- fix CVE-2023-0767

- fix CVE-2023-0767

- fix regression for pkcs12.

- fix regression for pkcs12.

- fix CVE-2021-43527

- fix CVE-2021-43527

- revert sql default language in man pages
- fix SEC_PKCS12EnableCipher so python-nss tests will still work.

- revert sql default language in man pages
- fix SEC_PKCS12EnableCipher so python-nss tests will still work.

- Fix HSM load failure because of CKO_Profile
- Allow builds with strict-proto

- Fix HSM load failure because of CKO_Profile
- Allow builds with strict-proto

- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)
- Explicitly enable upgradedb/sharedb test cycles

- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)
- Explicitly enable upgradedb/sharedb test cycles

- Increase timeout on ssl_gtest so that slow platforms can complete when
   running on a busy system.

- Increase timeout on ssl_gtest so that slow platforms can complete when
   running on a busy system.

- Fix certutil man page
- Fix extracting a public key from a private key for dh, ec, and dsa

- Fix certutil man page
- Fix extracting a public key from a private key for dh, ec, and dsa

- Backport upstream fix for CVE-2018-12384
- Remove nss-lockcert-api-change.patch, which turned out to be a
  mistake (the symbol was not exported from libnss)

- Backport upstream fix for CVE-2018-12384
- Remove nss-lockcert-api-change.patch, which turned out to be a
  mistake (the symbol was not exported from libnss)

- Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h

- Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h

- Re-enable nss-is-token-present-race.patch

- Re-enable nss-is-token-present-race.patch

- Backport patch to simplify transcript calculation for CertificateVerify

- Backport patch to simplify transcript calculation for CertificateVerify

- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5

- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5

- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5

- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5

- Rebase to NSS 3.28.4

- Rebase to NSS 3.28.4

- Restore ssl-server-min-key-sizes.patch
- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
  patch in the previous release
- Fix crash with tstclnt -W

- Restore ssl-server-min-key-sizes.patch
- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
  patch in the previous release
- Fix crash with tstclnt -W

- Mozilla #1314604 / Red Hat CVE-2016-8635

- Mozilla #1314604 / Red Hat CVE-2016-8635

- Rebuild to require the latest nss-util build and nss-softokn build.

- Rebuild to require the latest nss-util build and nss-softokn build.

- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol
- Resolves: Bug 1289883

- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol
- Resolves: Bug 1289883

- Eliminated rpmbuild "bogus date" error due to inconsistent weekday,
  by assuming the date is correct and changing the weekday.

- Eliminated rpmbuild "bogus date" error due to inconsistent weekday,
  by assuming the date is correct and changing the weekday.

- Eliminated rpmbuild "bogus date" error due to inconsistent weekday,
  by assuming the date is correct and changing the weekday.

- Eliminated rpmbuild "bogus date" error due to inconsistent weekday,
  by assuming the date is correct and changing the weekday.

- On RHEL 7.1 keep the TLS version defaults unchanged.

- On RHEL 7.1 keep the TLS version defaults unchanged.