2014-07-02 15:39:25 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.16.2
Changelog:
Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16.
New functionality:
* DTLS 1.2 is supported.
* The TLS application layer protocol negotiation (ALPN) extension
is also supported on the server side.
* RSA-OAEP is supported. Use the new PK11_PrivDecrypt and
PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism.
* New Intel AES assembly code for 32-bit and 64-bit Windows,
contributed by Shay Gueron and Vlad Krasnov of Intel.
New Functions:
* CERT_AddExtensionByOID
* PK11_PrivDecrypt
* PK11_PubEncrypt
New Macros
* SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK
* SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL
Notable Changes:
* The btoa command has a new command-line option -w suffix, which
causes the output to be wrapped in BEGIN/END lines with the
given suffix
* The certutil command supports additional types of subject
alt name extensions.
* The certutil command supports generic certificate extensions,
by loading binary data from files, which have been prepared using
external tools, or which have been extracted from other existing
certificates and dumped to file.
* The certutil command supports three new certificate usage specifiers.
* The pp command supports printing UTF-8 (-u).
* On Linux, NSS is built with the -ffunction-sections -fdata-sections
compiler flags and the --gc-sections linker flag to allow unused
functions to be discarded.
|
2014-05-30 01:38:20 by Thomas Klausner | Files touched by this commit (3049) |
Log message:
Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
|
2014-05-26 01:45:58 by Masatake Daimon | Files touched by this commit (3) |
Log message:
Correct wrong install_name for Darwin.
Makefile had a SUBST for this but it wasn't working.
|
2014-05-16 15:59:17 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.16.1
Changelog:
Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16.
New functionality:
* Added the "ECC" flag for modutil to select the module used for
elliptic curve cryptography (ECC) operations.
New Functions:
* PK11_ExportDERPrivateKeyInfo
* PK11_ExportPrivKeyInfo
* SECMOD_InternalToPubMechFlags
New Types:
* ssl_padding_xtn
New Macros
* PUBLIC_MECH_ECC_FLAG
* SECMOD_ECC_FLAG
Notable Changes:
* Imposed name constraints on the French government root CA ANSSI
(DCISS).
|
2014-05-16 14:38:01 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Reduce PLIST divergence for OpenBSD
|
2014-04-09 09:27:19 by OBATA Akio | Files touched by this commit (452) |
Log message:
recursive bump from icu shlib major bump.
|
2014-03-23 08:48:03 by Richard PALO | Files touched by this commit (1) |
Log message:
fixup nss fetch location
|
2014-03-23 00:32:46 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.16
* Improve support for two-number versions like 3.16 (Firefox etc. require
a three-number version string)
Changelog:
From https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
The following security-relevant bug has been resolved.
Users are encouraged to upgrade immediately.
* Bug 903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard
character should not be embedded within the U-label of an
internationalized domain name. See the last bullet point in RFC 6125,
Section 7.2.
New functionality:
* Supports the Linux x32 ABI. To build for the Linux x32 target, set
the environment variable USE_X32=1 when building NSS.
New Functions:
* NSS_CMSSignerInfo_Verify
New Macros
* TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.,
cipher suites that were first defined in SSL 3.0 can now be referred
to with their official IANA names in TLS, with the TLS_ prefix.
Previously, they had to be referred to with their names in SSL 3.0,
with the SSL_ prefix.
Notable Changes:
* ECC is enabled by default. It is no longer necessary to set the
environment variable NSS_ENABLE_ECC=1 when building NSS. To disable
ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
* libpkix should not include the common name of CA as DNS names when
evaluating name constraints.
* AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
* Fix a memory corruption in sec_pkcs12_new_asafe.
* If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime
test sdb_measureAccess.
* The built-in roots module has been updated to version 1.97, which
adds, removes, and distrusts several certificates.
* The atob utility has been improved to automatically ignore lines of
text that aren't in base64 format.
* The certutil utility has been improved to support creation of
version 1 and version 2 certificates, in addition to the existing
version 3 support.
|
2014-03-13 12:08:54 by Jonathan Perkin | Files touched by this commit (67) |
Log message:
Set USE_GCC_RUNTIME=yes for packages which build shared libraries but do
not use libtool to do so. This is required to correctly depend upon a
gcc runtime package (e.g. gcc47-libs) when using USE_PKGSRC_GCC_RUNTIME.
|
2014-03-10 19:42:34 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.15.5
Changelog:
From: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.5_release_notes
Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15.
New functionality:
* Added support for the TLS application layer protocol negotiation
(ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
should be used for application layer protocol negotiation.
* Added the TLS padding extension. The extension type value is 35655,
which may change when an official extension type value is assigned
by IANA. NSS automatically adds the padding extension to ClientHello
when necessary.
* Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
the tail of a CERTCertList.
Notable Changes:
* Bug 950129: Improve the OCSP fetching policy when verifying OCSP
responses
* Bug 949060: Validate the iov input argument (an array of PRIOVec
structures) of ssl_WriteV (called via PR_Writev). Applications should
still take care when converting struct iov to PRIOVec because the
iov_len members of the two structures have different types
(size_t vs. int). size_t is unsigned and may be larger than int.
|
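The 3.15.5 note on Bug 949060 warns about converting struct iov to PRIOVec because iov_len is size_t on one side and int on the other. The following checked conversion is an added example, not code from NSS or pkgsrc. Assumptions: struct pr_iovec_like is a local stand-in for PRIOVec, and MAX_IOV and iov_to_priovec are hypothetical names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/uio.h>

/* Local stand-in for NSPR's PRIOVec (assumption: char *iov_base and a
 * signed int iov_len, as the changelog's "size_t vs. int" remark implies). */
struct pr_iovec_like {
    char *iov_base;
    int   iov_len;
};

#define MAX_IOV 16 /* hypothetical per-call cap chosen for this example */

/* Copy src[0..n) into dst[0..n) with range checks instead of a bare cast.
 * Returns the total byte count, or -1 if the count is out of range, any
 * length exceeds INT_MAX, or the summed length would not fit in an int. */
long iov_to_priovec(const struct iovec *src, int n, struct pr_iovec_like *dst)
{
    long total = 0;
    if (src == NULL || dst == NULL || n < 0 || n > MAX_IOV)
        return -1;
    for (int i = 0; i < n; i++) {
        if (src[i].iov_len > (size_t)INT_MAX)   /* would truncate or go negative */
            return -1;
        if (src[i].iov_base == NULL && src[i].iov_len != 0)
            return -1;
        if ((long)src[i].iov_len > (long)INT_MAX - total) /* sum must fit in int */
            return -1;
        dst[i].iov_base = (char *)src[i].iov_base;
        dst[i].iov_len  = (int)src[i].iov_len;
        total += dst[i].iov_len;
    }
    return total;
}

int main(void)
{
    char msg[] = "constructed sample"; /* constructed input, 18 bytes */
    struct iovec ok[1]  = { { msg, sizeof msg - 1 } };
    struct iovec big[1] = { { msg, (size_t)INT_MAX + 1u } }; /* never dereferenced */
    struct pr_iovec_like out[1];
    printf("in-range vector: %ld\n", iov_to_priovec(ok, 1, out));
    printf("oversized vector: %ld\n", iov_to_priovec(big, 1, out));
    return 0;
}
```

The converted array is only passed on to a vectored write when the function returns a non-negative total; a -1 means the caller's lengths cannot be represented and the write is refused.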