From 77fff82f3a0a8909fe2bc434c4119fa7b268d60b Mon Sep 17 00:00:00 2001
From: Martin Stransky <stransky@redhat.com>
Date: Jan 16 2017 11:46:51 +0000
Subject: Added patch for nss 3.28.1 (mozbz#1290037)


---

diff --git a/firefox.spec b/firefox.spec
index 4089325..4a6c8b3 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -94,7 +94,7 @@
 Summary:        Mozilla Firefox Web browser
 Name:           firefox
 Version:        50.1.0
-Release:        2%{?pre_tag}%{?dist}
+Release:        3%{?pre_tag}%{?dist}
 URL:            https://www.mozilla.org/firefox/
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 Group:          Applications/Internet
@@ -138,6 +138,7 @@ Patch406:        mozilla-256180.patch
 # Rebase Gtk3 widget code to latest trunk to
 # fix various rendering problems
 Patch407:        widget-rebase.patch
+Patch408:        mozilla-1290037.patch
 
 # Debian patches
 Patch500:        mozilla-440908.patch
@@ -280,6 +281,7 @@ cd %{tarballdir}
 # Rebase Gtk3 widget code to latest trunk to
 # fix various rendering problems
 %patch407 -p1 -b .widget-rebase
+%patch408 -p1 -b .1290037
 
 # Debian extension patch
 %patch500 -p1 -b .440908
@@ -788,6 +790,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #---------------------------------------------------------------------
 
 %changelog
+* Mon Jan 16 2017 Martin Stransky <stransky@redhat.com> - 50.1.0-3
+- Added patch for nss 3.28.1 (mozbz#1290037)
+
 * Wed Dec 21 2016 Martin Stransky <stransky@redhat.com> - 50.1.0-2
 - Enabled Mozilla crash reporter
 
diff --git a/mozilla-1290037.patch b/mozilla-1290037.patch
new file mode 100644
index 0000000..508d580
--- /dev/null
+++ b/mozilla-1290037.patch
@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Date 1469717280 -7200
+#      Thu Jul 28 16:48:00 2016 +0200
+# Node ID 95aa61f1e3562e526bf88179d9d078fd90ad1bda
+# Parent  d42aacfe34af25e2f5110e2ca3d24a210eabeb33
+Update keybits in H2, r=mt
+
+MozReview-Commit-ID: 35oWoDMqe1Y
+
+diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
+--- a/netwerk/protocol/http/Http2Session.cpp
++++ b/netwerk/protocol/http/Http2Session.cpp
+@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   uint32_t keybits = ssl->GetKEAKeyBits();
+   if (kea == ssl_kea_dh && keybits < 2048) {
+     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
+-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
+   LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
+         this, macAlgorithm));
+   if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {