From d0828bee6c2d2debe46f8c1a2f18a1a9c271fcce Mon Sep 17 00:00:00 2001
From: Matúš Honěk <mhonek@redhat.com>
Date: Mar 24 2017 19:02:46 +0000
Subject: NSS: Rearrange ciphers-, parsing-, and protocol-related patches


In addition, remove (or better, do not include anymore) unused
variables *variant* and *range* that were forgotten to be
removed when landing patch openldap-nss-protocol-version-new-api.patch
in commit 9e30b98.

Related: #1435689

---

diff --git a/openldap-nss-cipher-attributes.patch b/openldap-nss-cipher-attributes.patch
index e51f1ea..5ebd347 100644
--- a/openldap-nss-cipher-attributes.patch
+++ b/openldap-nss-cipher-attributes.patch
@@ -6,31 +6,51 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
-@@ -210,27 +210,37 @@ typedef struct {
+@@ -210,27 +210,44 @@ typedef struct {
+ 	int num;            /* The cipher id */
+ 	int attr;           /* cipher attributes: algorithms, etc */
+ 	int version;        /* protocol version valid for this cipher */
+-	int bits;           /* bits of strength */
+-	int alg_bits;       /* bits of the algorithm */
+ 	int strength;       /* LOW, MEDIUM, HIGH */
+ 	int enabled;        /* Enabled by default? */
+ } cipher_properties;
+ 
  /* cipher attributes  */
- #define SSL_kRSA        0x00000001L
- #define SSL_aRSA        0x00000002L
--#define SSL_RSA         (SSL_kRSA|SSL_aRSA)
- #define SSL_aDSA        0x00000004L
- #define SSL_DSA         SSL_aDSA
- #define SSL_eNULL       0x00000008L
- #define SSL_DES         0x00000010L
- #define SSL_3DES        0x00000020L
- #define SSL_RC4         0x00000040L
- #define SSL_RC2         0x00000080L
- #define SSL_AES128      0x00000100L
- #define SSL_AES256      0x00000200L
--#define SSL_AES         (SSL_AES128|SSL_AES256)
- #define SSL_MD5         0x00000400L
- #define SSL_SHA1        0x00000800L
- #define SSL_kEDH        0x00001000L
- #define SSL_CAMELLIA128 0x00002000L
- #define SSL_CAMELLIA256 0x00004000L
--#define SSL_CAMELLIA    (SSL_CAMELLIA128|SSL_CAMELLIA256)
- #define SSL_SEED        0x00008000L
- #define SSL_kECDH       0x00010000L
- #define SSL_kECDHE      0x00020000L
- #define SSL_aECDSA      0x00040000L
+-#define SSL_kRSA  0x00000001L
+-#define SSL_aRSA  0x00000002L
+-#define SSL_aDSS  0x00000004L
+-#define SSL_DSS   SSL_aDSS
+-#define SSL_eNULL 0x00000008L
+-#define SSL_DES   0x00000010L
+-#define SSL_3DES  0x00000020L
+-#define SSL_RC4   0x00000040L
+-#define SSL_RC2   0x00000080L
+-#define SSL_AES   0x00000100L
+-#define SSL_MD5   0x00000200L
+-#define SSL_SHA1  0x00000400L
+-#define SSL_SHA   SSL_SHA1
+-#define SSL_RSA   (SSL_kRSA|SSL_aRSA)
++#define SSL_kRSA        0x00000001L
++#define SSL_aRSA        0x00000002L
++#define SSL_aDSA        0x00000004L
++#define SSL_DSA         SSL_aDSA
++#define SSL_eNULL       0x00000008L
++#define SSL_DES         0x00000010L
++#define SSL_3DES        0x00000020L
++#define SSL_RC4         0x00000040L
++#define SSL_RC2         0x00000080L
++#define SSL_AES128      0x00000100L
++#define SSL_AES256      0x00000200L
++#define SSL_MD5         0x00000400L
++#define SSL_SHA1        0x00000800L
++#define SSL_kEDH        0x00001000L
++#define SSL_CAMELLIA128 0x00002000L
++#define SSL_CAMELLIA256 0x00004000L
++#define SSL_SEED        0x00008000L
++#define SSL_kECDH       0x00010000L
++#define SSL_kECDHE      0x00020000L
++#define SSL_aECDSA      0x00040000L
 +#define SSL_SHA256      0x00080000L
 +#define SSL_SHA384      0x00100000L
 +#define SSL_kEECDH      0x00200000L
@@ -47,7 +67,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  
  /* cipher strength */
  #define SSL_NULL      0x00000001L
-@@ -237,10 +251,14 @@ typedef struct {
+@@ -240,10 +257,14 @@ typedef struct {
  #define SSL_MEDIUM    0x00000010L
  #define SSL_HIGH      0x00000020L
  
