Accepting request 178606 from mozilla:Factory

OBS-URL: https://build.opensuse.org/request/show/178606
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=80

bug-834091.patch

@@ -1,216 +0,0 @@
-Index: security/nss/lib/pkcs7/p7decode.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v
-retrieving revision 1.31
-diff -u -8 -p -r1.31 p7decode.c
---- security/nss/lib/pkcs7/p7decode.c	12 Dec 2012 19:25:36 -0000	1.31
-+++ security/nss/lib/pkcs7/p7decode.c	25 Jan 2013 23:22:54 -0000
-@@ -1276,17 +1276,18 @@ SEC_PKCS7ContentIsSigned(SEC_PKCS7Conten
-  * there should be NO authenticatedAttributes (signerinfo->authAttr should
-  * be NULL).
-  */
- static PRBool
- sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
- 			   SECCertUsage certusage,
- 			   const SECItem *detached_digest,
- 			   HASH_HashType digest_type,
--			   PRBool keepcerts)
-+			   PRBool keepcerts,
-+			   PRTime atTime)
- {
-     SECAlgorithmID **digestalgs, *bulkid;
-     const SECItem *digest;
-     SECItem **digests;
-     SECItem **rawcerts;
-     CERTSignedCrl **crls;
-     SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
-     CERTCertificate *cert, **certs;
-@@ -1294,17 +1295,18 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont
-     CERTCertDBHandle *certdb, *defaultdb; 
-     SECOidTag encTag,digestTag;
-     HASH_HashType found_type;
-     int i, certcount;
-     SECKEYPublicKey *publickey;
-     SECItem *content_type;
-     PK11SymKey *sigkey;
-     SECItem *encoded_stime;
--    int64 stime;
-+    PRTime stime;
-+    PRTime verificationTime;
-     SECStatus rv;
- 
-     /*
-      * Everything needed in order to "goto done" safely.
-      */
-     goodsig = PR_FALSE;
-     certcount = 0;
-     cert = NULL;
-@@ -1431,18 +1433,20 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont
-     /*
-      * XXX  This uses the signing time, if available.  Additionally, we
-      * might want to, if there is no signing time, get the message time
-      * from the mail header itself, and use that.  That would require
-      * a change to our interface though, and for S/MIME callers to pass
-      * in a time (and for non-S/MIME callers to pass in nothing, or
-      * maybe make them pass in the current time, always?).
-      */
-+    verificationTime = atTime ? atTime
-+			      : (encoded_stime ? stime : PR_Now());
-     if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
--			 encoded_stime != NULL ? stime : PR_Now(),
-+			 verificationTime,
- 			 cinfo->pwfn_arg, NULL) != SECSuccess)
- 	{
- 	/*
- 	 * XXX Give the user an option to check the signature anyway?
- 	 * If we want to do this, need to give a way to leave and display
- 	 * some dialog and get the answer and come back through (or do
- 	 * the rest of what we do below elsewhere, maybe by putting it
- 	 * in a function that we call below and could call from a dialog
-@@ -1752,17 +1756,17 @@ done:
-  *	into our local database.
-  */
- PRBool
- SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
- 			 SECCertUsage certusage,
- 			 PRBool keepcerts)
- {
-     return sec_pkcs7_verify_signature (cinfo, certusage,
--				       NULL, HASH_AlgNULL, keepcerts);
-+				       NULL, HASH_AlgNULL, keepcerts, 0);
- }
- 
- /*
-  * SEC_PKCS7VerifyDetachedSignature
-  *	Look at a PKCS7 contentInfo and check if the signature matches
-  *	a passed-in digest (calculated, supposedly, from detached contents).
-  *	The verification checks that the signing cert is valid and trusted
-  *	for the purpose specified by "certusage".
-@@ -1774,19 +1778,44 @@ PRBool
- SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- 				 SECCertUsage certusage,
- 				 const SECItem *detached_digest,
- 				 HASH_HashType digest_type,
- 				 PRBool keepcerts)
- {
-     return sec_pkcs7_verify_signature (cinfo, certusage,
- 				       detached_digest, digest_type,
--				       keepcerts);
-+				       keepcerts, 0);
- }
- 
-+/*
-+ * SEC_PKCS7VerifyDetachedSignatureAtTime
