0002-Support-for-NSS-as-a-TLS-backend-v9.patch

application/octet-stream

Filename: 0002-Support-for-NSS-as-a-TLS-backend-v9.patch
Type: application/octet-stream
Part: 1
Message: Re: Support for NSS as a libpq TLS backend

Patch

Format: format-patch
Series: patch v9-0002
Subject: Support for NSS as a TLS backend v9
File+
configure 211 0
configure.ac 30 0
contrib/Makefile 1 1
contrib/postgres_fdw/expected/postgres_fdw.out 1 1
contrib/sslinfo/sslinfo.c 76 88
doc/src/sgml/acronyms.sgml 43 0
doc/src/sgml/config.sgml 20 1
doc/src/sgml/installation.sgml 29 1
doc/src/sgml/libpq.sgml 24 3
doc/src/sgml/runtime.sgml 74 4
doc/src/sgml/sslinfo.sgml 12 2
src/backend/libpq/auth.c 7 0
src/backend/libpq/be-secure.c 3 0
src/backend/libpq/be-secure-nss.c 1038 0
src/backend/libpq/be-secure-openssl.c 15 1
src/backend/libpq/Makefile 4 0
src/backend/utils/misc/guc.c 19 1
src/include/common/pg_nss.h 141 0
src/include/libpq/libpq-be.h 7 2
src/include/libpq/libpq.h 3 0
src/include/pg_config.h.in 3 0
src/include/pg_config_manual.h 2 3
src/interfaces/libpq/fe-connect.c 4 0
src/interfaces/libpq/fe-secure.c 4 1
src/interfaces/libpq/fe-secure-nss.c 984 0
src/interfaces/libpq/libpq-fe.h 11 0
src/interfaces/libpq/libpq-int.h 5 0
src/interfaces/libpq/Makefile 4 0
src/Makefile.global.in 10 0
src/test/Makefile 1 1
src/test/ssl/Makefile 172 0
src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db 0 0
src/test/ssl/ssl/nss/client_ca.crt.db/key4.db 0 0
src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db 0 0
src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/client.crl 0 0
src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db 0 0
src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db.pass 1 0
src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/client.crt__client.key.db/key4.db 0 0
src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/client-encrypted-pem.pfx 0 0
src/test/ssl/ssl/nss/client.pfx 0 0
src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/key4.db 0 0
src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/client-revoked.pfx 0 0
src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db 0 0
src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db 0 0
src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/root+client.crl 0 0
src/test/ssl/ssl/nss/root.crl 0 0
src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db 0 0
src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db 0 0
src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db 0 0
src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db 0 0
src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db 0 0
src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db 0 0
src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db 0 0
src/test/ssl/ssl/nss/server_ca.crt.db/key4.db 0 0
src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db 0 0
src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx 0 0
src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db 0 0
src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db 0 0
src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-cn-only.pfx 0 0
src/test/ssl/ssl/nss/server.crl 0 0
src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db 0 0
src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-multiple-alt-names.pfx 0 0
src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db 0 0
src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-no-names.pfx 0 0
src/test/ssl/ssl/nss/server-password.pfx 0 0
src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db 0 0
src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-revoked.pfx 0 0
src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db 0 0
src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db 0 0
src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/pkcs11.txt 5 0
src/test/ssl/ssl/nss/server-single-alt-name.pfx 0 0
src/test/ssl/t/001_ssltests.pl 155 134
src/test/ssl/t/002_scram.pl 2 2
src/test/ssl/t/SSL/Backend/NSS.pm 64 0
src/test/ssl/t/SSL/Backend/OpenSSL.pm 103 0
src/test/ssl/t/SSL/Server.pm 66 14
src/tools/msvc/config_default.pl 1 0
src/tools/msvc/Install.pm 2 1
src/tools/msvc/Mkvcbuild.pm 24 5
src/tools/msvc/Solution.pm 20 0
From bb4928ad54bd46d34ccc3d3101e965ba5e157262 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Sat, 29 Aug 2020 01:24:10 +0200
Subject: [PATCH 2/2] Support for NSS as a TLS backend v9

Daniel Gustafsson, Andrew Dunstan
---
 configure                                     |  211 ++++
 configure.ac                                  |   30 +
 contrib/Makefile                              |    2 +-
 .../postgres_fdw/expected/postgres_fdw.out    |    2 +-
 contrib/sslinfo/sslinfo.c                     |  164 ++-
 doc/src/sgml/acronyms.sgml                    |   43 +
 doc/src/sgml/config.sgml                      |   21 +-
 doc/src/sgml/installation.sgml                |   30 +-
 doc/src/sgml/libpq.sgml                       |   27 +-
 doc/src/sgml/runtime.sgml                     |   78 +-
 doc/src/sgml/sslinfo.sgml                     |   14 +-
 src/Makefile.global.in                        |   10 +
 src/backend/libpq/Makefile                    |    4 +
 src/backend/libpq/auth.c                      |    7 +
 src/backend/libpq/be-secure-nss.c             | 1038 +++++++++++++++++
 src/backend/libpq/be-secure-openssl.c         |   16 +-
 src/backend/libpq/be-secure.c                 |    3 +
 src/backend/utils/misc/guc.c                  |   20 +-
 src/include/common/pg_nss.h                   |  141 +++
 src/include/libpq/libpq-be.h                  |    9 +-
 src/include/libpq/libpq.h                     |    3 +
 src/include/pg_config.h.in                    |    3 +
 src/include/pg_config_manual.h                |    5 +-
 src/interfaces/libpq/Makefile                 |    4 +
 src/interfaces/libpq/fe-connect.c             |    4 +
 src/interfaces/libpq/fe-secure-nss.c          |  984 ++++++++++++++++
 src/interfaces/libpq/fe-secure.c              |    5 +-
 src/interfaces/libpq/libpq-fe.h               |   11 +
 src/interfaces/libpq/libpq-int.h              |    5 +
 src/test/Makefile                             |    2 +-
 src/test/ssl/Makefile                         |  172 +++
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 36864 bytes
 .../pkcs11.txt                                |    5 +
 src/test/ssl/ssl/nss/client-encrypted-pem.pfx |  Bin 0 -> 3149 bytes
 .../cert9.db                                  |  Bin 0 -> 28672 bytes
 .../key4.db                                   |  Bin 0 -> 36864 bytes
 .../pkcs11.txt                                |    5 +
 src/test/ssl/ssl/nss/client-revoked.pfx       |  Bin 0 -> 3149 bytes
 src/test/ssl/ssl/nss/client.crl               |  Bin 0 -> 418 bytes
 ...ient.crt__client-encrypted-pem.key.db.pass |    1 +
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 45056 bytes
 .../pkcs11.txt                                |    5 +
 .../nss/client.crt__client.key.db/cert9.db    |  Bin 0 -> 36864 bytes
 .../ssl/nss/client.crt__client.key.db/key4.db |  Bin 0 -> 45056 bytes
 .../nss/client.crt__client.key.db/pkcs11.txt  |    5 +
 src/test/ssl/ssl/nss/client.pfx               |  Bin 0 -> 3149 bytes
 .../ssl/ssl/nss/client_ca.crt.db/cert9.db     |  Bin 0 -> 28672 bytes
 src/test/ssl/ssl/nss/client_ca.crt.db/key4.db |  Bin 0 -> 36864 bytes
 .../ssl/ssl/nss/client_ca.crt.db/pkcs11.txt   |    5 +
 src/test/ssl/ssl/nss/root+client.crl          |  Bin 0 -> 393 bytes
 .../ssl/nss/root+client_ca.crt.db/cert9.db    |  Bin 0 -> 28672 bytes
 .../ssl/ssl/nss/root+client_ca.crt.db/key4.db |  Bin 0 -> 36864 bytes
 .../ssl/nss/root+client_ca.crt.db/pkcs11.txt  |    5 +
 .../ssl/nss/root+server_ca.crt.db/cert9.db    |  Bin 0 -> 28672 bytes
 .../ssl/ssl/nss/root+server_ca.crt.db/key4.db |  Bin 0 -> 36864 bytes
 .../ssl/nss/root+server_ca.crt.db/pkcs11.txt  |    5 +
 .../cert9.db                                  |  Bin 0 -> 28672 bytes
 .../key4.db                                   |  Bin 0 -> 36864 bytes
 .../pkcs11.txt                                |    5 +
 .../cert9.db                                  |  Bin 0 -> 28672 bytes
 .../root+server_ca.crt__server.crl.db/key4.db |  Bin 0 -> 36864 bytes
 .../pkcs11.txt                                |    5 +
 src/test/ssl/ssl/nss/root.crl                 |  Bin 0 -> 393 bytes
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 45056 bytes
 .../pkcs11.txt                                |    5 +
 .../ssl/ssl/nss/server-cn-and-alt-names.pfx   |  Bin 0 -> 3349 bytes
 .../cert9.db                                  |  Bin 0 -> 28672 bytes
 .../key4.db                                   |  Bin 0 -> 36864 bytes
 .../pkcs11.txt                                |    5 +
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 45056 bytes
 .../pkcs11.txt                                |    5 +
 src/test/ssl/ssl/nss/server-cn-only.pfx       |  Bin 0 -> 3197 bytes
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 45056 bytes
 .../pkcs11.txt                                |    5 +
 .../ssl/ssl/nss/server-multiple-alt-names.pfx |  Bin 0 -> 3325 bytes
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 45056 bytes
 .../pkcs11.txt                                |    5 +
 src/test/ssl/ssl/nss/server-no-names.pfx      |  Bin 0 -> 3109 bytes
 src/test/ssl/ssl/nss/server-password.pfx      |  Bin 0 -> 3197 bytes
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 45056 bytes
 .../pkcs11.txt                                |    5 +
 src/test/ssl/ssl/nss/server-revoked.pfx       |  Bin 0 -> 3181 bytes
 .../cert9.db                                  |  Bin 0 -> 36864 bytes
 .../key4.db                                   |  Bin 0 -> 45056 bytes
 .../pkcs11.txt                                |    5 +
 .../ssl/ssl/nss/server-single-alt-name.pfx    |  Bin 0 -> 3213 bytes
 src/test/ssl/ssl/nss/server.crl               |  Bin 0 -> 418 bytes
 .../ssl/ssl/nss/server_ca.crt.db/cert9.db     |  Bin 0 -> 28672 bytes
 src/test/ssl/ssl/nss/server_ca.crt.db/key4.db |  Bin 0 -> 36864 bytes
 .../ssl/ssl/nss/server_ca.crt.db/pkcs11.txt   |    5 +
 src/test/ssl/t/001_ssltests.pl                |  289 ++---
 src/test/ssl/t/002_scram.pl                   |    4 +-
 src/test/ssl/t/SSL/Backend/NSS.pm             |   64 +
 src/test/ssl/t/SSL/Backend/OpenSSL.pm         |  103 ++
 .../ssl/t/{SSLServer.pm => SSL/Server.pm}     |   80 +-
 src/tools/msvc/Install.pm                     |    3 +-
 src/tools/msvc/Mkvcbuild.pm                   |   29 +-
 src/tools/msvc/Solution.pm                    |   20 +
 src/tools/msvc/config_default.pl              |    1 +
 106 files changed, 3481 insertions(+), 266 deletions(-)
 create mode 100644 src/backend/libpq/be-secure-nss.c
 create mode 100644 src/include/common/pg_nss.h
 create mode 100644 src/interfaces/libpq/fe-secure-nss.c
 create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/client-encrypted-pem.pfx
 create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/client-revoked.pfx
 create mode 100644 src/test/ssl/ssl/nss/client.crl
 create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db.pass
 create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/client.pfx
 create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/root+client.crl
 create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/root.crl
 create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx
 create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/server-cn-only.pfx
 create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/server-multiple-alt-names.pfx
 create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/server-no-names.pfx
 create mode 100644 src/test/ssl/ssl/nss/server-password.pfx
 create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/server-revoked.pfx
 create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/pkcs11.txt
 create mode 100644 src/test/ssl/ssl/nss/server-single-alt-name.pfx
 create mode 100644 src/test/ssl/ssl/nss/server.crl
 create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db
 create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/key4.db
 create mode 100644 src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt
 create mode 100644 src/test/ssl/t/SSL/Backend/NSS.pm
 create mode 100644 src/test/ssl/t/SSL/Backend/OpenSSL.pm
 rename src/test/ssl/t/{SSLServer.pm => SSL/Server.pm} (78%)

diff --git a/configure b/configure
index cb8fbe1051..8b7d98c2ab 100755
--- a/configure
+++ b/configure
@@ -711,6 +711,7 @@ with_uuid
 with_readline
 with_systemd
 with_selinux
+with_nss
 with_openssl
 with_ldap
 with_krb_srvnam
@@ -856,6 +857,7 @@ with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
+with_nss
 with_selinux
 with_systemd
 with_readline
@@ -1558,6 +1560,7 @@ Optional Packages:
   --with-ldap             build with LDAP support
   --with-bonjour          build with Bonjour support
   --with-openssl          build with OpenSSL support
+  --with-nss              build with NSS support
   --with-selinux          build with SELinux support
   --with-systemd          build with systemd support
   --without-readline      do not use GNU Readline nor BSD Libedit for editing
@@ -8100,6 +8103,41 @@ fi
 $as_echo "$with_openssl" >&6; }
 
 
+#
+# LibNSS
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with NSS support" >&5
+$as_echo_n "checking whether to build with NSS support... " >&6; }
+
+
+
+# Check whether --with-nss was given.
+if test "${with_nss+set}" = set; then :
+  withval=$with_nss;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_NSS 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-nss option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_nss=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_nss" >&5
+$as_echo "$with_nss" >&6; }
+
+
 #
 # SELinux
 #
@@ -12174,6 +12212,9 @@ fi
 fi
 
 if test "$with_openssl" = yes ; then
+  if test x"$with_nss" = x"yes" ; then
+    as_fn_error $? "multiple SSL backends cannot be enabled simultaneously\"" "$LINENO" 5
+  fi
     # Minimum required OpenSSL version is 1.0.1
 
 $as_echo "#define OPENSSL_API_COMPAT 0x10001000L" >>confdefs.h
@@ -12436,6 +12477,157 @@ done
 
 fi
 
+if test "$with_nss" = yes ; then
+  if test x"$with_openssl" = x"yes" ; then
+    as_fn_error $? "multiple SSL backends cannot be enabled simultaneously\"" "$LINENO" 5
+  fi
+  CLEANLDFLAGS="$LDFLAGS"
+  # TODO: document this set of LDFLAGS
+  LDFLAGS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LDFLAGS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5
+$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; }
+if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnss3  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char SSL_VersionRangeSet ();
+int
+main ()
+{
+return SSL_VersionRangeSet ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_nss3_SSL_VersionRangeSet=yes
+else
+  ac_cv_lib_nss3_SSL_VersionRangeSet=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5
+$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; }
+if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNSS3 1
+_ACEOF
+
+  LIBS="-lnss3 $LIBS"
+
+else
+  as_fn_error $? "library 'nss3' is required for NSS" "$LINENO" 5
+fi
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PR_GetDefaultIOMethods in -lnspr4" >&5
+$as_echo_n "checking for PR_GetDefaultIOMethods in -lnspr4... " >&6; }
+if ${ac_cv_lib_nspr4_PR_GetDefaultIOMethods+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnspr4  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char PR_GetDefaultIOMethods ();
+int
+main ()
+{
+return PR_GetDefaultIOMethods ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_nspr4_PR_GetDefaultIOMethods=yes
+else
+  ac_cv_lib_nspr4_PR_GetDefaultIOMethods=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nspr4_PR_GetDefaultIOMethods" >&5
+$as_echo "$ac_cv_lib_nspr4_PR_GetDefaultIOMethods" >&6; }
+if test "x$ac_cv_lib_nspr4_PR_GetDefaultIOMethods" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNSPR4 1
+_ACEOF
+
+  LIBS="-lnspr4 $LIBS"
+
+else
+  as_fn_error $? "library 'nspr4' is required for NSS" "$LINENO" 5
+fi
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_GetImplementedCiphers in -lssl3" >&5
+$as_echo_n "checking for SSL_GetImplementedCiphers in -lssl3... " >&6; }
+if ${ac_cv_lib_ssl3_SSL_GetImplementedCiphers+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lssl3  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char SSL_GetImplementedCiphers ();
+int
+main ()
+{
+return SSL_GetImplementedCiphers ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_ssl3_SSL_GetImplementedCiphers=yes
+else
+  ac_cv_lib_ssl3_SSL_GetImplementedCiphers=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl3_SSL_GetImplementedCiphers" >&5
+$as_echo "$ac_cv_lib_ssl3_SSL_GetImplementedCiphers" >&6; }
+if test "x$ac_cv_lib_ssl3_SSL_GetImplementedCiphers" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSSL3 1
+_ACEOF
+
+  LIBS="-lssl3 $LIBS"
+
+else
+  as_fn_error $? "library 'ssl3' is required for NSS" "$LINENO" 5
+fi
+
+  LDFLAGS="$CLEANLDFLAGS"
+fi
+
 if test "$with_pam" = yes ; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
 $as_echo_n "checking for pam_start in -lpam... " >&6; }
@@ -13338,6 +13530,25 @@ else
 fi
 
 
+fi
+
+if test "$with_nss" = yes ; then
+  ac_fn_c_check_header_mongrel "$LINENO" "ssl.h" "ac_cv_header_ssl_h" "$ac_includes_default"
+if test "x$ac_cv_header_ssl_h" = xyes; then :
+
+else
+  as_fn_error $? "header file <ssl.h> is required for NSS" "$LINENO" 5
+fi
+
+
+  ac_fn_c_check_header_mongrel "$LINENO" "nss.h" "ac_cv_header_nss_h" "$ac_includes_default"
+if test "x$ac_cv_header_nss_h" = xyes; then :
+
+else
+  as_fn_error $? "header file <nss.h> is required for NSS" "$LINENO" 5
+fi
+
+
 fi
 
 if test "$with_pam" = yes ; then
diff --git a/configure.ac b/configure.ac
index eb2c731b58..23c07cabce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -856,6 +856,15 @@ PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support],
 AC_MSG_RESULT([$with_openssl])
 AC_SUBST(with_openssl)
 
+#
+# LibNSS
+#
+AC_MSG_CHECKING([whether to build with NSS support])
+PGAC_ARG_BOOL(with, nss, no, [build with NSS support],
+              [AC_DEFINE([USE_NSS], 1, [Define to build with NSS support. (--with-nss)])])
+AC_MSG_RESULT([$with_nss])
+AC_SUBST(with_nss)
+
 #
 # SELinux
 #
@@ -1205,6 +1214,9 @@ if test "$with_gssapi" = yes ; then
 fi
 
 if test "$with_openssl" = yes ; then
+  if test x"$with_nss" = x"yes" ; then
+    AC_MSG_ERROR([multiple SSL backends cannot be enabled simultaneously"])
+  fi
   dnl Order matters!
   # Minimum required OpenSSL version is 1.0.1
   AC_DEFINE(OPENSSL_API_COMPAT, [0x10001000L],
@@ -1230,6 +1242,19 @@ if test "$with_openssl" = yes ; then
   AC_CHECK_FUNCS([CRYPTO_lock])
 fi
 
+if test "$with_nss" = yes ; then
+  if test x"$with_openssl" = x"yes" ; then
+    AC_MSG_ERROR([multiple SSL backends cannot be enabled simultaneously"])
+  fi
+  CLEANLDFLAGS="$LDFLAGS"
+  # TODO: document this set of LDFLAGS
+  LDFLAGS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LDFLAGS"
+  AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [], [AC_MSG_ERROR([library 'nss3' is required for NSS])])
+  AC_CHECK_LIB(nspr4, PR_GetDefaultIOMethods, [], [AC_MSG_ERROR([library 'nspr4' is required for NSS])])
+  AC_CHECK_LIB(ssl3, SSL_GetImplementedCiphers, [], [AC_MSG_ERROR([library 'ssl3' is required for NSS])])
+  LDFLAGS="$CLEANLDFLAGS"
+fi
+
 if test "$with_pam" = yes ; then
   AC_CHECK_LIB(pam,    pam_start, [], [AC_MSG_ERROR([library 'pam' is required for PAM])])
 fi
@@ -1405,6 +1430,11 @@ if test "$with_openssl" = yes ; then
   AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file <openssl/err.h> is required for OpenSSL])])
 fi
 
+if test "$with_nss" = yes ; then
+  AC_CHECK_HEADER(ssl.h, [], [AC_MSG_ERROR([header file <ssl.h> is required for NSS])])
+  AC_CHECK_HEADER(nss.h, [], [AC_MSG_ERROR([header file <nss.h> is required for NSS])])
+fi
+
 if test "$with_pam" = yes ; then
   AC_CHECK_HEADERS(security/pam_appl.h, [],
                    [AC_CHECK_HEADERS(pam/pam_appl.h, [],
diff --git a/contrib/Makefile b/contrib/Makefile
index 1846d415b6..cef7bf7f61 100644
--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -50,7 +50,7 @@ SUBDIRS = \
 		unaccent	\
 		vacuumlo
 