@@ -62,3 +82,13 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  
  /* Cipher translation */
  static cipher_properties ciphers_def[] = {
+--- openldap-2.4.40/include/ldap.h	2014-09-19 03:48:49.000000000 +0200
++++ openldap-2.4.40/include/ldap.h	2014-11-14 09:25:54.560801030 +0100
+@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0		((3 << 8) + 1)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
++#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3		((3 << 8) + 4)
+ 
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH			0x6100
diff --git a/openldap-nss-ciphers-definitions.patch b/openldap-nss-ciphers-definitions.patch
index beb0e55..7b7a868 100644
--- a/openldap-nss-ciphers-definitions.patch
+++ b/openldap-nss-ciphers-definitions.patch
@@ -6,41 +6,37 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
-@@ -255,69 +255,103 @@ typedef struct {
+@@ -268,29 +268,104 @@ typedef struct {
+ 
  /* Cipher translation */
  static cipher_properties ciphers_def[] = {
- 
--	/*
--	 * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
--	 */
+-	/* SSL 2 ciphers */
+-	{"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
+-	{"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
+-	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+-	{"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
 -
- 	/* SSLv2 ciphers */
--	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW,      SSL_NOT_ALLOWED},
--	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH,     SSL_NOT_ALLOWED},
--	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
--	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
--	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
--	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
+-	/* SSL3 ciphers */
+-	{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+-	{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
+-	{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
+-	{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+-	{"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
+-	{"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+-	{"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
++
++	/* SSLv2 ciphers */
 +	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW},
 +	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
 +	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM},
 +	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM},
 +	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40},
 +	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40},
- 
- 	/* SSLv3 ciphers */
--	{"NULL-MD5",             SSL_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
--	{"NULL-SHA",             SSL_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
--	{"DES-CBC-SHA",          SSL_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
--	{"DES-CBC3-SHA",         SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
--	{"RC4-MD5",              SSL_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM,   SSL_ALLOWED},
--	{"RC4-SHA",              SSL_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM,   SSL_ALLOWED},
--	{"EXP-RC2-CBC-MD5",      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
--	{"EXP-RC4-MD5",          SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
--	{"EDH-RSA-DES-CBC-SHA",  SSL_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
--	{"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
--	{"EDH-DSS-DES-CBC-SHA",  SSL_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
--	{"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
++
++	/* SSLv3 ciphers */
 +	{"NULL-MD5",             TLS_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL},      /* SSL_RSA_WITH_NULL_MD5 */
 +	{"NULL-SHA",             TLS_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL},	 /* SSL_RSA_WITH_NULL_SHA */
 +	{"DES-CBC-SHA",          TLS_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW},	 /* SSL_RSA_WITH_DES_CBC_SHA */
@@ -55,42 +51,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +	{"EDH-DSS-DES-CBC3-SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH},	 /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
  
  	/* TLSv1 ciphers */
--	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
--	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
--	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
--	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM,   SSL_ALLOWED},
--	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
--	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
--	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
--	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM,   SSL_ALLOWED},
--	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
--	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM,   SSL_ALLOWED},
--	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
--	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM,   SSL_ALLOWED},
--	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
--	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
+-	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+-	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+-	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
+-	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
 +	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56},
 +	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56},
 +	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM},
diff --git a/openldap-nss-ciphers-parsing.patch b/openldap-nss-ciphers-parsing.patch
index 8b7c4e5..b91d07d 100644
--- a/openldap-nss-ciphers-parsing.patch
+++ b/openldap-nss-ciphers-parsing.patch
@@ -6,7 +6,7 @@ PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
-@@ -597,10 +597,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -617,10 +617,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  		while ((*cipher) && (isspace(*cipher)))
  			++cipher;
  
@@ -22,7 +22,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  			cipher++;
  			break;
  		case '-': /* Subtract something */
-@@ -611,8 +613,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -631,8 +633,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  			action = -1;
  			cipher++;
  			break;
@@ -33,7 +33,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  			break;
  		}
  