-+ *      Look at a PKCS7 contentInfo and check if the signature matches
-+ *      a passed-in digest (calculated, supposedly, from detached contents).
-+ *      The verification checks that the signing cert is valid and trusted
-+ *      for the purpose specified by "certusage" at time "atTime"
-+ *      if "atTime" is non-zero, or at the current time (as returned by
-+ *      PR_Now) otherwise.
-+ */
-+PRBool
-+SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
-+				       SECCertUsage certusage,
-+				       const SECItem *detached_digest,
-+				       HASH_HashType digest_type,
-+				       PRBool keepcerts,
-+				       PRTime atTime)
-+{
-+    if (!atTime) {
-+	atTime = PR_Now();
-+    }
-+
-+    return sec_pkcs7_verify_signature (cinfo, certusage,
-+				       detached_digest, digest_type,
-+				       keepcerts, atTime);
-+}
- 
- /*
-  * Return the asked-for portion of the name of the signer of a PKCS7
-  * signed object.
-  *
-  * Returns a pointer to allocated memory, which must be freed.
-  * A NULL return value is an error.
-  */
-@@ -1839,17 +1868,17 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7
-      */
-     if (signercert == NULL) {
- 	/*
- 	 * The cert usage does not matter in this case, because we do not
- 	 * actually care about the verification itself, but we have to pick
- 	 * some valid usage to pass in.
- 	 */
- 	(void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
--					   NULL, HASH_AlgNULL, PR_FALSE);
-+					   NULL, HASH_AlgNULL, PR_FALSE, 0);
- 	signercert = signerinfos[0]->cert;
- 	if (signercert == NULL)
- 	    return NULL;
-     }
- 
-     switch (selector) {
-       case sec_common_name:
- 	container = CERT_GetCommonName (&signercert->subject);
-Index: security/nss/lib/pkcs7/secpkcs7.h
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v
-retrieving revision 1.10
-diff -u -8 -p -r1.10 secpkcs7.h
---- security/nss/lib/pkcs7/secpkcs7.h	27 Nov 2012 22:48:08 -0000	1.10
-+++ security/nss/lib/pkcs7/secpkcs7.h	25 Jan 2013 23:22:54 -0000
-@@ -128,16 +128,33 @@ extern PRBool SEC_PKCS7VerifySignature(S
-  *	into our local database.
-  */
- extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- 					       SECCertUsage certusage,
- 					       const SECItem *detached_digest,
- 					       HASH_HashType digest_type,
- 					       PRBool keepcerts);
- 
-+
-+/*
-+ * SEC_PKCS7VerifyDetachedSignatureAtTime
-+ *      Look at a PKCS7 contentInfo and check if the signature matches
-+ *      a passed-in digest (calculated, supposedly, from detached contents).
-+ *      The verification checks that the signing cert is valid and trusted
-+ *      for the purpose specified by "certusage" at time "atTime"
-+ *      if "atTime" is non-zero, or at the current time (as returned by
-+ *      PR_Now) otherwise.
-+ */
-+extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
-+						     SECCertUsage certusage,
-+						     const SECItem *detached_digest,
-+						     HASH_HashType digest_type,
-+						     PRBool keepcerts,
-+						     PRTime atTime);
-+
- /*
-  * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
-  *      The passed-in contentInfo is espected to be Signed, and these
-  *      functions return the specified portion of the full signer name.
-  *
-  *      Returns a pointer to allocated memory, which must be freed.
-  *      A NULL return value is an error.
-  */
-Index: security/nss/lib/smime/smime.def
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/smime/smime.def,v
-retrieving revision 1.39
-diff -u -8 -p -r1.39 smime.def
---- security/nss/lib/smime/smime.def	25 Apr 2012 14:50:09 -0000	1.39
-+++ security/nss/lib/smime/smime.def	25 Jan 2013 23:22:54 -0000
-@@ -262,8 +262,14 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDa
- ;+       *;
- ;+};
- ;+NSS_3.13 {    # NSS 3.13 release
- ;+    global:
- NSSSMIME_GetVersion;
- ;+    local:
- ;+       *;
- ;+};
-+;+NSS_3.14.3 {    # NSS 3.14.3 release
-+;+    global:
-+SEC_PKCS7VerifyDetachedSignatureAtTime;
-+;+    local:
-+;+       *;
-+;+};