-ifeq ($(with_openssl),yes)
+ifeq ($(with_ssl),yes)
 SUBDIRS += sslinfo
 else
 ALWAYS_SUBDIRS += sslinfo
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 90db550b92..961cb56358 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -8898,7 +8898,7 @@ DO $d$
     END;
 $d$;
 ERROR:  invalid option "password"
-HINT:  Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size
+HINT:  Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, cert_database, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size
 CONTEXT:  SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')"
 PL/pgSQL function inline_code_block line 3 at EXECUTE
 -- If we add a password for our user mapping instead, we should get a different
diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 5ba3988e27..84bb2c65b8 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -9,9 +9,11 @@
 
 #include "postgres.h"
 
+#ifdef USE_OPENSSL
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/asn1.h>
+#endif
 
 #include "access/htup_details.h"
 #include "funcapi.h"
@@ -21,8 +23,8 @@
 
 PG_MODULE_MAGIC;
 
+#ifdef USE_OPENSSL
 static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
-static Datum X509_NAME_to_text(X509_NAME *name);
 static Datum ASN1_STRING_to_text(ASN1_STRING *str);
 
 /*
@@ -32,6 +34,7 @@ typedef struct
 {
 	TupleDesc	tupdesc;
 } SSLExtensionInfoContext;
+#endif
 
 /*
  * Indicates whether current session uses SSL
@@ -54,9 +57,16 @@ PG_FUNCTION_INFO_V1(ssl_version);
 Datum
 ssl_version(PG_FUNCTION_ARGS)
 {
-	if (MyProcPort->ssl == NULL)
+	const char *version;
+
+	if (!MyProcPort->ssl_in_use)
+		PG_RETURN_NULL();
+
+	version = be_tls_get_version(MyProcPort);
+	if (version == NULL)
 		PG_RETURN_NULL();
-	PG_RETURN_TEXT_P(cstring_to_text(SSL_get_version(MyProcPort->ssl)));
+
+	PG_RETURN_TEXT_P(cstring_to_text(version));
 }
 
 
@@ -67,9 +77,16 @@ PG_FUNCTION_INFO_V1(ssl_cipher);
 Datum
 ssl_cipher(PG_FUNCTION_ARGS)
 {
-	if (MyProcPort->ssl == NULL)
+	const char *cipher;
+
+	if (!MyProcPort->ssl_in_use)
 		PG_RETURN_NULL();
-	PG_RETURN_TEXT_P(cstring_to_text(SSL_get_cipher(MyProcPort->ssl)));
+
+	cipher = be_tls_get_cipher(MyProcPort);
+	if (cipher == NULL)
+		PG_RETURN_NULL();
+
+	PG_RETURN_TEXT_P(cstring_to_text(cipher));
 }
 
 
@@ -83,7 +100,7 @@ PG_FUNCTION_INFO_V1(ssl_client_cert_present);
 Datum
 ssl_client_cert_present(PG_FUNCTION_ARGS)
 {
-	PG_RETURN_BOOL(MyProcPort->peer != NULL);
+	PG_RETURN_BOOL(MyProcPort->peer_cert_valid);
 }
 
 
@@ -99,29 +116,26 @@ PG_FUNCTION_INFO_V1(ssl_client_serial);
 Datum
 ssl_client_serial(PG_FUNCTION_ARGS)
 {
+	char decimal[NAMEDATALEN];
 	Datum		result;
-	Port	   *port = MyProcPort;
-	X509	   *peer = port->peer;
-	ASN1_INTEGER *serial = NULL;
-	BIGNUM	   *b;
-	char	   *decimal;
 
-	if (!peer)
+	if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
+		PG_RETURN_NULL();
+
+	be_tls_get_peer_serial(MyProcPort, decimal, NAMEDATALEN);
+
+	if (!*decimal)
 		PG_RETURN_NULL();
-	serial = X509_get_serialNumber(peer);
-	b = ASN1_INTEGER_to_BN(serial, NULL);
-	decimal = BN_bn2dec(b);
 
-	BN_free(b);
 	result = DirectFunctionCall3(numeric_in,
 								 CStringGetDatum(decimal),
 								 ObjectIdGetDatum(0),
 								 Int32GetDatum(-1));
-	OPENSSL_free(decimal);
 	return result;
 }
 
 
+#ifdef USE_OPENSSL
 /*
  * Converts OpenSSL ASN1_STRING structure into text
  *
@@ -228,7 +242,7 @@ ssl_client_dn_field(PG_FUNCTION_ARGS)
 	text	   *fieldname = PG_GETARG_TEXT_PP(0);
 	Datum		result;
 
-	if (!(MyProcPort->peer))
+	if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
 		PG_RETURN_NULL();
 
 	result = X509_NAME_field_to_text(X509_get_subject_name(MyProcPort->peer), fieldname);
@@ -273,76 +287,23 @@ ssl_issuer_field(PG_FUNCTION_ARGS)
 	else
 		return result;
 }
+#endif							/* USE_OPENSSL */
 
-
-/*
- * Equivalent of X509_NAME_oneline that respects encoding
- *
- * This function converts X509_NAME structure to the text variable
- * converting all textual data into current database encoding.
- *
- * Parameter: X509_NAME *name X509_NAME structure to be converted
- *
- * Returns: text datum which contains string representation of
- * X509_NAME
- */
-static Datum
-X509_NAME_to_text(X509_NAME *name)
+#ifdef USE_NSS
+PG_FUNCTION_INFO_V1(ssl_client_dn_field);
+Datum
+ssl_client_dn_field(PG_FUNCTION_ARGS)
 {
-	BIO		   *membuf = BIO_new(BIO_s_mem());
-	int			i,
-				nid,
-				count = X509_NAME_entry_count(name);
-	X509_NAME_ENTRY *e;
-	ASN1_STRING *v;
-	const char *field_name;
-	size_t		size;
-	char		nullterm;
-	char	   *sp;
-	char	   *dp;
-	text	   *result;
-
-	if (membuf == NULL)
-		ereport(ERROR,
-				(errcode(ERRCODE_OUT_OF_MEMORY),
-				 errmsg("could not create OpenSSL BIO structure")));
-
-	(void) BIO_set_close(membuf, BIO_CLOSE);
-	for (i = 0; i < count; i++)
-	{
-		e = X509_NAME_get_entry(name, i);
-		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
-		if (nid == NID_undef)
-			ereport(ERROR,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("could not get NID for ASN1_OBJECT object")));
-		v = X509_NAME_ENTRY_get_data(e);
-		field_name = OBJ_nid2sn(nid);
-		if (field_name == NULL)
-			field_name = OBJ_nid2ln(nid);
-		if (field_name == NULL)
-			ereport(ERROR,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
-		BIO_printf(membuf, "/%s=", field_name);
-		ASN1_STRING_print_ex(membuf, v,
-							 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
-							  | ASN1_STRFLGS_UTF8_CONVERT));
-	}
-
-	/* ensure null termination of the BIO's content */
-	nullterm = '\0';
-	BIO_write(membuf, &nullterm, 1);
-	size = BIO_get_mem_data(membuf, &sp);
-	dp = pg_any_to_server(sp, size - 1, PG_UTF8);
-	result = cstring_to_text(dp);
-	if (dp != sp)
-		pfree(dp);
-	if (BIO_free(membuf) != 1)
-		elog(ERROR, "could not free OpenSSL BIO structure");
+	PG_RETURN_NULL();
+}
 
-	PG_RETURN_TEXT_P(result);
+PG_FUNCTION_INFO_V1(ssl_issuer_field);
+Datum
+ssl_issuer_field(PG_FUNCTION_ARGS)
+{
+	PG_RETURN_NULL();
 }
+#endif							/* USE_NSS */
 
 
 /*
@@ -358,9 +319,17 @@ PG_FUNCTION_INFO_V1(ssl_client_dn);
 Datum
 ssl_client_dn(PG_FUNCTION_ARGS)
 {
-	if (!(MyProcPort->peer))
+	char		subject[NAMEDATALEN];
+
+	if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
+		PG_RETURN_NULL();
+
+	be_tls_get_peer_subject_name(MyProcPort, subject, NAMEDATALEN);
+
+	if (!*subject)
 		PG_RETURN_NULL();
-	return X509_NAME_to_text(X509_get_subject_name(MyProcPort->peer));
+
+	PG_RETURN_TEXT_P(cstring_to_text(subject));
 }
 
 
@@ -377,12 +346,21 @@ PG_FUNCTION_INFO_V1(ssl_issuer_dn);
 Datum
 ssl_issuer_dn(PG_FUNCTION_ARGS)
 {
-	if (!(MyProcPort->peer))
+	char		issuer[NAMEDATALEN];
+
+	if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
+		PG_RETURN_NULL();
+
+	be_tls_get_peer_issuer_name(MyProcPort, issuer, NAMEDATALEN);
+
+	if (!*issuer)
 		PG_RETURN_NULL();
-	return X509_NAME_to_text(X509_get_issuer_name(MyProcPort->peer));
+
+	PG_RETURN_TEXT_P(cstring_to_text(issuer));
 }
 
 
+#ifdef USE_OPENSSL
 /*
  * Returns information about available SSL extensions.
  *
@@ -516,3 +494,13 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 	/* All done */
 	SRF_RETURN_DONE(funcctx);
 }
+#endif							/* USE_OPENSSL */
+
+#ifdef USE_NSS
+PG_FUNCTION_INFO_V1(ssl_extension_info);
+Datum
+ssl_extension_info(PG_FUNCTION_ARGS)
+{
+	PG_RETURN_NULL();
+}
+#endif							/* USE_NSS */
diff --git a/doc/src/sgml/acronyms.sgml b/doc/src/sgml/acronyms.sgml
index 4e5ec983c0..4f6f0cf353 100644
--- a/doc/src/sgml/acronyms.sgml
+++ b/doc/src/sgml/acronyms.sgml
@@ -441,6 +441,28 @@
     </listitem>
    </varlistentry>
 
+   <varlistentry>
+    <term><acronym>NSPR</acronym></term>
+    <listitem>
+     <para>
+      <ulink
+      url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR">
+      Netscape Portable Runtime</ulink>
+     </para>
+    </listitem>
+   </varlistentry>
+
+   <varlistentry>
+    <term><acronym>NSS</acronym></term>
+    <listitem>
+     <para>
+      <ulink
+      url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS">
+      Network Security Services</ulink>
+     </para>
+    </listitem>
+   </varlistentry>
+
    <varlistentry>
     <term><acronym>ODBC</acronym></term>
     <listitem>
@@ -539,6 +561,17 @@
     </listitem>
    </varlistentry>
 
+   <varlistentry>
+    <term><acronym>PKCS#12</acronym></term>
+    <listitem>
+     <para>
+      <ulink
+      url="https://en.wikipedia.org/wiki/PKCS_12">
+      Public-Key Cryptography Standards #12</ulink>
+     </para>
+    </listitem>
+   </varlistentry>
+
    <varlistentry>
     <term><acronym>PL</acronym></term>
     <listitem>
@@ -684,6 +717,16 @@
     </listitem>
    </varlistentry>
 
+   <varlistentry>
+    <term><acronym>TLS</acronym></term>
+    <listitem>
+     <para>
+      <ulink url="https://sv.wikipedia.org/wiki/Transport_Layer_Security">
+      Transport Layer Security</ulink>
+     </para>
+    </listitem>
+   </varlistentry>
+
    <varlistentry>
     <term><acronym>TOAST</acronym></term>
     <listitem>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 032232e5d7..4aad7a5123 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1208,6 +1208,23 @@ include_dir 'conf.d'
       </listitem>
      </varlistentry>
 
+     <varlistentry id="guc-ssl-database" xreflabel="ssl_database">
+      <term><varname>ssl_database</varname> (<type>string</type>)
+      <indexterm>
+       <primary><varname>ssl_database</varname> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Specifies the name of the file containing the server certificates and
+        keys when using <productname>NSS</productname> for <acronym>SSL</acronym>
+        connections. This parameter can only be set in the
+        <filename>postgresql.conf</filename> file or on the server command
+        line.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">
       <term><varname>ssl_ciphers</varname> (<type>string</type>)
       <indexterm>
@@ -1224,7 +1241,9 @@ include_dir 'conf.d'
         connections using TLS version 1.2 and lower are affected.  There is
         currently no setting that controls the cipher choices used by TLS
         version 1.3 connections.  The default value is
-        <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>.  The default is usually a
+        <literal>HIGH:MEDIUM:+3DES:!aNULL</literal> for servers which have
+        been built with <productname>OpenSSL</productname> as the
+        <acronym>SSL</acronym> library.  The default is usually a
         reasonable choice unless you have specific security requirements.
        </para>
 
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index 552303e211..2343b5805e 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -250,7 +250,7 @@ su - postgres
 
     <listitem>
      <para>
-      You need <productname>OpenSSL</productname>, if you want to support
+      You need a supported <acronym>SSL</acronym> library, if you want to support
       encrypted client connections.  <productname>OpenSSL</productname> is
       also required for random number generation on platforms that do not
       have <filename>/dev/urandom</filename> (except Windows).  The minimum
@@ -969,6 +969,31 @@ build-postgresql:
        </listitem>
       </varlistentry>
 
+      <varlistentry>
+       <term><option>--with-nss</option>
+       <indexterm>
+        <primary>NSS</primary>
+        <secondary>NSPR</secondary>
+        <seealso>SSL</seealso>
+       </indexterm>
+       </term>
+       <listitem>
+        <para>
+         Build with support for <acronym>SSL</acronym> (encrypted)
+         connections using <productname>NSS</productname>. This requires the
+         <productname>NSS</productname> package to be installed. Additionally,
+         <productname>NSS</productname> requires <productname>NSPR</productname>
+         to be installed. <filename>configure</filename> will check for the
+         required header files and libraries to make sure that your
+         <productname>NSS</productname> installation is sufficient before
+         proceeding.
+        </para>
+        <para>
+         This option is incompatible with <literal>--with-openssl</literal>.
+        </para>
+       </listitem>
+      </varlistentry>
+
       <varlistentry>
        <term><option>--with-openssl</option>
        <indexterm>
@@ -985,6 +1010,9 @@ build-postgresql:
          your <productname>OpenSSL</productname> installation is sufficient
          before proceeding.
         </para>
+        <para>
+         This option is incompatible with <literal>--with-nss</literal>.
+        </para>
        </listitem>
       </varlistentry>
 
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index b932fdbaae..ce7cf7cda3 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2471,6 +2471,8 @@ void *PQsslStruct(const PGconn *conn, const char *struct_name);
       </para>
       <para>
        The struct(s) available depend on the SSL implementation in use.
+      </para>
+      <para>
        For <productname>OpenSSL</productname>, there is one struct, available under the name "OpenSSL",
        and it returns a pointer to the <productname>OpenSSL</productname> <literal>SSL</literal> struct.
        To use this function, code along the following lines could be used:
@@ -2493,9 +2495,14 @@ void *PQsslStruct(const PGconn *conn, const char *struct_name);
 ]]></programlisting>
       </para>
       <para>
-       This structure can be used to verify encryption levels, check server
-       certificates, and more. Refer to the <productname>OpenSSL</productname>
-       documentation for information about this structure.
+       For <productname>NSS</productname>, there is one struct available under
+       the name "NSS", and it returns a pointer to the
+       <productname>NSS</productname> <literal>PRFileDesc</literal>.
+      </para>
+      <para>
+       These structures can be used to verify encryption levels, check server
+       certificates, and more. Refer to the <acronym>SSL</acronym> library
+       documentation for information about these structures.
       </para>
      </listitem>
     </varlistentry>
@@ -2521,6 +2528,10 @@ void *PQgetssl(const PGconn *conn);
        <xref linkend="libpq-PQsslInUse"/> instead, and for more details about the
        connection, use <xref linkend="libpq-PQsslAttribute"/>.
       </para>
+      <para>
+       This function returns <literal>NULL</literal> when <acronym>SSL</acronym>
+       librariaes other than <productname>OpenSSL</productname> are used.
+      </para>
      </listitem>
     </varlistentry>
 
@@ -7951,6 +7962,11 @@ void PQinitOpenSSL(int do_ssl, int do_crypto);
        before first opening a database connection.  Also be sure that you
        have done that initialization before opening a database connection.
       </para>
+
+      <para>
+       This function does nothing when using <productname>NSS</productname> as
+       the <acronym>SSL</acronym> library.
+      </para>
      </listitem>
     </varlistentry>
 
@@ -7977,6 +7993,11 @@ void PQinitSSL(int do_ssl);
        might be preferable for applications that need to work with older
        versions of <application>libpq</application>.
       </para>
+
+      <para>
+       This function does nothing when using <productname>NSS</productname> as
+       the <acronym>SSL</acronym> library.
+      </para>
      </listitem>
     </varlistentry>
    </variablelist>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 6cda39f3ab..7d6188a794 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2120,15 +2120,21 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
 
   <indexterm zone="ssl-tcp">
    <primary>SSL</primary>
+   <secondary>TLS</secondary>
   </indexterm>
 
   <para>
    <productname>PostgreSQL</productname> has native support for using
    <acronym>SSL</acronym> connections to encrypt client/server communications
    for increased security. This requires that
-   <productname>OpenSSL</productname> is installed on both client and
+   a supported TLS library is installed on both client and
    server systems and that support in <productname>PostgreSQL</productname> is
    enabled at build time (see <xref linkend="installation"/>).
+   Supported libraries are <productname>OpenSSL</productname> and
+   <productname>NSS</productname>. The terms <acronym>SSL</acronym> and
+   <acronym>TLS</acronym> are often used interchangeably to mean a secure
+   connection using a <acronym>TLS</acronym> protocol, even though
+   <acronym>SSL</acronym> protocols are no longer supported.
   </para>
 
   <sect2 id="ssl-setup">
@@ -2148,8 +2154,13 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
   </para>
 
   <para>
-   To start in <acronym>SSL</acronym> mode, files containing the server certificate
-   and private key must exist.  By default, these files are expected to be
+   To start in <acronym>SSL</acronym> mode, a server certificate
+   and private key must exist. The below sections on the different libraries
+   will discuss how to configure these.
+  </para>
+   
+  <para>
+   By default, these files are expected to be
    named <filename>server.crt</filename> and <filename>server.key</filename>, respectively, in
    the server's data directory, but other names and locations can be specified
    using the configuration parameters <xref linkend="guc-ssl-cert-file"/>
@@ -2239,6 +2250,18 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
   </note>
   </sect2>
 
+  <sect2 id="ssl-nss-config">
+   <title>NSS Configuration</title>
+
+  <para>
+   <productname>PostgreSQL</productname> will look for certificates and keys
+   in the <productname>NSS</productname> database specified by the parameter
+   <xref linkend="guc-ssl-database"/> in <filename>postgresql.conf</filename>.
+   The paramaters for certificate and key filenames are used to identify the
+   nicknames in the database.
+  </para>
+  </sect2>
+
   <sect2 id="ssl-client-certificates">
    <title>Using Client Certificates</title>
 
@@ -2314,7 +2337,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
   </sect2>
 
   <sect2 id="ssl-server-files">
-   <title>SSL Server File Usage</title>
+   <title>SSL Server File Parameter Usage</title>
 
    <para>
     <xref linkend="ssl-file-usage"/> summarizes the files that are
@@ -2361,6 +2384,14 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
       <entry>client certificate must not be on this list</entry>
      </row>
 
+     <row>
+      <entry><xref linkend="guc-ssl-database"/></entry>
+      <entry>certificate database</entry>
+      <entry>contains server certificates, keys and revocation lists; only
+      used when <productname>PostgreSQL</productname> is built with support
+      for <productname>NSS</productname>.</entry>
+     </row>
+
     </tbody>
    </tgroup>
   </table>
@@ -2488,6 +2519,45 @@ openssl x509 -req -in server.csr -text -days 365 \
    </para>
   </sect2>
 
+  <sect2 id="nss-certificate-database">
+   <title>NSS Certificate Databases</title>
+
+   <para>
+    When using <productname>NSS</productname>, all certificates and keys must
+    be loaded into an <productname>NSS</productname> certificate database.
+   </para>
+
+   <para>
+    To create a new <productname>NSS</productname> certificate database and
+    load the certificates created in <xref linkend="ssl-certificate-creation" />,
+    use the following <productname>NSS</productname> commands:
+<programlisting>
+certutil -d "sql:server.db" -N --empty-password
+certutil -d "sql:server.db" -A -n server.crt -i server.crt -t "CT,C,C"
+certutil -d "sql:server.db" -A -n root.crt -i root.crt -t "CT,C,C"
+</programlisting>
+    This will give the certificate the filename as the nickname identifier in
+    the database which is created as <filename>server.db</filename>.
+   </para>
+   <para>
+    Then load the server key, which require converting it to
+    <acronym>PKCS#12</acronym> format using the
+    <productname>OpenSSL</productname> tools:
+<programlisting>
+openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt \
+  -certfile root.crt -passout pass:
+pk12util -i server.pfx -d server.db -W ''
+</programlisting>
+   </para>
+   <para>
+    Finally a certificate revocation list can be loaded with the following
+    commands:
+<programlisting>
+crlutil -I -i server.crl -d server.db -B
+</programlisting>
+   </para>
+  </sect2>
+
  </sect1>
 
