diff --git a/gnutls-3.2.11.tar.xz b/gnutls-3.2.11.tar.xz
new file mode 100644
index 0000000..f430c19
--- /dev/null
+++ b/gnutls-3.2.11.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b844c58a72d6930abbda42129f4051dbf97f91754bea3514931173e3d01cf3c1
+size 5135168
diff --git a/gnutls-3.2.11.tar.xz.sig b/gnutls-3.2.11.tar.xz.sig
new file mode 100644
index 0000000..68f78bf
Binary files /dev/null and b/gnutls-3.2.11.tar.xz.sig differ
diff --git a/gnutls-3.2.8-noecc.patch b/gnutls-3.2.8-noecc.patch
deleted file mode 100644
index cf111df..0000000
--- a/gnutls-3.2.8-noecc.patch
+++ /dev/null
@@ -1,862 +0,0 @@
-Index: gnutls-3.2.8/lib/algorithms/publickey.c
-===================================================================
---- gnutls-3.2.8.orig/lib/algorithms/publickey.c
-+++ gnutls-3.2.8/lib/algorithms/publickey.c
-@@ -48,8 +48,10 @@ static const gnutls_pk_map pk_mappings[]
- 	{GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT},
- 	{GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN},
- 	{GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN},
-+#ifdef ENABLE_ECC
- 	{GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN},
- 	{GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EC, CIPHER_SIGN},
-+#endif
- 	{GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN},
- 	{GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN},
- 	{GNUTLS_KX_RSA_PSK, GNUTLS_PK_RSA, CIPHER_ENCRYPT},
-@@ -96,7 +98,9 @@ static const gnutls_pk_entry pk_algorith
- 	{"DSA", PK_DSA_OID, GNUTLS_PK_DSA},
- 	{"GOST R 34.10-2001", PK_GOST_R3410_2001_OID, GNUTLS_PK_UNKNOWN},
- 	{"GOST R 34.10-94", PK_GOST_R3410_94_OID, GNUTLS_PK_UNKNOWN},
-+#ifdef ENABLE_ECC
- 	{"EC", "1.2.840.10045.2.1", GNUTLS_PK_EC},
-+#endif
- 	{0, 0, 0}
- };
- 
-Index: gnutls-3.2.8/lib/auth/cert.c
-===================================================================
---- gnutls-3.2.8.orig/lib/auth/cert.c
-+++ gnutls-3.2.8/lib/auth/cert.c
-@@ -65,7 +65,12 @@ static gnutls_privkey_t alloc_and_load_p
- 						  key, int deinit);
- #endif
- 
-+#ifdef ENABLE_ECC
- #define MAX_CLIENT_SIGN_ALGOS 3
-+#else
-+#define MAX_CLIENT_SIGN_ALGOS 2
-+#endif
-+
- #define CERTTYPE_SIZE (MAX_CLIENT_SIGN_ALGOS+1)
- typedef enum CertificateSigType
-     { RSA_SIGN = 1, DSA_SIGN = 2, ECDSA_SIGN = 64
-@@ -1397,8 +1402,10 @@ _gnutls_check_supported_sign_algo(Certif
- 		return GNUTLS_PK_RSA;
- 	case DSA_SIGN:
- 		return GNUTLS_PK_DSA;
-+#ifdef ENABLE_ECC
- 	case ECDSA_SIGN:
- 		return GNUTLS_PK_EC;
-+#endif
- 	}
- 
- 	return -1;
-@@ -1675,7 +1682,9 @@ _gnutls_gen_cert_server_cert_req(gnutls_
- 	tmp_data[0] = CERTTYPE_SIZE - 1;
- 	tmp_data[1] = RSA_SIGN;
- 	tmp_data[2] = DSA_SIGN;
-+#ifdef ENABLE_ECC
- 	tmp_data[3] = ECDSA_SIGN;	/* only these for now */
-+#endif
- 
- 	ret = _gnutls_buffer_append_data(data, tmp_data, CERTTYPE_SIZE);
- 	if (ret < 0)
-Index: gnutls-3.2.8/lib/auth/dhe_psk.c
-===================================================================
---- gnutls-3.2.8.orig/lib/auth/dhe_psk.c
-+++ gnutls-3.2.8/lib/auth/dhe_psk.c
-@@ -93,6 +93,7 @@ const mod_auth_st ecdhe_psk_auth_struct
- };
- #endif
- 
-+#ifdef ENABLE_ECDHE
- static int
- gen_ecdhe_psk_client_kx(gnutls_session_t session, gnutls_buffer_st * data)
- {
-@@ -136,6 +137,7 @@ gen_ecdhe_psk_client_kx(gnutls_session_t
- 
- 	return ret;
- }
-+#endif
- 
- static int
- gen_dhe_psk_client_kx(gnutls_session_t session, gnutls_buffer_st * data)
-@@ -231,6 +233,7 @@ gen_dhe_psk_server_kx(gnutls_session_t s
- 	return ret;
- }
- 
-+#ifdef ENABLE_ECDHE
- static int
- gen_ecdhe_psk_server_kx(gnutls_session_t session, gnutls_buffer_st * data)
- {
-@@ -255,7 +258,7 @@ gen_ecdhe_psk_server_kx(gnutls_session_t
- 
- 	return ret;
- }
--
-+#endif
- 
- static int
- proc_dhe_psk_client_kx(gnutls_session_t session, uint8_t * data,
-@@ -333,7 +336,7 @@ proc_dhe_psk_client_kx(gnutls_session_t
- 	return ret;
- 
- }
--
-+#ifdef ENABLE_ECDHE
- static int
- proc_ecdhe_psk_client_kx(gnutls_session_t session, uint8_t * data,
- 			 size_t _data_size)
-@@ -397,6 +400,7 @@ proc_ecdhe_psk_client_kx(gnutls_session_
- 
- 	return ret;
- }
-+#endif
- 
- static int
- proc_dhe_psk_server_kx(gnutls_session_t session, uint8_t * data,
-@@ -428,6 +432,7 @@ proc_dhe_psk_server_kx(gnutls_session_t
- 	return 0;
- }
- 
-+#ifdef ENABLE_ECDHE
- static int
- proc_ecdhe_psk_server_kx(gnutls_session_t session, uint8_t * data,
- 			 size_t _data_size)
-@@ -457,5 +462,6 @@ proc_ecdhe_psk_server_kx(gnutls_session_
- 
- 	return 0;
- }
-+#endif
- 
- #endif				/* ENABLE_PSK */
-Index: gnutls-3.2.8/lib/ext/ecc.c
-===================================================================
---- gnutls-3.2.8.orig/lib/ext/ecc.c
-+++ gnutls-3.2.8/lib/ext/ecc.c
-@@ -36,6 +36,7 @@
-  * extensions draft.