char.patch

@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/cmd/modutil/install-ds.c,v
 retrieving revision 1.2
 diff -u -p -6 -r1.2 install-ds.c
 --- security/nss/cmd/modutil/install-ds.c	25 Apr 2004 15:02:47 -0000	1.2
-+++ security/nss/cmd/modutil/install-ds.c	5 Feb 2007 06:57:38 -0000
++++ nss/cmd/modutil/install-ds.c	5 Feb 2007 06:57:38 -0000
 @@ -249,13 +249,13 @@ Pk11Install_File_Generate(Pk11Install_Fi
  				if(!subval || (subval->type != STRING_VALUE)){
  					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],

malloc.patch

@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v
 retrieving revision 1.100
 diff -u -r1.100 ssl.sh
 --- security/nss/tests/ssl/ssl.sh	26 Mar 2009 23:14:34 -0000	1.100
-+++ security/nss/tests/ssl/ssl.sh	6 Jun 2009 06:21:07 -0000
++++ nss/tests/ssl/ssl.sh	6 Jun 2009 06:21:07 -0000
 @@ -974,6 +974,7 @@
  
  ################################# main #################################

mozilla-nss.changes

@@ -1,3 +1,73 @@
+-------------------------------------------------------------------
+Tue Jun 11 04:58:56 UTC 2013 - wr@rosenauer.org
+
+- update to 3.15
+  * Packaging
+    + removed obsolete patches
+      * nss-disable-expired-testcerts.patch
+      * bug-834091.patch
+  * New Functionality
+    + Support for OCSP Stapling (RFC 6066, Certificate Status
+      Request) has been added for both client and server sockets.
+      TLS client applications may enable this via a call to
+      SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+    + Added function SECITEM_ReallocItemV2. It replaces function
+      SECITEM_ReallocItem, which is now declared as obsolete.
+    + Support for single-operation (eg: not multi-part) symmetric
+      key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
+    + certutil has been updated to support creating name constraints
+      extensions.
+  * New Functions
+    in ssl.h
+      SSL_PeerStapledOCSPResponse - Returns the server's stapled
+        OCSP response, when used with a TLS client socket that
+        negotiated the status_request extension.
+      SSL_SetStapledOCSPResponses - Set's a stapled OCSP response
+        for a TLS server socket to return when clients send the
+        status_request extension.
+    in ocsp.h
+      CERT_PostOCSPRequest - Primarily intended for testing, permits
+        the sending and receiving of raw OCSP request/responses.
+    in secpkcs7.h
+      SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7
+        signature at a specific time other than the present time.
+    in xconst.h
+      CERT_EncodeNameConstraintsExtension - Matching function for
+        CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
+    in secitem.h
+      SECITEM_AllocArray
+      SECITEM_DupArray
+      SECITEM_FreeArray
+      SECITEM_ZfreeArray - Utility functions to handle the
+        allocation and deallocation of SECItemArrays
+      SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is
+        now obsolete. SECITEM_ReallocItemV2 better matches caller
+        expectations, in that it updates item->len on allocation.
+        For more details of the issues with SECITEM_ReallocItem,
+        see Bug 298649 and Bug 298938.
+    in pk11pub.h
+      PK11_Decrypt - Performs decryption as a single PKCS#11
+        operation (eg: not multi-part). This is necessary for AES-GCM.
+      PK11_Encrypt - Performs encryption as a single PKCS#11
+        operation (eg: not multi-part). This is necessary for AES-GCM.
+  * New Types
+    in secitem.h
+      SECItemArray - Represents a variable-length array of SECItems.
+  * New Macros
+    in ssl.h
+      SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure
+        TLS client sockets to request the certificate_status extension
+        (eg: OCSP stapling) when set to PR_TRUE
+  * Notable changes
+    + SECITEM_ReallocItem is now deprecated. Please consider using
+      SECITEM_ReallocItemV2 in all future code.
+    + The list of root CA certificates in the nssckbi module has
+      been updated.
+    + The default implementation of SSL_AuthCertificate has been
+      updated to add certificate status responses stapled by the TLS
+      server to the OCSP cache.
+  * a lot of bugfixes
+
 -------------------------------------------------------------------
 Tue Apr 16 10:27:04 UTC 2013 - idonmez@suse.com
 