  <sect1 id="gssapi-enc">
diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml
index 195949f55a..2fe6c70238 100644
--- a/doc/src/sgml/sslinfo.sgml
+++ b/doc/src/sgml/sslinfo.sgml
@@ -22,7 +22,8 @@
 
  <para>
   This extension won't build at all unless the installation was
-  configured with <literal>--with-openssl</literal>.
+  configured with SSL support, such as <literal>--with-openssl</literal>
+  or <literal>--with-nss</literal>.
  </para>
 
  <sect2>
@@ -54,7 +55,7 @@
     <listitem>
     <para>
      Returns the name of the protocol used for the SSL connection (e.g., TLSv1.0
-     TLSv1.1, or TLSv1.2).
+     TLSv1.1, TLSv1.2 or TLSv1.3).
     </para>
     </listitem>
    </varlistentry>
@@ -208,6 +209,9 @@ emailAddress
      the X.500 and X.509 standards, so you cannot just assign arbitrary
      meaning to them.
     </para>
+    <para>
+     This function is only available when using <productname>OpenSSL</productname>.
+    </para>
     </listitem>
    </varlistentry>
 
@@ -223,6 +227,9 @@ emailAddress
      Same as <function>ssl_client_dn_field</function>, but for the certificate issuer
      rather than the certificate subject.
     </para>
+    <para>
+     This function is only available when using <productname>OpenSSL</productname>.
+    </para>
     </listitem>
    </varlistentry>
 
@@ -238,6 +245,9 @@ emailAddress
      Provide information about extensions of client certificate: extension name,
      extension value, and if it is a critical extension.
     </para>
+    <para>
+     This function is only available when using <productname>OpenSSL</productname>.
+    </para>
     </listitem>
    </varlistentry>
   </variablelist>
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index 9a6265b3a0..2f25c51c6c 100644
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -184,6 +184,7 @@ with_perl	= @with_perl@
 with_python	= @with_python@
 with_tcl	= @with_tcl@
 with_openssl	= @with_openssl@
+with_nss        = @with_nss@
 with_readline	= @with_readline@
 with_selinux	= @with_selinux@
 with_systemd	= @with_systemd@
@@ -232,6 +233,15 @@ CLANG = @CLANG@
 BITCODE_CFLAGS = @BITCODE_CFLAGS@
 BITCODE_CXXFLAGS = @BITCODE_CXXFLAGS@
 
+ifeq ($(with_openssl),yes)
+with_ssl = yes
+else ifeq ($(with_nss),yes)
+with_ssl = yes
+else
+with_ssl = no
+endif
+
+
 ##########################################################################
 #
 # Programs and flags
diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile
index efc5ef760a..191266a426 100644
--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -30,6 +30,10 @@ OBJS = \
 
 ifeq ($(with_openssl),yes)
 OBJS += be-secure-openssl.o
+else
+ifeq ($(with_nss),yes)
+OBJS += be-secure-nss.o
+endif
 endif
 
 ifeq ($(with_gssapi),yes)
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 02b6c3f127..8f4197d002 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2870,7 +2870,14 @@ CheckCertAuth(Port *port)
 {
 	int			status_check_usermap = STATUS_ERROR;
 
+#if defined(USE_OPENSSL)
 	Assert(port->ssl);
+#elif defined(USE_NSS)
+	/* TODO: should we rename pr_fd to ssl, to keep consistency? */
+	Assert(port->pr_fd);
+#else
+	Assert(false);
+#endif
 
