[nss] Update to nss-3.39 and nss-pem-1.0.4, fixes jb#36180

26457ca8 · kende · ab6de8f6 · 26457ca8 · 26457ca8 · ab6de8f6
Commit 26457ca8 authored Jan 09, 2019 by kende
24 changed files
--- a/add-relro-linker-option.patch
+++ b/add-relro-linker-option.patch
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
+++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+ 
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS	+= -Wl,-z,relro
+endif
+
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 
--- a/iquote.patch
+++ b/iquote.patch
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
+++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
+ endif
+ 
+# Prefer in-tree headers over system headers
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
+    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
+endif
+
+ MK_LOCATION = included
--- a/nss-3.13.3-notimestamps.patch
+++ b/nss-3.13.3-notimestamps.patch
-Index: nss-3.20.1/nss/lib/ckfw/pem/ckpemver.c
-===================================================================
--- nss-3.20.1.orig/nss/lib/ckfw/pem/ckpemver.c
-+++ nss-3.20.1/nss/lib/ckfw/pem/ckpemver.c
-@@ -53,7 +53,7 @@
-  */
- const char __nss_ckpem_rcsid[] = "$Header: NSS Access to Flat Files in PEM format"
-         NSS_CKPEM_LIBRARY_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-+        "  " "Built in OBS" " " "see rpm -q --info nss for more information" " $";
- const char __nss_ckcapi_sccsid[] = "@(#)NSS Access to Flag Files in PEM format "
-         NSS_CKPEM_LIBRARY_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
-+        "  " "Built in OBS" " " "see rpm -q --info nss for more information";
--- a/nss-3.20.1.tar.gz
+++ b/nss-3.20.1.tar.gz
--- a/nss-3.39.tar.gz
+++ b/nss-3.39.tar.gz
--- a/nss-539183.patch
+++ b/nss-539183.patch
+--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
+++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
+     PRSocketOptionData opt;
+ 
+-    addr.inet.family = PR_AF_INET;
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+        errExit("PR_SetNetAddr");
+    }
+ 
+-    listen_sock = PR_NewTCPSocket();
+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+     if (listen_sock == NULL) {
+-        errExit("PR_NewTCPSocket");
+        errExit("PR_OpenTCPSockett");
+     }
+ 
+     opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
+++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
+     PRSocketOptionData opt;
+ 
+-    addr.inet.family = PR_AF_INET;
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+        errExit("PR_SetNetAddr");
+    }
+ 
+-    listen_sock = PR_NewTCPSocket();
+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+     if (listen_sock == NULL) {
+-        errExit("PR_NewTCPSocket");
+        errExit("PR_OpenTCPSocket error");
+     }
+ 
+     opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- a/nss-config.in
+++ b/nss-config.in
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	nss
-	nssutil
-	ssl
-	smime
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-lib_ssl=yes
-lib_smime=yes
-lib_nss=yes
-lib_nssutil=yes
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    ssl)
-      lib_ssl=yes
-      ;;
-    smime)
-      lib_smime=yes
-      ;;
-    nss)
-      lib_nss=yes
-      ;;
-    nssutil)
-      lib_nssutil=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      if test -n "$lib_ssl"; then
-	libdirs="$libdirs -lssl${major_version}"
-      fi
-      if test -n "$lib_smime"; then
-	libdirs="$libdirs -lsmime${major_version}"
-      fi
-      if test -n "$lib_nss"; then
-	libdirs="$libdirs -lnss${major_version}"
-      fi
-      if test -n "$lib_nssutil"; then
-	libdirs="$libdirs -lnssutil${major_version}"
-      fi
-      echo $libdirs
-fi      
-
--- a/nss-enable-pem.patch
+++ b/nss-enable-pem.patch
-diff -up ./nss/lib/ckfw/manifest.mn.prepem ./nss/lib/ckfw/manifest.mn
--- ./nss/lib/ckfw/manifest.mn.prepem	2008-08-05 16:34:23.000000000 -0700
-+++ ./nss/lib/ckfw/manifest.mn	2008-08-05 16:34:30.000000000 -0700
-@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
- 
- CORE_DEPTH = ../..
- 
-DIRS = builtins 
-+DIRS = builtins pem
- 
- PRIVATE_EXPORTS = \
- 	ck.h		  \
--- a/nss-no-rpath.patch
+++ b/nss-no-rpath.patch
--- ./nss/cmd/platlibs.mk.withrpath	2013-03-09 02:09:57.584660753 +0200
-+++ ./nss/cmd/platlibs.mk	2013-03-09 02:10:59.144484108 +0200
-@@ -18,9 +18,9 @@
- 
- ifeq ($(OS_ARCH), Linux)
- ifeq ($(USE_64), 1)
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
- else
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
- endif
- endif
- 
--- a/nss-pem-1.0.4.tar.xz
+++ b/nss-pem-1.0.4.tar.xz
--- a/nss-pem-20140125.tar.bz2
+++ b/nss-pem-20140125.tar.bz2
--- a/nss-pem.cmake
+++ b/nss-pem.cmake
+# Add external nss header locations
+include_directories(../../dist/public/nss;../../dist/private/nss)
+# Find the external library path for linking
+execute_process(COMMAND find ${PROJECT_SOURCE_DIR}/../../dist -name libnssckfw.a OUTPUT_VARIABLE NSS_EXT_LIB_PATH)
+get_filename_component(NSS_LIB_PATH ${NSS_EXT_LIB_PATH} DIRECTORY)
+link_directories(${NSS_LIB_PATH})
--- a/nss-skip-bltest-and-fipstest.patch
+++ b/nss-skip-bltest-and-fipstest.patch
+diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
+--- ./nss/cmd/Makefile.skipthem	2017-01-06 13:17:27.477848351 +0100
+++ ./nss/cmd/Makefile	2017-01-06 13:19:30.244586100 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+SHLIBSIGN_SRCDIR = shlibsign
+else
+ SHLIBSIGN_SRCDIR =
+endif
+ else
+ BLTEST_SRCDIR = bltest
+ ECPERF_SRCDIR = ecperf
--- a/nss-skip-util-gtest.patch
+++ b/nss-skip-util-gtest.patch
+diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip_util_gtest	2017-08-08 12:45:57.598801125 +0200
+++ nss/gtests/manifest.mn	2017-08-08 12:46:59.682419852 +0200
+@@ -31,6 +31,5 @@ endif
+ 
+ DIRS = \
+ 	$(LIB_SRCDIRS) \
+-	$(UTIL_SRCDIRS) \
+ 	$(NSS_SRCDIRS) \
+ 	$(NULL)
--- a/nss-softokn.pc.in
+++ b/nss-softokn.pc.in
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
--- a/nss-sysinit-userdb-first.patch
+++ b/nss-sysinit-userdb-first.patch
-diff -up ./nss/lib/sysinit/nsssysinit.c.603313 ./nss/lib/sysinit/nsssysinit.c
--- ./nss/lib/sysinit/nsssysinit.c.603313	2010-10-15 13:57:42.719738316 -0700
-+++ ./nss/lib/sysinit/nsssysinit.c	2010-10-15 14:07:51.704637349 -0700
-@@ -263,16 +263,26 @@ get_list(char *filename, char *stripped_
+--- ./nss/lib/sysinit/nsssysinit.c.603313	2017-11-14 10:01:25.000000000 +0200
+++ ./nss/lib/sysinit/nsssysinit.c	2017-11-22 16:28:56.324234787 +0200
+@@ -231,6 +231,17 @@ get_list(char *filename, char *stripped_
     sysdb = getSystemDB();
     userdb = getUserDB();
 
