diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index a1cfda8..ea3b203 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,85 @@
+-------------------------------------------------------------------
+Wed Jan 18 22:00:31 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.28.1
+ No new functionality is introduced in this release. This is a patch release to
+ update the list of root CA certificates and address a minor TLS compatibility
+ issue that some applications experienced with NSS 3.28.
+ * The following CA certificates were Removed
+ CN = Buypass Class 2 CA 1
+ CN = Root CA Generalitat Valenciana
+ OU = RSA Security 2048 V3
+ * The following CA certificates were Added
+ OU = AC RAIZ FNMT-RCM
+ CN = Amazon Root CA 1
+ CN = Amazon Root CA 2
+ CN = Amazon Root CA 3
+ CN = Amazon Root CA 4
+ CN = LuxTrust Global Root 2
+ CN = Symantec Class 1 Public Primary Certification Authority - G4
+ CN = Symantec Class 1 Public Primary Certification Authority - G6
+ CN = Symantec Class 2 Public Primary Certification Authority - G4
+ CN = Symantec Class 2 Public Primary Certification Authority - G6
+ * The version number of the updated root CA list has been set to 2.11
+ * A misleading assertion/alert has been removed when NSS tries to flush data
+ to the peer but the connection was already reset.
+- update to NSS 3.28
+ New functionality:
+ * NSS includes support for TLS 1.3 draft -18. This includes a number
+ of improvements to TLS 1.3:
+ - The signed certificate timestamp, used in certificate
+ transparency, is supported in TLS 1.3.
+ - Key exporters for TLS 1.3 are supported. This includes the early
+ key exporter, which can be used if 0-RTT is enabled. Note that
+ there is a difference between TLS 1.3 and key exporters in older
+ versions of TLS. TLS 1.3 does not distinguish between an empty
+ context and no context.
+ - The TLS 1.3 (draft) protocol can be enabled, by defining
+ NSS_ENABLE_TLS_1_3=1 when building NSS.
+ - NSS includes support for the X25519 key exchange algorithm,
+ which is supported and enabled by default in all versions of TLS.
+ New Functions:
+ * SSL_ExportEarlyKeyingMaterial
+ * SSL_SendAdditionalKeyShares
+ * SSL_SignatureSchemePrefSet
+ * SSL_SignatureSchemePrefGet
+ Notable Changes:
+ * NSS can no longer be compiled with support for additional elliptic curves.
+ This was previously possible by replacing certain NSS source files.
+ * NSS will now detect the presence of tokens that support additional
+ elliptic curves and enable those curves for use in TLS.
+ Note that this detection has a one-off performance cost, which can be
+ avoided by using the SSL_NamedGroupConfig function to limit supported
+ groups to those that NSS provides.
+ * PKCS#11 bypass for TLS is no longer supported and has been removed.
+ * Support for "export" grade SSL/TLS cipher suites has been removed.
+ * NSS now uses the signature schemes definition in TLS 1.3.
+ This also affects TLS 1.2. NSS will now only generate signatures with the
+ combinations of hash and signature scheme that are defined in TLS 1.3,
+ even when negotiating TLS 1.2.
+ - This means that SHA-256 will only be used with P-256 ECDSA certificates,
+ SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
+ SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
+ compatibility reasons.
+ - New functions to configure signature schemes are provided:
+ SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet.
+ The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are
+ now deprecated.
+ - NSS will now no longer assume that default signature schemes are
+ supported by a peer if there was no commonly supported signature scheme.
+ * NSS will now check if RSA-PSS signing is supported by the token that holds
+ the private key prior to using it for TLS.
+ * The certificate validation code contains checks to no longer trust
+ certificates that are issued by old WoSign and StartCom CAs after
+ October 21, 2016. This is equivalent to the behavior that Mozilla will
+ release with Firefox 51.
+- update to NSS 3.27.2
+ * SSL_SetTrustAnchors leaks (bmo#1318561)
+- removed upstreamed patch
+ * nss-uninitialized.patch
+- raised the minimum softokn/freebl version to 3.28 as reported in
+ boo#1021636
+
 -------------------------------------------------------------------
 Mon Nov 14 12:35:55 UTC 2016 - wr@rosenauer.org
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index a6d7a4b..82cc782 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2006-2016 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@@ -17,15 +17,15 @@
 #
-%global nss_softokn_fips_version 3.21
+%global nss_softokn_fips_version 3.28
 Name: mozilla-nss
 BuildRequires: gcc-c++
-BuildRequires: mozilla-nspr-devel >= 4.12
+BuildRequires: mozilla-nspr-devel >= 4.13.1
 BuildRequires: pkg-config
 BuildRequires: sqlite-devel
 BuildRequires: zlib-devel
-Version: 3.26.2
+Version: 3.28.1
 Release: 0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary: Network Security Services
 License: MPL-2.0
 Group: System/Libraries
 Url: http://www.mozilla.org/projects/security/pki/nss/
-Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_2_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.26.2/nss ; cd nss-3.26.2/nss ; hg up NSS_3_26_2_RTM
+Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_1_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.28.1/nss ; cd nss-3.28.1/nss ; hg up NSS_3_28_1_RTM
 #Source: nss-%{version}.tar.gz
 Source1: nss.pc.in
 Source3: nss-config.in
@@ -51,7 +51,6 @@ Source9: pkcs11.txt
 Source99: %{name}.changes
 Patch1: nss-opt.patch
 Patch2: system-nspr.patch
-Patch3: nss-uninitialized.patch
 Patch4: nss-no-rpath.patch
 Patch5: renegotiate-transitional.patch
 Patch6: malloc.patch
@@ -88,7 +87,7 @@ Summary: Network (Netscape) Security Services development files
 Group: Development/Libraries/Other
 Requires: libfreebl3
 Requires: libsoftokn3
-Requires: mozilla-nspr-devel >= 4.9
+Requires: mozilla-nspr-devel >= 4.13.1
 Requires: mozilla-nss = %{version}-%{release}
 # bug437293
 %ifarch ppc64
@@ -170,7 +169,6 @@ Mozilla project.
 cd nss
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %if %suse_version > 1110
@@ -200,6 +198,7 @@ export LIBDIR=%{_libdir}
 export USE_64=1
 %endif
 export NSS_USE_SYSTEM_SQLITE=1
+export NSS_ENABLE_TLS_1_3=1
 #export SQLITE_LIB_NAME=nsssqlite3
 MAKE_FLAGS="BUILD_OPT=1"
 make nss_build_all $MAKE_FLAGS
diff --git a/nss-3.26.2.tar.gz b/nss-3.26.2.tar.gz
deleted file mode 100644
index 133bf1a..0000000
--- a/nss-3.26.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:13a40a2f97edf5fab3d4c7fdd928e77df36dc539cd8354b6b5d79ab93a131a5a
-size 7388390
diff --git a/nss-3.28.1.tar.gz b/nss-3.28.1.tar.gz
new file mode 100644
index 0000000..42e71f4
--- /dev/null
+++ b/nss-3.28.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:58cc0c05c0ed9523e6d820bea74f513538f48c87aac931876e3d3775de1a82ad
+size 7451477
diff --git a/nss-uninitialized.patch b/nss-uninitialized.patch
deleted file mode 100644
index edfbe58..0000000
--- a/nss-uninitialized.patch
+++ /dev/null
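Review bot: The new `export NSS_ENABLE_TLS_1_3=1` in the `@@ -200,6 +198,7 @@` hunk switches on a protocol that the NSS 3.28 changes entry on this page describes as TLS 1.3 draft -18 and as opt-in at build time, yet neither the spec nor the changes entry records that the package now enables it or why. A draft-level protocol is presumably only expected to interoperate with peers on the same draft and may change behaviour with each NSS update, so the decision should be visible where it is made and in the changelog. A one-line comment above the export would do, e.g. `# enable TLS 1.3 (draft-18 in NSS 3.28; opt-in upstream) - revisit on every NSS update`, plus a matching line in the mozilla-nss.changes entry. The removal of Patch3 and `%patch3 -p1` in the other hunks is consistent with the deleted nss-uninitialized.patch and needs nothing further.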
@@ -1,22 +0,0 @@
-diff --git a/lib/jar/jarfile.c b/lib/jar/jarfile.c
---- a/lib/jar/jarfile.c
-+++ b/lib/jar/jarfile.c
-@@ -652,17 +652,17 @@ jar_gen_index(JAR *jar, jarArch format,
- * List the physical contents of a Phil Katz
- * style .ZIP file into the JAR linked list.
- *
- */
- static int
- jar_listzip(JAR *jar, JAR_FILE fp)
- {
- ZZLink *ent;
-- JAR_Item *it;
-+ JAR_Item *it = NULL;
- JAR_Physical *phy = NULL;
- struct ZipLocal *Local = PORT_ZNew(struct ZipLocal);
- struct ZipCentral *Central = PORT_ZNew(struct ZipCentral);
- struct ZipEnd *End = PORT_ZNew(struct ZipEnd);
-
- int err = 0;
- long pos = 0L;
- unsigned int compression;
diff --git a/system-nspr.patch b/system-nspr.patch
index 54459e7..5966f1b 100644
--- a/system-nspr.patch
+++ b/system-nspr.patch
@@ -1,22 +1,13 @@
 diff --git a/Makefile b/Makefile
+index c824ba2..a5abe7b 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
-
-
-
- #######################################################################
+@@ -46,7 +46,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 # (7) Execute "local" rules. (OPTIONAL).
 #
 #######################################################################
--nss_build_all: build_nspr all
-+nss_build_all: all
+-nss_build_all: build_nspr all latest
++nss_build_all: all latest
 nss_clean_all: clobber_nspr clobber
- NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
- NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure
-
- #
- # Translate coreconf build options to NSPR configure options.