 	/* Make sure we have received a username in the certificate */
 	if (port->peer_cn == NULL ||
diff --git a/src/backend/libpq/be-secure-nss.c b/src/backend/libpq/be-secure-nss.c
new file mode 100644
index 0000000000..fe6540852b
--- /dev/null
+++ b/src/backend/libpq/be-secure-nss.c
@@ -0,0 +1,1038 @@
+/*-------------------------------------------------------------------------
+ *
+ * be-secure-nss.c
+ *	  functions for supporting NSS as a TLS backend
+ *
+ *
+ * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *	  src/backend/libpq/be-secure-nss.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres.h"
+
+#include <sys/stat.h>
+
+/*
+ * BITS_PER_BYTE is also defined in the NSPR header fils, so we need to undef
+ * our version to avoid compiler warnings on redefinition.
+ */
+#define pg_BITS_PER_BYTE BITS_PER_BYTE
+#undef BITS_PER_BYTE
+
+/*
+ * The nspr/obsolete/protypes.h NSPR header typedefs uint64 and int64 with
+ * colliding definitions from ours, causing a much expected compiler error.
+ * The definitions are however not actually used in NSPR at all, and are only
+ * intended for what seems to be backwards compatibility for apps written
+ * against old versions of NSPR.  The following comment is in the referenced
+ * file, and was added in 1998:
+ *
+ *		This section typedefs the old 'native' types to the new PR<type>s.
+ *		These definitions are scheduled to be eliminated at the earliest
+ *		possible time. The NSPR API is implemented and documented using
+ *		the new definitions.
+ *
+ * As there is no opt-out from pulling in these typedefs, we define the guard
+ * for the file to exclude it. This is incredibly ugly, but seems to be about
+ * the only way around it.
+ */
+#define PROTYPES_H
+#include <nspr.h>
+#undef PROTYPES_H
+#include <nss.h>
+#include <prio.h>
+#include <ssl.h>
+#include <sslerr.h>
+#include <secerr.h>
+#include <sslproto.h>
+#include <prtypes.h>
+#include <pk11pub.h>
+#include <secitem.h>
+#include <secport.h>
+#include <secder.h>
+#include <certdb.h>
+#include <base64.h>
+#include <cert.h>
+#include <prerror.h>
+#include <keyhi.h>
+
+typedef struct
+{
+	enum
+	{
+		PW_NONE = 0,
+		PW_FROMFILE = 1,
+		PW_PLAINTEXT = 2,
+		PW_EXTERNAL = 3
+	} source;
+	char	   *data;
+}			secuPWData;
+
+/*
+ * Ensure that the colliding definitions match, else throw an error. In case
+ * NSPR has removed the definition for some reasone, make sure to put ours
+ * back again.
+ */
+#if defined(BITS_PER_BYTE)
+#if BITS_PER_BYTE != pg_BITS_PER_BYTE
+#error "incompatible byte widths between NSPR and postgres"
+#endif
+#else
+#define BITS_PER_BYTE pg_BITS_PER_BYTE
+#endif
+#undef pg_BITS_PER_BYTE
+
+#include "common/pg_nss.h"
+#include "lib/stringinfo.h"
+#include "libpq/libpq.h"
+#include "nodes/pg_list.h"
+#include "miscadmin.h"
+#include "storage/fd.h"
+#include "utils/guc.h"
+#include "utils/memutils.h"
+
+static PRDescIdentity pr_id;
+
+static PRIOMethods pr_iomethods;
+static NSSInitContext * nss_context = NULL;
+static SSLVersionRange desired_sslver;
+
+/*
+ * PR_ImportTCPSocket() is a private API, but very widely used, as it's the
+ * only way to make NSS use an already set up POSIX file descriptor rather
+ * than opening one itself. To quote the NSS documentation:
+ *
+ *		"In theory, code that uses PR_ImportTCPSocket may break when NSPR's
+ *		implementation changes. In practice, this is unlikely to happen because
+ *		NSPR's implementation has been stable for years and because of NSPR's
+ *		strong commitment to backward compatibility."
+ *
+ * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket
+ *
+ * The function is declared in <private/pprio.h>, but as it is a header marked
+ * private we declare it here rather than including it.
+ */
+NSPR_API(PRFileDesc *) PR_ImportTCPSocket(int);
+
+/* NSS IO layer callback overrides */
+static PRInt32 pg_ssl_read(PRFileDesc * fd, void *buf, PRInt32 amount,
+						   PRIntn flags, PRIntervalTime timeout);
+static PRInt32 pg_ssl_write(PRFileDesc * fd, const void *buf, PRInt32 amount,
+							PRIntn flags, PRIntervalTime timeout);
+/* Utility functions */
+static PRFileDesc * init_iolayer(Port *port, int loglevel);
+static uint16 ssl_protocol_version_to_nss(int v, const char *guc_name);
+
+static char *pg_SSLerrmessage(PRErrorCode errcode);
+static char *ssl_protocol_version_to_string(int v);
+static SECStatus pg_cert_auth_handler(void *arg, PRFileDesc * fd,
+									  PRBool checksig, PRBool isServer);
+static SECStatus pg_bad_cert_handler(void *arg, PRFileDesc * fd);
+
+/* ------------------------------------------------------------ */
+/*						 Public interface						*/
+/* ------------------------------------------------------------ */
+
+static char *
+ssl_passphrase_callback(PK11SlotInfo * slot, PRBool retry, void *arg)
+{
+	return pstrdup("");
+}
+
+/*
+ * be_tls_init
+ *			Initialize the nss TLS library in the postmaster
+ *
+ * The majority of the setup needs to happen in be_tls_open_server since the
+ * NSPR initialization must happen after the forking of the backend. We could
+ * potentially move some parts in under !isServerStart, but so far this is the
+ * separation chosen.
+ */
+int
+be_tls_init(bool isServerStart)
+{
+	SECStatus	status;
+	SSLVersionRange supported_sslver;
+
+	/*
+	 * Set up the connection cache for multi-processing application behavior.
+	 * If we are in ServerStart then we initialize the cache. If the server is
+	 * already started, we inherit the cache such that it can be used for
+	 * connections. Calling SSL_ConfigMPServerSIDCache sets an environment
+	 * variable which contains enough information for the forked child to know
+	 * how to access it.  Passing NULL to SSL_InheritMPServerSIDCache will
+	 * make the forked child look it up by the default name SSL_INHERITANCE,
+	 * if env vars aren't inherited then the contents of the variable can be
+	 * passed instead.
+	 */
+	if (isServerStart)
+	{
+		/*
+		 * SSLv2 and SSLv3 are disabled in this TLS backend, but when setting
+		 * up the required session cache for NSS we still must supply timeout
+		 * values for v2 and The minimum allowed value for both is 5 seconds,
+		 * so opt for that in both cases (the defaults being 100 seconds and
+		 * 24 hours).
+		 *
+		 * Passing NULL as the directory for the session cache will default to
+		 * using /tmp on UNIX and \\temp on Windows.  Deciding if we want to
+		 * keep closer control on this directory is left as a TODO.
+		 */
+		status = SSL_ConfigMPServerSIDCache(MaxConnections, 5, 5, NULL);
+		if (status != SECSuccess)
+			ereport(FATAL,
+					(errmsg("unable to set up TLS connection cache: %s",
+							pg_SSLerrmessage(PR_GetError()))));
+
+	}
+	else
+	{
+		status = SSL_InheritMPServerSIDCache(NULL);
+		if (status != SECSuccess)
+		{
+			ereport(LOG,
+					(errmsg("unable to connect to TLS connection cache: %s",
+							pg_SSLerrmessage(PR_GetError()))));
+			return -1;
+		}
+	}
+
+	if (!ssl_database || strlen(ssl_database) == 0)
+	{
+		ereport(isServerStart ? FATAL : LOG,
+				(errmsg("no certificate database specified")));
+		goto error;
+	}
+
+	/*
+	 * We check for the desired TLS version range here, even though we cannot
+	 * set it until be_open_server such that we can be compatible with how the
+	 * OpenSSL backend reports errors for incompatible range configurations.
+	 * Set either the default supported TLS version range, or the configured
+	 * range from ssl_min_protocol_version and ssl_max_protocol version. In
+	 * case the user hasn't defined the maximum allowed version we fall back
+	 * to the highest version TLS that the library supports.
+	 */
+	if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_sslver) != SECSuccess)
+	{
+		ereport(isServerStart ? FATAL : LOG,
+				(errmsg("unable to get default protocol support from NSS")));
+		goto error;
+	}
+
+	/*
+	 * Set the fallback versions for the TLS protocol version range to a
+	 * combination of our minimal requirement and the library maximum.
+	 */
+	desired_sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
+	desired_sslver.max = supported_sslver.max;
+
+	if (ssl_min_protocol_version)
+	{
+		int			ver = ssl_protocol_version_to_nss(ssl_min_protocol_version,
+													  "ssl_min_protocol_version");
+
+		if (ver == -1)
+		{
+			ereport(isServerStart ? FATAL : LOG,
+					(errmsg("\"%s\" setting \"%s\" not supported by this build",
+							"ssl_min_protocol_version",
+							GetConfigOption("ssl_min_protocol_version",
+											false, false))));
+			goto error;
+		}
+
+		if (ver > 0)
+			desired_sslver.min = ver;
+	}
+
+	if (ssl_max_protocol_version)
+	{
+		int			ver = ssl_protocol_version_to_nss(ssl_max_protocol_version,
+													  "ssl_max_protocol_version");
+
+		if (ver == -1)
+		{
+			ereport(isServerStart ? FATAL : LOG,
+					(errmsg("\"%s\" setting \"%s\" not supported by this build",
+							"ssl_max_protocol_version",
+							GetConfigOption("ssl_max_protocol_version",
+											false, false))));
+			goto error;
+		}
+		if (ver > 0)
+			desired_sslver.max = ver;
+
+		if (ver < desired_sslver.min)
+		{
+			ereport(isServerStart ? FATAL : LOG,
+					(errmsg("could not set SSL protocol version range"),
+					 errdetail("\"%s\" cannot be higher than \"%s\"",
+							   "ssl_min_protocol_version",
+							   "ssl_max_protocol_version")));
+			goto error;
+		}
+	}
+
+	return 0;
+error:
+	return -1;
+}
+
+int
+be_tls_open_server(Port *port)
+{
+	SECStatus	status;
+	PRFileDesc *model;
+	PRFileDesc *pr_fd;
+	PRFileDesc *layer;
+	CERTCertificate *server_cert;
+	SECKEYPrivateKey *private_key;
+	CERTSignedCrl *crl;
+	SECItem		crlname;
+	secuPWData	pwdata = {PW_NONE, 0};	/* TODO: This is a bogus callback */
+	char	   *cert_database;
+	NSSInitParameters params;
+
+	/*
+	 * The NSPR documentation states that runtime initialization via PR_Init
+	 * is no longer required, as the first caller into NSPR will perform the
+	 * initialization implicitly. The documentation doesn't however clarify
+	 * from which version this is holds true, so let's perform the potentially
+	 * superfluous initialization anyways to avoid crashing on older versions
+	 * of NSPR, as there is no difference in overhead.  The NSS documentation
+	 * still states that PR_Init must be called in some way (implicitly or
+	 * explicitly).
+	 *
+	 * The below parameters are what the implicit initialization would've done
+	 * for us, and should work even for older versions where it might not be
+	 * done automatically. The last parameter, maxPTDs, is set to various
+	 * values in other codebases, but has been unused since NSPR 2.1 which was
+	 * released sometime in 1998.
+	 */
+	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0 /* maxPTDs */ );
+
+	/*
+	 * The certificate path (configdir) must contain a valid NSS database. If
+	 * the certificate path isn't a valid directory, NSS will fall back on the
+	 * system certificate database. If the certificate path is a directory but
+	 * is empty then the initialization will fail. On the client side this can
+	 * be allowed for any sslmode but the verify-xxx ones.
+	 * https://bugzilla.redhat.com/show_bug.cgi?id=728562 For the server side
+	 * we wont allow this to fail however, as we require the certificate and
+	 * key to exist.
+	 *
+	 * The original design of NSS was for a single application to use a single
+	 * copy of it, initialized with NSS_Initialize() which isn't returning any
+	 * handle with which to refer to NSS. NSS initialization and shutdown are
+	 * global for the application, so a shutdown in another NSS enabled
+	 * library would cause NSS to be stopped for libpq as well.  The fix has
+	 * been to introduce NSS_InitContext which returns a context handle to
+	 * pass to NSS_ShutdownContext.  NSS_InitContext was introduced in NSS
+	 * 3.12, but the use of it is not very well documented.
+	 * https://bugzilla.redhat.com/show_bug.cgi?id=738456
+	 *
+	 * The InitParameters struct passed can be used to override internal
+	 * values in NSS, but the usage is not documented at all. When using
+	 * NSS_Init initializations, the values are instead set via PK11_Configure
+	 * calls so the PK11_Configure documentation can be used to glean some
+	 * details on these.
+	 *
+	 * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs
+	 */
+	memset(&params, '\0', sizeof(params));
+	params.length = sizeof(params);
+
+	if (!ssl_database || strlen(ssl_database) == 0)
+		ereport(FATAL,
+				(errmsg("no certificate database specified")));
+
+	cert_database = psprintf("sql:%s", ssl_database);
+	nss_context = NSS_InitContext(cert_database, "", "", "",
+								  &params,
+								  NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
+	pfree(cert_database);
+
+	if (!nss_context)
+		ereport(FATAL,
+				(errmsg("unable to read certificate database \"%s\": %s",
+						ssl_database, pg_SSLerrmessage(PR_GetError()))));
+
+	/*
+	 * Set the passphrase callback which will be used both to obtain the
+	 * passphrase from the user, as well as by NSS to obtain the phrase
+	 * repeatedly.
+	 *
+	 * TODO: Figure this out - do note that we are setting another password
+	 * callback below for cert/key as well. Need to make sense of all these.
+	 */
+	PK11_SetPasswordFunc(ssl_passphrase_callback);
+
+	/*
+	 * Import the already opened socket as we don't want to use NSPR functions
+	 * for opening the network socket due to how the PostgreSQL protocol works
+	 * with TLS connections. This function is not part of the NSPR public API,
+	 * see the comment at the top of the file for the rationale of still using
+	 * it.
+	 */
+	pr_fd = PR_ImportTCPSocket(port->sock);
+	if (!pr_fd)
+		ereport(ERROR,
+				(errmsg("unable to connect to socket")));
+
+	/*
+	 * Most of the documentation available, and implementations of, NSS/NSPR
+	 * use the PR_NewTCPSocket() function here, which has the drawback that it
+	 * can only create IPv4 sockets. Instead use PR_OpenTCPSocket() which
+	 * copes with IPv6 as well.
+	 */
+	model = PR_OpenTCPSocket(port->laddr.addr.ss_family);
+	if (!model)
+		ereport(ERROR,
+				(errmsg("unable to open socket")));
+
+	/*
+	 * Convert the NSPR socket to an SSL socket. Ensuring the success of this
+	 * operation is critical as NSS SSL_* functions may return SECSuccess on
+	 * the socket even though SSL hasn't been enabled, which introduce a risk
+	 * of silent downgrades.
+	 */
+	model = SSL_ImportFD(NULL, model);
+	if (!model)
+		ereport(ERROR,
+				(errmsg("unable to enable TLS on socket")));
+
+	/*
+	 * Configure basic settings for the connection over the SSL socket in
+	 * order to set it up as a server.
+	 */
+	if (SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to configure TLS connection")));
+
+	if (SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_TRUE) != SECSuccess ||
+		SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_FALSE) != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to configure TLS connection as server")));
+
+	/*
+	 * SSLv2 is disabled by default, and SSLv3 will be excluded from the range
+	 * of allowed protocols further down. Since we really don't want these to
+	 * ever be enabled, let's use belts and suspenders and explicitly turn
+	 * them off as well.
+	 */
+	SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE);
+	SSL_OptionSet(model, SSL_ENABLE_SSL3, PR_FALSE);
+
+#ifdef SSL_CBC_RANDOM_IV
+
+	/*
+	 * Enable protection against the BEAST attack in case the NSS server has
+	 * support for that. While SSLv3 is disabled, we may still allow TLSv1
+	 * which is affected. The option isn't documented as an SSL option, but as
+	 * an NSS environment variable.
+	 */
+	SSL_OptionSet(model, SSL_CBC_RANDOM_IV, PR_TRUE);
+#endif
+
+	/*
+	 * Configure the allowed cipher. If there are no user preferred suites,
+	 * set the domestic policy. TODO: while this code works, the set of
+	 * ciphers which can be set and still end up with a working socket is
+	 * woefully underdocumented for anything more recent than SSLv3 (the code
+	 * for TLS actually calls ssl3 functions under the hood for
+	 * SSL_CipherPrefSet), so it's unclear if this is helpful or not. Using
+	 * the policies works, but may be too coarsely grained.
+	 *
+	 * Another TODO: The SSL_ImplementedCiphers table returned with calling
+	 * SSL_GetImplementedCiphers is sorted in server preference order. Sorting
+	 * SSLCipherSuites according to the order of the ciphers therein could be
+	 * a way to implement ssl_prefer_server_ciphers - if we at all want to use
+	 * cipher selection for NSS like how we do it for OpenSSL that is.
+	 */
+
+	/*
+	 * If no ciphers are specified, we use the domestic policy
+	 */
+	if (!SSLCipherSuites || strlen(SSLCipherSuites) == 0)
+	{
+		status = NSS_SetDomesticPolicy();
+		if (status != SECSuccess)
+			ereport(ERROR,
+					(errmsg("unable to set cipher policy: %s",
+							pg_SSLerrmessage(PR_GetError()))));
+	}
+	else
+	{
+		char	   *ciphers,
+				   *c;
+
+		char	   *sep = ":;, ";
+		PRUint16	ciphercode;
+		const		PRUint16 *nss_ciphers;
+
+		/*
+		 * If the user has specified a set of preferred cipher suites we start
+		 * by turning off all the existing suites to avoid the risk of down-
+		 * grades to a weaker cipher than expected.
+		 */
+		nss_ciphers = SSL_GetImplementedCiphers();
+		for (int i = 0; i < SSL_GetNumImplementedCiphers(); i++)
+			SSL_CipherPrefSet(model, nss_ciphers[i], PR_FALSE);
+
+		ciphers = pstrdup(SSLCipherSuites);
+
+		for (c = strtok(ciphers, sep); c; c = strtok(NULL, sep))
+		{
+			ciphercode = pg_find_cipher(c);
+			if (ciphercode != INVALID_CIPHER)
+			{
+				status = SSL_CipherPrefSet(model, ciphercode, PR_TRUE);
+				if (status != SECSuccess)
+					ereport(ERROR,
+							(errmsg("invalid cipher-suite specified: %s", c)));
+			}
+		}
+
+		pfree(ciphers);
+	}
+
+	if (SSL_VersionRangeSet(model, &desired_sslver) != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to set requested SSL protocol version range")));
+
+	/*
+	 * Set up the custom IO layer.
+	 */
+	layer = init_iolayer(port, ERROR);
+	if (!layer)
+		goto error;
+
+	/* Store the Port as private data available in callbacks */
+	layer->secret = (void *) port;
+
+	if (PR_PushIOLayer(pr_fd, PR_TOP_IO_LAYER, layer) != PR_SUCCESS)
+	{
+		PR_Close(layer);
+		ereport(ERROR,
+				(errmsg("unable to push IO layer")));
+	}
+
+	/* TODO: set the postgres password callback param as callback function */
+	server_cert = PK11_FindCertFromNickname(ssl_cert_file, &pwdata /* password callback */ );
+	if (!server_cert)
+		ereport(ERROR,
+				(errmsg("unable to find certificate for \"%s\": %s",
+						ssl_cert_file, pg_SSLerrmessage(PR_GetError()))));
+
+	/* TODO: set the postgres password callback param as callback function */
+	private_key = PK11_FindKeyByAnyCert(server_cert, &pwdata /* password callback */ );
+	if (!private_key)
+		ereport(ERROR,
+				(errmsg("unable to find private key for \"%s\": %s",
+						ssl_cert_file, pg_SSLerrmessage(PR_GetError()))));
+
+	/*
+	 * NSS doesn't use CRL files on disk, so we use the ssl_crl_file guc to
+	 * contain the CRL nickname for the current server certificate in the NSS
+	 * certificate database. The main difference from the OpenSSL backend is
+	 * that NSS will use the CRL regardless, but being able to make sure the
+	 * CRL is loaded seems like a good feature.
+	 */
+	if (ssl_crl_file[0])
+	{
+		SECITEM_CopyItem(NULL, &crlname, &server_cert->derSubject);
+		crl = SEC_FindCrlByName(CERT_GetDefaultCertDB(), &crlname, SEC_CRL_TYPE);
+		if (!crl)
+			ereport(ERROR,
+					(errmsg("specified CRL not found in database")));
+		SEC_DestroyCrl(crl);
+	}
+
+	/*
+	 * Finally we must configure the socket for being a server by setting the
+	 * certificate and key.
+	 */
+	status = SSL_ConfigSecureServer(model, server_cert, private_key, kt_rsa);
+	if (status != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to configure secure server: %s",
+						pg_SSLerrmessage(PR_GetError()))));
+	status = SSL_ConfigServerCert(model, server_cert, private_key, NULL, 0);
+	if (status != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to configure server for TLS server connections: %s",
+						pg_SSLerrmessage(PR_GetError()))));
+
+	ssl_loaded_verify_locations = true;
+
+	/*
+	 * At this point, we no longer have use for the certificate and private
+	 * key as they have been copied into the context by NSS. Destroy our
+	 * copies explicitly to clean out the memory as best we can.
+	 */
+	CERT_DestroyCertificate(server_cert);
+	SECKEY_DestroyPrivateKey(private_key);
+
+	status = SSL_AuthCertificateHook(model, pg_cert_auth_handler, (void *) port);
+	if (status != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to install authcert hook: %s",
+						pg_SSLerrmessage(PR_GetError()))));
+	SSL_BadCertHook(model, pg_bad_cert_handler, (void *) port);
+	SSL_OptionSet(model, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+	SSL_OptionSet(model, SSL_REQUIRE_CERTIFICATE, PR_FALSE);
+
+	port->pr_fd = SSL_ImportFD(model, pr_fd);
+	if (!port->pr_fd)
+		ereport(ERROR,
+				(errmsg("unable to initialize")));
+
+	PR_Close(model);
+
+	/*
+	 * Force a handshake on the next I/O request, the second parameter means
+	 * that we are a server, PR_FALSE would indicate being a client. NSPR
+	 * requires us to call SSL_ResetHandshake since we imported an already
+	 * established socket.
+	 */
+	status = SSL_ResetHandshake(port->pr_fd, PR_TRUE);
+	if (status != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to initiate handshake: %s",
+						pg_SSLerrmessage(PR_GetError()))));
+	status = SSL_ForceHandshake(port->pr_fd);
+	if (status != SECSuccess)
+		ereport(ERROR,
+				(errmsg("unable to handshake: %s",
+						pg_SSLerrmessage(PR_GetError()))));
+
+	port->ssl_in_use = true;
+	return 0;
+
+error:
+	return 1;
+}
+
+ssize_t
+be_tls_read(Port *port, void *ptr, size_t len, int *waitfor)
+{
+	ssize_t		n_read;
+	PRErrorCode err;
+
+	n_read = PR_Read(port->pr_fd, ptr, len);
+
+	if (n_read < 0)
+	{
+		err = PR_GetError();
+
+		/* XXX: This logic seems potentially bogus? */
+		if (err == PR_WOULD_BLOCK_ERROR)
+			*waitfor = WL_SOCKET_READABLE;
+		else
+			*waitfor = WL_SOCKET_WRITEABLE;
+	}
+
+	return n_read;
+}
+
+ssize_t
+be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
+{
+	ssize_t		n_write;
+	PRErrorCode err;
+
+	n_write = PR_Send(port->pr_fd, ptr, len, 0, PR_INTERVAL_NO_WAIT);
+
+	if (n_write < 0)
+	{
+		err = PR_GetError();
+
+		if (err == PR_WOULD_BLOCK_ERROR)
+			*waitfor = WL_SOCKET_WRITEABLE;
+		else
+			*waitfor = WL_SOCKET_READABLE;
+	}
+
+	return n_write;
+}
+
+void
+be_tls_close(Port *port)
+{
+	if (!port)
+		return;
+
+	if (port->peer_cn)
+	{
+		SSL_InvalidateSession(port->pr_fd);
+		pfree(port->peer_cn);
+		port->peer_cn = NULL;
+	}
+
+	PR_Close(port->pr_fd);
+	port->pr_fd = NULL;
+	port->ssl_in_use = false;
+
+	if (nss_context)
+	{
+		NSS_ShutdownContext(nss_context);
+		nss_context = NULL;
+	}
+}
+
+void
+be_tls_destroy(void)
+{
+	/*
+	 * It reads a bit odd to clear a session cache when we are destroying the
+	 * context altogether, but if the session cache isn't cleared before
+	 * shutting down the context it will fail with SEC_ERROR_BUSY.
+	 */
+	SSL_ClearSessionCache();
+}
+
+int
+be_tls_get_cipher_bits(Port *port)
+{
+	SECStatus	status;
+	SSLChannelInfo channel;
+	SSLCipherSuiteInfo suite;
+
+	status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel));
+	if (status != SECSuccess)
+		goto error;
+
+	status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite));
+	if (status != SECSuccess)
+		goto error;
+
+	return suite.effectiveKeyBits;
+
+error:
+	ereport(WARNING,
+			(errmsg("unable to extract TLS session information: %s",
+					pg_SSLerrmessage(PR_GetError()))));
+	return 0;
+}
+
+/*
+ * be_tls_get_compression
+ *
+ * NSS disabled support for TLS compression in version 3.33 and removed the
+ * code in a subsequent release. The API for retrieving information about
+ * compression as well as enabling it is kept for backwards compatibility, but
+ * we don't need to consult it since it was only available for SSLv3 which we
+ * don't support.
+ *
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1409587
+ */
+bool
+be_tls_get_compression(Port *port)
+{
+	return false;
+}
+
+/*
+ * be_tls_get_version
+ *
+ * Returns the protocol version used for the current connection, or NULL in
+ * case of errors.
+ */
+const char *
+be_tls_get_version(Port *port)
+{
+	SECStatus	status;
+	SSLChannelInfo channel;
+
+	status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel));
+	if (status != SECSuccess)
+	{
+		ereport(WARNING,
+				(errmsg("unable to extract TLS session information: %s",
+						pg_SSLerrmessage(PR_GetError()))));
+		return NULL;
+	}
+
+	return ssl_protocol_version_to_string(channel.protocolVersion);
+}
+
+const char *
+be_tls_get_cipher(Port *port)
+{
+	SECStatus	status;
+	SSLChannelInfo channel;
+	SSLCipherSuiteInfo suite;
+
+	status = SSL_GetChannelInfo(port->pr_fd, &channel, sizeof(channel));
+	if (status != SECSuccess)
+		goto error;
+
+	status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite));
+	if (status != SECSuccess)
+		goto error;
+
+	return suite.cipherSuiteName;
+
+error:
+	ereport(WARNING,
+			(errmsg("unable to extract TLS session information: %s",
+					pg_SSLerrmessage(PR_GetError()))));
+	return NULL;
+}
+
+void
+be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len)
+{
+	CERTCertificate *certificate;
+
+	certificate = SSL_PeerCertificate(port->pr_fd);
+	if (certificate)
+		strlcpy(ptr, CERT_NameToAscii(&certificate->subject), len);
+	else
+		ptr[0] = '\0';
+}
+
+void
+be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
+{
+	CERTCertificate *certificate;
+
+	certificate = SSL_PeerCertificate(port->pr_fd);
+	if (certificate)
+		strlcpy(ptr, CERT_NameToAscii(&certificate->issuer), len);
+	else
+		ptr[0] = '\0';
+}
+
+void
+be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
+{
+	CERTCertificate *certificate;
+
+	certificate = SSL_PeerCertificate(port->pr_fd);
+	if (certificate)
+		snprintf(ptr, len, "%li", DER_GetInteger(&(certificate->serialNumber)));
+	else
+		ptr[0] = '\0';
+}
+
+static SECStatus
+pg_bad_cert_handler(void *arg, PRFileDesc * fd)
+{
+	Port	   *port = (Port *) arg;
+
+	port->peer_cert_valid = false;
+	return SECFailure;
+}
+
+static SECStatus
+pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer)
+{
+	SECStatus	status;
+	Port	   *port = (Port *) arg;
+	CERTCertificate *cert;
+	char	   *peer_cn;
+	int			len;
+
+	status = SSL_AuthCertificate(CERT_GetDefaultCertDB(), port->pr_fd, checksig, PR_TRUE);
+	if (status == SECSuccess)
+	{
+		cert = SSL_PeerCertificate(port->pr_fd);
+		len = strlen(cert->subjectName);
+		peer_cn = MemoryContextAllocZero(TopMemoryContext, len + 1);
+		if (strncmp(cert->subjectName, "CN=", 3) == 0)
+			strlcpy(peer_cn, cert->subjectName + strlen("CN="), len + 1);
+		else
+			strlcpy(peer_cn, cert->subjectName, len + 1);
+		CERT_DestroyCertificate(cert);
+
+		port->peer_cn = peer_cn;
+		port->peer_cert_valid = true;
+	}
+
+	return status;
+}
+
+/* ------------------------------------------------------------ */
+/*						Internal functions						*/
+/* ------------------------------------------------------------ */
+
+static PRInt32
+pg_ssl_read(PRFileDesc * fd, void *buf, PRInt32 amount, PRIntn flags,
+			PRIntervalTime timeout)
+{
+	PRRecvFN	read_fn;
+	PRInt32		n_read;
+
+	read_fn = fd->lower->methods->recv;
+	n_read = read_fn(fd->lower, buf, amount, flags, timeout);
+
+	return n_read;
+}
+
+static PRInt32
+pg_ssl_write(PRFileDesc * fd, const void *buf, PRInt32 amount, PRIntn flags,
+			 PRIntervalTime timeout)
+{
+	PRSendFN	send_fn;
+	PRInt32		n_write;
+
+	send_fn = fd->lower->methods->send;
+	n_write = send_fn(fd->lower, buf, amount, flags, timeout);
+
+	return n_write;
+}
+
+static PRFileDesc *
+init_iolayer(Port *port, int loglevel)
+{
+	const		PRIOMethods *default_methods;
+	PRFileDesc *layer;
+
+	/*
+	 * Start by initializing our layer with all the default methods so that we
+	 * can selectively override the ones we want while still ensuring that we
+	 * have a complete layer specification.
+	 */
+	default_methods = PR_GetDefaultIOMethods();
+	memcpy(&pr_iomethods, default_methods, sizeof(PRIOMethods));
+
+	pr_iomethods.recv = pg_ssl_read;
+	pr_iomethods.send = pg_ssl_write;
+
+	/*
+	 * Each IO layer must be identified by a unique name, where uniqueness is
+	 * per connection. Each connection in a postgres cluster can generate the
+	 * identity from the same string as they will create their IO layers on
+	 * different sockets. Only one layer per socket can have the same name.
+	 */
+	pr_id = PR_GetUniqueIdentity("PostgreSQL");
+	if (pr_id == PR_INVALID_IO_LAYER)
+	{
+		ereport(loglevel,
+				(errmsg("out of memory when setting up TLS connection")));
+		return NULL;
+	}
+
+	/*
+	 * Create the actual IO layer as a stub such that it can be pushed onto
+	 * the layer stack. The step via a stub is required as we define custom
+	 * callbacks.
+	 */
+	layer = PR_CreateIOLayerStub(pr_id, &pr_iomethods);
+	if (!layer)
+	{
+		ereport(loglevel,
+				(errmsg("unable to create NSS I/O layer")));
+		return NULL;
+	}
+
+	return layer;
+}
+
+static char *
+ssl_protocol_version_to_string(int v)
+{
+	switch (v)
+	{
+			/* SSL v2 and v3 are not supported */
+		case SSL_LIBRARY_VERSION_2:
+		case SSL_LIBRARY_VERSION_3_0:
+			Assert(false);
+			break;
+
+		case SSL_LIBRARY_VERSION_TLS_1_0:
+			return pstrdup("TLSv1.0");
+		case SSL_LIBRARY_VERSION_TLS_1_1:
+			return pstrdup("TLSv1.1");
+		case SSL_LIBRARY_VERSION_TLS_1_2:
+			return pstrdup("TLSv1.2");
+		case SSL_LIBRARY_VERSION_TLS_1_3:
+			return pstrdup("TLSv1.3");
+	}
+
+	return pstrdup("unknown");
+}
+
+
+/*
+ * ssl_protocol_version_to_nss
+ *			Translate PostgreSQL TLS version to NSS version
+ *
+ * Returns zero in case the requested TLS version is undefined (PG_ANY) and
+ * should be set by the caller, or -1 on failure.
+ */
+static uint16
+ssl_protocol_version_to_nss(int v, const char *guc_name)
+{
+	switch (v)
+	{
+			/*
+			 * There is no SSL_LIBRARY_ macro defined in NSS with the value
+			 * zero, so we use this to signal the caller that the highest
+			 * useful version should be set on the connection.
+			 */
+		case PG_TLS_ANY:
+			return 0;
+
+			/*
+			 * No guard is required here as there are no versions of NSS
+			 * without support for TLS1.
+			 */
+		case PG_TLS1_VERSION:
+			return SSL_LIBRARY_VERSION_TLS_1_0;
+		case PG_TLS1_1_VERSION:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
+			return SSL_LIBRARY_VERSION_TLS_1_1;
+#else
+			break;
+#endif
+		case PG_TLS1_2_VERSION:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+			return SSL_LIBRARY_VERSION_TLS_1_2;
+#else
+			break;
+#endif
+		case PG_TLS1_3_VERSION:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+			return SSL_LIBRARY_VERSION_TLS_1_3;
+#else
+			break;
+#endif
+		default:
+			break;
+	}
+
+	return -1;
+}
+
+/*
+ * pg_SSLerrmessage
+ *		Create and return a human readable error message given
+ *		the specified error code
+ *
+ * PR_ErrorToName only converts the enum identifier of the error to string,
+ * but that can be quite useful for debugging (and in case PR_ErrorToString is
+ * unable to render a message then we at least have something).
+ */
+static char *
+pg_SSLerrmessage(PRErrorCode errcode)
+{
+	char		error[128];
+	int			ret;
+
+	/* TODO: this should perhaps use a StringInfo instead.. */
+	ret = pg_snprintf(error, sizeof(error), "%s (%s)",
+					  PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT),
+					  PR_ErrorToName(errcode));
+	if (ret)
+		return pstrdup(error);
+
+	return pstrdup(_("unknown TLS error"));
+}
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 8b21ff4065..5962cffc0c 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1298,15 +1298,28 @@ X509_NAME_to_cstring(X509_NAME *name)
 	char	   *dp;
 	char	   *result;
 
+	if (membuf == NULL)
+		ereport(ERROR,
+				(errcode(ERRCODE_OUT_OF_MEMORY),
+				 errmsg("failed to create BIO")));
+
 	(void) BIO_set_close(membuf, BIO_CLOSE);
 	for (i = 0; i < count; i++)
 	{
 		e = X509_NAME_get_entry(name, i);
 		nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
+		if (nid == NID_undef)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("could not get NID for ASN1_OBJECT object")));
 		v = X509_NAME_ENTRY_get_data(e);
 		field_name = OBJ_nid2sn(nid);
 		if (!field_name)
 			field_name = OBJ_nid2ln(nid);
+		if (field_name == NULL)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
 		BIO_printf(membuf, "/%s=", field_name);
 		ASN1_STRING_print_ex(membuf, v,
 							 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
@@ -1322,7 +1335,8 @@ X509_NAME_to_cstring(X509_NAME *name)
 	result = pstrdup(dp);
 	if (dp != sp)
 		pfree(dp);
-	BIO_free(membuf);
+	if (BIO_free(membuf) != 1)
+		elog(ERROR, "could not free OpenSSL BIO structure");
 
 	return result;
 }
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 2ae507a902..f39977b80c 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -49,6 +49,9 @@ bool		ssl_passphrase_command_supports_reload;
 #ifdef USE_SSL
 bool		ssl_loaded_verify_locations = false;
 #endif
+#ifdef USE_NSS
+char	   *ssl_database;
+#endif
 
 /* GUC variable controlling SSL cipher list */
 char	   *SSLCipherSuites = NULL;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index de87ad6ef7..33c3eebf48 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -4262,7 +4262,11 @@ static struct config_string ConfigureNamesString[] =
 		},
 		&ssl_library,
 #ifdef USE_SSL
+#if defined(USE_OPENSSL)
 		"OpenSSL",
+#elif defined(USE_NSS)
+		"NSS",
+#endif
 #else
 		"",
 #endif
@@ -4320,6 +4324,18 @@ static struct config_string ConfigureNamesString[] =
 		check_canonical_path, assign_pgstat_temp_directory, NULL
 	},
 
