diff --git a/.gitignore b/.gitignore index 8632550..1673645 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,4 @@ TestUser50.cert TestUser51.cert /PayPalRootCA.cert /PayPalICA.cert -/nss-3.27.0.tar.gz +/nss-3.28.1.tar.gz diff --git a/iquote.patch b/iquote.patch index fae52b8..8d49456 100644 --- a/iquote.patch +++ b/iquote.patch @@ -125,9 +125,9 @@ diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk endif ifndef NSS_LIB_DIR -diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile ---- ./nss/external_tests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 -+++ ./nss/external_tests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800 +diff -up ./nss/gtests/pk11_gtest/Makefile.iquote ./nss/gtests/pk11_gtest/Makefile +--- ./nss/gtests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/gtests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -136,9 +136,9 @@ diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile ---- ./nss/external_tests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 -+++ ./nss/external_tests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800 +diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile +--- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/gtests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800 
@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch index b2e41ad..1898173 100644 --- a/nss-check-policy-file.patch +++ b/nss-check-policy-file.patch 
@@ -1,50 +1,25 @@ -diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c ---- a/lib/pk11wrap/pk11pars.c -+++ b/lib/pk11wrap/pk11pars.c -@@ -105,16 +105,17 @@ secmod_NewModule(void) - * This allows system NSS to delegate those changes to the user's module DB, - * preserving the user's ability to load new PKCS #11 modules (which only - * affect him), from existing applications like Firefox. - */ - #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB 0x01 /* must be set if any of the - *other flags are set */ - #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02 +diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c +--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100 ++++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100 +@@ -109,6 +109,7 @@ secmod_NewModule(void) + *other flags are set */ + #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02 #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04 -+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08 - ++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08 /* private flags for internal (field in SECMODModule). */ /* The meaing of these flags is as follows: - * - * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is - * the internal module (that is, softoken). This bit is the same as the - * already existing meaning of internal = PR_TRUE. 
None of the other -@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar - if (mod->isModuleDB) { - char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB; - if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) { - flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST; - } - if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) { - flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB; - } +@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar + if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) { + flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB; + } + if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) { + flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY; + } - /* additional moduleDB flags could be added here in the future */ - mod->isModuleDB = (PRBool) flags; + /* additional moduleDB flags could be added here in the future */ + mod->isModuleDB = (PRBool)flags; } - - if (mod->internal) { - char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL; - - if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) { -@@ -738,16 +742,24 @@ PRBool - SECMOD_GetDefaultModDBFlag(SECMODModule *mod) - { - char flags = (char) mod->isModuleDB; - - return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE; +@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule } PRBool @@ -58,20 +33,10 @@ diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c +PRBool secmod_IsInternalKeySlot(SECMODModule *mod) { - char flags = (char) mod->internal; - - return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE; - } - - void -@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO - if (library) PORT_Free(library); - if (moduleName) PORT_Free(moduleName); - if (parameters) PORT_Free(parameters); - if (nss) PORT_Free(nss); - if (config) PORT_Free(config); + char flags = (char)mod->internal; +@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM if (!module) { - goto loser; + goto loser; } + + /* a policy only stanza doesn't actually get 'loaded'. policy has already 
@@ -80,10 +45,5 @@ diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c + return module; + } if (parent) { - module->parent = SECMOD_ReferenceModule(parent); - if (module->internal && secmod_IsInternalKeySlot(parent)) { - module->internal = parent->internal; - } - } - - /* load it */ + module->parent = SECMOD_ReferenceModule(parent); + if (module->internal && secmod_IsInternalKeySlot(parent)) { diff --git a/nss-skip-bltest-and-fipstest.patch b/nss-skip-bltest-and-fipstest.patch index 96000f8..aee646c 100644 --- a/nss-skip-bltest-and-fipstest.patch +++ b/nss-skip-bltest-and-fipstest.patch @@ -1,9 +1,9 @@ diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile ---- ./nss/cmd/Makefile.skipthem 2016-09-29 12:02:16.143413684 +0200 -+++ ./nss/cmd/Makefile 2016-09-29 12:03:58.776522901 +0200 +--- ./nss/cmd/Makefile.skipthem 2017-01-06 13:17:27.477848351 +0100 ++++ ./nss/cmd/Makefile 2017-01-06 13:19:30.244586100 +0100 @@ -19,7 +19,11 @@ BLTEST_SRCDIR = ECPERF_SRCDIR = - ECTEST_SRCDIR = + FREEBL_ECTEST_SRCDIR = FIPSTEST_SRCDIR = +ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) +SHLIBSIGN_SRCDIR = shlibsign diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch index e69330a..06c1fd0 100644 --- a/nss-skip-util-gtest.patch +++ b/nss-skip-util-gtest.patch @@ -1,6 +1,6 @@ -diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn ---- ./external_tests/manifest.mn.skip_util_gtest 2016-09-29 12:05:28.858019733 +0200 -+++ ./external_tests/manifest.mn 2016-09-29 12:06:17.298681765 +0200 +diff -up ./gtests/manifest.mn.skip_util_gtest ./gtests/manifest.mn +--- ./gtests/manifest.mn.skip_util_gtest 2016-09-29 12:05:28.858019733 +0200 ++++ ./gtests/manifest.mn 2016-09-29 12:06:17.298681765 +0200 @@ -9,8 +9,5 @@ DIRS = \ google_test \ common \ diff --git a/nss.spec b/nss.spec index 547ea9d..6edbae1 100644 --- a/nss.spec +++ b/nss.spec 
@@ -1,6 +1,6 @@ %global nspr_version 4.13.0 -%global nss_util_version 3.27.0 -%global nss_softokn_version 3.27.0 +%global nss_util_version 3.28.1 +%global nss_softokn_version 3.28.1 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" @@ -18,10 +18,10 @@ Summary: Network Security Services Name: nss -Version: 3.27.0 +Version: 3.28.1 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.3%{?dist} +Release: 1.1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -99,7 +99,6 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch59: nss-check-policy-file.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch -Patch70: nss-check-pss.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -183,7 +182,6 @@ low level services. pushd nss %patch59 -p1 -b .check_policy_file %patch62 -p0 -b .skip_util_gtest -%patch70 -p1 -b .check_pss popd ######################################################### @@ -286,16 +284,7 @@ export NSS_ECC_MORE_THAN_SUITE_B=1 export NSS_BLTEST_NOT_AVAILABLE=1 -# NSS 3.27 enabled TLS 1.3 by default, disable it for now. -# -# The rationale is, while the maximum TLS version enabled by default -# is TLS 1.2, some applications query the maximum TLS version and -# enable it. That prevents those applications from connecting to -# servers which are not tolerant ot TLS versions. -# -# Note that this is a temporary solution and should be removed when -# packaging the next upstream release. -export NSS_DISABLE_TLS_1_3=1 +export NSS_ENABLE_TLS_1_3=1 %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm 
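Review bot: The new `export NSS_ENABLE_TLS_1_3=1` ahead of the `%{__make}` calls (hunk `@@ -286,16 +284,7 @@`) replaces a documented opt-out with an undocumented opt-in. The removed comment itself says NSS 3.27 already enabled TLS 1.3 by default, so this export may have no effect on a 3.28.1 build; confirm the NSS makefiles still read the variable, and drop the line if they do not. The deleted rationale described a concrete compatibility risk: applications that query the maximum TLS version, enable it, and then fail against version-intolerant servers. Nothing on the new side records why that risk no longer applies, so I would add a short comment above the export, for example `# TLS 1.3 re-enabled with the 3.28.1 rebase; version-intolerance concern tracked in <BUG-REFERENCE-PLACEHOLDER>`. The same replacement is made in the later hunk `@@ -405,7 +394,7 @@` (the environment set before the fips mangling test), so the two should be documented and kept in sync together.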
@@ -405,7 +394,7 @@ export USE_64 export NSS_BLTEST_NOT_AVAILABLE=1 -export NSS_DISABLE_TLS_1_3=1 +export NSS_ENABLE_TLS_1_3=1 # needed for the fips mangling test export SOFTOKEN_LIB_DIR=%{_libdir} @@ -804,6 +793,15 @@ fi %changelog +* Fri Jan 13 2017 Daiki Ueno - 3.28.1-1.1 +- Fix incorrect version specification in %%nss_{util,softokn}_version, + pointed by Elio Maldonado + +* Thu Jan 12 2017 Daiki Ueno - 3.28.1-1.0 +- Rebase to NSS 3.28.1 +- Remove upstreamed patch for disabling RSA-PSS +- Re-enable TLS 1.3 + * Tue Nov 15 2016 Daiki Ueno - 3.27.0-1.3 - Revert the previous fix for RSA-PSS and use the upstream fix instead diff --git a/sources b/sources index 65c1b48..26a895f 100644 --- a/sources +++ b/sources @@ -1,6 +1,6 @@ -a5ae49867124ac75f029a9a33af31bad blank-cert8.db -9315689bbd9f28ceebd47894f99fccbd blank-key3.db -73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db -691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db -2ec9e0606ba40fe65196545564b7cc2a blank-key4.db -e980f7c3bb70ca122e0f6f5e914ec29a nss-3.27.0.tar.gz +SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d +SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 +SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c +SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 +SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310 +SHA512 (nss-3.28.1.tar.gz) = f10c8e404741fafe5e5772dc754ff4503ec1826942db5fbc13b99155fcac50f29e1405dd249b69a27f27ebcfef73849b1f0f636a2076ab761384e8a0ed9a2b8b