Log message:
Update to 3.44

Changelog:
New Functions:

    in lib/certdb/cert.h
	CERT_GetCertificateDer - Access the DER-encoded form of a
CERTCertificate.

Notable Changes in NSS 3.44:

   * It is now possible to build NSS as a static library (Bug 1543545)
   * Initial support for building for iOS.

Bugs fixed in NSS 3.44:

   * 1501542 - Implement CheckARMSupport for Android
   * 1531244 - Use __builtin_bswap64 in crypto_primitives.h
   * 1533216 - CERT_DecodeCertPackage() crash with Netscape Certificate
Sequences
   * 1533616 - sdb_GetAttributeValueNoLock should make at most one sql query,
rather than one for each attribute
   * 1531236 - Provide accessor for CERTCertificate.derCert
   * 1536734 - lib/freebl/crypto_primitives.c assumes a big endian machine
   * 1532384 - In NSS test certificates, use @example.com (not @bogus.com)
   * 1538479 - Post-Handshake messages after async server authentication break
when using record layer separation
   * 1521578 - x25519 support in pk11pars.c
   * 1540205 - freebl build fails with -DNSS_DISABLE_CHACHAPOLY
   * 1532312 - post-handshake auth doesn't interoperate with OpenSSL
   * 1542741 - certutil -F crashes with segmentation fault
   * 1546925 - Allow preceding text in try comment
   * 1534468 - Expose ChaCha20 primitive
   * 1418944 - Quote CC/CXX variables passed to nspr
   * 1543545 - Allow to build NSS as a static library
   * 1487597 - Early data that arrives before the handshake completes can be
read afterwards
   * 1548398 - freebl_gtest not building on Linux/Mac
   * 1548722 - Fix some Coverity warnings
   * 1540652 - softoken/sdb.c: Logically dead code
   * 1549413 - Android log lib is not included in build
   * 1537927 - IPsec usage is too restrictive for existing deployments
   * 1549608 - Signature fails with dbm disabled
   * 1549848 - Allow building NSS for iOS using gyp
   * 1549847 - NSS's SQLite compilation warnings make the build fail on iOS
   * 1550041 - freebl not building on iOS simulator
   * 1542950 - MacOS cipher test timeouts

Log message:
Do not conflict with MD5_Update from OpenSSL

Like SHA1_Update, define another name, NSS_MD5_Update and
use via CPP macto.
This change fixes PDF export of misc/libreoffice.

And make pkglint happier.

Log message:
Recursive revbump from textproc/icu

Log message:
Update to 3.43

Changelog:
New Functionality:
 * in sechash.h
    HASH_GetHashOidTagByHashType - convert type HASH_HashType to type
SECOidTag

 * in sslexp.h
    SSL_SendCertificateRequest - allow server to request post-handshake client
    authentication. To use this both peers need to enable the
    SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism is
    present, post-handshake authentication is currently not TLS 1.3 compliant
    due to Bug 1532312

Notable changes:
 * The following CA certificates were Added:
  - CN = emSign Root CA - G1
    SHA-256 Fingerprint:
40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367

  - CN = emSign ECC Root CA - G3
    SHA-256 Fingerprint:
86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B

  - CN = emSign Root CA - C1
    SHA-256 Fingerprint:
125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F

  - CN = emSign ECC Root CA - C3
    SHA-256 Fingerprint:
BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3

  - CN = Hongkong Post Root CA 3
    SHA-256 Fingerprint:
5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6

Bugs fixed in NSS 3.43
 * Bug 1528669 and Bug 1529308 - Improve Gyp build system handling

 * Bug 1529950 and Bug 1521174 - Improve NSS S/MIME tests for Thunderbird

 * Bug 1530134 - If Docker isn't installed, try running a local clang-format
		 as a fallback

 * Bug 1531267 - Enable FIPS mode automatically if the system FIPS mode flag
		 is set

 * Bug 1528262 - Add a -J option to the strsclnt command to specify sigschemes

 * Bug 1513909 - Add manual for nss-policy-check

 * Bug 1531074 - Fix a deref after a null check in SECKEY_SetPublicValue

 * Bug 1517714 - Properly handle ESNI with HRR

 * Bug 1529813 - Expose HKDF-Expand-Label with mechanism

 * Bug 1535122 - Align TLS 1.3 HKDF trace levels

 * Bug 1530102 - Use getentropy on compatible versions of FreeBSD

Log message:
Update to 3.42

Changelog:
New Functionality:
 * Bug 818686 - Support XDG basedir specification

Notable changes:
 * Added support for some of the testcases from the Wycheproof project:
   - Bug 1508666 - Added AES-GCM test cases
   - Bug 1508673 - Added ChaCha20-Poly1305 test cases
   - Bug 1514999 - Added the Curve25519 test cases
   - Thanks to Jonas Allmann for adapting these tests.