+#ifdef USE_NSS
+	{
+		{"ssl_database", PGC_SIGHUP, CONN_AUTH_SSL,
+			gettext_noop("Location of the NSS certificate database."),
+			NULL
+		},
+		&ssl_database,
+		"",
+		NULL, NULL, NULL
+	},
+#endif
+
 	{
 		{"synchronous_standby_names", PGC_SIGHUP, REPLICATION_PRIMARY,
 			gettext_noop("Number of synchronous standbys and list of names of potential synchronous ones."),
@@ -4348,8 +4364,10 @@ static struct config_string ConfigureNamesString[] =
 			GUC_SUPERUSER_ONLY
 		},
 		&SSLCipherSuites,
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL)
 		"HIGH:MEDIUM:+3DES:!aNULL",
+#elif defined (USE_NSS)
+		"",
 #else
 		"none",
 #endif
diff --git a/src/include/common/pg_nss.h b/src/include/common/pg_nss.h
new file mode 100644
index 0000000000..74298c8bb1
--- /dev/null
+++ b/src/include/common/pg_nss.h
@@ -0,0 +1,141 @@
+/*-------------------------------------------------------------------------
+ *
+ * pg_nss.h
+ *	  Support for NSS as a TLS backend
+ *
+ * These definitions are used by both frontend and backend code.
+ *
+ * Copyright (c) 2020, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *        src/include/common/pg_nss.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef PG_NSS_H
+#define PG_NSS_H
+
+#ifdef USE_NSS
+
+#include <sslproto.h>
+
+PRUint16	pg_find_cipher(char *name);
+
+typedef struct
+{
+	const char *name;
+	PRUint16	number;
+}			NSSCiphers;
+
+#define INVALID_CIPHER	0xFFFF
+
+/*
+ * This list is a partial copy of the ciphers in NSS files lib/ssl/sslproto.h
+ * in order to provide a human readable version of the ciphers. It would be
+ * nice to not have to have this, but NSS doesn't provide any API addressing
+ * the ciphers by name. TODO: do we want more of the ciphers, or perhaps less?
+ */
+static const NSSCiphers NSS_CipherList[] = {
+
+	{"TLS_NULL_WITH_NULL_NULL", TLS_NULL_WITH_NULL_NULL},
+
+	{"TLS_RSA_WITH_NULL_MD5", TLS_RSA_WITH_NULL_MD5},
+	{"TLS_RSA_WITH_NULL_SHA", TLS_RSA_WITH_NULL_SHA},
+	{"TLS_RSA_WITH_RC4_128_MD5", TLS_RSA_WITH_RC4_128_MD5},
+	{"TLS_RSA_WITH_RC4_128_SHA", TLS_RSA_WITH_RC4_128_SHA},
+	{"TLS_RSA_WITH_IDEA_CBC_SHA", TLS_RSA_WITH_IDEA_CBC_SHA},
+	{"TLS_RSA_WITH_DES_CBC_SHA", TLS_RSA_WITH_DES_CBC_SHA},
+	{"TLS_RSA_WITH_3DES_EDE_CBC_SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+
+	{"TLS_DH_DSS_WITH_DES_CBC_SHA", TLS_DH_DSS_WITH_DES_CBC_SHA},
+	{"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA},
+	{"TLS_DH_RSA_WITH_DES_CBC_SHA", TLS_DH_RSA_WITH_DES_CBC_SHA},
+	{"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA},
+
+	{"TLS_DHE_DSS_WITH_DES_CBC_SHA", TLS_DHE_DSS_WITH_DES_CBC_SHA},
+	{"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA},
+	{"TLS_DHE_RSA_WITH_DES_CBC_SHA", TLS_DHE_RSA_WITH_DES_CBC_SHA},
+	{"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
+
+	{"TLS_DH_anon_WITH_RC4_128_MD5", TLS_DH_anon_WITH_RC4_128_MD5},
+	{"TLS_DH_anon_WITH_DES_CBC_SHA", TLS_DH_anon_WITH_DES_CBC_SHA},
+	{"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", TLS_DH_anon_WITH_3DES_EDE_CBC_SHA},
+
+	{"TLS_RSA_WITH_AES_128_CBC_SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
+	{"TLS_DH_DSS_WITH_AES_128_CBC_SHA", TLS_DH_DSS_WITH_AES_128_CBC_SHA},
+	{"TLS_DH_RSA_WITH_AES_128_CBC_SHA", TLS_DH_RSA_WITH_AES_128_CBC_SHA},
+	{"TLS_DHE_DSS_WITH_AES_128_CBC_SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA},
+	{"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
+	{"TLS_DH_anon_WITH_AES_128_CBC_SHA", TLS_DH_anon_WITH_AES_128_CBC_SHA},
+
+	{"TLS_RSA_WITH_AES_256_CBC_SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
+	{"TLS_DH_DSS_WITH_AES_256_CBC_SHA", TLS_DH_DSS_WITH_AES_256_CBC_SHA},
+	{"TLS_DH_RSA_WITH_AES_256_CBC_SHA", TLS_DH_RSA_WITH_AES_256_CBC_SHA},
+	{"TLS_DHE_DSS_WITH_AES_256_CBC_SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA},
+	{"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
+	{"TLS_DH_anon_WITH_AES_256_CBC_SHA", TLS_DH_anon_WITH_AES_256_CBC_SHA},
+	{"TLS_RSA_WITH_NULL_SHA256", TLS_RSA_WITH_NULL_SHA256},
+	{"TLS_RSA_WITH_AES_128_CBC_SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
+	{"TLS_RSA_WITH_AES_256_CBC_SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
+
+	{"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256},
+	{"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA},
+	{"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA},
+	{"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA},
+	{"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA},
+	{"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA},
+	{"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA},
+
+	{"TLS_DHE_DSS_WITH_RC4_128_SHA", TLS_DHE_DSS_WITH_RC4_128_SHA},
+	{"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
+	{"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256},
+	{"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
+
+	{"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA},
+	{"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA},
+	{"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA},
+	{"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA},
+	{"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA},
+	{"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA},
+
+	{"TLS_RSA_WITH_SEED_CBC_SHA", TLS_RSA_WITH_SEED_CBC_SHA},
+
+	{"TLS_RSA_WITH_AES_128_GCM_SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256},
+	{"TLS_RSA_WITH_AES_256_GCM_SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384},
+	{"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
+	{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
+	{"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256},
+	{"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384},
+
+	{"TLS_AES_128_GCM_SHA256", TLS_AES_128_GCM_SHA256},
+	{"TLS_AES_256_GCM_SHA384", TLS_AES_256_GCM_SHA384},
+	{"TLS_CHACHA20_POLY1305_SHA256", TLS_CHACHA20_POLY1305_SHA256},
+	{NULL, 0}
+};
+
+/*
+ * pg_find_cipher
+ *			Translate an NSS ciphername to the cipher code
+ *
+ * Searches the configured ciphers for the corresponding cipher code to the
+ * name. Search is performed case insensitive.
+ */
+PRUint16
+pg_find_cipher(char *name)
+{
+	const		NSSCiphers *cipher_list = NSS_CipherList;
+
+	while (cipher_list->name)
+	{
+		if (pg_strcasecmp(cipher_list->name, name) == 0)
+			return cipher_list->number;
+
+		cipher_list++;
+	}
+
+	return 0xFFFF;
+}
+
+#endif							/* USE_NSS */
+
+#endif							/* PG_NSS_H */
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 0a23281ad5..f11ddd6b2e 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -192,13 +192,18 @@ typedef struct Port
 	bool		peer_cert_valid;
 
 	/*
-	 * OpenSSL structures. (Keep these last so that the locations of other
-	 * fields are the same whether or not you build with OpenSSL.)
+	 * SSL backend specific structures. (Keep these last so that the locations
+	 * of other fields are the same whether or not you build with SSL
+	 * enabled.)
 	 */
 #ifdef USE_OPENSSL
 	SSL		   *ssl;
 	X509	   *peer;
 #endif
+
+#ifdef USE_NSS
+	void	   *pr_fd;
+#endif
 } Port;
 
 #ifdef USE_SSL
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index b1152475ac..298d87ecae 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -88,6 +88,9 @@ extern PGDLLIMPORT bool ssl_passphrase_command_supports_reload;
 #ifdef USE_SSL
 extern bool ssl_loaded_verify_locations;
 #endif
+#ifdef USE_NSS
+extern char *ssl_database;
+#endif
 
 extern int	secure_initialize(bool isServerStart);
 extern bool secure_loaded_verify_locations(void);
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index fb270df678..31f808398c 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -893,6 +893,9 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
+/* Define to build with NSS support (--with-nss) */
+#undef USE_NSS
+
 /* Define to 1 to use software CRC-32C implementation (slicing-by-8). */
 #undef USE_SLICING_BY_8_CRC32C
 
diff --git a/src/include/pg_config_manual.h b/src/include/pg_config_manual.h
index 705dc69c06..c28b84126d 100644
--- a/src/include/pg_config_manual.h
+++ b/src/include/pg_config_manual.h
@@ -176,10 +176,9 @@
 
 /*
  * USE_SSL code should be compiled only when compiling with an SSL
- * implementation.  (Currently, only OpenSSL is supported, but we might add
- * more implementations in the future.)
+ * implementation.
  */
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL) || defined(USE_NSS)
 #define USE_SSL
 #endif
 
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index d4919970f8..97821fb39b 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -57,6 +57,10 @@ OBJS += \
 	fe-secure-gssapi.o
 endif
 
+ifeq ($(with_nss), yes)
+OBJS += fe-secure-nss.o
+endif
+
 ifeq ($(PORTNAME), cygwin)
 override shlib = cyg$(NAME)$(DLSUFFIX)
 endif
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 7bee9dd201..2814eb8ddd 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -354,6 +354,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"Target-Session-Attrs", "", 11, /* sizeof("read-write") = 11 */
 	offsetof(struct pg_conn, target_session_attrs)},
 