-@@ -646,7 +648,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -666,7 +668,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  			}
  		} else {
  			int mask = 0;
@@ -44,7 +44,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  			int protocol = 0;
  			char *c;
  
-@@ -657,16 +662,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -677,12 +682,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  					*c++ = '\0';
  				}
  
@@ -57,10 +57,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +					negative_mask |= SSL_kECDH;
  				} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
  					mask |= SSL_eNULL;
- 				} else if (!strcmp(cipher, "AES128")) {
- 					mask |= SSL_AES128;
- 				} else if (!strcmp(cipher, "AES256")) {
- 					mask |= SSL_AES256;
++				} else if (!strcmp(cipher, "AES128")) {
++					mask |= SSL_AES128;
++				} else if (!strcmp(cipher, "AES256")) {
++					mask |= SSL_AES256;
 +				} else if (!strcmp(cipher, "AESGCM")) {
 +					mask |= SSL_AESGCM;
  				} else if (!strcmp(cipher, "AES")) {
@@ -69,7 +69,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  				} else if (!strcmp(cipher, "3DES")) {
  					mask |= SSL_3DES;
  				} else if (!strcmp(cipher, "DES")) {
-@@ -673,44 +687,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -693,26 +707,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  					mask |= SSL_RC2;
  				} else if (!strcmp(cipher, "MD5")) {
  					mask |= SSL_MD5;
@@ -79,29 +79,18 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 +					mask |= SSL_SHA384;
  				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
  					mask |= SSL_SHA1;
--				} else if (!strcmp(cipher, "EDH")) {
--					mask |= SSL_kEDH;
--				} else if (!strcmp(cipher, "DSS")) {
--					mask |= SSL_aDSA;
 +				} else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) {
 +					mask |= SSL_kEDH;
 +				} else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
 +					mask |= SSL_aDSA;
- 				} else if (!strcmp(cipher, "CAMELLIA128")) {
- 					mask |= SSL_CAMELLIA128;
- 				} else if (!strcmp(cipher, "CAMELLIA256")) {
- 					mask |= SSL_CAMELLIA256;
- 				} else if (!strcmp(cipher, "CAMELLIA")) {
--					mask |= SSL_CAMELLIA;
++				} else if (!strcmp(cipher, "CAMELLIA128")) {
++					mask |= SSL_CAMELLIA128;
++				} else if (!strcmp(cipher, "CAMELLIA256")) {
++					mask |= SSL_CAMELLIA256;
++				} else if (!strcmp(cipher, "CAMELLIA")) {
 +					multi_mask |= SSL_CAMELLIA;
- 				} else if (!strcmp(cipher, "SEED")) {
- 					mask |= SSL_SEED;
--				} else if (!strcmp(cipher, "ECDH")) {
--					mask |= SSL_kECDH;
--				} else if (!strcmp(cipher, "ECDHE")) {
--					mask |= SSL_kECDHE;
--				} else if (!strcmp(cipher, "ECDSA")) {
--					mask |= SSL_aECDSA;
++				} else if (!strcmp(cipher, "SEED")) {
++					mask |= SSL_SEED;
 +				} else if (!strcmp(cipher, "kECDHe")) {
 +					mask |= SSL_kECDH|SSL_aECDSA;
 +				} else if (!strcmp(cipher, "kECDHr")) {
@@ -150,7 +139,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
  				}
  
  				if (c)
-@@ -700,23 +751,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -720,23 +775,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
  