-    /* Don't open root's user DB */
 +    /* return a list of databases to open. First the system database */
 +    if (sysdb) {
 +        const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
-+	module_list[next++] = PR_smprintf(
-+	    "library= "
-+	    "module=\"NSS system database\" "
-+	    "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
-+	    "NSS=\"trustOrder=80 %sflags=internal,critical\"",
+        module_list[next++] = PR_smprintf(
+            "library= "
+            "module=\"NSS system database\" "
+            "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+            "NSS=\"trustOrder=80 %sflags=internal,critical\"",
 +            sysdb, readonly, nssflags);
 +    }
 +
-+    /* Next the user database, but not for root. */
+     /* Don't open root's user DB */
     if (userdb != NULL && !userIsRoot()) {
-	/* return a list of databases to open. First the user Database */
- 	module_list[next++] = PR_smprintf(
- 	    "library= "
- 	    "module=\"NSS User database\" "
- 	    "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
-        "NSS=\"trustOrder=75 %sflags=internal%s\"",
-        userdb, stripped_parameters, nssflags,
-        isFIPS ? ",FIPS" : "");
-+            "NSS=\"trustOrder=75 %sflags=internal%s\"",
-+            userdb, stripped_parameters, nssflags,
-+            isFIPS ? ",FIPS" : "");
+         /* return a list of databases to open. First the user Database */
+@@ -252,17 +263,6 @@ get_list(char *filename, char *stripped_
+             userdb, stripped_parameters);
+     }
 
- 	/* now open the user's defined PKCS #11 modules */
- 	/* skip the local user DB entry */
-@@ -283,17 +293,7 @@ get_list(char *filename, char *stripped_
- 	    "module=\"NSS User database\" "
- 	    "parameters=\"configdir='sql:%s' %s\" "
- 	    "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", 
-		userdb, stripped_parameters);
-	}
-
 -    /* now the system database (always read only unless it's root) */
 -    if (sysdb) {
-	    const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
-	    module_list[next++] = PR_smprintf(
-	      "library= "
-	      "module=\"NSS system database\" "
-	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
-	      "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
-+            userdb, stripped_parameters);
-     }
- 
+-        const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+-        module_list[next++] = PR_smprintf(
+-            "library= "
+-            "module=\"NSS system database\" "
+-            "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+-            "NSS=\"trustOrder=80 %sflags=internal,critical\"",
+-            sysdb, readonly, nssflags);
+-    }
+-
     /* that was the last module */
+     module_list[next] = 0;
+ 
--- a/nss-util.pc.in
+++ b/nss-util.pc.in
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}
--- a/nss.changes
+++ b/nss.changes
+* Wed Jan 09 2019 Marko Kenttälä <marko.kenttala@jolla.com> - 3.39-1
+- Update to nss-3.39 and nss-pem-1.0.4, fixes jb#36180
+- Fedora spec file used as a base
+
 * Wed Nov 04 2015 Pasi Sjöholm <pasi.sjoholm@jollamobile.com> - 3.20.1
 - Update to 3.20.1
 - Fixes CVE-2015-7181 and CVE-2015-7182. Contributes to MER#1407
@@ -12,7 +16,7 @@
 * Wed Nov 26 2014 John Brooks <john.brooks@jollamobile.com> - 3.16.6
 - Update to 3.16.6 and split libnssckbi into a separate package