+	{"cert_database", NULL, NULL, NULL,
+		"CertificateDatabase", "", 64,
+	offsetof(struct pg_conn, cert_database)},
+
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL,
 	NULL, NULL, 0}
diff --git a/src/interfaces/libpq/fe-secure-nss.c b/src/interfaces/libpq/fe-secure-nss.c
new file mode 100644
index 0000000000..778393fc3b
--- /dev/null
+++ b/src/interfaces/libpq/fe-secure-nss.c
@@ -0,0 +1,984 @@
+/*-------------------------------------------------------------------------
+ *
+ * fe-secure-nss.c
+ *	  functions for supporting NSS as a TLS backend for frontend libpq
+ *
+ * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *	  src/interfaces/libpq/fe-secure-nss.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres_fe.h"
+
+#include "libpq-fe.h"
+#include "fe-auth.h"
+#include "libpq-int.h"
+
+/*
+ * BITS_PER_BYTE is also defined in the NSPR header fils, so we need to undef
+ * our version to avoid compiler warnings on redefinition.
+ */
+#define pg_BITS_PER_BYTE BITS_PER_BYTE
+#undef BITS_PER_BYTE
+
+/*
+ * The nspr/obsolete/protypes.h NSPR header typedefs uint64 and int64 with
+ * colliding definitions from ours, causing a much expected compiler error.
+ * The definitions are however not actually used in NSPR at all, and are only
+ * intended for what seems to be backwards compatibility for apps written
+ * against old versions of NSPR.  The following comment is in the referenced
+ * file, and was added in 1998:
+ *
+ *		This section typedefs the old 'native' types to the new PR<type>s.
+ *		These definitions are scheduled to be eliminated at the earliest
+ *		possible time. The NSPR API is implemented and documented using
+ *		the new definitions.
+ *
+ * As there is no opt-out from pulling in these typedefs, we define the guard
+ * for the file to exclude it. This is incredibly ugly, but seems to be about
+ * the only way around it.
+ */
+#define PROTYPES_H
+#include <nspr.h>
+#undef PROTYPES_H
+#include <nss.h>
+#include <ssl.h>
+#include <sslproto.h>
+#include <pk11func.h>
+#include <prerror.h>
+#include <prinit.h>
+#include <prio.h>
+#include <secerr.h>
+#include <secmod.h>
+
+/*
+ * Ensure that the colliding definitions match, else throw an error. In case
+ * NSPR remove the definition in a future version (however unlikely that may
+ * be, make sure to put ours back again.
+ */
+#if defined(BITS_PER_BYTE)
+#if BITS_PER_BYTE != pg_BITS_PER_BYTE
+#error "incompatible byte widths between NSPR and PostgreSQL"
+#endif
+#else
+#define BITS_PER_BYTE pg_BITS_PER_BYTE
+#endif
+#undef pg_BITS_PER_BYTE
+
+static SECStatus pg_load_nss_module(SECMODModule * *module, const char *library, const char *name);
+static SECStatus pg_bad_cert_handler(void *arg, PRFileDesc * fd);
+static char *pg_SSLerrmessage(PRErrorCode errcode);
+static SECStatus pg_client_auth_handler(void *arg, PRFileDesc * socket, CERTDistNames * caNames,
+										CERTCertificate * *pRetCert, SECKEYPrivateKey * *pRetKey);
+static SECStatus pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer);
+static int	ssl_protocol_version_to_nss(const char *protocol);
+static bool cert_database_has_CA(PGconn *conn);
+
+static char *PQssl_passwd_cb(PK11SlotInfo * slot, PRBool retry, void *arg);
+
+/*
+ * PR_ImportTCPSocket() is a private API, but very widely used, as it's the
+ * only way to make NSS use an already set up POSIX file descriptor rather
+ * than opening one itself. To quote the NSS documentation:
+ *
+ *		"In theory, code that uses PR_ImportTCPSocket may break when NSPR's
+ *		implementation changes. In practice, this is unlikely to happen because
+ *		NSPR's implementation has been stable for years and because of NSPR's
+ *		strong commitment to backward compatibility."
+ *
+ * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket
+ *
+ * The function is declared in <private/pprio.h>, but as it is a header marked
+ * private we declare it here rather than including it.
+ */
+NSPR_API(PRFileDesc *) PR_ImportTCPSocket(int);
+
+static SECMODModule * ca_trust = NULL;
+static NSSInitContext * nss_context = NULL;
+
+/*
+ * Track whether the NSS database has a password set or not. There is no API
+ * function for retrieving password status, so we simply flip this to true in
+ * case NSS invoked the password callback - as that will only happen in case
+ * there is a password. The reason for tracking this is that there are calls
+ * which require a password parameter, but doesn't use the callbacks provided,
+ * so we must call the callback on behalf of these.
+ */
+static bool has_password = false;
+
+#if defined(WIN32)
+static const char *ca_trust_name = "nssckbi.dll";
+#elif defined(__darwin__)
+static const char *ca_trust_name = "libnssckbi.dylib";
+#else
+static const char *ca_trust_name = "libnssckbi.so";
+#endif
+
+static PQsslKeyPassHook_nss_type PQsslKeyPassHook = NULL;
+
+/* ------------------------------------------------------------ */
+/*			 Procedures common to all secure sessions			*/
+/* ------------------------------------------------------------ */
+
+/*
+ * pgtls_init_library
+ *
+ * There is no direct equivalent for PQinitOpenSSL in NSS/NSPR, with PR_Init
+ * being the closest match there is. PR_Init is however already documented to
+ * not be required so simply making this a noop seems like the best option.
+ */
+void
+pgtls_init_library(bool do_ssl, int do_crypto)
+{
+	/* noop */
+}
+
+int
+pgtls_init(PGconn *conn)
+{
+	conn->ssl_in_use = false;
+
+	return 0;
+}
+
+void
+pgtls_close(PGconn *conn)
+{
+	if (nss_context)
+	{
+		NSS_ShutdownContext(nss_context);
+		nss_context = NULL;
+	}
+}
+
+PostgresPollingStatusType
+pgtls_open_client(PGconn *conn)
+{
+	SECStatus	status;
+	PRFileDesc *pr_fd;
+	PRFileDesc *model;
+	NSSInitParameters params;
+	SSLVersionRange desired_range;
+
+	/*
+	 * The NSPR documentation states that runtime initialization via PR_Init
+	 * is no longer required, as the first caller into NSPR will perform the
+	 * initialization implicitly. The documentation doesn't however clarify
+	 * from which version this is holds true, so let's perform the potentially
+	 * superfluous initialization anyways to avoid crashing on older versions
+	 * of NSPR, as there is no difference in overhead.  The NSS documentation
+	 * still states that PR_Init must be called in some way (implicitly or
+	 * explicitly).
+	 *
+	 * The below parameters are what the implicit initialization would've done
+	 * for us, and should work even for older versions where it might not be
+	 * done automatically. The last parameter, maxPTDs, is set to various
+	 * values in other codebases, but has been unused since NSPR 2.1 which was
+	 * released sometime in 1998.
+	 */
+	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
+
+	/*
+	 * The original design of NSS was for a single application to use a single
+	 * copy of it, initialized with NSS_Initialize() which isn't returning any
+	 * handle with which to refer to NSS. NSS initialization and shutdown are
+	 * global for the application, so a shutdown in another NSS enabled
+	 * library would cause NSS to be stopped for libpq as well.  The fix has
+	 * been to introduce NSS_InitContext which returns a context handle to
+	 * pass to NSS_ShutdownContext.  NSS_InitContext was introduced in NSS
+	 * 3.12, but the use of it is not very well documented.
+	 * https://bugzilla.redhat.com/show_bug.cgi?id=738456
+	 *
+	 * The InitParameters struct passed can be used to override internal
+	 * values in NSS, but the usage is not documented at all. When using
+	 * NSS_Init initializations, the values are instead set via PK11_Configure
+	 * calls so the PK11_Configure documentation can be used to glean some
+	 * details on these.
+	 *
+	 * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Specs
+	 */
+	memset(&params, 0, sizeof(params));
+	params.length = sizeof(params);
+
+	if (conn->cert_database && strlen(conn->cert_database) > 0)
+	{
+		char	   *cert_database_path = psprintf("sql:%s", conn->cert_database);
+
+		nss_context = NSS_InitContext(cert_database_path, "", "", "",
+									  &params,
+									  NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
+		pfree(cert_database_path);
+	}
+	else
+		nss_context = NSS_InitContext("", "", "", "", &params,
+									  NSS_INIT_READONLY | NSS_INIT_NOCERTDB |
+									  NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN |
+									  NSS_INIT_NOROOTINIT | NSS_INIT_PK11RELOAD);
+
+	if (!nss_context)
+	{
+		char	   *err = pg_SSLerrmessage(PR_GetError());
+
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to %s certificate database: %s"),
+						  conn->cert_database ? "open" : "create",
+						  err);
+		free(err);
+		return PGRES_POLLING_FAILED;
+	}
+
+	/*
+	 * Configure cipher policy.
+	 */
+	status = NSS_SetDomesticPolicy();
+	if (status != SECSuccess)
+	{
+		char	   *err = pg_SSLerrmessage(PR_GetError());
+
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to configure cipher policy: %s"),
+						  err);
+		free(err);
+		return PGRES_POLLING_FAILED;
+	}
+
+	/*
+	 * If we don't have a certificate database, the system trust store is the
+	 * fallback we can use. If we fail to initialize that as well, we can
+	 * still attempt a connection as long as the sslmode isn't verify*.
+	 */
+	if (!conn->cert_database && conn->sslmode[0] == 'v')
+	{
+		status = pg_load_nss_module(&ca_trust, ca_trust_name, "\"Root Certificates\"");
+		/* status = pg_load_nss_module(&ca_trust, ca_trust_name, "trust"); */
+		if (status != SECSuccess)
+		{
+			char	   *err = pg_SSLerrmessage(PR_GetError());
+
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("WARNING: unable to load NSS trust module \"%s\" : %s"), ca_trust_name, err);
+			return PGRES_POLLING_FAILED;
+		}
+	}
+
+
+	PK11_SetPasswordFunc(PQssl_passwd_cb);
+
+	/*
+	 * Import the already opened socket as we don't want to use NSPR functions
+	 * for opening the network socket due to how the PostgreSQL protocol works
+	 * with TLS connections. This function is not part of the NSPR public API,
+	 * see the comment at the top of the file for the rationale of still using
+	 * it.
+	 */
+	pr_fd = PR_ImportTCPSocket(conn->sock);
+	if (!pr_fd)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to attach to socket: %s"),
+						  pg_SSLerrmessage(PR_GetError()));
+		return PGRES_POLLING_FAILED;
+	}
+
+	/*
+	 * Most of the documentation available, and implementations of, NSS/NSPR
+	 * use the PR_NewTCPSocket() function here, which has the drawback that it
+	 * can only create IPv4 sockets. Instead use PR_OpenTCPSocket() which
+	 * copes with IPv6 as well.
+	 */
+	model = SSL_ImportFD(NULL, PR_OpenTCPSocket(conn->laddr.addr.ss_family));
+	if (!model)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to enable TLS: %s"),
+						  pg_SSLerrmessage(PR_GetError()));
+		return PGRES_POLLING_FAILED;
+	}
+
+	/* Disable old protocol versions (SSLv2 and SSLv3) */
+	SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE);
+	SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
+	SSL_OptionSet(model, SSL_ENABLE_SSL3, PR_FALSE);
+
+#ifdef SSL_CBC_RANDOM_IV
+
+	/*
+	 * Enable protection against the BEAST attack in case the NSS library has
+	 * support for that. While SSLv3 is disabled, we may still allow TLSv1
+	 * which is affected. The option isn't documented as an SSL option, but as
+	 * an NSS environment variable.
+	 */
+	SSL_OptionSet(model, SSL_CBC_RANDOM_IV, PR_TRUE);
+#endif
+
+	/* Set us up as a TLS client for the handshake */
+	SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
+
+	/*
+	 * When setting the available protocols, we either use the user defined
+	 * configuration values, and if missing we accept whatever is the highest
+	 * version supported by the library as the max and only limit the range in
+	 * the other end at TLSv1.0. ssl_variant_stream is a ProtocolVariant enum
+	 * for Stream protocols, rather than datagram.
+	 */
+	SSL_VersionRangeGetSupported(ssl_variant_stream, &desired_range);
+	desired_range.min = SSL_LIBRARY_VERSION_TLS_1_0;
+
+	if (conn->ssl_min_protocol_version && strlen(conn->ssl_min_protocol_version) > 0)
+	{
+		int			ssl_min_ver = ssl_protocol_version_to_nss(conn->ssl_min_protocol_version);
+
+		if (ssl_min_ver == -1)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
+							  conn->ssl_min_protocol_version);
+			return -1;
+		}
+
+		desired_range.min = ssl_min_ver;
+	}
+
+	if (conn->ssl_max_protocol_version && strlen(conn->ssl_max_protocol_version) > 0)
+	{
+		int			ssl_max_ver = ssl_protocol_version_to_nss(conn->ssl_max_protocol_version);
+
+		if (ssl_max_ver == -1)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
+							  conn->ssl_max_protocol_version);
+			return -1;
+		}
+
+		desired_range.max = ssl_max_ver;
+	}
+
+	if (SSL_VersionRangeSet(model, &desired_range) != SECSuccess)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to set allowed SSL protocol version range: %s"),
+						  pg_SSLerrmessage(PR_GetError()));
+		return PGRES_POLLING_FAILED;
+	}
+
+	/*
+	 * Set up callback for verifying server certificates, as well as for how
+	 * to handle failed verifications.
+	 */
+	SSL_AuthCertificateHook(model, pg_cert_auth_handler, (void *) conn);
+	SSL_BadCertHook(model, pg_bad_cert_handler, (void *) conn);
+
+	/*
+	 * Convert the NSPR socket to an SSL socket. Ensuring the success of this
+	 * operation is critical as NSS SSL_* functions may return SECSuccess on
+	 * the socket even though SSL hasn't been enabled, which introduce a risk
+	 * of silent downgrades.
+	 */
+	conn->pr_fd = SSL_ImportFD(model, pr_fd);
+	if (!conn->pr_fd)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to configure client for TLS: %s"),
+						  pg_SSLerrmessage(PR_GetError()));
+		return PGRES_POLLING_FAILED;
+	}
+
+	/*
+	 * The model can now we closed as we've applied the settings of the model
+	 * onto the real socket. From hereon we should only use conn->pr_fd.
+	 */
+	PR_Close(model);
+
+	/* Set the private data to be passed to the password callback */
+	SSL_SetPKCS11PinArg(conn->pr_fd, (void *) conn);
+
+	/*
+	 * If a CRL file has been specified, verify if it exists in the database
+	 * but don't fail in case it doesn't.
+	 */
+	if (conn->sslcrl && strlen(conn->sslcrl) > 0)
+	{
+		/* XXX: Implement me.. */
+	}
+
+	status = SSL_ResetHandshake(conn->pr_fd, PR_FALSE);
+	if (status != SECSuccess)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to initiate handshake: %s"),
+						  pg_SSLerrmessage(PR_GetError()));
+		return PGRES_POLLING_FAILED;
+	}
+
+	/*
+	 * Set callback for client authentication when requested by the server.
+	 */
+	SSL_GetClientAuthDataHook(conn->pr_fd, pg_client_auth_handler, (void *) conn);
+
+	/*
+	 * Specify which hostname we are expecting to talk to. This is required,
+	 * albeit mostly applies to when opening a connection to a traditional
+	 * http server it seems.
+	 */
+	SSL_SetURL(conn->pr_fd, (conn->connhost[conn->whichhost]).host);
+
+	do
+	{
+		status = SSL_ForceHandshake(conn->pr_fd);
+	}
+	while (status != SECSuccess && PR_GetError() == PR_WOULD_BLOCK_ERROR);
+
+	if (status != SECSuccess)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("SSL error: %s"),
+						  pg_SSLerrmessage(PR_GetError()));
+		return PGRES_POLLING_FAILED;
+	}
+
+	conn->ssl_in_use = true;
+	return PGRES_POLLING_OK;
+}
+
+ssize_t
+pgtls_read(PGconn *conn, void *ptr, size_t len)
+{
+	PRInt32		nread;
+	PRErrorCode status;
+	int			read_errno = 0;
+
+	nread = PR_Recv(conn->pr_fd, ptr, len, 0, PR_INTERVAL_NO_WAIT);
+
+	/*
+	 * PR_Recv blocks until there is data to read or the timeout expires. Zero
+	 * is returned for closed connections, while -1 indicates an error within
+	 * the ongoing connection.
+	 */
+	if (nread == 0)
+	{
+		read_errno = ECONNRESET;
+		return -1;
+	}
+
+	if (nread == -1)
+	{
+		status = PR_GetError();
+
+		switch (status)
+		{
+			case PR_WOULD_BLOCK_ERROR:
+				read_errno = EINTR;
+				break;
+
+			case PR_IO_TIMEOUT_ERROR:
+				break;
+
+				/*
+				 * The error cases for PR_Recv are not documented, but can be
+				 * reverse engineered from _MD_unix_map_default_error() in the
+				 * NSPR code, defined in pr/src/md/unix/unix_errors.c.
+				 */
+			default:
+				printfPQExpBuffer(&conn->errorMessage,
+								  libpq_gettext("TLS read error: %s"),
+								  pg_SSLerrmessage(status));
+				break;
+		}
+	}
+
+	SOCK_ERRNO_SET(read_errno);
+	return (ssize_t) nread;
+}
+
+/*
+ * pgtls_read_pending
+ *		Check for the existence of data to be read.
+ *
+ * This is part of the PostgreSQL TLS backend API.
+ */
+bool
+pgtls_read_pending(PGconn *conn)
+{
+	unsigned char c;
+	int			n;
+
+	/*
+	 * PR_Recv peeks into the stream with the timeount turned off, to see if
+	 * there is another byte to read off the wire. There is an NSS function
+	 * SSL_DataPending() which might seem like a better fit, but it will only
+	 * check already encrypted data in the SSL buffer, not still unencrypted
+	 * data, thus it doesn't guarantee that a subsequent call to
+	 * PR_Read/PR_Recv wont block.
+	 */
+	n = PR_Recv(conn->pr_fd, &c, 1, PR_MSG_PEEK, PR_INTERVAL_NO_WAIT);
+	return (n > 0);
+}
+
+ssize_t
+pgtls_write(PGconn *conn, const void *ptr, size_t len)
+{
+	PRInt32		n;
+	PRErrorCode status;
+	int			write_errno = 0;
+
+	n = PR_Write(conn->pr_fd, ptr, len);
+
+	if (n < 0)
+	{
+		status = PR_GetError();
+
+		switch (status)
+		{
+			case PR_WOULD_BLOCK_ERROR:
+#ifdef EAGAIN
+				write_errno = EAGAIN;
+#else
+				write_errno = EINTR;
+#endif
+				break;
+
+			default:
+				printfPQExpBuffer(&conn->errorMessage,
+								  libpq_gettext("TLS write error: %s"),
+								  pg_SSLerrmessage(status));
+				write_errno = ECONNRESET;
+				break;
+		}
+	}
+
+	SOCK_ERRNO_SET(write_errno);
+	return (ssize_t) n;
+}
+
+/*
+ *	Verify that the server certificate matches the hostname we connected to.
+ *
+ * The certificate's Common Name and Subject Alternative Names are considered.
+ */
+int
+pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
+												int *names_examined,
+												char **first_name)
+{
+	return 1;
+}
+
+/* ------------------------------------------------------------ */
+/*			PostgreSQL specific TLS support functions			*/
+/* ------------------------------------------------------------ */
+
+/*
+ * TODO: this a 99% copy of the same function in the backend, make these share
+ * a single implementation instead.
+ */
+static char *
+pg_SSLerrmessage(PRErrorCode errcode)
+{
+	const char *error;
+
+	error = PR_ErrorToName(errcode);
+	if (error)
+		return strdup(error);
+
+	return strdup("unknown TLS error");
+}
+
+static SECStatus
+pg_load_nss_module(SECMODModule * *module, const char *library, const char *name)
+{
+	SECMODModule *mod;
+	char	   *modulespec;
+
+	modulespec = psprintf("library=\"%s\", name=\"%s\"", library, name);
+
+	/*
+	 * Attempt to load the specified module. The second parameter is "parent"
+	 * which should always be NULL for application code. The third parameter
+	 * defines if loading should recurse which is only applicable when loading
+	 * a module from within another module. This hierarchy would have to be
+	 * defined in the modulespec, and since we don't support anything but
+	 * directly addressed modules we should pass PR_FALSE.
+	 */
+	mod = SECMOD_LoadUserModule(modulespec, NULL, PR_FALSE);
+	pfree(modulespec);
+
+	if (mod && mod->loaded)
+	{
+		*module = mod;
+		return SECSuccess;
+	}
+
+	SECMOD_DestroyModule(mod);
+	return SECFailure;
+}
+
+/* ------------------------------------------------------------ */
+/*						NSS Callbacks							*/
+/* ------------------------------------------------------------ */
+
+/*
+ * pg_cert_auth_handler
+ *			Callback for authenticating server certificate
+ *
+ * This is pretty much the same procedure as the SSL_AuthCertificate function
+ * provided by NSS, with the difference being server hostname validation. With
+ * SSL_AuthCertificate there is no way to do verify-ca, it only does the -full
+ * flavor of our sslmodes, so we need our own implementation.
+ */
+static SECStatus
+pg_cert_auth_handler(void *arg, PRFileDesc * fd, PRBool checksig, PRBool isServer)
+{
+	SECStatus	status;
+	PGconn	   *conn = (PGconn *) arg;
+	char	   *server_hostname = NULL;
+	CERTCertificate *server_cert;
+	void	   *pin;
+
+	Assert(!isServer);
+
+	pin = SSL_RevealPinArg(conn->pr_fd);
+	server_cert = SSL_PeerCertificate(conn->pr_fd);
+
+	status = CERT_VerifyCertificateNow((CERTCertDBHandle *) CERT_GetDefaultCertDB(), server_cert,
+									   checksig, certificateUsageSSLServer,
+									   pin, NULL);
+
+	/*
+	 * If we've already failed validation then there is no point in also
+	 * performing the hostname check for verify-full.
+	 */
+	if (status != SECSuccess)
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unable to verify certificate: %s"),
+						  pg_SSLerrmessage(PR_GetError()));
+		goto done;
+	}
+
+	if (strcmp(conn->sslmode, "verify-full") == 0)
+	{
+		server_hostname = SSL_RevealURL(conn->pr_fd);
+		if (!server_hostname || server_hostname[0] == '\0')
+			goto done;
+
+		/*
+		 * CERT_VerifyCertName will internally perform RFC 2818 SubjectAltName
+		 * verification.
+		 */
+		status = CERT_VerifyCertName(server_cert, server_hostname);
+		if (status != SECSuccess)
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("unable to verify server hostname: %s"),
+							  pg_SSLerrmessage(PR_GetError()));
+
+	}
+
+done:
+	if (server_hostname)
+		PR_Free(server_hostname);
+
+	CERT_DestroyCertificate(server_cert);
+	return status;
+}
+
+/*
+ * pg_client_auth_handler
+ *		Callback for client certificate validation
+ *
+ * The client auth callback is not on by default in NSS, so we need to invoke
+ * it ourselves to ensure we can do cert authentication. A TODO is to support
+ * running without a specified sslcert parameter. By retrieving all the certs
+ * via nickname from the cert database and see if we find one which apply with
+ * NSS_CmpCertChainWCANames() and PK11_FindKeyByAnyCert() we could support
+ * just running with a ssl database specified.
+ *
+ * For now, we use the default client certificate validation which requires a
+ * defined nickname to identify the cert in the database.
+ */
+static SECStatus
+pg_client_auth_handler(void *arg, PRFileDesc * socket, CERTDistNames * caNames,
+					   CERTCertificate * *pRetCert, SECKEYPrivateKey * *pRetKey)
+{
+	PGconn	   *conn = (PGconn *) arg;
+
+	return NSS_GetClientAuthData(conn->sslcert, socket, caNames, pRetCert, pRetKey);
+}
+
+/*
+ * pg_bad_cert_handler
+ *		Callback for failed certificate validation
+ *
+ * The TLS handshake will call this function iff the server certificate failed
+ * validation. Depending on the sslmode, we allow the connection anyways.
+ */
+static SECStatus
+pg_bad_cert_handler(void *arg, PRFileDesc * fd)
+{
+	PGconn	   *conn = (PGconn *) arg;
+	PRErrorCode err;
+
+	/*
+	 * This really shouldn't happen, as we've the the PGconn object as our
+	 * callback data, and at the callsite we know it will be populated. That
+	 * being said, the NSS code itself performs this check even when it should
+	 * not be required so let's use the same belts with our suspenders.
+	 */
+	if (!arg)
+		return SECFailure;
+
+	/*
+	 * For sslmodes other than verify-full and verify-ca we don't perform peer
+	 * validation, so return immediately.  sslmode require with a database
+	 * specified which contains a CA certificate will work like verify-ca to
+	 * be compatible with the OpenSSL implementation.
+	 */
+	if (strcmp(conn->sslmode, "require") == 0)
+	{
+		if (conn->cert_database && strlen(conn->cert_database) > 0 && cert_database_has_CA(conn))
+			return SECFailure;
+	}
+	if (conn->sslmode[0] == 'v')
+		return SECFailure;
+
+	err = PORT_GetError();
+
+	/*
+	 * TODO: these are relevant error codes that can occur in certificate
+	 * validation, figure out which we dont want for require/prefer etc.
+	 */
+	switch (err)
+	{
+		case SEC_ERROR_INVALID_AVA:
+		case SEC_ERROR_INVALID_TIME:
+		case SEC_ERROR_BAD_SIGNATURE:
+		case SEC_ERROR_EXPIRED_CERTIFICATE:
+		case SEC_ERROR_UNKNOWN_ISSUER:
+		case SEC_ERROR_UNTRUSTED_ISSUER:
+		case SEC_ERROR_UNTRUSTED_CERT:
+		case SEC_ERROR_CERT_VALID:
+		case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+		case SEC_ERROR_CRL_EXPIRED:
+		case SEC_ERROR_CRL_BAD_SIGNATURE:
+		case SEC_ERROR_EXTENSION_VALUE_INVALID:
+		case SEC_ERROR_CA_CERT_INVALID:
+		case SEC_ERROR_CERT_USAGES_INVALID:
+		case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
+			return SECSuccess;
+			break;
+		default:
+			return SECFailure;
+			break;
+	}
+
+	/* Unreachable */
+	return SECSuccess;
+}
+
+/* ------------------------------------------------------------ */
+/*					SSL information functions					*/
+/* ------------------------------------------------------------ */
+
+/*
+ * PQgetssl
+ *
+ * Return NULL as this is legacy and defined to always be equal to calling
+ * PQsslStruct(conn, "OpenSSL"); This should ideally trigger a logged warning
+ * somewhere as it's nonsensical to run in a non-OpenSSL build, but the color
+ * of said bikeshed hasn't yet been determined.
+ */
+void *
+PQgetssl(PGconn *conn)
+{
+	return NULL;
+}
+
+void *
+PQsslStruct(PGconn *conn, const char *struct_name)
+{
+	if (!conn)
+		return NULL;
+
+	/*
+	 * Return the underlying PRFileDesc which can be used to access
+	 * information on the connection details. There is no SSL context per se.
+	 */
+	if (strcmp(struct_name, "NSS") == 0)
+		return conn->pr_fd;
+	return NULL;
+}
+
+const char *const *
+PQsslAttributeNames(PGconn *conn)
+{
+	static const char *const result[] = {
+		"library",
+		"cipher",
+		"protocol",
+		"key_bits",
+		"compression",
+		NULL
+	};
+
+	return result;
+}
+
+const char *
+PQsslAttribute(PGconn *conn, const char *attribute_name)
+{
+	SECStatus	status;
+	SSLChannelInfo channel;
+	SSLCipherSuiteInfo suite;
+
+	if (!conn || !conn->pr_fd)
+		return NULL;
+
+	if (strcmp(attribute_name, "library") == 0)
+		return "NSS";
+
+	status = SSL_GetChannelInfo(conn->pr_fd, &channel, sizeof(channel));
+	if (status != SECSuccess)
+		return NULL;
+
+	status = SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite));
+	if (status != SECSuccess)
+		return NULL;
+
+	if (strcmp(attribute_name, "cipher") == 0)
+		return suite.cipherSuiteName;
+
+	if (strcmp(attribute_name, "key_bits") == 0)
+	{
+		static char key_bits_str[8];
+
+		snprintf(key_bits_str, sizeof(key_bits_str), "%i", suite.effectiveKeyBits);
+		return key_bits_str;
+	}
+
+	if (strcmp(attribute_name, "protocol") == 0)
+	{
+		switch (channel.protocolVersion)
+		{
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+			case SSL_LIBRARY_VERSION_TLS_1_3:
+				return "TLSv1.3";
+#endif
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+			case SSL_LIBRARY_VERSION_TLS_1_2:
+				return "TLSv1.2";
+#endif
+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
+			case SSL_LIBRARY_VERSION_TLS_1_1:
+				return "TLSv1.1";
+#endif
+			case SSL_LIBRARY_VERSION_TLS_1_0:
+				return "TLSv1.0";
+			default:
+				return "unknown";
+		}
+	}
+
+	/*
+	 * NSS disabled support for compression in version 3.33, and it was only
+	 * available for SSLv3 at that point anyways, so we can safely return off
+	 * here without checking.
+	 */
+	if (strcmp(attribute_name, "compression") == 0)
+		return "off";
+
+	return NULL;
+}
+
+static int
+ssl_protocol_version_to_nss(const char *protocol)
+{
+	if (pg_strcasecmp("TLSv1", protocol) == 0)
+		return SSL_LIBRARY_VERSION_TLS_1_0;
+
+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
+	if (pg_strcasecmp("TLSv1.1", protocol) == 0)
+		return SSL_LIBRARY_VERSION_TLS_1_1;
+#endif
+
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+	if (pg_strcasecmp("TLSv1.2", protocol) == 0)
+		return SSL_LIBRARY_VERSION_TLS_1_2;
+#endif
+
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+	if (pg_strcasecmp("TLSv1.3", protocol) == 0)
+		return SSL_LIBRARY_VERSION_TLS_1_3;
+#endif
+
+	return -1;
+}
+
+static bool
+cert_database_has_CA(PGconn *conn)
+{
+	CERTCertList *certificates;
+	bool		hasCA;
+
+	/*
+	 * If the certificate database has a password we must provide it, since
+	 * this API doesn't invoke the standard password callback.
+	 */
+	if (has_password)
+		certificates = PK11_ListCerts(PK11CertListCA, PQssl_passwd_cb(NULL, PR_FALSE, (void *) conn));
+	else
+		certificates = PK11_ListCerts(PK11CertListCA, NULL);
+	hasCA = !CERT_LIST_EMPTY(certificates);
+	CERT_DestroyCertList(certificates);
+
+	return hasCA;
+}
+
+PQsslKeyPassHook_nss_type
+PQgetSSLKeyPassHook_nss(void)
+{
+	return PQsslKeyPassHook;
+}
+
+void
+PQsetSSLKeyPassHook_nss(PQsslKeyPassHook_nss_type hook)
+{
+	PQsslKeyPassHook = hook;
+}
+
+/*
+ * Supply a password to decrypt a client certificate.
+ *
+ * This must match NSS type PK11PasswordFunc.
+ */
+static char *
+PQssl_passwd_cb(PK11SlotInfo * slot, PRBool retry, void *arg)
+{
+	has_password = true;
+
+	if (PQsslKeyPassHook)
+		return PQsslKeyPassHook(slot, (PRBool) retry, arg);
+	else
+		return PQdefaultSSLKeyPassHook_nss(slot, retry, arg);
+}
+
+/*
+ * The default password handler callback.
+ */
+char *
+PQdefaultSSLKeyPassHook_nss(PK11SlotInfo * slot, PRBool retry, void *arg)
+{
+	PGconn	   *conn = (PGconn *) arg;
+
+	/*
+	 * If the password didn't work the first time there is no point in
+	 * retrying as it hasn't changed.
+	 */
+	if (retry != PR_TRUE && conn->sslpassword && strlen(conn->sslpassword) > 0)
+		return PORT_Strdup(conn->sslpassword);
+
+	return NULL;
+}
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 3311fd7a5b..b6c92ece11 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -430,6 +430,9 @@ PQsslAttributeNames(PGconn *conn)
 
 	return result;
 }
+#endif /* USE_SSL */
+
+#ifndef USE_OPENSSL
 
 PQsslKeyPassHook_OpenSSL_type
 PQgetSSLKeyPassHook_OpenSSL(void)
@@ -448,7 +451,7 @@ PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
 {
 	return 0;
 }
-#endif							/* USE_SSL */
+#endif							/* USE_OPENSSL */
 