-  */
- 
-+#ifdef ENABLE_ECC
- static int _gnutls_supported_ecc_recv_params(gnutls_session_t session,
- 					     const uint8_t * data,
- 					     size_t data_size);
-@@ -285,3 +286,4 @@ _gnutls_session_supports_ecc_curve(gnutl
- 
- 	return GNUTLS_E_ECC_UNSUPPORTED_CURVE;
- }
-+#endif
-Index: gnutls-3.2.8/lib/gnutls_extensions.c
-===================================================================
---- gnutls-3.2.8.orig/lib/gnutls_extensions.c
-+++ gnutls-3.2.8/lib/gnutls_extensions.c
-@@ -345,6 +345,7 @@ int _gnutls_ext_init(void)
- 	if (ret != GNUTLS_E_SUCCESS)
- 		return ret;
- 
-+#ifdef ENABLE_ECC
- 	ret = _gnutls_ext_register(&ext_mod_supported_ecc);
- 	if (ret != GNUTLS_E_SUCCESS)
- 		return ret;
-@@ -352,6 +353,7 @@ int _gnutls_ext_init(void)
- 	ret = _gnutls_ext_register(&ext_mod_supported_ecc_pf);
- 	if (ret != GNUTLS_E_SUCCESS)
- 		return ret;
-+#endif
- 
- 	ret = _gnutls_ext_register(&ext_mod_sig);
- 	if (ret != GNUTLS_E_SUCCESS)
-Index: gnutls-3.2.8/lib/gnutls_priority.c
-===================================================================
---- gnutls-3.2.8.orig/lib/gnutls_priority.c
-+++ gnutls-3.2.8/lib/gnutls_priority.c
-@@ -231,6 +231,7 @@ gnutls_certificate_type_set_priority(gnu
- }
- 
- static const int supported_ecc_normal[] = {
-+#ifdef ENABLE_ECC
- #ifdef ENABLE_NON_SUITEB_CURVES
- 	GNUTLS_ECC_CURVE_SECP192R1,
- 	GNUTLS_ECC_CURVE_SECP224R1,
-@@ -238,30 +239,39 @@ static const int supported_ecc_normal[]
- 	GNUTLS_ECC_CURVE_SECP256R1,
- 	GNUTLS_ECC_CURVE_SECP384R1,
- 	GNUTLS_ECC_CURVE_SECP521R1,
-+#endif
- 	0
- };
- 
- static const int supported_ecc_secure128[] = {
-+#ifdef ENABLE_ECC
- 	GNUTLS_ECC_CURVE_SECP256R1,
- 	GNUTLS_ECC_CURVE_SECP384R1,
- 	GNUTLS_ECC_CURVE_SECP521R1,
-+#endif
- 	0
- };
- 
- static const int supported_ecc_suiteb128[] = {
-+#ifdef ENABLE_ECC
- 	GNUTLS_ECC_CURVE_SECP256R1,
- 	GNUTLS_ECC_CURVE_SECP384R1,
-+#endif
- 	0
- };
- 
- static const int supported_ecc_suiteb192[] = {
-+#ifdef ENABLE_ECC
- 	GNUTLS_ECC_CURVE_SECP384R1,
-+#endif
- 	0
- };
- 
- static const int supported_ecc_secure192[] = {
-+#ifdef ENABLE_ECC
- 	GNUTLS_ECC_CURVE_SECP384R1,
- 	GNUTLS_ECC_CURVE_SECP521R1,
-+#endif
- 	0
- };
- 
-@@ -412,51 +422,75 @@ static const int comp_priority[] = {
- static const int sign_priority_default[] = {
- 	GNUTLS_SIGN_RSA_SHA256,
- 	GNUTLS_SIGN_DSA_SHA256,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA256,
-+#endif
- 
- 	GNUTLS_SIGN_RSA_SHA384,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA384,
-+#endif
- 
- 	GNUTLS_SIGN_RSA_SHA512,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA512,
-+#endif
- 
- 	GNUTLS_SIGN_RSA_SHA224,
- 	GNUTLS_SIGN_DSA_SHA224,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA224,
-+#endif
- 
- 	GNUTLS_SIGN_RSA_SHA1,
- 	GNUTLS_SIGN_DSA_SHA1,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA1,
-+#endif
- 	0
- };
- 
- static const int sign_priority_suiteb128[] = {
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA256,
- 	GNUTLS_SIGN_ECDSA_SHA384,
-+#endif
- 	0
- };
- 
- static const int sign_priority_suiteb192[] = {
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA384,
-+#endif
- 	0
- };
- 
- static const int sign_priority_secure128[] = {
- 	GNUTLS_SIGN_RSA_SHA256,
- 	GNUTLS_SIGN_DSA_SHA256,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA256,
-+#endif
- 	GNUTLS_SIGN_RSA_SHA384,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA384,
-+#endif
- 	GNUTLS_SIGN_RSA_SHA512,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA512,
-+#endif
- 	0
- };
- 
- static const int sign_priority_secure192[] = {
- 	GNUTLS_SIGN_RSA_SHA384,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA384,
-+#endif
- 	GNUTLS_SIGN_RSA_SHA512,
-+#ifdef ENABLE_ECC
- 	GNUTLS_SIGN_ECDSA_SHA512,
-+#endif
- 	0
- };
- 
-Index: gnutls-3.2.8/lib/nettle/pk.c
-===================================================================
---- gnutls-3.2.8.orig/lib/nettle/pk.c
-+++ gnutls-3.2.8/lib/nettle/pk.c
-@@ -148,6 +148,7 @@ static int _wrap_nettle_pk_derive(gnutls
- 	int ret;
- 