-* Tue Sep 25 2014 Pasi Sjöholm <pasi.sjoholm@jollamobile.com> - 3.16.5
+* Thu Sep 25 2014 Pasi Sjöholm <pasi.sjoholm@jollamobile.com> - 3.16.5
 - Update to 3.16.5
 - Fixes CVE-2014-1568.

@@ -69,13 +73,13 @@
 * Fri May 13 2011 Anas Nashif <anas.nashif@intel.com> - 3.12.9
 - Do not run test code, it does not work

-* Wed 02 Mar 2011 Passion Zhao <passion.zhao@intel.com>
+* Wed Mar 02 2011 Passion Zhao <passion.zhao@intel.com> - 3.12.9
 - Update to 3.12.9 from fennec requirement #BMC13425

-* Tue 16 Nov 2010 Stephan Binner <stephan.binner@basyskom.de>
+* Tue Nov 16 2010 Stephan Binner <stephan.binner@basyskom.de> - 3.12.8
 - Update to 3.12.8, disable non-applying likely obsolete patches, BMC#10122

-* Fri Apr 30 2010 David Woodhouse <David.Woodhouse@intel.com>
+* Fri Apr 30 2010 David Woodhouse <David.Woodhouse@intel.com> - 3.12.6
 - Fix Mozilla bug #524013 (hopefully MeeGo bug #1558)

 * Tue Feb 16 2010 Anas Nashif <anas.nashif@intel.com> - 3.12.5

--- a/nss.pc.in
+++ b/nss.pc.in
@@ -6,6 +6,6 @@ includedir=%includedir%
 Name: NSS
 Description: Network Security Services
 Version: %NSS_VERSION%
-Requires: nspr >= %NSPR_VERSION%
-Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
 Cflags: -I${includedir}
--- a/nss.spec
+++ b/nss.spec
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
+++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+     .noLocks = PR_FALSE,
+     .enableSessionTickets = PR_FALSE,
+     .enableDeflate = PR_FALSE,
+-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
+    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+     .requireSafeNegotiation = PR_FALSE,
+     .enableFalseStart = PR_FALSE,
+     .cbcRandomIV = PR_TRUE,
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
+++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
--- a/setup-nsssysinit.sh
+++ b/setup-nsssysinit.sh
 #!/bin/sh
 #
 # Turns on or off the nss-sysinit module db by editing the
-# global PKCS #11 congiguration file.
+# global PKCS #11 congiguration file. Displays the status.
 #
 # This script can be invoked by the user as super user.
-# It is invoked at nss-sysinit post install time with argument on
-# and at nss-sysinit pre uninstall with argument off. 
+# It is invoked at nss-sysinit post install time with argument on.
 #
 usage()
 {
  cat <<EOF
 Usage: setup-nsssysinit [on|off]
-  on  - turns on nsssysinit
-  off - turns off nsssysinit
+  on     - turns on nsssysinit
+  off    - turns off nsssysinit
+  status - reports whether nsssysinit is turned on or off
 EOF
  exit $1
 }

 # validate
-if test $# -eq 0; then
+if [ $# -eq 0 ]; then
  usage 1 1>&2
 fi

@@ -30,17 +30,26 @@ if [ ! -f $p11conf ]; then
  exit 1
 fi

-on="1"
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+  grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
 case "$1" in
  on | ON )
+    if sysinit_enabled; then 
+      exit 0 
+    fi
    cat ${p11conf} | \
-     sed -e 's/^library=$/library=libnsssysinit.so/' \
-         -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
-    ${p11conf}.on
+    sed -e 's/^library=$/library=libnsssysinit.so/' \
+        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+        ${p11conf}.on
    mv ${p11conf}.on ${p11conf}
    ;;
  off | OFF )
-    if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then
+    if ! sysinit_enabled; then
      exit 0
    fi
    cat ${p11conf} | \
@@ -49,6 +58,10 @@ case "$1" in
        ${p11conf}.off
    mv ${p11conf}.off ${p11conf}
    ;;
+  status )
+    echo -n 'NSS sysinit is '
+    sysinit_enabled && echo 'enabled' || echo 'disabled'
+    ;;
  * )
    usage 1 1>&2
    ;;

--- a/system-pkcs11.txt
+++ b/system-pkcs11.txt
-library=
+library=libnsssysinit.so
 name=NSS Internal PKCS #11 Module
 parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})