index: mod_nss-1.0.14/gencert.in
+===================================================================
+--- mod_nss-1.0.14.orig/gencert.in 2017-10-23 14:24:27.151814720 +0200
++++ mod_nss-1.0.14/gencert.in 2017-10-23 14:46:58.661468853 +0200
+@@ -181,7 +181,7 @@ echo ""
+ echo "#####################################################################"
+ echo "Generating self-signed client CA certificate"
+ echo "#####################################################################"
+-(ps -elf; date; netstat -a) > $DEST/noise
++(ps -elf; date; ss -a) > $DEST/noise
+ let CERTSERIAL=CERTSERIAL+1
+ # 5 9 n -> Cert signing key
+ # y 10 y -> basic constraints: CA cert
+@@ -203,7 +203,7 @@ echo ""
+ echo "#####################################################################"
+ echo "Generating user certificate for \"alpha\"."
+ echo "#####################################################################"
+-(ps -elf; date; netstat -a) > $DEST/noise
++(ps -elf; date; ss -a) > $DEST/noise
+ let CERTSERIAL=CERTSERIAL+1
+ # 0 2 9 n -> Key usage: Key Encipherment, Digital Signature
+ # 0 9 n -> SSL Client
+@@ -225,7 +225,7 @@ echo ""
+ echo "#####################################################################"
+ echo "Generating user certificate for \"beta\"."
+ echo "#####################################################################"
+-(ps -elf; date; netstat -a) > $DEST/noise
++(ps -elf; date; ss -a) > $DEST/noise
+ let CERTSERIAL=CERTSERIAL+1
+ # 0 2 9 n -> Key usage: Key Encipherment, Digital Signature
+ # 0 9 n -> SSL Client
+@@ -248,7 +248,7 @@ echo ""
+ echo "#####################################################################"
+ echo "Generating user certificate for \"colon\"."
+ echo "#####################################################################"
+-(ps -elf; date; netstat -a) > $DEST/noise
++(ps -elf; date; ss -a) > $DEST/noise
+ let CERTSERIAL=CERTSERIAL+1
+ # 0 2 9 n -> Key usage: Key Encipherment, Digital Signature
+ # 0 9 n -> SSL Client
+@@ -274,7 +274,7 @@ echo ""
+ echo "#####################################################################"
+ echo "Generating server certificate request"
+ echo "#####################################################################"
+-(ps -elf; date; netstat -a) > $DEST/noise
++(ps -elf; date; ss -a) > $DEST/noise
+ $CERTUTIL -R -d $DBDIR \
+ -s "$SERVER_CERTDN" \
+ -o $DEST/tmpcertreq \
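Review bot: Each of the five changed lines still fills `$DEST/noise` from `ps -elf; date; ss -a`, output that any local user can largely reproduce. If that file seeds key generation, it adds little unpredictability; it looks like certutil's noise file, though the arguments that would consume it are outside these hunks. Reading the kernel generator instead is a one-line change per site: `dd if=/dev/urandom of="$DEST/noise" bs=1024 count=1 2>/dev/null`. The redirection also leaves `$DEST` unquoted. The surrounding script sections start and end outside the hunks, so how the file's permissions are set and whether it is cleaned up cannot be judged from here.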