- 	switch (algo) {
-+#ifdef ENABLE_ECC
- 	case GNUTLS_PK_EC:
- 		{
- 			struct ecc_scalar ecc_priv;
-@@ -193,6 +194,7 @@ static int _wrap_nettle_pk_derive(gnutls
- 				goto cleanup;
- 			break;
- 		}
-+#endif
- 	default:
- 		gnutls_assert();
- 		ret = GNUTLS_E_INTERNAL_ERROR;
-@@ -348,6 +350,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm
- 	const mac_entry_st *me;
- 
- 	switch (algo) {
-+#ifdef ENABLE_ECC
- 	case GNUTLS_PK_EC:	/* we do ECDSA */
- 		{
- 			struct ecc_scalar priv;
-@@ -396,6 +399,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm
- 			}
- 			break;
- 		}
-+#endif
- 	case GNUTLS_PK_DSA:
- 		{
- 			struct dsa_public_key pub;
-@@ -500,6 +504,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorit
- 	bigint_t tmp[2] = { NULL, NULL };
- 
- 	switch (algo) {
-+#ifdef ENABLE_ECC
- 	case GNUTLS_PK_EC:	/* ECDSA */
- 		{
- 			struct ecc_point pub;
-@@ -546,6 +551,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorit
- 			ecc_point_clear(&pub);
- 			break;
- 		}
-+#endif
- 	case GNUTLS_PK_DSA:
- 		{
- 			struct dsa_public_key pub;
-@@ -759,6 +765,7 @@ wrap_nettle_pk_generate_params(gnutls_pk
- 
- 			break;
- 		}
-+#ifdef ENABLE_ECC
- 	case GNUTLS_PK_EC:
- 		{
- 			struct ecc_scalar key;
-@@ -805,6 +812,7 @@ wrap_nettle_pk_generate_params(gnutls_pk
- 
- 			break;
- 		}
-+#endif
- 	default:
- 		gnutls_assert();
- 		return GNUTLS_E_INVALID_REQUEST;
-@@ -946,6 +954,7 @@ wrap_nettle_pk_verify_params(gnutls_pk_a
- 		}
- 
- 		break;
-+#ifdef ENABLE_ECC
- 	case GNUTLS_PK_EC:
- 		{
- 			struct ecc_point r, pub;
-@@ -1014,6 +1023,7 @@ wrap_nettle_pk_verify_params(gnutls_pk_a
- 			ecc_point_clear(&pub);
- 		}
- 		break;
-+#endif
- 	default:
- 		ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- 	}
-@@ -1173,6 +1183,7 @@ static int wrap_nettle_hash_algorithm(gn
- 
- 		ret = 0;
- 		break;
-+
- 	case GNUTLS_PK_RSA:
- 		if (sig == NULL) {	/* return a sensible algorithm */
- 			if (hash_algo)
-Index: gnutls-3.2.8/lib/algorithms/kx.c
-===================================================================
---- gnutls-3.2.8.orig/lib/algorithms/kx.c
-+++ gnutls-3.2.8/lib/algorithms/kx.c
-@@ -28,9 +28,11 @@
- 
- extern mod_auth_st rsa_auth_struct;
- extern mod_auth_st dhe_rsa_auth_struct;
-+#ifdef ENABLE_ECC
- extern mod_auth_st ecdhe_rsa_auth_struct;
- extern mod_auth_st ecdhe_psk_auth_struct;
- extern mod_auth_st ecdhe_ecdsa_auth_struct;
-+#endif
- extern mod_auth_st dhe_dss_auth_struct;
- extern mod_auth_st anon_auth_struct;
- extern mod_auth_st anon_ecdh_auth_struct;
-@@ -57,10 +59,12 @@ static const gnutls_cred_map cred_mappin
- 	{GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON},
- 	{GNUTLS_KX_ANON_ECDH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON},
- 	{GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE},
-+#ifdef ENABLE_ECDHE
- 	{GNUTLS_KX_ECDHE_RSA, GNUTLS_CRD_CERTIFICATE,
- 	 GNUTLS_CRD_CERTIFICATE},
- 	{GNUTLS_KX_ECDHE_ECDSA, GNUTLS_CRD_CERTIFICATE,
- 	 GNUTLS_CRD_CERTIFICATE},
-+#endif
- 	{GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE,
- 	 GNUTLS_CRD_CERTIFICATE},
- 	{GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE,
-@@ -68,7 +72,9 @@ static const gnutls_cred_map cred_mappin
- 	{GNUTLS_KX_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK},
- 	{GNUTLS_KX_DHE_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK},
- 	{GNUTLS_KX_RSA_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_CERTIFICATE},
-+#ifdef ENABLE_ECDHE
- 	{GNUTLS_KX_ECDHE_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK},
-+#endif
- 	{GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP},
- 	{GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE},
- 	{GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE},
-@@ -102,7 +108,7 @@ static const gnutls_kx_algo_entry _gnutl
- 	{"DHE-RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1},
- 	{"DHE-DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1},
- #endif
--#ifdef ENABLE_ECDHE
-+#if defined(ENABLE_ECDHE) && defined(ENABLE_ECC)