mozilla-nss.spec

@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.14.3
+Version:        3.15
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r <RTM_TAG> NSS
+# hg clone https://hg.mozilla.org/projects/nss; hg up NSS_3_15_RTM
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/nss-%{version}.tar.gz
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
 Source4:        %{name}-rpmlintrc
@@ -55,8 +55,6 @@ Patch5:         renegotiate-transitional.patch
 Patch6:         malloc.patch
 Patch7:         nss-disable-ocsp-test.patch
 Patch8:         nss-sqlitename.patch
-Patch9:         nss-disable-expired-testcerts.patch
-Patch10:        bug-834091.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -161,31 +159,29 @@ Mozilla project.
 
 %prep
 %setup -n nss-%{version} -q
-cd mozilla
+cd nss
-%patch1
+%patch1 -p1
-%patch2
+%patch2 -p1
-%patch3
+%patch3 -p1
-%patch4
+%patch4 -p1
-%patch5
+%patch5 -p1
 %if %suse_version > 1110
-%patch6
+%patch6 -p1
 %endif
-%patch7
+%patch7 -p1
-%patch8
+%patch8 -p1
-%patch9
-%patch10
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
 #make generate
 
 %build
+cd nss
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"
 DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
 TIME="\"$(date -d "${modified}" "+%%R")\""
 find . -name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
 
-cd mozilla/security/nss
 export FREEBL_NO_DEPEND=1
 export NSPR_INCLUDE_DIR=`nspr-config --includedir`
 export NSPR_LIB_DIR=`nspr-config --libdir`
@@ -214,6 +210,7 @@ fi
 %endif
 
 %install
+cd nss
 mkdir -p $RPM_BUILD_ROOT%{_libdir}
 mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss
 mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3
@@ -221,7 +218,7 @@ mkdir -p $RPM_BUILD_ROOT%{_bindir}
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT%{nssdbdir}
-pushd mozilla/dist/Linux*
+pushd ../dist/Linux*
 # copy headers
 cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3
 # copy dynamic libs
@@ -278,9 +275,9 @@ s:%%NSPR_VERSION%%:%{nspr_ver}:g" \
   %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc
 # prepare nss-config file
 popd
-NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
-NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
-NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
 cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
                      -e "s,@prefix@,%{_prefix},g" \
                      -e "s,@exec_prefix@,%{_prefix},g" \

nss-3.14.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d9d366be94d33395597ebf82363fcdedfa693a6d627cf7f6bec025f609d54cc0
-size 6189790

nss-3.15.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c139f331ddcff4d5485590ee1b4489d3731aa520d4f5d942e2e40bba1e23a3cd
+size 6276213

nss-disable-expired-testcerts.patch

@@ -1,30 +0,0 @@
-Index: security/nss/tests/chains/scenarios/realcerts.cfg
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg,v
-retrieving revision 1.4
-diff -u -r1.4 realcerts.cfg
---- security/nss/tests/chains/scenarios/realcerts.cfg	20 Mar 2012 14:47:29 -0000	1.4
-+++ security/nss/tests/chains/scenarios/realcerts.cfg	3 Apr 2013 07:39:49 -0000
-@@ -14,15 +14,15 @@
- import PayPalEE:x:
- import BrAirWaysBadSig:x:
- 
--verify TestUser50:x
--  result pass
-+#verify TestUser50:x
-+#  result pass
- 
--verify TestUser51:x
--  result pass
-+#verify TestUser51:x
-+#  result pass
- 
--verify PayPalEE:x
--  policy OID.2.16.840.1.113733.1.7.23.6 
--  result pass
-+#verify PayPalEE:x
-+#  policy OID.2.16.840.1.113733.1.7.23.6 
-+#  result pass
- 
- verify BrAirWaysBadSig:x
-   result fail

nss-disable-ocsp-test.patch

@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v
 retrieving revision 1.10
 diff -u -r1.10 scenarios
 --- security/nss/tests/chains/scenarios/scenarios	7 Jan 2013 03:56:15 -0000	1.10
-+++ security/nss/tests/chains/scenarios/scenarios	28 Jan 2013 18:11:16 -0000
++++ nss/tests/chains/scenarios/scenarios	28 Jan 2013 18:11:16 -0000
 @@ -50,6 +50,5 @@
  realcerts.cfg
  dsa.cfg