Bugs fixed in NSS 3.42:
 * Bug 1490006 - Reject invalid CH.legacy_version in TLS 1.3
 * Bug 1507135 and Bug 1507174 - Add additional null checks to several CMS
   functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak
   for the discovery and fixes.
 * Bug 1513913 - A fix for Solaris where Firefox 60 core dumps during start when
   using profile from version 52

Log message:
Update to 3.41

New functionality:
* Bug 1252891 - Implemented EKU handling for IPsec IKE.
* Bug 1423043 - Enable half-closed states for TLS.
* Bug 1493215 - Enabled the following ciphersuites by default:
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_GCM_SHA384

Notable changes:
* The following CA certificates were added:
    CN = Certigna Root CA
    CN = GTS Root R1
    CN = GTS Root R2
    CN = GTS Root R3
    CN = GTS Root R4
    CN = UCA Global G2 Root
    CN = UCA Extended Validation Root

* The following CA certificates were removed:
    CN = AC Raíz Certicámara S.A.
    CN = Certplus Root CA G1
    CN = Certplus Root CA G2
    CN = OpenTrust Root CA G1
    CN = OpenTrust Root CA G2
    CN = OpenTrust Root CA G3

Bugs fixed in NSS 3.41:
* Bug 1412829, Reject empty supported_signature_algorithms in Certificate
  Request in TLS 1.2
* Bug 1485864 - Cache side-channel variant of the Bleichenbacher attack
  (CVE-2018-12404)
* Bug 1481271 - Resend the same ticket in ClientHello after HelloRetryRequest
* Bug 1493769 - Set session_id for external resumption tokens
* Bug 1507179 - Reject CCS after handshake is complete in TLS 1.3

Log message:
revbump after updating textproc/icu

Log message:
*: Add CTF_SUPPORTED/CTF_FILES_SKIP where necessary.

Log message:
Update to 3.40

Changelog:
Notable bug fixes:
* Bug 1478698 - FFDHE key exchange sometimes fails with decryption failure

New functionality:
* The draft-00 version of encrypted SNI support is implemented
* tstclnt now takes -N option to specify encrypted SNI key

Notable changes:
* The mozilla::pkix library has been ported from Mozilla PSM to NSS.
  This is a C++ library for building certification paths.
  mozilla::pkix APIs are not exposed in the libraries NSS builds.
* It is easier to build NSS on Windows in mozilla-build environments.
* The following CA certificates were Removed:
    CN = Visa eCommerce Root

Log message:
Update to 3.39

Changelog:
Notable bug fixes:
* Bug 1483128 - NSS responded to an SSLv2-compatible ClientHello
  with a ServerHello that had an all-zero random (CVE-2018-12384)

New functionality:
* The tstclnt and selfserv utilities added support for configuring
  the enabled TLS signature schemes using the -J parameter.
* NSS will use RSA-PSS keys to authenticate in TLS. Support for
  these keys is disabled by default but can be enabled using
  SSL_SignatureSchemePrefSet().
* certutil added the ability to delete an orphan private key from
  an NSS key database.
* Added the nss-policy-check utility, which can be used to check
  an NSS policy configuration for problems.
* A PKCS#11 URI can be used as an identifier for a PKCS#11 token.

Notable changes:
* The TLS 1.3 implementation uses the final version number from
  RFC 8446.
* Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature
  where the DigestInfo structure was missing the NULL parameter.
  Starting with version 3.39, NSS requires the encoding to contain
  the NULL parameter.
* The tstclnt and selfserv test utilities no longer accept the -z
  parameter, as support for TLS compression was removed in a
  previous NSS version.
* The CA certificates list was updated to version 2.26.
* The following CA certificates were Added:
  - OU = GlobalSign Root CA - R6
  - CN = OISTE WISeKey Global Root GC CA
  The following CA certificate was Removed:
  - CN = ComSign
  The following CA certificates had the Websites trust bit disabled:
  - CN = Certplus Root CA G1
  - CN = Certplus Root CA G2
  - CN = OpenTrust Root CA G1
  - CN = OpenTrust Root CA G2
  - CN = OpenTrust Root CA G3