- 	{"ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, &ecdhe_rsa_auth_struct, 0},
- 	{"ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, &ecdhe_ecdsa_auth_struct,
- 	 0},
-@@ -119,7 +125,7 @@ static const gnutls_kx_algo_entry _gnutl
- 	{"DHE-PSK", GNUTLS_KX_DHE_PSK, &dhe_psk_auth_struct,
- 	 1 /* needs DHE params */ },
- #endif
--#ifdef ENABLE_ECDHE
-+#if defined(ENABLE_ECDHE) && defined(ENABLE_ECC)
- 	{"ECDHE-PSK", GNUTLS_KX_ECDHE_PSK, &ecdhe_psk_auth_struct, 0},
- #endif
- #endif
-Index: gnutls-3.2.8/lib/auth/ecdhe.c
-===================================================================
---- gnutls-3.2.8.orig/lib/auth/ecdhe.c
-+++ gnutls-3.2.8/lib/auth/ecdhe.c
-@@ -50,7 +50,7 @@ static int
- proc_ecdhe_client_kx(gnutls_session_t session,
- 		     uint8_t * data, size_t _data_size);
- 
--#if defined(ENABLE_ECDHE)
-+#if defined(ENABLE_ECDHE) && defined(ENABLE_ECC)
- const mod_auth_st ecdhe_ecdsa_auth_struct = {
- 	"ECDHE_ECDSA",
- 	_gnutls_gen_cert_server_crt,
-Index: gnutls-3.2.8/tests/cert-tests/dane
-===================================================================
---- gnutls-3.2.8.orig/tests/cert-tests/dane
-+++ gnutls-3.2.8/tests/cert-tests/dane
-@@ -22,6 +22,8 @@
- 
- set -e
- 
-+exit 77
-+
- srcdir=${srcdir:-.}
- DANETOOL=${DANETOOL:-../../src/danetool$EXEEXT}
- DIFF=${DIFF:-diff}
-Index: gnutls-3.2.8/tests/dtls/dtls
-===================================================================
---- gnutls-3.2.8.orig/tests/dtls/dtls
-+++ gnutls-3.2.8/tests/dtls/dtls
-@@ -22,9 +22,7 @@
- 
- set -e
- 
--if test "${WINDIR}" != "";then
--  exit 77
--fi
-+exit 77
- 
- ./dtls-stress -shello 021 -sfinished 01 -cfinished 012 SKeyExchange CKeyExchange CFinished
- ./dtls-stress -shello 012 -sfinished 10 -cfinished 210 SHello SKeyExchange SHelloDone
-Index: gnutls-3.2.8/tests/dtls/dtls-nb
-===================================================================
---- gnutls-3.2.8.orig/tests/dtls/dtls-nb
-+++ gnutls-3.2.8/tests/dtls/dtls-nb
-@@ -22,9 +22,7 @@
- 
- set -e
- 
--if test "${WINDIR}" != "";then
--  exit 77
--fi
-+exit 77
- 
- ./dtls-stress -nb -shello 021 -sfinished 01 -cfinished 012 SKeyExchange CKeyExchange CFinished
- ./dtls-stress -nb -shello 012 -sfinished 10 -cfinished 210 SHello SKeyExchange SHelloDone
-Index: gnutls-3.2.8/tests/ecdsa/ecdsa
-===================================================================
---- gnutls-3.2.8.orig/tests/ecdsa/ecdsa
-+++ gnutls-3.2.8/tests/ecdsa/ecdsa
-@@ -22,6 +22,8 @@
- 
- #set -e
- 
-+exit 77
-+
- srcdir=${srcdir:-.}
- CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
- 
-Index: gnutls-3.2.8/tests/mini-alpn.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-alpn.c
-+++ gnutls-3.2.8/tests/mini-alpn.c
-@@ -25,7 +25,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32) || !defined(ENABLE_ALPN)
-+#if defined(_WIN32) || !defined(ENABLE_ALPN) || !defined(ENABLE_ECDH)
- 
- int main(int argc, char **argv)
- {
-Index: gnutls-3.2.8/tests/mini-dtls-heartbeat.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-dtls-heartbeat.c
-+++ gnutls-3.2.8/tests/mini-dtls-heartbeat.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32) || !defined(ENABLE_HEARTBEAT)
-+#if defined(_WIN32) || !defined(ENABLE_HEARTBEAT) || !defined(ENABLE_ECC)
- 
- int main()
- {
-Index: gnutls-3.2.8/tests/mini-dtls-hello-verify.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-dtls-hello-verify.c
-+++ gnutls-3.2.8/tests/mini-dtls-hello-verify.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32)
-+#if defined(_WIN32) || !defined(ENABLE_ECDH)
- 
- int main()
- {
-Index: gnutls-3.2.8/tests/mini-dtls-large.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-dtls-large.c
-+++ gnutls-3.2.8/tests/mini-dtls-large.c
-@@ -25,7 +25,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32) || !defined(ENABLE_HEARTBEAT)
-+#if defined(_WIN32) || !defined(ENABLE_HEARTBEAT) || !defined(ENABLE_ECC)
- 
- int main()
- {
-@@ -179,8 +179,12 @@ static void server(int fd)
- 	/* avoid calling all the priority functions, since the defaults
- 	 * are adequate.
