diff --git a/baselibs.conf b/baselibs.conf index 64dfa4a..05ab7e7 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,7 +1,12 @@ mozilla-nss - requires "libfreebl3- >= " + requires "libfreebl3-" + requires "libsoftokn3-" requires "mozilla-nss-certs-" +libsoftokn3 + requires "libfreebl3- = -" +/usr/lib/libsoftokn3.chk - +/lib/libfreebl3.chk + +/usr/lib/libnssdbm3.chk libfreebl3 + +/lib/libfreebl3.chk +mozilla-nss-sysinit mozilla-nss-certs diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 26bdd09..20dbc6c 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue Mar 9 19:18:24 CET 2010 - wr@rosenauer.org + +- update to 3.12.6 RTM release + * added mozilla-nss-sysinit subpackage +- change renegotiation behaviour to the old default for a + transition phase + +------------------------------------------------------------------- +Tue Mar 9 13:08:24 CET 2010 - wr@rosenauer.org + +- split off libsoftokn3 subpackage to allow mixed NSS installation + ------------------------------------------------------------------- Sat Dec 26 12:42:56 CET 2009 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 732950a..7432f47 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -1,8 +1,8 @@ # -# spec file for package mozilla-nss (Version 3.12.4) +# spec file for package mozilla-nss (Version 3.12.6) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. -# Copyright (c) 2006-2009 Wolfgang Rosenauer +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2006-2010 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,6 +18,7 @@ # norootforbuild +%global nss_softokn_fips_version 3.12.4 Name: mozilla-nss BuildRequires: gcc-c++ mozilla-nspr-devel zlib-devel 
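Review bot: The new `%global nss_softokn_fips_version 3.12.4` in mozilla-nss.spec has no comment saying why it stays at 3.12.4 while the package moves to 3.12.6. The `PreReq: libfreebl3 >= %{nss_softokn_fips_version}` and `PreReq: libsoftokn3 >= %{nss_softokn_fips_version}` lines later in the spec depend on it. I would add a line above it such as `# lowest libfreebl3/libsoftokn3 release this NSS may be combined with (mixed installation)` and say there whether it is meant to be bumped together with Version. Without that, a later version update is likely either to forget it or to bump it mechanically and undo the mixed-installation split.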
@@ -28,14 +29,14 @@ BuildRequires: sqlite-devel BuildRequires: sqlite3-devel %endif License: GPLv2+ ; LGPLv2.1+ ; MPL -Version: 3.12.4 -Release: 5 +Version: 3.12.6 +Release: 1 # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-64bit %endif # -Summary: Network (Netscape) Security Services +Summary: Network Security Services Url: http://www.mozilla.org/projects/security/pki/nss/ Group: System/Libraries # cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r NSS @@ -45,18 +46,19 @@ Source2: addon-certs.txt Source3: nss-config.in Source4: %{name}-rpmlintrc Source5: baselibs.conf +Source6: setup-nsssysinit.sh Patch1: nss-opt.patch Patch2: nss-sqlitename.patch Patch3: system-nspr.patch Patch4: char.patch Patch5: nss-no-rpath.patch -Patch6: nss-ckbi-1_77.patch.bz2 +Patch6: renegotiate-transitional.patch Patch9: malloc.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver -PreReq: libfreebl3 >= %{version} +PreReq: libfreebl3 >= %{nss_softokn_fips_version} +PreReq: libsoftokn3 >= %{nss_softokn_fips_version} Requires: mozilla-nss-certs -Requires(post): coreutils BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nssdbdir %{_sysconfdir}/pki/nssdb %define run_testsuite 1 @@ -75,7 +77,8 @@ Summary: Network (Netscape) Security Services development files Group: Development/Libraries/Other Requires: mozilla-nspr-devel Requires: mozilla-nss = %{version}-%{release} -Requires: libfreebl3 = %{version}-%{release} +Requires: libfreebl3 +Requires: libsoftokn3 # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-devel-64bit 
@@ -100,6 +103,20 @@ The NSS Security Tools allow developers to test, debug, and manage applications that use NSS. +%package sysinit +License: GPLv2+ ; LGPLv2.1+ ; MPL +Summary: System NSS Initialization +Group: System/Management +Requires: mozilla-nss >= %{version} +Requires(post): coreutils + +%description sysinit +Default Operation System module that manages applications loading +NSS globally on the system. This module loads the system defined +PKCS #11 modules for NSS and chains with other NSS modules to load +any system or user configured modules. + + %package -n libfreebl3 License: GPLv2+ ; LGPLv2.1+ ; MPL Summary: Freebl library for the Network Security Services @@ -115,6 +132,22 @@ certificates, and other security standards. This package installs the freebl library from NSS. +%package -n libsoftokn3 +License: GPLv2+ ; LGPLv2.1+ ; MPL +Summary: Network Security Services Soktoken Module +Group: System/Libraries +Requires: libfreebl3 = %{version}-%{release} + +%description -n libsoftokn3 +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled server +applications. Applications built with NSS can support SSL v2 and v3, +TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +certificates, and other security standards. + +Network Security Services Softoken Cryptographic Module + + %package certs License: GPLv2+ ; LGPLv2.1+ ; MPL Summary: CA certificates for NSS @@ -133,7 +166,7 @@ cd mozilla %patch3 %patch4 %patch5 -%patch6 -p1 +%patch6 %if %suse_version > 1110 %patch9 %endif @@ -177,7 +210,9 @@ mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 mkdir -p $RPM_BUILD_ROOT%{_bindir} +mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT/%{_lib} +mkdir -p $RPM_BUILD_ROOT/%nssdbdir pushd mozilla/dist/Linux* # copy headers cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 
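Review bot: The Summary of the new libsoftokn3 package reads `Network Security Services Soktoken Module`, while its description a few lines below spells the name Softoken. It should be `Summary: Network Security Services Softoken Module`. In the sysinit description, `Default Operation System module` presumably means `Default Operating System module`. Both strings end up in the package metadata that users and search tools see.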
@@ -187,6 +222,7 @@ cp -L lib/libnss3.so \ lib/libnssdbm3.chk \ lib/libnssutil3.so \ lib/libnssckbi.so \ + lib/libnsssysinit.so \ lib/libsmime3.so \ lib/libsoftokn3.so \ lib/libsoftokn3.chk \ @@ -248,6 +284,16 @@ cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ > $RPM_BUILD_ROOT/%{_bindir}/nss-config chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config +# setup-nsssysinfo.sh +install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/ +# create empty NSS database +LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create +chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/* +sed "s:%{buildroot}::g +s/^library=$/library=libnsssysinit.so/ +/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \ + $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed +mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,} # create shlib sigs after extracting debuginfo %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ 
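Review bot: `install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/` lets only the owner execute the script while everyone can read it, which is neither a root-only script nor a normally installed one. `install -m 755` (or `750` if it is meant for root only) states the intent. The comment above it names `setup-nsssysinfo.sh`, but the file is setup-nsssysinit.sh. Separately, `chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/*` makes every file modutil created world-readable, presumably including the key database. That is fine for an empty database, but a comment such as `# system-wide db is world-readable by design; do not import private keys here` would record the assumption.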
@@ -266,31 +312,34 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config %postun -n libfreebl3 -p /sbin/ldconfig -%post tools -if [ ! -d "%{nssdbdir}" ] ; then - mkdir -p "%{nssdbdir}" -fi -if [ ! -f "%{nssdbdir}/pkcs11.txt" ] ; then - modutil -force -dbdir "sql:%{nssdbdir}" -create - chmod 644 "%{nssdbdir}"/* +%post -n libsoftokn3 -p /sbin/ldconfig + +%postun -n libsoftokn3 -p /sbin/ldconfig + +%post sysinit +/sbin/ldconfig +# make sure the current config is enabled +%{_sbindir}/setup-nsssysinit.sh on + +%preun sysinit +if [ $1 = 0 ]; then + %{_sbindir}/setup-nsssysinit.sh off fi +%postun sysinit -p /sbin/ldconfig + %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-, root, root) %{_libdir}/libnss3.so -%{_libdir}/libnssdbm3.so %{_libdir}/libnssutil3.so %{_libdir}/libsmime3.so -%{_libdir}/libsoftokn3.so %{_libdir}/libssl3.so %if %suse_version < 1030 %{_libdir}/libnsssqlite3.so %endif -%{_libdir}/libsoftokn3.chk -%{_libdir}/libnssdbm3.chk %files devel %defattr(644, root, root, 755) @@ -302,14 +351,30 @@ rm -rf $RPM_BUILD_ROOT %files tools %defattr(-, root, root) %{_bindir}/* +%exclude %{_sbindir}/setup-nsssysinit.sh %{_libexecdir}/nss/ %exclude %{_bindir}/nss-config +%files sysinit +%defattr(-, root, root) +%dir %{_sysconfdir}/pki +%dir %{_sysconfdir}/pki/nssdb +%config(noreplace) %{_sysconfdir}/pki/nssdb/* +%{_libdir}/libnsssysinit.so +%{_sbindir}/setup-nsssysinit.sh + %files -n libfreebl3 %defattr(-, root, root) /%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.chk +%files -n libsoftokn3 +%defattr(-, root, root) +%{_libdir}/libsoftokn3.so +%{_libdir}/libsoftokn3.chk +%{_libdir}/libnssdbm3.so +%{_libdir}/libnssdbm3.chk + %files certs %defattr(-, root, root) %{_libdir}/libnssckbi.so diff --git a/nss-3.12.4.tar.bz2 b/nss-3.12.4.tar.bz2 deleted file mode 100644 index aee773c..0000000 --- a/nss-3.12.4.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:16427d5e72aa84ffaf1b8612949558aa8c6ad0b2ba6defaae94752d5ce9619c4 -size 4107947 
diff --git a/nss-3.12.6.tar.bz2 b/nss-3.12.6.tar.bz2 new file mode 100644 index 0000000..353bcc0 --- /dev/null +++ b/nss-3.12.6.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0384a71321b7a3a92892a5ce3c3285273655400d1436563a1a92754e9abe57b4 +size 4539229 diff --git a/nss-ckbi-1_77.patch.bz2 b/nss-ckbi-1_77.patch.bz2 deleted file mode 100644 index 071bb87..0000000 --- a/nss-ckbi-1_77.patch.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2efe4e5ce35b302beed328dc1a9c7996fc5bf620151125da7875ef58715df481 -size 26449 diff --git a/nss-sqlitename.patch b/nss-sqlitename.patch index dd4ea27..54fa956 100644 --- a/nss-sqlitename.patch +++ b/nss-sqlitename.patch @@ -1,11 +1,11 @@ Index: security/nss/cmd/platlibs.mk =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v -retrieving revision 1.64 -diff -u -p -r1.64 platlibs.mk ---- security/nss/cmd/platlibs.mk 17 Jun 2009 23:01:48 -0000 1.64 -+++ security/nss/cmd/platlibs.mk 23 Nov 2009 16:08:54 -0000 -@@ -80,7 +80,11 @@ endif +retrieving revision 1.66 +diff -u -r1.66 platlibs.mk +--- security/nss/cmd/platlibs.mk 4 Feb 2010 18:59:10 -0000 1.66 ++++ security/nss/cmd/platlibs.mk 9 Mar 2010 12:06:11 -0000 +@@ -80,7 +80,11 @@ endif endif @@ -21,10 +21,10 @@ Index: security/nss/lib/softoken/config.mk =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/softoken/config.mk,v retrieving revision 1.29 -diff -u -p -r1.29 config.mk +diff -u -r1.29 config.mk --- security/nss/lib/softoken/config.mk 11 Jun 2009 00:55:48 -0000 1.29 -+++ security/nss/lib/softoken/config.mk 23 Nov 2009 16:08:55 -0000 -@@ -83,12 +83,16 @@ EXTRA_SHARED_LIBS += \ ++++ security/nss/lib/softoken/config.mk 9 Mar 2010 12:06:12 -0000 +@@ -57,12 +57,16 @@ -L$(DIST)/lib \ -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ 
@@ -39,17 +39,17 @@ diff -u -p -r1.29 config.mk +else +EXTRA_SHARED_LIBS += -lnsssqlite3 +endif - endif + else # ! NS_USE_GCC - ifeq ($(OS_TARGET),AIX) + EXTRA_SHARED_LIBS += \ Index: security/nss/lib/sqlite/manifest.mn =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v -retrieving revision 1.3 -diff -u -p -r1.3 manifest.mn ---- security/nss/lib/sqlite/manifest.mn 15 Aug 2007 15:30:05 -0000 1.3 -+++ security/nss/lib/sqlite/manifest.mn 23 Nov 2009 16:08:55 -0000 -@@ -38,9 +38,10 @@ CORE_DEPTH = ../../.. +retrieving revision 1.4 +diff -u -r1.4 manifest.mn +--- security/nss/lib/sqlite/manifest.mn 9 Jan 2010 05:04:37 -0000 1.4 ++++ security/nss/lib/sqlite/manifest.mn 9 Mar 2010 12:06:12 -0000 +@@ -38,9 +38,10 @@ MODULE = nss @@ -58,6 +58,6 @@ diff -u -p -r1.3 manifest.mn LIBRARY_VERSION = 3 MAPFILE = $(OBJDIR)/sqlite.def +MAPFILE_SOURCE = sqlite.def - DEFINES += -DTHREADSAFE=1 + DEFINES += -DSQLITE_THREADSAFE=1 EXPORTS = \ diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch new file mode 100644 index 0000000..bf63c70 --- /dev/null +++ b/renegotiate-transitional.patch @@ -0,0 +1,16 @@ +Index: security/nss/lib/ssl/sslsock.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v +retrieving revision 1.66 +diff -u -p -r1.66 sslsock.c +--- security/nss/lib/ssl/sslsock.c 26 Feb 2010 20:44:54 -0000 1.66 ++++ security/nss/lib/ssl/sslsock.c 1 Mar 2010 18:05:10 -0000 +@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = { + PR_FALSE, /* noLocks */ + PR_FALSE, /* enableSessionTickets */ + PR_FALSE, /* enableDeflate */ +- 2, /* enableRenegotiation (default: requires extension) */ ++ 3, /* enableRenegotiation (default: transitional) + PR_FALSE, /* requireSafeNegotiation */ + }; + diff --git a/setup-nsssysinit.sh b/setup-nsssysinit.sh new file mode 100644 index 0000000..7cd70db --- /dev/null 
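Review bot: In renegotiate-transitional.patch the added initializer line `3, /* enableRenegotiation (default: transitional)` never closes its comment. In the patched sslsock.c the comment therefore runs on to the `*/` of the following line and swallows the `PR_FALSE,` entry for requireSafeNegotiation. The initializer still compiles, and the omitted trailing member is zero-initialized, which happens to equal PR_FALSE, but that is accidental. Close the comment: `3, /* enableRenegotiation (default: transitional) */`. Since this value relaxes the previous "requires extension" default, a sentence in the patch header or next to `Patch6` saying when the transition phase ends and the patch is to be dropped would help the next maintainer.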
+++ b/setup-nsssysinit.sh @@ -0,0 +1,55 @@ +#!/bin/sh +# +# Turns on or off the nss-sysinit module db by editing the +# global PKCS #11 congiguration file. +# +# This script can be invoked by the user as super user. +# It is invoked at nss-sysinit post install time with argument on +# and at nss-sysinit pre uninstall with argument off. +# +usage() +{ + cat <&2 +fi + +# the system-wide configuration file +p11conf="/etc/pki/nssdb/pkcs11.txt" +# must exist, otherwise report it and exit with failure +if [ ! -f $p11conf ]; then + echo "Could not find ${p11conf}" + exit 1 +fi + +on="1" +case "$1" in + on | ON ) + cat ${p11conf} | \ + sed -e 's/^library=$/library=libnsssysinit.so/' \ + -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ + ${p11conf}.on + mv ${p11conf}.on ${p11conf} + ;; + off | OFF ) + if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=libnsssysinit.so/library=/' \ + -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ + ${p11conf}.off + mv ${p11conf}.off ${p11conf} + ;; + * ) + usage 1 1>&2 + ;; +esac
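Review bot: In both the `on` and `off` branches the `mv` runs unconditionally after `cat ${p11conf} | sed … > ${p11conf}.on`, so a failed or interrupted sed (a full disk, for instance) leaves an empty or truncated file moved over the system-wide /etc/pki/nssdb/pkcs11.txt. The replacement also takes whatever mode the caller's umask gives rather than the 644 the spec sets at build time, so under a restrictive umask the file could become unreadable to ordinary users. Chain the steps so the move happens only on success and set the mode explicitly, as sketched below for `on`; `off` needs the same treatment. The guard in the `off` branch that puts backquoted grep output inside `[ ! … ]` also breaks once grep prints more than one word; `if ! grep -q "^library=libnsssysinit" "${p11conf}"; then` tests the exit status instead.

```shell
  on | ON )
    # write the edited copy first; replace the live file only if every step succeeded
    sed -e 's/^library=$/library=libnsssysinit.so/' \
        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' \
        "${p11conf}" > "${p11conf}.on" \
      && chmod 644 "${p11conf}.on" \
      && mv "${p11conf}.on" "${p11conf}" \
      || { rm -f "${p11conf}.on"; exit 1; }
    ;;
  # … unchanged: off | OFF branch, usage fallback …
```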