nss-no-rpath.patch

@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v
 retrieving revision 1.71
 diff -u -p -6 -r1.71 platlibs.mk
 --- security/nss/cmd/platlibs.mk	17 Jul 2012 15:22:42 -0000	1.71
-+++ security/nss/cmd/platlibs.mk	25 Oct 2012 12:07:35 -0000
++++ nss/cmd/platlibs.mk	25 Oct 2012 12:07:35 -0000
 @@ -15,15 +15,15 @@ else
  EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
  endif

nss-opt.patch

@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v
 retrieving revision 1.45.2.1
 diff -u -r1.45.2.1 Linux.mk
 --- security/coreconf/Linux.mk	31 Jul 2010 04:23:37 -0000	1.45.2.1
-+++ security/coreconf/Linux.mk	5 Aug 2010 07:35:06 -0000
++++ nss/coreconf/Linux.mk	5 Aug 2010 07:35:06 -0000
 @@ -112,11 +112,7 @@
  endif
  

nss-sqlitename.patch

@@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v
 retrieving revision 1.5
 diff -u -r1.5 manifest.mn
 --- security/nss/lib/sqlite/manifest.mn	25 Apr 2012 14:50:11 -0000	1.5
-+++ security/nss/lib/sqlite/manifest.mn	28 Jan 2013 20:48:22 -0000
++++ nss/lib/sqlite/manifest.mn	28 Jan 2013 20:48:22 -0000
 @@ -6,9 +6,10 @@
  
  MODULE = nss

renegotiate-transitional.patch

@@ -1,11 +1,9 @@
-Index: security/nss/lib/ssl/sslsock.c
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
-===================================================================
+--- a/lib/ssl/sslsock.c
-RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
++++ b/lib/ssl/sslsock.c
-retrieving revision 1.96
+@@ -144,17 +144,17 @@ static sslOptions ssl_defaults = {
-diff -u -p -6 -r1.96 sslsock.c
+     PR_FALSE,	/* fdx                */
---- security/nss/lib/ssl/sslsock.c	24 Sep 2012 23:57:42 -0000	1.96
+     PR_FALSE,	/* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
-+++ security/nss/lib/ssl/sslsock.c	25 Oct 2012 12:08:56 -0000
-@@ -147,13 +147,13 @@ static sslOptions ssl_defaults = {
      PR_TRUE,	/* detectRollBack     */
      PR_FALSE,   /* noStepDown         */
      PR_FALSE,   /* bypassPKCS11       */
@@ -16,7 +14,9 @@ diff -u -p -6 -r1.96 sslsock.c
 +    3,          /* enableRenegotiation (default: requires extension) */
      PR_FALSE,   /* requireSafeNegotiation */
      PR_FALSE,   /* enableFalseStart   */
-     PR_TRUE     /* cbcRandomIV        */
+     PR_TRUE,    /* cbcRandomIV        */
+     PR_FALSE    /* enableOCSPStapling */
  };
  
  /*
+  * default range of enabled SSL/TLS protocols

system-nspr.patch

@@ -1,16 +1,22 @@
-Index: security/nss/Makefile
+diff --git a/Makefile b/Makefile
-===================================================================
+--- a/Makefile
-RCS file: /cvsroot/mozilla/security/nss/Makefile,v
++++ b/Makefile
-retrieving revision 1.36
+@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk
-diff -u -p -r1.36 Makefile
+ #######################################################################
---- security/nss/Makefile	2 Dec 2008 23:24:39 -0000	1.36
+ 
-+++ security/nss/Makefile	23 Nov 2009 16:19:04 -0000
+ 
-@@ -78,7 +78,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ 
+ #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
  #######################################################################
  
--nss_build_all: build_coreconf build_nspr build_dbm all
+-nss_build_all: build_nspr all
-+nss_build_all: build_coreconf build_dbm all
++nss_build_all: all
  
- nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
+ nss_clean_all: clobber_nspr clobber
  
+ NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
+ NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure
+ 
+ #
+ # Translate coreconf build options to NSPR configure options.