- 	 */
-+#ifdef ENABLE_ECDH
- 	gnutls_priority_set_direct(session,
- 				   "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
-+#else
-+                               "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
-+#endif
- 				   NULL);
- 
- 	gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
-Index: gnutls-3.2.8/tests/mini-dtls-record.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-dtls-record.c
-+++ gnutls-3.2.8/tests/mini-dtls-record.c
-@@ -29,7 +29,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32)
-+#if defined(_WIN32) || !defined(ENABLE_ECC)
- 
- int main()
- {
-Index: gnutls-3.2.8/tests/mini-dtls-rehandshake.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-dtls-rehandshake.c
-+++ gnutls-3.2.8/tests/mini-dtls-rehandshake.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32)
-+#if defined(_WIN32) || !defined(ENABLE_ECC)
- 
- int main()
- {
-Index: gnutls-3.2.8/tests/mini-dtls-srtp.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-dtls-srtp.c
-+++ gnutls-3.2.8/tests/mini-dtls-srtp.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32) || !defined(ENABLE_DTLS_SRTP)
-+#if defined(_WIN32) || !defined(ENABLE_DTLS_SRTP) || !defined(ENABLE_ECC)
- 
- int main(int argc, char **argv)
- {
-Index: gnutls-3.2.8/tests/mini-handshake-timeout.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-handshake-timeout.c
-+++ gnutls-3.2.8/tests/mini-handshake-timeout.c
-@@ -28,7 +28,7 @@
- #include <stdlib.h>
- #include <string.h>
- 
--#if defined(_WIN32)
-+#if defined(_WIN32) || !defined(ENABLE_ECC)
- 
- int main()
- {
-@@ -136,7 +136,11 @@ static void initialize_tls_session(gnutl
- 	/* avoid calling all the priority functions, since the defaults
- 	 * are adequate.
- 	 */
--	gnutls_priority_set_direct(*session, "NORMAL:+ANON-ECDH", NULL);
-+#ifdef ENABLE_ECC
-+  gnutls_priority_set_direct (session, "NORMAL:+ANON-ECDH", NULL);
-+#else
-+  gnutls_priority_set_direct (session, "NORMAL:+ANON-DH", NULL);
-+#endif
- }
- 
- static void server(int fd, int wait)
-Index: gnutls-3.2.8/tests/mini-loss-time.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-loss-time.c
-+++ gnutls-3.2.8/tests/mini-loss-time.c
-@@ -28,7 +28,7 @@
- #include <stdlib.h>
- #include <string.h>
- 
--#if defined(_WIN32)
-+#if defined(_WIN32) || !defined(ENABLE_ECC)
- 
- int main()
- {
-Index: gnutls-3.2.8/tests/mini-record-2.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-record-2.c
-+++ gnutls-3.2.8/tests/mini-record-2.c
-@@ -340,22 +340,22 @@ static void start(const char *prio, int
- 	}
- }
- 
--#define AES_CBC "NONE:+VERS-TLS1.0:-CIPHER-ALL:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL"
--#define AES_CBC_SHA256 "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA256:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL"
--#define AES_GCM "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-GCM:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL"
--
--#define ARCFOUR_SHA1 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL"
--#define ARCFOUR_MD5 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL:+RSA"
--
--#define NULL_SHA1 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+NULL:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+RSA:+CURVE-ALL"
--
--#define NEW_AES_CBC "NONE:+VERS-TLS1.0:-CIPHER-ALL:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL:%NEW_PADDING"
--#define NEW_ARCFOUR_SHA1 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL:%NEW_PADDING"
--#define NEW_AES_CBC_SHA256 "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA256:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL:%NEW_PADDING"
--#define NEW_AES_GCM "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-GCM:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+ANON-ECDH:+CURVE-ALL:%NEW_PADDING"
-+#define AES_CBC "NONE:+VERS-TLS1.0:-CIPHER-ALL:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL"
-+#define AES_CBC_SHA256 "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA256:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL"
-+#define AES_GCM "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-GCM:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL"
-+
-+#define ARCFOUR_SHA1 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL"
-+#define ARCFOUR_MD5 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+MD5:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL:+RSA"
-+
-+#define NULL_SHA1 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+NULL:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL"
-+
-+#define NEW_AES_CBC "NONE:+VERS-TLS1.0:-CIPHER-ALL:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL:%NEW_PADDING"
-+#define NEW_ARCFOUR_SHA1 "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL:%NEW_PADDING"
