diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index cc1ab5c..11c3179 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Thu Sep 24 09:39:17 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.20
+  New functionality:
+  * The TLS library has been extended to support DHE ciphersuites in
+    server applications.
+  New Functions:
+  * SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group
+    parameters that can be used by NSS for a server socket.
+  * SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
+    parameters that are smaller than the library default's minimum size.
+  New Types:
+  * SSLDHEGroupType - Enumerates the set of DHE parameters embedded in
+    NSS that can be used with function SSL_DHEGroupPrefSet.
+  New Macros:
+  * SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable
+    DHE ciphersuites for a server socket.
+  Notable Changes:
+  * For backwards compatibility reasons, the server side implementation
+    of the TLS library keeps all DHE ciphersuites disabled by default.
+    They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE
+    and the SSL_OptionSet or the SSL_OptionSetDefault API.
+  * The server side implementation of the TLS implementation does not
+    support session tickets when using a DHE ciphersuite (see bmo#1174677).
+  * Support for the following ciphersuites has been added:
+    - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
+    - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+    - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+  * By default, the server side TLS implementation will use DHE
+    parameters with a size of 2048 bits when using DHE ciphersuites.
+  * NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
+    8192 bits, which were copied from version 08 of the Internet-Draft
+    "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
+    TLS", Appendix A.
+  * A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
+    server application to select one or multiple of the embedded DHE
+    parameters as the preferred parameters. The current implementation of
+    NSS will always use the first entry in the array that is passed as a
+    parameter to the SSL_DHEGroupPrefSet API. In future versions of the
+    TLS implementation, a TLS client might signal a preference for
+    certain DHE parameters, and the NSS TLS server side implementation
+    might select a matching entry from the set of parameters that have
+    been configured as preferred on the server side.
+  * NSS optionally supports the use of weak DHE parameters with DHE
+    ciphersuites to support legacy clients. In order to enable this
+    support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
+    time this API is called for the first time in a process, a fresh set
+    of weak DHE parameters will be randomly created, which may take a
+    long amount of time. Please refer to the comments in the header file
+    that declares the SSL_EnableWeakDHEPrimeGroup API for additional
+    details.
+  * The size of the default PQG parameters used by certutil when
+    creating DSA keys has been increased to use 2048 bit parameters.
+  * The selfserv utility has been enhanced to support the new DHE features.
+  * NSS no longer supports C compilers that predate the ANSI C standard (C89).
+
+-------------------------------------------------------------------
+Thu Sep 24 09:38:17 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.19.3; certstore updates only
+  * The following CA certificates were removed
+    - Buypass Class 3 CA 1
+    - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+    - SG TRUST SERVICES RACINE
+    - TC TrustCenter Universal CA I
+    - TC TrustCenter Class 2 CA II
+  * The following CA certificate had the Websites trust bit turned off
+    - ComSign Secured CA
+  * The following CA certificates were added
+    - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+    - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+    - Certinomis - Root CA
+  * The version number of the updated root CA list has been set to 2.5
+
 -------------------------------------------------------------------
 Thu Sep 24 09:31:11 UTC 2015 - fstrba@suse.com
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 9c043fd..15253e6 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.10.8
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.19.2
+Version:        3.20
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.19.2/nss ; cd nss-3.19.2/nss ; hg up NSS_3_19_2_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.20/nss ; cd nss-3.20/nss ; hg up NSS_3_20_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
diff --git a/nss-3.19.2.tar.gz b/nss-3.19.2.tar.gz
deleted file mode 100644
index 5a60d73..0000000
--- a/nss-3.19.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1306663e8f61d8449ad8cbcffab743a604dcd9f6f34232c210847c51dce2c9ae
-size 6953657
diff --git a/nss-3.20.tar.gz b/nss-3.20.tar.gz
new file mode 100644
index 0000000..62a9959
--- /dev/null
+++ b/nss-3.20.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c
+size 6955552