  			} /* while */
  
diff --git a/openldap-nss-protocol-version-new-api.patch b/openldap-nss-protocol-version-new-api.patch
index 65cedf3..0ee0ec2 100644
--- a/openldap-nss-protocol-version-new-api.patch
+++ b/openldap-nss-protocol-version-new-api.patch
@@ -10,23 +10,6 @@ RHBZ: #1375432
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
-@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg )
- 			}
- 		}
- 
--		/*
--		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
--		 *
--		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
--		 */
--		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
--		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
--		variant = ssl_variant_stream;
--		SSL_VersionRangeSetDefault(variant, &range);
--
- 		NSS_SetDomesticPolicy();
- 
- 		PK11_SetPasswordFunc( tlsm_pin_prompt );
 @@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
  		       0, 0, 0 );
  		return -1;
diff --git a/openldap-nss-update-list-of-ciphers.patch b/openldap-nss-update-list-of-ciphers.patch
deleted file mode 100644
index d5986c0..0000000
--- a/openldap-nss-update-list-of-ciphers.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-MozNSS: update list of supported cipher suites
-
-The updated list includes all ciphers implemented in Mozilla NSS 3.13.15
-
-Author: Jan Vcelak <jvcelak@redhat.com>
-Upstream ITS: #7374
-
-diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index 1422ce2..5e49fc5 100644
---- a/libraries/libldap/tls_m.c
-+++ b/libraries/libldap/tls_m.c
-@@ -211,27 +211,34 @@ typedef struct {
- 	int num;            /* The cipher id */
- 	int attr;           /* cipher attributes: algorithms, etc */
- 	int version;        /* protocol version valid for this cipher */
--	int bits;           /* bits of strength */
--	int alg_bits;       /* bits of the algorithm */
- 	int strength;       /* LOW, MEDIUM, HIGH */
- 	int enabled;        /* Enabled by default? */
- } cipher_properties;
- 
- /* cipher attributes  */
--#define SSL_kRSA  0x00000001L
--#define SSL_aRSA  0x00000002L
--#define SSL_aDSS  0x00000004L
--#define SSL_DSS   SSL_aDSS
--#define SSL_eNULL 0x00000008L
--#define SSL_DES   0x00000010L
--#define SSL_3DES  0x00000020L
--#define SSL_RC4   0x00000040L
--#define SSL_RC2   0x00000080L
--#define SSL_AES   0x00000100L
--#define SSL_MD5   0x00000200L
--#define SSL_SHA1  0x00000400L
--#define SSL_SHA   SSL_SHA1
--#define SSL_RSA   (SSL_kRSA|SSL_aRSA)
-+#define SSL_kRSA        0x00000001L
-+#define SSL_aRSA        0x00000002L
-+#define SSL_RSA         (SSL_kRSA|SSL_aRSA)
-+#define SSL_aDSA        0x00000004L
-+#define SSL_DSA         SSL_aDSA
-+#define SSL_eNULL       0x00000008L
-+#define SSL_DES         0x00000010L
-+#define SSL_3DES        0x00000020L
-+#define SSL_RC4         0x00000040L
-+#define SSL_RC2         0x00000080L
-+#define SSL_AES128      0x00000100L
-+#define SSL_AES256      0x00000200L
-+#define SSL_AES         (SSL_AES128|SSL_AES256)
-+#define SSL_MD5         0x00000400L
-+#define SSL_SHA1        0x00000800L
-+#define SSL_kEDH        0x00001000L
-+#define SSL_CAMELLIA128 0x00002000L
-+#define SSL_CAMELLIA256 0x00004000L
-+#define SSL_CAMELLIA    (SSL_CAMELLIA128|SSL_CAMELLIA256)
-+#define SSL_SEED        0x00008000L
-+#define SSL_kECDH       0x00010000L
-+#define SSL_kECDHE      0x00020000L
-+#define SSL_aECDSA      0x00040000L
- 
- /* cipher strength */
- #define SSL_NULL      0x00000001L
-@@ -248,29 +255,70 @@ typedef struct {
- 
- /* Cipher translation */
- static cipher_properties ciphers_def[] = {
--	/* SSL 2 ciphers */
--	{"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
--	{"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
--	{"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
--	{"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
--	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
--	{"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
--
--	/* SSL3 ciphers */
--	{"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
--	{"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
--	{"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
--	{"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
--	{"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
--	{"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
--	{"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
--	{"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
-+
-+	/*
-+	 * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
-+	 */
-+
-+	/* SSLv2 ciphers */
-+	{"DES-CBC-MD5",     SSL_EN_DES_64_CBC_WITH_MD5,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5,  SSL2, SSL_LOW,      SSL_NOT_ALLOWED},
-+	{"DES-CBC3-MD5",    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH,     SSL_NOT_ALLOWED},
-+	{"RC2-CBC-MD5",     SSL_EN_RC2_128_CBC_WITH_MD5,          SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
-+	{"RC4-MD5",         SSL_EN_RC4_128_WITH_MD5,              SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_MEDIUM,   SSL_NOT_ALLOWED},
-+	{"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
-+	{"EXP-RC4-MD5",     SSL_EN_RC4_128_EXPORT40_WITH_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,  SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
-+
-+	/* SSLv3 ciphers */