-+#define NEW_AES_CBC_SHA256 "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA256:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL:%NEW_PADDING"
-+#define NEW_AES_GCM "NONE:+VERS-TLS1.2:-CIPHER-ALL:+RSA:+AES-128-GCM:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+RSA:+CURVE-ALL:%NEW_PADDING"
- 
--#define ARCFOUR_SHA1_ZLIB "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-DEFLATE:+ANON-ECDH:+CURVE-ALL"
--#define NEW_ARCFOUR_SHA1_ZLIB "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-DEFLATE:+ANON-ECDH:+CURVE-ALL:%NEW_PADDING"
-+#define ARCFOUR_SHA1_ZLIB "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-DEFLATE:+RSA:+CURVE-ALL"
-+#define NEW_ARCFOUR_SHA1_ZLIB "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-DEFLATE:+RSA:+CURVE-ALL:%NEW_PADDING"
- 
- static void ch_handler(int sig)
- {
-Index: gnutls-3.2.8/tests/mini-record-range.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-record-range.c
-+++ gnutls-3.2.8/tests/mini-record-range.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32)
-+#if defined(_WIN32) || !defined(ENABLE_ECC)
- 
- int main()
- {
-Index: gnutls-3.2.8/tests/mini-record.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-record.c
-+++ gnutls-3.2.8/tests/mini-record.c
-@@ -27,8 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32)
--
-+#if defined(_WIN32) || !defined(ENABLE_ECC)
- int main()
- {
- 	exit(77);
-Index: gnutls-3.2.8/tests/mini-x509-callbacks.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-x509-callbacks.c
-+++ gnutls-3.2.8/tests/mini-x509-callbacks.c
-@@ -57,8 +57,13 @@ unsigned int msg_order[] = {
- 	GNUTLS_HANDSHAKE_CLIENT_HELLO,
- 	GNUTLS_HANDSHAKE_SERVER_HELLO,
- 	GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
-+#ifndef ENABLE_ECC
-+              /*Sent: CERTIFICATE REQUEST, expected SERVER KEY EXCHANGE*/
-+              GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
-+#else
- 	GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
- 	GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
-+#endif
- 	GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
- 	GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
- 	GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
-Index: gnutls-3.2.8/tests/mini-xssl.c
-===================================================================
---- gnutls-3.2.8.orig/tests/mini-xssl.c
-+++ gnutls-3.2.8/tests/mini-xssl.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32) || !defined(ENABLE_NON_SUITEB_CURVES)
-+#if defined(_WIN32) || !defined(ENABLE_ECC)
- 
- int main()
- {
-Index: gnutls-3.2.8/tests/pkcs12_simple.c
-===================================================================
---- gnutls-3.2.8.orig/tests/pkcs12_simple.c
-+++ gnutls-3.2.8/tests/pkcs12_simple.c
-@@ -49,6 +49,10 @@ void doit(void)
- 	gnutls_x509_privkey_t pkey;
- 	int ret;
- 
-+#ifndef ENABLE_ECC
-+  exit(77);
-+#endif
-+
- 	ret = global_init();
- 	if (ret < 0)
- 		fail("global_init failed %d\n", ret);
-Index: gnutls-3.2.8/tests/priorities.c
-===================================================================
---- gnutls-3.2.8.orig/tests/priorities.c
-+++ gnutls-3.2.8/tests/priorities.c
-@@ -71,8 +71,7 @@ try_prio(const char *prio, unsigned expe
- 			fprintf(stderr, "%s\n",
- 				gnutls_cipher_get_name(t[i]));
- #endif
--		fail("expected %d ciphers, found %d\n", expected_ciphers,
--		     ret);
-+       fail("%s: expected %d ciphers, found %d\n", prio, expected_ciphers, ret);
- 		exit(1);
- 	}
- 
-@@ -84,28 +83,42 @@ try_prio(const char *prio, unsigned expe
- 		success("finished: %s\n", prio);
- 
- 	if (count != expected_cs) {
--		fail("expected %d ciphersuites, found %d\n", expected_cs,
--		     count);
-+           fail("%s: expected %d ciphersuites, found %d\n", prio, expected_cs, count);
- 		exit(1);
- 	}
- }
- 
- void doit(void)
- {
-+#ifdef ENABLE_ECC
- 	const int normal = 66;
- 	const int null = 5;
- 	const int sec128 = 56;
--
-+#else
-+       const int normal = 42;
-+       const int null = 3;
-+       const int sec128 = 36;
-+#endif
- 	try_prio("NORMAL", normal, 10);
- 	try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 10);
- 	try_prio("NORMAL:+CIPHER-ALL", normal, 10);	/* all (except null) */
- 	try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1);	/* null */
- 	try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 11);	/* should be null + all */
-+#ifdef ENABLE_ECC
- 	try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1);	/* should be null + all */
-+#else
-+  try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 6, 1); /* should be null + all */
-+#endif
- 	try_prio("PERFORMANCE", normal, 10);
-+#ifdef ENABLE_ECC