 /* Dummy version of GSSAPI information functions, when built without GSS support */
 #ifndef ENABLE_GSS
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 3b6a9fbce3..27c16e187f 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -625,6 +625,17 @@ extern PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void);
 extern void PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook);
 extern int	PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn);
 
+/* == in fe-secure-nss.c === */
+typedef struct PK11SlotInfoStr PK11SlotInfo;
+typedef int PRIntn;
+typedef PRIntn PRBool;
+
+/* Support for overriding sslpassword handling with a callback. */
+typedef char *(*PQsslKeyPassHook_nss_type) (PK11SlotInfo * slot, PRBool retry, void *arg);
+extern PQsslKeyPassHook_nss_type PQgetSSLKeyPassHook_nss(void);
+extern void PQsetSSLKeyPassHook_nss(PQsslKeyPassHook_nss_type hook);
+extern char *PQdefaultSSLKeyPassHook_nss(PK11SlotInfo * slot, PRBool retry, void *arg);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 1de91ae295..12717ca720 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -362,6 +362,7 @@ struct pg_conn
 	char	   *sslpassword;	/* client key file password */
 	char	   *sslrootcert;	/* root certificate filename */
 	char	   *sslcrl;			/* certificate revocation list filename */
+	char	   *cert_database;
 	char	   *requirepeer;	/* required peer credentials for local sockets */
 	char	   *gssencmode;		/* GSS mode (require,prefer,disable) */
 	char	   *krbsrvname;		/* Kerberos service name */
@@ -485,6 +486,10 @@ struct pg_conn
 								 * OpenSSL version changes */
 #endif
 #endif							/* USE_OPENSSL */
+
+#ifdef USE_NSS
+	void	   *pr_fd;
+#endif							/* USE_NSS */
 #endif							/* USE_SSL */
 
 #ifdef ENABLE_GSS
diff --git a/src/test/Makefile b/src/test/Makefile
index efb206aa75..d18f5a083b 100644
--- a/src/test/Makefile
+++ b/src/test/Makefile
@@ -27,7 +27,7 @@ ifneq (,$(filter ldap,$(PG_TEST_EXTRA)))
 SUBDIRS += ldap
 endif
 endif
-ifeq ($(with_openssl),yes)
+ifeq ($(with_ssl),yes)
 ifneq (,$(filter ssl,$(PG_TEST_EXTRA)))
 SUBDIRS += ssl
 endif
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 777ee39413..fe265e2dbd 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -14,6 +14,7 @@ top_builddir = ../../..
 include $(top_builddir)/src/Makefile.global
 
 export with_openssl
+export with_nss
 
 CERTIFICATES := server_ca server-cn-and-alt-names \
 	server-cn-only server-single-alt-name server-multiple-alt-names \
@@ -30,6 +31,32 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
 	ssl/client+client_ca.crt ssl/client-der.key \
 	ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
 
+# Even though we in practice could get away with far fewer NSS databases, they
+# are generated to mimick the setup for the OpenSSL tests in order to ensure
+# we isolate the same behavior between the backends. The database name should
+# contain the files included for easier test suite code reading.
+NSSFILES := ssl/nss/client_ca.crt.db \
+	ssl/nss/server_ca.crt.db \
+	ssl/nss/root+server_ca.crt.db \
+	ssl/nss/root+client_ca.crt.db \
+	ssl/nss/client.crt__client.key.db \
+	ssl/nss/client-revoked.crt__client-revoked.key.db \
+	ssl/nss/server-cn-only.crt__server-password.key.db \
+	ssl/nss/server-cn-only.crt__server-cn-only.key.db \
+	ssl/nss/root.crl \
+	ssl/nss/server.crl \
+	ssl/nss/client.crl \
+	ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db \
+	ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db \
+	ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db \
+	ssl/nss/server-no-names.crt__server-no-names.key.db \
+	ssl/nss/server-revoked.crt__server-revoked.key.db \
+	ssl/nss/root+client.crl \
+	ssl/nss/client+client_ca.crt__client.key.db \
+	ssl/nss/client.crt__client-encrypted-pem.key.db \
+	ssl/nss/root+server_ca.crt__server.crl.db \
+	ssl/nss/root+server_ca.crt__root+server.crl.db
+
 # This target re-generates all the key and certificate files. Usually we just
 # use the ones that are committed to the tree without rebuilding them.
 #
@@ -37,6 +64,10 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
 #
 sslfiles: $(SSLFILES)
 
+# Generate NSS certificate databases corresponding to the OpenSSL certificates.
+# This target will fail unless preceded by nssfiles-clean.
+nssfiles: $(NSSFILES)
+
 # OpenSSL requires a directory to put all generated certificates in. We don't
 # use this for anything, but we need a location.
 ssl/new_certs_dir:
@@ -64,6 +95,24 @@ ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
 	rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
 	echo "01" > ssl/$*_ca.srl
 
+ssl/nss/%_ca.crt.db: ssl/%_ca.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n $*_ca.crt -i ssl/$*_ca.crt -t "CT,C,C"
+
+ssl/nss/root+server_ca.crt__server.crl.db: ssl/root+server_ca.crt ssl/nss/server.crl
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+	crlutil -I -i ssl/nss/server.crl -d $@ -B
+
+ssl/nss/root+server_ca.crt__root+server.crl.db: ssl/root+server_ca.crt ssl/nss/root.crl ssl/nss/server.crl
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+	crlutil -I -i ssl/nss/root.crl -d $@ -B
+	crlutil -I -i ssl/nss/server.crl -d $@ -B
+
 # Server certificates, signed by server CA:
 ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
 	openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
@@ -77,6 +126,74 @@ ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.
 	openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt  -extensions v3_req -extfile server-cn-only.config
 	rm ssl/server-ss.csr
 
+ssl/nss/server-cn-only.crt__server-password.key.db: ssl/server-cn-only.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/server-password.pfx -inkey ssl/server-password.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passin 'pass:secret1' -passout pass:
+	pk12util -i ssl/nss/server-password.pfx -d $@ -W ''
+
+ssl/nss/server-cn-only.crt__server-cn-only.key.db: ssl/server-cn-only.crt ssl/server-cn-only.key
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/server-cn-only.pfx -inkey ssl/server-cn-only.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passout pass:
+	pk12util -i ssl/nss/server-cn-only.pfx -d $@ -W ''
+
+ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db: ssl/server-multiple-alt-names.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/server-multiple-alt-names.crt -i ssl/server-multiple-alt-names.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/server-multiple-alt-names.pfx -inkey ssl/server-multiple-alt-names.key -in ssl/server-multiple-alt-names.crt -certfile ssl/server-multiple-alt-names.crt -passout pass:
+	pk12util -i ssl/nss/server-multiple-alt-names.pfx -d $@ -W ''
+
+ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db: ssl/server-single-alt-name.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/server-single-alt-name.crt -i ssl/server-single-alt-name.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/server-single-alt-name.pfx -inkey ssl/server-single-alt-name.key -in ssl/server-single-alt-name.crt -certfile ssl/server-single-alt-name.crt -passout pass:
+	pk12util -i ssl/nss/server-single-alt-name.pfx -d $@ -W ''
+
+ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db: ssl/server-cn-and-alt-names.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/server-cn-and-alt-names.crt -i ssl/server-cn-and-alt-names.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/server-cn-and-alt-names.pfx -inkey ssl/server-cn-and-alt-names.key -in ssl/server-cn-and-alt-names.crt -certfile ssl/server-cn-and-alt-names.crt -passout pass:
+	pk12util -i ssl/nss/server-cn-and-alt-names.pfx -d $@ -W ''
+
+ssl/nss/server-no-names.crt__server-no-names.key.db: ssl/server-no-names.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/server-no-names.crt -i ssl/server-no-names.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/server-no-names.pfx -inkey ssl/server-no-names.key -in ssl/server-no-names.crt -certfile ssl/server-no-names.crt -passout pass:
+	pk12util -i ssl/nss/server-no-names.pfx -d $@ -W ''
+
+ssl/nss/server-revoked.crt__server-revoked.key.db: ssl/server-revoked.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/server-revoked.crt -i ssl/server-revoked.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/server-revoked.pfx -inkey ssl/server-revoked.key -in ssl/server-revoked.crt -certfile ssl/server-revoked.crt -passout pass:
+	pk12util -i ssl/nss/server-revoked.pfx -d $@ -W ''
+
 # Password-protected version of server-cn-only.key
 ssl/server-password.key: ssl/server-cn-only.key
 	openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
@@ -88,6 +205,27 @@ ssl/client.crt: ssl/client.key ssl/client_ca.crt
 	openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
 	rm ssl/client.csr ssl/temp.crt
 
+# Client certificate, signed by client CA
+ssl/nss/client.crt__client.key.db: ssl/client.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/client.crt -i ssl/client.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root+client_ca.crt -i ssl/root+client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/client.pfx -inkey ssl/client.key -in ssl/client.crt -certfile ssl/client_ca.crt -passout pass:
+	pk12util -i ssl/nss/client.pfx -d $@ -W ''
+
+# Client certificate with encrypted key, signed by client CA
+ssl/nss/client.crt__client-encrypted-pem.key.db: ssl/client.crt
+	$(MKDIR_P) $@
+	echo 'dUmmyP^#+' > $@.pass
+	certutil -d "sql:$@" -N -f $@.pass
+	certutil -d "sql:$@" -A -f $@.pass -n ssl/client.crt -i ssl/client.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -f $@.pass -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -f $@.pass -n root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/client-encrypted-pem.pfx -inkey ssl/client-encrypted-pem.key -in ssl/client.crt -certfile ssl/client_ca.crt -passin pass:'dUmmyP^#+' -passout pass:'dUmmyP^#+'
+	pk12util -i ssl/nss/client-encrypted-pem.pfx -d $@ -W 'dUmmyP^#+' -k $@.pass
+
 # Another client certificate, signed by the client CA. This one is revoked.
 ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
 	openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
@@ -95,6 +233,14 @@ ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
 	openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
 	rm ssl/client-revoked.csr ssl/temp.crt
 
+ssl/nss/client-revoked.crt__client-revoked.key.db: ssl/client-revoked.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/client-revoked.crt -i ssl/client-revoked.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n client_ca.crt -i ssl/client_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/client-revoked.pfx -inkey ssl/client-revoked.key -in ssl/client-revoked.crt -certfile ssl/client_ca.crt -passout pass:
+	pk12util -i ssl/nss/client-revoked.pfx -d $@ -W ''
+
 # Convert the key to DER, to test our behaviour there too
 ssl/client-der.key: ssl/client.key
 	openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
@@ -127,19 +273,40 @@ ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
 ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
 	cat $^ > $@
 
+# Client certificate, signed by client CA
+ssl/nss/client+client_ca.crt__client.key.db: ssl/client+client_ca.crt
+	$(MKDIR_P) $@
+	certutil -d "sql:$@" -N --empty-password
+	certutil -d "sql:$@" -A -n ssl/client+client_ca.crt -i ssl/client+client_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n ssl/root+server_ca.crt -i ssl/root+server_ca.crt -t "CT,C,C"
+	openssl pkcs12 -export -out ssl/nss/client.pfx -inkey ssl/client.key -in ssl/client.crt -certfile ssl/client_ca.crt -passout pass:
+	pk12util -i ssl/nss/client.pfx -d $@ -W ''
+
 #### CRLs
 
 ssl/client.crl: ssl/client-revoked.crt
 	openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
 	openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
 
+ssl/nss/client.crl: ssl/client.crl
+	openssl crl -in $^ -outform der -out $@
+
 ssl/server.crl: ssl/server-revoked.crt
 	openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
 	openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
 
+ssl/nss/server.crl: ssl/server.crl
+	openssl crl -in $^ -outform der -out $@
+
 ssl/root.crl: ssl/root_ca.crt
 	openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
 
+ssl/nss/root.crl: ssl/root.crl
+	openssl crl -in $^ -outform der -out $@
+
+ssl/nss/root+client.crl: ssl/root+client.crl
+	openssl crl -in $^ -outform der -out $@
+
 # If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
 # chain, even if some of them are empty.
 ssl/root+server.crl: ssl/root.crl ssl/server.crl
@@ -151,9 +318,14 @@ ssl/root+client.crl: ssl/root.crl ssl/client.crl
 sslfiles-clean:
 	rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
 
+.PHONY: nssfiles-clean
+nssfiles-clean:
+	rm -rf ssl/nss
+
 clean distclean maintainer-clean:
 	rm -rf tmp_check
 	rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
+	rm -rf ssl/nss
 
 # Doesn't depend on $(SSLFILES) because we don't rebuild them by default
 check:
diff --git a/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..e8d1510529438b26c31e0880163aa391bd1870d0
GIT binary patch
literal 36864
zcmeI53tSUN9>;g{B0Rz(pdea^ih_W;c|mxnJVXjc3=dIM#1J9|fmo6t*cK(C_-IA&
zd>vW@v{=DHMFd|}u7%duS*=*LQn6agDTRuy;;Y`wCLmJnohR4NT{{cA`=6be-_Cq@
z_MgmTHi-z6C^ZW1TvckaOv4pm78s6WzFaPbVQjD(gSBg60)x>N0DHWL{UVc%jV8S~
zL?^~F`2{mGChAQaOqZDYf&f|&0Ym^1Km-s0L;w*$1Q3DWoq#WkWn<%jM=Mj}73uQ%
zGG%;<S}oPaB`M`b0pWpuk%8Rc&<TOlxl|l?N+`EGp6e{*k^GV4n3Td)N+C%Wr%38f
z!Foo4itDW)7&(E#vKi!n$58pz+PFl8T+^+<d`7_#+gpQ2@<#g6SvCW^>Y-GtwTjek
z5ymqj`pDiIV&2FcPu$4H!2w_6r;)`aDY~<F8#IGXq@TYeuqOv)JXabXJlQWinmZ{l
znmaW#IBaSlJVU^g(20`ZfJm;N|CI1ZH?E8XD-W!EunM3}9e_u8@Q@e=#V{zQf-s3#
z2sa|QafcfZxDmsRC)~*3CJt;oDJfFFr4&i1!6WtOfhs%_%J4|2!y};(kAzA*5=!w%
zsKq0p7>|_0t)Y1O@=?lsy-g|eDP=yT%%_z3lro=E=2OZ7DwlxDC7^N%s9XXnmpc{f
zPQ|)YvF=o?yFQlEbf+{usFV~R9tDU`)s#=dynL#re5$lU5-fZkJZvzbu7FA{pi&E{
z)F6^dqE86Z2q{uR5}sQ~krGm*gw$Du)LDhpbrDf{MU<L|QWH^m<qDBNC=fwOg9&vF
zCajpjgl90Au!;r~*3)1@fCdv%)SDC(gZVTYg~xF8X*Tz+Z0=8s1I(`C0JEz&!0ajx
zFuQbt*;O21cIg7Mhc0Y0@WkLKY&ZrJwjP5Cn~=ebe`+e8nsd8Nsv+pp#yu@g94t<}
zNJhrTQN+dY+L9D@m{uror`j#wb0m+(vI%s+F})LcBMJ2AV`W;6iVDYe-@&oGZj%mN
zE$rW8uv3o{520zS-$4^ChyWsh2p|H803v`0AOeU0B7g`W0*C-2@W&y*W}1M?u!s{F
z(MhxuH;5+U90;HV5kLeG0Ym^1Km-s0L;w*$1P}p401-e0{#OaG=?t7Xcn*zaFmNVi
z3~DlB7z`F&Z>Yj(Ms$WTbC60(_5aP+V&)f!;pR=|Yl#{n`G2*7s9cBuB7g`W0*C-2
zfCwN0hyWsh2p|G~90Ea%EDN0U<&7hKSoEn3x|t|aq1JFyRVocPzz;sB&XuavnuJtE
zM3{sd5h3BGDnLN3R;p6C8kkhA1=HVI3_6B0`$&w@M>_OiMwT^B`ty9rar(-6P?h`l
z>LpK7DpE9Dxgu4gro9f7jQc`K|M|Z!MqDBCiR;8h!k1X}$7xNdCWrtcfCwN0hyWsh
z2p|H803v`0AOeU$-w^1tE<MYLZi(-}W-#H%MW2m0Krz}Nx{onAfM-ow>PH<+)#@ZT
zRH9WYQuY0REk<ZT@4t??OzbB<>Kigh1rb055CKF05kLeG0Ym^1Km-s0L;w-^lN0c!
zFT(%BPyV}y2@Jyp3_H3Q2mSdmaE62{=+LJrQe)+^(ehLc-H?Rp|HCBu83eBSogtCF
z|Gy3+t`YUbaiWDNC)WMRuMVm{B7g`W0*C-2fCwN0hyWsh2p|H803z^v5U`~S@kkZ#
z+Odq2p~{9I8a`ms!Y+q@oW_C?zB_MU4EWe2LlT7>iQYS2$69kDP(Nh=#<I#KQv&>4
z`nLwsKDo)>`S^`@<Z3!K2f&6dG=5%Q4yX~6ehD+PGwshRVZIAYv>*bA!2dmgr6e<*
zVQp@1*}EpzmO{)N{9%|mh_%c%!+Is5qI&0gnK1Yk68PhwG#mpHnqWq-d!F;b!2;vJ
z|K8QxMi+G)^<^A!jJB=!&ATW%Iby$cRIb=hX3sS%#X~K!hF*2Oes@BC;P)faH##pI
zmE?Abx$E3fRl)RmUaTQevFg*;8&qy7pMLrzHMH{DLiX_zPh)mtehFuYR(Gi(WbSUA
zS2;gpigYv6@{_9r%-@~-I69mc=l5OqhEWc_TaT=3J2@<SZ%s&mV}8_!Md=$$^L6d6
zm3B6>-l`Q>3T}?AsZe_MFYt1BFpry?v9cn&qu-&BJ#%>#K3liPl+^~!JmsG7!Gz_S
zDB<|sX7heHvtixh!I`F3>EYr*DN9$b{HY@^?Ak#x?5l4DZVP!uYgdn-HcWYLmtfq?
zzYmSDJ99^lgP&8ybyke0mn_Rd{4&hJ)qJVs)?k4d%!O`n#{^#!^Y@5=2<m#g`tx@*
zYYVoGQ)j^^+Z!i`IR90e<nvi$Xao+<5Z-geCOOYlezUYjwRK`s_`;gJBm7&+feB7K
z-%o7g<u&YHGI5&7CSZk%z6dsCG4_rWvwjv!mW2?O{x_GG<I+nCaAAQ%pq)N{ke$@g
z?MWStwT({0Y0s}U$zd70EPs9ZJr0hWGO<^OOWNCTz|TPO_#Qj~_^Br03>%KnofPtf
zhF~9@L5C0RS!|q%(RDb1kviOjrUNkcy>-506=U-oI-k+*x&y6i*jAUXyuR<J^t9##
z)*GBzO`E2b;C7#_S9)~*?Vzaa;e@>_?={&KynRPiNRuq|mMv4Twt9CyGL7~5-~;6l
z*#pOOH*9mA|5h$--Q!_AEIrJ4-GtMvww0>g+GQ&rFsAr^SC})=!8@@&YXO_AU3PQU
zhEtDci%+k4cUAr4)~dQHyAi>x`9JdG%kR}~$}M~S%l*2>O_^q{Rk&BZL&$u5&*GLG
zNB;o9xZ;>G{xe+<On-FX_`I!FpX6L@ZvHXD)45;!`JtOx3Am%c$@VXYj?&AE?~f_2
z9Al|CbzoD_#QU3S-*O&Y=O15mnSJ-oIPZknSG6THI=Ed+EJ$<G49ux~&5FS!={WwR
zCo^!V0W%z%M0(RUw7D!EzIOCaHyM+z?5nxrcroGlwS=66L#~M}|43fH<k*iZn~KjC
zxV>#D_2qqd&u)NvR4eoG4x77`b3&4H1!}w8%oBH}w#@k~%dT;NW98J^oNun>MpaKJ
z+b$`~7W)m|acDtF$cg&Sc5Uh1)m~e&3ry|Kw=7s5d#3VHn)|1B1*_NDx6V84vvUl?
zq~`H~ukGLb_Lxb%ZPEqX&vm1$M(>HrSoUa1)jjQ~!fEWl2b(LRB^Q?Ob9*wI<5|4l
zVeZ2_g1qahLwPM*E}e1An58qFK6pt*oXe1Vok!hlM${D+O%BS9DzD9M&T{(ZzH#~$
z=ZJK2JEm=3Xwf#CxrE*XZ>U#qkuSKlUj0Gg=e%Rabu?NJKWyFW<*}EC_*L-b{LQcY
zuqy1SAMT4sg~4lVPnQdAjCH9^ThG=xKMEROR+qtVKPl_ybL?}IYU0|VeGHw~Yh~Uu
zF6PMb4Cr=!u+?tB?LI@n=fCcCRZ_s!;B}w(xh3$qCxJKGOT+PAH(g&m72V6jik|hb
zq8TrmO$|!)+kW%U{x*m5o4qa=<s}Dm6O&p7wgwI4+&C^<TC}Q$Y%h(o{`}VdqGlsa
z{+HMDqO*&uvdK=DVHNkaRhosCw3yrcZ7y4;g-cx1KK^Rlhm*x`4v%uAbu8XROxfMP
zuz;y7SA=ph_oYeLZd(W|ul1)N6u;G6y6xQbM8O6|QTheiv69GkZA9(ouRS>Z#qRfl
zOb(m-u<j}2r6+2qDz25T_+r|Osw3=C`E`#3Z6c4fj-%08obbB}tN4TV8dhr9is6SJ
z?Ua`8x|Oe!A3iqrr_svF(zmaFf3L#hD~|8UNcEDUIV1j>bai9cwqOsw@0>bodxxE!
zRn68h#YVxaTcy^k3a9N66nh)Frra|7h1dtZNME#Ect5;gs{eD}fy4ekZkmgMf3zS1
zhyWsh2p|H803v`0AOeWM?@M4s3X2-+T!g(d8jf}L9D2yI{%`lX!Iy`F>VjVPe>gcA
z42E(*7x-uWU?@)O)zN$PQJ{a>FYki^lYiNVKlr_U$9_)cl8RxCB?ky)!|~*gE?iAm
z?X4)ZC)O)Atm<%$o0WRYVn}9nOfLKK4f!asOQTD4l4eZ)xuBcIe`))wg?Ywl;&*jz
zPVvc0R}HP)yX@;^)i3i2@fUWDUly43FLyG2?@slM0egNiN-Ey*bM;t><mV5cl*al`
zu%QQhdurwlW*OGcXh=iZEQiFi>g}hkV%j%aYGP-e-8epN|G4do7TuP5i!b9()-tvZ
z!GdC>;+Q$U1yx~Xw2iG63sUOR3N%AH&yQt3k!;C3k*ZCo+o+hixv4d?PGavd`~FZ_
z+2CEbZ1cwy$_woWy39}bIdYBcqxTt3ep=nZKo6(krjK7@?9;v~r(?l`rkbx~gj2ld
zx6|f1FQ$)~o)D7!P20+?xq&-IKHOaAwY2tR-Q`SE&yi>8lWj_eVYW2?TaNNc$CDpy
zx^TT<QStR%i_1A>!OPByS8!TH>u$emDc<(k5A4wQKV9#i(PA`mo0ZHPlZzb#b95<t
z@-FVwHcQW2Svt|yS7)x@;!NsH8rzo11_bOpG3j9@t9mVMXkx|0fcuFv)-J6LmYz~4
ziDEC67RYlPLfXvV_CDZczN-8P?cn=2gA#V1srWMGLXdo{)YiRUQRLb2t2b;@Ng6k_
z((j(KO4yaUci8>2>9ja@MZ@rp#2-s;M~8IUyB(9tt2sxj={07D{r#cyc=c8fK3V9C
Lp@HYkDZu{;Ke*53