-+	{"NULL-MD5",             SSL_RSA_WITH_NULL_MD5,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5,  SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"NULL-SHA",             SSL_RSA_WITH_NULL_SHA,              SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"DES-CBC-SHA",          SSL_RSA_WITH_DES_CBC_SHA,           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
-+	{"DES-CBC3-SHA",         SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
-+	{"RC4-MD5",              SSL_RSA_WITH_RC4_128_MD5,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"RC4-SHA",              SSL_RSA_WITH_RC4_128_SHA,           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,   SSL3, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"EXP-RC2-CBC-MD5",      SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
-+	{"EXP-RC4-MD5",          SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5,    SSL3, SSL_EXPORT40, SSL_ALLOWED},
-+	{"EDH-RSA-DES-CBC-SHA",  SSL_DHE_RSA_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
-+	{"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
-+	{"EDH-DSS-DES-CBC-SHA",  SSL_DHE_DSS_WITH_DES_CBC_SHA,       SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1,   SSL3, SSL_LOW,      SSL_ALLOWED},
-+	{"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1,  SSL3, SSL_HIGH,     SSL_ALLOWED},
- 
- 	/* TLSv1 ciphers */
--	{"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
--	{"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
--	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
--	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
-+	{"EXP1024-DES-CBC-SHA",      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,   SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
-+	{"EXP1024-RC4-SHA",          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_EXPORT56, SSL_ALLOWED},
-+	{"SEED-SHA",                 TLS_RSA_WITH_SEED_CBC_SHA,             SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"AES128-SHA",               TLS_RSA_WITH_AES_128_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"AES256-SHA",               TLS_RSA_WITH_AES_256_CBC_SHA,          SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"CAMELLIA256-SHA",          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"CAMELLIA128-SHA",          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,     SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-AES128-SHA",       TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-AES256-SHA",       TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-CAMELLIA128-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-RSA-CAMELLIA256-SHA",  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-RC4-SHA",          TLS_DHE_DSS_WITH_RC4_128_SHA,          SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1,         TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"DHE-DSS-AES128-SHA",       TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-AES256-SHA",       TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-CAMELLIA128-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"DHE-DSS-CAMELLIA256-SHA",  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-RSA-NULL-SHA",        TLS_ECDH_RSA_WITH_NULL_SHA,            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1,      TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDH-RSA-RC4-SHA",         TLS_ECDH_RSA_WITH_RC4_128_SHA,         SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1,        TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDH-RSA-DES-CBC3-SHA",    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1,       TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-RSA-AES128-SHA",      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-RSA-AES256-SHA",      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,     SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-ECDSA-NULL-SHA",      TLS_ECDH_ECDSA_WITH_NULL_SHA,          SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1,    TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDH-ECDSA-RC4-SHA",       TLS_ECDH_ECDSA_WITH_RC4_128_SHA,       SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1,      TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDH-ECDSA-DES-CBC3-SHA",  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1,     TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-ECDSA-AES128-SHA",    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDH-ECDSA-AES256-SHA",    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,   SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1,   TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-RSA-NULL-SHA",       TLS_ECDHE_RSA_WITH_NULL_SHA,           SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1,     TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDHE-RSA-RC4-SHA",        TLS_ECDHE_RSA_WITH_RC4_128_SHA,        SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1,       TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDHE-RSA-DES-CBC3-SHA",   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,   SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1,      TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-RSA-AES128-SHA",     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-RSA-AES256-SHA",     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,    SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-ECDSA-NULL-SHA",     TLS_ECDHE_ECDSA_WITH_NULL_SHA,         SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1,   TLS1, SSL_NULL,     SSL_NOT_ALLOWED},