- 	try_prio("SECURE256", 20, 4);
-+#else
-+  try_prio("SECURE256", 12, 4);
-+#endif
- 	try_prio("SECURE128", sec128, 8);
- 	try_prio("SECURE128:+SECURE256", sec128, 8);	/* should be the same as SECURE128 */
- 	try_prio("SECURE128:+SECURE256:+NORMAL", normal, 10);	/* should be the same as NORMAL */
-+#ifdef ENABLE_ECC
- 	try_prio("SUITEB192", 1, 1);
-+#endif
- }
-Index: gnutls-3.2.8/tests/slow/keygen.c
-===================================================================
---- gnutls-3.2.8.orig/tests/slow/keygen.c
-+++ gnutls-3.2.8/tests/slow/keygen.c
-@@ -62,6 +62,11 @@ void doit(void)
- 			if (algorithm == GNUTLS_PK_DH)
- 				continue;
- 
-+#ifndef ENABLE_ECC
-+               if (algorithm == GNUTLS_PK_EC)
-+                       continue;
-+#endif
-+
- 			ret = gnutls_x509_privkey_init(&pkey);
- 			if (ret < 0) {
- 				fail("gnutls_x509_privkey_init: %d\n",
-Index: gnutls-3.2.8/tests/srp/mini-srp.c
-===================================================================
---- gnutls-3.2.8.orig/tests/srp/mini-srp.c
-+++ gnutls-3.2.8/tests/srp/mini-srp.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32)
-+#if defined(_WIN32) || !defined(ENABLE_SRP)
- 
- int main()
- {
diff --git a/gnutls-3.2.8.tar.xz b/gnutls-3.2.8.tar.xz
deleted file mode 100644
index da8e4cd..0000000
--- a/gnutls-3.2.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:144156f4140400df2bd9303dab69f44099113a3b46780737734affe93782d94d
-size 5135984
diff --git a/gnutls-3.2.8.tar.xz.sig b/gnutls-3.2.8.tar.xz.sig
deleted file mode 100644
index e40d8c1..0000000
Binary files a/gnutls-3.2.8.tar.xz.sig and /dev/null differ
diff --git a/gnutls-implement-trust-store-dir-3.2.8.diff b/gnutls-implement-trust-store-dir-3.2.8.diff
index 4cd9630..1c6c05b 100644
--- a/gnutls-implement-trust-store-dir-3.2.8.diff
+++ b/gnutls-implement-trust-store-dir-3.2.8.diff
@@ -1,8 +1,8 @@
-Index: gnutls-3.2.8/configure.ac
+Index: gnutls-3.2.10/configure.ac
 ===================================================================
---- gnutls-3.2.8.orig/configure.ac
-+++ gnutls-3.2.8/configure.ac
-@@ -457,6 +457,25 @@ if test "$with_default_trust_store_file"
+--- gnutls-3.2.10.orig/configure.ac
++++ gnutls-3.2.10/configure.ac
+@@ -466,6 +466,25 @@ if test "$with_default_trust_store_file"
    with_default_trust_store_file=""
  fi
  
@@ -28,7 +28,7 @@ Index: gnutls-3.2.8/configure.ac
  AC_ARG_WITH([default-crl-file],
    [AS_HELP_STRING([--with-default-crl-file=FILE],
      [use the given CRL file as default])])
-@@ -470,6 +489,11 @@ if test "x$with_default_trust_store_file
+@@ -479,6 +498,11 @@ if test "x$with_default_trust_store_file
      ["$with_default_trust_store_file"], [use the given file default trust store])
  fi
  
@@ -40,19 +40,19 @@ Index: gnutls-3.2.8/configure.ac
  if test "x$with_default_crl_file" != x; then
    AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
      ["$with_default_crl_file"], [use the given CRL file])
-@@ -761,6 +785,7 @@ AC_MSG_NOTICE([System files:
+@@ -770,6 +794,7 @@ AC_MSG_NOTICE([System files:
  
-   Trust store pkcs:     $with_default_trust_store_pkcs11
+   Trust store pkcs11:   $with_default_trust_store_pkcs11
    Trust store file:     $with_default_trust_store_file
 +  Trust store dir:      $with_default_trust_store_dir
    Blacklist file:       $with_default_blacklist_file
    CRL file:             $with_default_crl_file
    DNSSEC root key file: $unbound_root_key_file
-Index: gnutls-3.2.8/lib/system.c
+Index: gnutls-3.2.10/lib/system.c
 ===================================================================
---- gnutls-3.2.8.orig/lib/system.c
-+++ gnutls-3.2.8/lib/system.c
-@@ -357,7 +357,45 @@ int _gnutls_find_config_path(char *path,
+--- gnutls-3.2.10.orig/lib/system.c
++++ gnutls-3.2.10/lib/system.c
+@@ -364,7 +364,45 @@ int _gnutls_find_config_path(char *path,
  	return 0;
  }
  
@@ -99,7 +99,7 @@ Index: gnutls-3.2.8/lib/system.c
  static
  int
  add_system_trust(gnutls_x509_trust_list_t list,
-@@ -393,6 +431,12 @@ add_system_trust(gnutls_x509_trust_list_
+@@ -400,6 +438,12 @@ add_system_trust(gnutls_x509_trust_list_
  		r += ret;
  #endif
  
@@ -112,7 +112,7 @@ Index: gnutls-3.2.8/lib/system.c
  #ifdef DEFAULT_BLACKLIST_FILE
  	ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
  	if (ret < 0) {
-@@ -467,41 +511,6 @@ int add_system_trust(gnutls_x509_trust_l
+@@ -474,41 +518,6 @@ int add_system_trust(gnutls_x509_trust_l
  	return r;
  }
  #elif defined(ANDROID) || defined(__ANDROID__)
diff --git a/gnutls.changes b/gnutls.changes
index 9ab9e06..2818926 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Thu Feb 13 20:12:06 UTC 2014 - meissner@suse.com
+
+- Upgraded to 3.2.11
+
+  ** libgnutls: Tolerate servers that send the SUPPORTED ECC extension.
+
+  ** libgnutls: Reduced the TLS and DTLS version requirements for all
+     ciphersuites that are not GCM.
+
+  ** libgnutls: When two initial keywords are specified then treat the
+     second as having the '+' modifier.
+
+  ** libgnutls:  When using a PKCS #11 module for verification ensure that
+     it has been marked a trusted policy module in p11-kit. Moreover, when an
+     empty (i.e., "pkcs11:") URL is specified, then try all trusted modules
+     in the system for verification.
+     http://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html
+
+  ** libgnutls: Fixed bug that prevented the rejection of v1 intermediate
+     CA certificates. Reported and investigated by Suman Jana.
+     CVE-2014-1959 / bnc#863989
+
+  ** certtool: Added the --ask-pass option.
+- gnutls-3.2.10-supported-ecc.patch: upstreamed
+- gnutls-fix-missing-ipv6.patch: upstreamed
+
+-------------------------------------------------------------------
+Tue Feb 11 12:16:48 UTC 2014 - meissner@suse.com
+
+- Upgrade to 3.1.20 (released 2014-01-31)
+  ** libgnutls: fixed null pointer derefence when printing a certificate
+     DN and an LDAP description isn't present.
+  ** libgnutls: gnutls_db_check_entry_time will correctly report the time;
+     report and patch by Jonathan Roudiere.
+
+- Upgrade to 3.2.9 (released 2014-01-24)
+
+  ** libgnutls: The %DUMBFW option in priority string only
+     appends data to client hello if the expected size is in the
+     "black hole" range.
+
+  ** libgnutls: %COMPAT implies %DUMBFW.
+
+  ** libgnutls: gnutls_session_get_desc() returns a more compact
+     ciphersuite description.
+
+  * libgnutls: In PKCS #11 allow deleting multiple non-certificate data.
+
+  ** libgnutls: When a PKCS #11 trust store is specified (e.g. using the
+     configure option --with-default-trust-store-pkcs11), then the PKCS #11
+     token is used on demand to obtain the trusted anchors, rather than
+     preloading all trusted certificates. That delegates CA certificate
+     management and blacklist checking to the PKCS #11 module.
+
+  ** libgnutls: When a PKCS #11 trust store is specified in configure
+     option or in gnutls_x509_trust_list_add_trust_file(), then the module is
+     used to obtain the verification anchors and any required blacklists as
+     in
+     http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html
+
+  ** libgnutls: Fix in OCSP certificate status extension handling
+     in non-blocking servers. Patch by Nils Maier.
+
+  ** p11tool: Added --so-login option to force login as security
+     officer (admin).
+
+- reenable ECDHE after review of modern cryptographic practices.
+
+- gnutls-fix-missing-ipv6.patch: handle getaddrinfo/socket availability
+  issues in gnutls-serv
+
+- gnutls-3.2.10-supported-ecc.patch: do not abort gnutls-cli on sites
+  sending the client only ECC extension (www.bsi.de)
+
 -------------------------------------------------------------------
 Sat Dec 21 20:38:19 UTC 2013 - shchang@suse.com
 
diff --git a/gnutls.spec b/gnutls.spec
index 851ed7b..0ad0b73 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 %define gnutls_ossl_sover 27
 
 Name:           gnutls
-Version:        3.2.8
+Version:        3.2.11
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1+ and GPL-3.0+
@@ -36,8 +36,6 @@ Source3:        baselibs.conf
 # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test
 Patch3:         gnutls-3.0.26-skip-test-fwrite.patch
 
-# Disable elliptic curves for reasons. - meissner&cfarrell
-Patch5:         gnutls-3.2.8-noecc.patch
 Patch6:         gnutls-implement-trust-store-dir-3.2.8.diff
 
 BuildRequires:  automake
@@ -138,21 +136,19 @@ Files needed for software development using gnutls.
 %prep
 %setup -q
 %patch3
-%patch5 -p1
 %patch6 -p1
 
 %build
 autoreconf -if
-# echde explicitly disabled - meissner&cfarrell
 %configure \
         gl_cv_func_printf_directive_n=yes \
         gl_cv_func_printf_infinite_long_double=yes \
         --disable-static \
         --with-pic \
         --disable-rpath \
+	--disable-srp \
         --disable-silent-rules \
 	--with-default-trust-store-dir=/var/lib/ca-certificates/pem \
-	--disable-ecdhe \
         --with-sysroot=/%{?_sysroot}
 %__make %{?_smp_mflags}