-+	{"ECDHE-ECDSA-RC4-SHA",      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1,     TLS1, SSL_MEDIUM,   SSL_ALLOWED},
-+	{"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1,    TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-ECDSA-AES128-SHA",   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
-+	{"ECDHE-ECDSA-AES256-SHA",   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,  SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1,  TLS1, SSL_HIGH,     SSL_ALLOWED},
- };
- 
- #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
-@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
- 					mask |= SSL_RSA;
- 				} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
- 					mask |= SSL_eNULL;
-+				} else if (!strcmp(cipher, "AES128")) {
-+					mask |= SSL_AES128;
-+				} else if (!strcmp(cipher, "AES256")) {
-+					mask |= SSL_AES256;
- 				} else if (!strcmp(cipher, "AES")) {
- 					mask |= SSL_AES;
- 				} else if (!strcmp(cipher, "3DES")) {
-@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
- 					mask |= SSL_MD5;
- 				} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
- 					mask |= SSL_SHA1;
-+				} else if (!strcmp(cipher, "EDH")) {
-+					mask |= SSL_kEDH;
-+				} else if (!strcmp(cipher, "DSS")) {
-+					mask |= SSL_aDSA;
-+				} else if (!strcmp(cipher, "CAMELLIA128")) {
-+					mask |= SSL_CAMELLIA128;
-+				} else if (!strcmp(cipher, "CAMELLIA256")) {
-+					mask |= SSL_CAMELLIA256;
-+				} else if (!strcmp(cipher, "CAMELLIA")) {
-+					mask |= SSL_CAMELLIA;
-+				} else if (!strcmp(cipher, "SEED")) {
-+					mask |= SSL_SEED;
-+				} else if (!strcmp(cipher, "ECDH")) {
-+					mask |= SSL_kECDH;
-+				} else if (!strcmp(cipher, "ECDHE")) {
-+					mask |= SSL_kECDHE;
-+				} else if (!strcmp(cipher, "ECDSA")) {
-+					mask |= SSL_aECDSA;
- 				} else if (!strcmp(cipher, "SSLv2")) {
- 					protocol |= SSL2;
- 				} else if (!strcmp(cipher, "SSLv3")) {
--- 
-1.7.11.4
-
diff --git a/openldap-support-tlsv1-and-later.patch b/openldap-support-tlsv1-and-later.patch
deleted file mode 100644
index b8cc0f8..0000000
--- a/openldap-support-tlsv1-and-later.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-Support TLSv1 and later.
-
-Author: Mark Reynolds <mreynolds@redhat.com>
-Backported-by: Jan Synacek <jsynacek@redhat.com>
-Upstream ITS: #7979
-Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
-
---- openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:02:39.489493061 +0100
-+++ openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:23:07.239463097 +0100
-@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
- 	case SSL_ERROR_BAD_CERT_DOMAIN:
- 		break;
- 	default:
--		success = SECFailure;
-+ 		success = SECFailure;
- 		break;
- 	}
- 
-@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
- 	NSSInitContext *initctx = NULL;
- 	PK11SlotInfo *certdb_slot = NULL;
- #endif
-+	SSLVersionRange range;
-+	SSLProtocolVariant variant;
- 	SECStatus rc;
- 	int done = 0;
- 
-@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
- 			}
- 		}
- 
-+		/*
-+		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
-+		 *
-+		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
-+		 */
-+		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
-+		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
-+		variant = ssl_variant_stream;
-+		SSL_VersionRangeSetDefault(variant, &range);
-+
- 		NSS_SetDomesticPolicy();
- 
- 		PK11_SetPasswordFunc( tlsm_pin_prompt );
---- openldap-2.4.40/include/ldap.h	2014-09-19 03:48:49.000000000 +0200
-+++ openldap-2.4.40/include/ldap.h	2014-11-14 09:25:54.560801030 +0100
-@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0		((3 << 8) + 1)
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
-+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3		((3 << 8) + 4)
- 
- /* OpenLDAP SASL options */
- #define LDAP_OPT_X_SASL_MECH			0x6100
diff --git a/openldap.spec b/openldap.spec
index b12081b..74632df 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@
 
 Name: openldap
 Version: 2.4.44
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -29,7 +29,6 @@ Patch3: openldap-smbk5pwd-overlay.patch
 Patch4: openldap-man-sasl-nocanon.patch
 Patch5: openldap-ai-addrconfig.patch
 # nss patches, unlikely to ever get upstreamed
-Patch11: openldap-nss-update-list-of-ciphers.patch
 Patch12: openldap-tls-no-reuse-of-tls_session.patch
 Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
 Patch14: openldap-nss-ignore-certdb-type-prefix.patch
@@ -44,8 +43,6 @@ Patch17: openldap-allop-overlay.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
-# TLSv1 support, already included upstream
-Patch21: openldap-support-tlsv1-and-later.patch
 Patch22: openldap-nss-protocol-version-new-api.patch
 
 Patch50: openldap-nss-cipher-attributes.patch
@@ -145,7 +142,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
@@ -154,7 +150,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch17 -p1
 %patch19 -p1
 %patch20 -p1
-%patch21 -p1
 %patch22 -p1
 
 %patch50 -p1
@@ -553,6 +548,9 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8
+- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435689)
+
 * Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
 - NSS: Update list of ciphers (#1387868)