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..44e6fcf5307a8b2e6cbf9878b157d7cb3e3a3f25
GIT binary patch
literal 36864
zcmeI5eLPeB|Hn78&9F@rDKaaS3ptx@Zp&R1LWB}s+88YoHjQo#xk(8XQYl@!AtIED
zQf{h?N_ADbQ<1J*b;*}Ys8qk5Gk&h?TaD}Y-*x>y$M!kzbKalN>%2bCbA0CPJe;${
zZ4pnvr39{xSi=@jj8IA_G#X_^p`cJG!th%>LnfTKlpT)Y8TwE0_d)_{4rE3o52EDc
z-BF6N<T`~K1)%~{zDM3&{?hjvf%Sj@AOHve0)PM@00;mA|0Dt-c)XgXCR(H?U~@va
zYq$dTe71l+GMBS;x3l)Jqj*@`EV84FtfkE61yB~dJ2+drdsCe3yeXb84sM=y6jv9D
zt*eXuA_rR!io4z7Mb@@<`V{fst7~YI8C};<4yR_TiAM241GrKA@DOp*j~yvki!A$%
z==;$|B7zMLr>3Tj_CYH62eWwrp?v=02;MrjfQuhC=ioBmZW#qh!WKp=P-e4f5M9>_
zi)buGG(y-MZpdgA++Q@1<X0L-y7sa-wW-=@KZ)%~&T6i|U{nM97Y)87{gnz0qUqXV
zaBAu!z2Wisk=%$;8QH(cNU~q4n9y_+Ezo#1ZEbX_Ewal-1x6#8VJXRO8(lx19cOLh
z>h7UWVMF4#c)zjf;<phTBP-xFG<cN>yl4V1njnjC6%z(rFyVp)7sha50vD!m!G;Tt
zxG+VeAW4ZRLa+u6l57W7p+T?=4T5!O5G+K4U?my^OVJ=$iw41BG{_$=hwVxHA<A?~
zj40C)WjdlvN0jM^G96K-Bg#fdD<h<p5z@*CX=Q}8Vj)=;l4T)T7LsL2vWO-N(KJSC
zB7A5FAUe`hIs~_+BR!=fZW)kxqSN5j!y&9|gw!@dY8xT7#Yv=!q#|60fskTA@U|HU
zDF#A{fozq5Y?XoR7ben{iKsCVH73&5pUX627%^eV;Skmx4&jashwv7LL%55>A>7a5
z5C%9L!W1PT0%bTHZHC|(UOU>1HPVbVYDXN7*b#>#cEsU`9dS6KD-K8Oh{F+Garh@)
z_?Uq=EM5yAIKv@)^bCjaAv7EYjE3CNFz|mv<Uo+r<&4_lz;*(dY$$+(5I2GMErei)
z>oSa3$Z<<I)isjAsV&g{-ViwYyXr?9jWOa+6gl`)g(!Zb<?K=77nlG6KmZT`1ONd*
z01)^a1a=yux5!Q;ku3hZ%|r_Z2_^m^kx(d-vU0p4N_i_PcH_v;aCLDSuJwPM#G)t^
zR%0dH9D_#l`5}h>Av|uVKu<FB^JmZTj}X9VNR>7bQpRCCWig5h;)((;Ul7UXMpzy1
zd1!l4K6;TC8qdsayo^h2vO~iY>IiDN_*Ic|Xii@5B`evQ8Qzl{tkNGcug^R;(QBuP
zHG3LG@fg}gNknba>*$}KVfSigRMu>vL5Th%Y~kHYYxgZ%WroxC^5ZvmTv@9hT3`Pq
z!lm?uP_FSOQ-a*RjGu_wk+F}iI0hESnibKbT^H}gD%Z8Cl6E+M@^+_jtY5}w8faM^
zsM+=Q`t<mUN=Mrn8D1yzqOy)<#CGeIPEqsSc-ExU==I#n5}xU#eP&u8R#A3FCzr(c
zPN;S)3#64;9LQgB;_L#S8?2y$`3V9qhGnths;=9ayS8X-R#1s@H<=n5mz><!o9_0a
z3UX^{H_{i<^3qZ)mrm#1Ei{_vbCbGc%I!b=(I_+&i)KNyaSA^qEKC?6q7|`d45ThQ
zQN?Ll)%z>fs|Ti<Oz+6ndcAc?&NLY`S~eCfSKDC5_}y&s(j>(NpBgs&=5<6X^e%Hl
zU@fiI#CprQfe$)nC3_59N{()}HNCpIfK|=MJSQ95IftgH5}Zvgoo=pUCFW@BpOM9!
z;@QTu2)KLHA1veE5+vm%Wp!aZ58zGC-#cir^KRLmrcdZ<POFB-gzb)wTQY7ecXVzm
zxrX1aqd947HR>(1%=q#8k0&O#7(BUJ{wi_efvm*-s4Jn^9e4Jxd+APpR8}*&w|eQG
z_BK4OZu8#5*@Fba&bJ!*zs33Q?+fY}RI@&AxvYVw8SWD&*!b&D_w1@?Ow)R)y0aaV
zt4VVU^2VQuxqZ1eEA4ajdScXLpI2VJzfr1k$sbobzuB+Cc)rQE91@-W1~{7c#eHD~
zEg4G#-I?euJFei3b8s*?QPLAR?{)pN((SER*j*Utr6^$svEerdS9@hrrdeXo-9<k<
zTWi_wap?1@!sv=ROXeHudz7P_eyd*GH1o!0r_W0TM(fgsmNq367qj9Ine3}B5!^k3
zcSx<ZS#!W9{?x&l-RjZxelje3ji({4ALr@~Ogf+}QrmdQ^FwZIWpTEApl#YYy$@0P
zkH76ZRc^X^`;1S)i8p;evOd>0XIss`BJsWBY-gLL=zRO6CEdBDr;eQU4W_xN40g$x
zU-hVRGlO>fgzRLL&3r7MHnGBK?Yg}cEBEh^iBEc>z;0YzK6KPPO*!tJ4`FdiPwH`Z
zPO`zPeu5u=+O73demU`0*TJdy$UDFH_pPf^jq|92DEsxM_hjN%1s50U*Jaq5S<gM!
zczAAgr!3`2p{?V$eZO>yX_-;9uyf7Y@Jjm)>&Z6;chyULYbQSK&OJZ3&Li|xuqy8;
z^En~NK^VXFQ`(K}r9uY{t=2b#(QOwsqjv{($<$p44LFixuGGu!SWtaI*1qYL9a`vd
zsSLI8ou}o+mV)esg7W<8gr~a~X8js`>}_ZgdVX-6m7d-8A7YDAg(b%nHT|3H3U;U2
zy}i+OZE)_alRul1K8lXc>s|D&@!P)9$-ey_&-SOdYMRV0zwwN^VEv&t65sn~%#FXG
z@}Gqq59Uc1bbG*MVSYt%PNB&wXN^ZHLLqVOyIb#<a95pJXy1~pq~PZ{H)uw7u7gi~
z2730vzLq%;yN-9aT+q(i8Sa(O^YZevtrPCEbGK+%e)K$Qz?H&RAnkqGHn8oCxlTG^
z=FTFUX$^V?$vPIznhC1j>6d~guk-DwN#9FZ`JZq57OHqR&8cv2J{0G3=SBo;k~)8m
zp2RoaFqWLBLtSnYbT=;DKe!+Lc|dMc@rC@`r#N$}FFy^byIP`m)b00cTADKYoJ}e|
zF?O`FF5=G&(>WKN`(%YfmkqBz&&aL(u!EUv81kh`S7F(!dQFX$7E`^40!xYB26wji
zq&QS|O$|%t*~gomp<atT{6n@y))M`WmB}}{9PjY9xA%lEyW|L8zefLmAKB$$2;%GW
z;un|z0YCr{00aO5KmZT`1ONd*01yBK00BVYUq%3rktM+2nM=<9hfw69e_01XcK`uE
z01yBK00BS%5C8-K0YCr{00aO5KmZ|t!Jr6|^ZyPMxdT7}1ONd*01yBK00BS%5C8-K
z0YCr{00aPme=>oo7z@Jp{__o-|NoQsEbtBp00MvjAOHve0)PM@00;mAfB+x>2#gYd
z&;P%7R~*Ute<zCEIa(h?fB+x>2mk_r03ZMe00MvjAOHve0)PM@@XsWmhG7uCb(dTC
z{{Jencog{{=>y4=SV~k-3{<$Rpdl|L+#wjqCE;J-=i&BZ-(lTki^SEy1PA~E|2_gD
zstVRRRvE?T1^M}NBLsdBljhG7KW@ZN^3)MJ9TLSrzBt10?VqtE$Q804T~ve^vXl#5
zsp)l}ooVS0y$+e*oXTFM$yNLCuAs~Fx%z^~Jk~|=?O$ck6i6N?CsC0h{5h7Te0*Yd
zYmZ;Dle^~RFZowvR10r4b?<4-IZ4W|-ZigP`H+aJEZrnD4wG+Vo~?-KH97h;)RpXT
zmRRF-bg-_1*h+je3vW0#K=bHWCbzHgSaK>nqu#Hh*rWDvLNwt`aPZ!H$KE7g;r$V2
ztE(o`o`AI+CK=3)9svpc9gwFVd7SWk)8{EaZwGs8O;~GBy$)Y-smt}q1j7pojd4rH
z@;GGEHS75-;{6*hF3++K+~X+s?8lr->QP5<hEWtHkAoT_Z6&E5$HURn_L`NoJ-(sa
zV?FmwSa|_)onX())Qfay^U{ixki49+JR0{9JA%vqC@2*=7*4iYzOq!N&CBao<1n6=
z|9t%*=UNe!{MF9p1O!0F;^Px}?vCj=cD8UkFC`q;IM9ATuZHx4_4|f-4|=jvGSeSE
z++ZKE02Mlx$<_DcrrJlx_@wXaUAusoqSCh}Y1yN)EezGrOREjIs`o`yl5~?M<1pEt
zJaEp3;P|RDu!yp*xRXTIQSH0&_(%0cH?3|PKC;Xh%Vd4BYOjOOu4VZaM;HwIr={;|
zcjw+uoGlYsXx$ZS>*Oh-5~Z5tFvnpsE77Y(O=j-EEX6<6=bXQE;JnM=IzRtkod_=F
z<$Dsp+!@QHAgom2+qSbJt6zug_$w>>^{T9kuiGa+ZHg*Vu6)?<A)+cuHOb_R!{n6a
zYV590y*EpCb&*wYnUfmz2PO#}pKTO=n3SrHt=c-4$!W9B3SOx+k~j3!T-#VM>+=KG
zW2&iF(q}dd9O5k7t)3>LDo8cSVT{9MCPuThRe0E{^x*E~U%HtuON(BpZ@wJ#xN!Z#
zf?sSO)Q)A+EAc|wW`}sYw9J<QF5zcyolGElHz^<TWe1-=hJMUQ7E$G;niM}$YV4uB
zd+0|MwB|XTa(u?%-WHG0Hcse3byd}BjyAz_o3TapSSD|0&folu>swQLwSUUb7hXps
zpU$$%yc4XEWUiO*7_nSUL?uWyDgNjg+vIDHh>|HaKd<(v+o<@uR|%tq6P5<F@fRkw
zPLH#Bc(s2llif{`vD_cRc+0&#-0lktN;9tOlBWAAJ}LW8&eRu9D>jL!a$lQd1u|)W
zX9%h^j&tf>@l3&OUrp(X6urVK3R;0t{@(t#P;)E%5R^HVNy{hP$G`v4JN4w-r8fD_
z$9*^5>O7M7`9N;u(0zPtquT=!6))Z7c!r=^{oZA_>`Sb#hB_adnD6GJ^dP$Oxy`vH
zCl>3J-XGF`KbFbmHJ4GUE8l3J3a*;LrZ6-cn&+8)GT7U7yy#9$C+*^Zh>DYHa$G~u
zBlPZ1I`niO_qx{s4~i>X1GG-_qOY}A^(>su>dYxpAIs#T_Wr)ryUQ7JS%+&+1Z~>m
z_oQ>Vwv(lPa?VTQ-QwmN5fv-d<hX{QeW4AC*Pov(s4m#HD4qEs(Ii^q1L+0-ZA6*h
z>)+HP;9K`g{Tt}hgq8O*<W#OHO^b`&!1gPwvdy$A)yuhE^SC~*YjUwbM3t3la$G}D
zIZAa9r_=w0NEd`J3x08SW?!SF^LvVYgAG13XUqD7W0}Nw`NWt9*BW@M2vyiu<FE#S
zD!V(ID%DUgKHn|p7lw(b7^x=5H3W6==|xnh8MGO<=E>^2Yc<`&5`JXUd#;>VmocG;
zo5L8(WMajBtpAT?+d3k<7{Sf1x*bVFU(`RHc~se`P<C%h%M%e*Mykni4M8Xy%IZmB
zHcTk;;I=$QShlWQZL`e+Z0?n{Un-ppA<|eTV<UU=V~S1hPI5C2pW~J{E4%KF`Kzes
z*>TkUt}6cT-uj`jnhcR#7@N-*u8j!r+2;AvgOhW4%?TaTp5!OEo&QCP2U&dM=^|b!
zc$5=l{P~wYf?Lwdik7GEeDuX$WR*hYNFSq5Dx_Y{Erss=<ZcUJ|5qViLy`N)X5^{l
zGvp}pJ#rS=o5UvBkXlIxNkgQIq!{8W;x*C?67Ju3;sbgF2mk_r03ZMe00MvjAOHve
z0)W6jjleXFHTwG(Z&akFA!SXBCDQtv7c3@7%R);3E&bOo>B&;lCM0QT4wEP?&EzOb
zOLG_s($Y+}ytFh6B7Bwp%U6GLQqv}QX=x4<CoRq7V5Oxw3|VPuCL1Fy&4OeUFq(vs
HZxsFqjRv_Z

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt
new file mode 100644
index 0000000000..dfffe92b90
--- /dev/null
+++ b/src/test/ssl/ssl/nss/client+client_ca.crt__client.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client+client_ca.crt__client.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client-encrypted-pem.pfx b/src/test/ssl/ssl/nss/client-encrypted-pem.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..4472d88ab737eb98c25d0e5fdc5124533529089d
GIT binary patch
literal 3149
zcmV-T46^euf(%Il0Ru3C3=akgDuzgg_YDCD0ic2m00e>y{4jzG_%MP7uLcP!hDe6@
z4FLxRpn?XVFoFi00s#Opf(Dfa2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=IP{-*
z#)COp0s;sCfPw~STTR2AUN(TR@e}irSrg+jFPGMiP1ZGpyd;q;BMPI3$9Krg)X!um
z`khhz>9rQ&a*kJaVc@P>Ns^(jT@{XW76`|$Pu3Iujd=Mfkz^ftx+kYt4WK||5XqYx
z-I(7W_H|4wSQ281C*i+CNxZfR%Z6hp>`XCjW>{++4$OwmduI3&R`6M7LDkrVN#@$x
zzdDolx*k=Nao^uDDz@)A3SZZVp%4NYVBk*kSKV_CNC${;RoX6pRJ$tk{iJ7Q2Q-P#
zb%X=@tf3CE{-izkF8SsK>HL5BK>|GXj&jW+Y^s2A?92XG)!+rAG@Z}zxe@qGI^Ve&
z*_7oe#cOsIPG<B9C^V#Y(KB~7M3Pk^<3#Jvjyo}`#7c|2?Uh@uM09Yt0WapDu|3Y0
z@oDlgMiiec!xRux#(03ujC9v9By9WBGe2J%+o1_2LJad?+ItJ8iS$-%se=Lf+59sr
zd2pwygVkuvQ0bOZ7{{6$k^Ivj;K!2buOo%m)W06;iQbe%$lR}-Q_C7mn2*eMd$08<
zdWvg%VY6m4FcYc|o!&73hnVI{zvi2mf-R=0Ev2teQeGJE16gd%wa9Rhc^UQ6lPN=x
z5r+bV+Q}f{KDs(fD6G4%F4oJwSNzbeyiJ|9fnj9U-R0`ypSWI>h!BP?Z^*eSszKv4
zU;LMlWasUx3?n_pi6Qb^mZ+p<I2z~+)~nhzL^2BTCYtD(ZBBdM+7J7DdV;EF3enJ-
z4<xgh(ji<DVHjF~0op)qp6+Ra(Tiu#=*$uf&|pl$G=8S)cf(H`tc+Lc#r<n`t%EFy
z7$|Sb=^gaSG($Qqm!2W#^HM7Cp+}F~lBW};<mSy?ec2XZSg;nv408CmB7!l|y1`OR
zPgt$X5g<v7G`}mR|B&vb%VrC7XRsM=XYlY<+D^g`z<Mi3eLF{}4;%CVxdNo&rFH{v
zZpxS*%msEtiO{IcZ>vNFEl_@JWKi8w3XE~ERzhHqibkVQ(10UMwu^uRy{HHsOuD$)
zg}!<4@gm$z*91{17gM3Ff;9AAbToZmm_nvlfGzu3c%gT_$Kt12=7nix4t{Bsi`58>
z&07<uaHyY~mP+rrx{zV-y`UreM{1yQe{A4UGbhRYJr5x&I05zDEUaqI&inm}x$QB+
z76!U9Hxrez;CPZL>%7kn@m~qCDl;yy_UODX|Gl~>-BrQEvSZ(4P1k~8#3g%q{tbUR
zp#ld>-{Wh|&z=^nb6=U=%<&v{L+X>zsf&X&L(b8B5k;}us*OLL3Daath;DAl-YwtB
zZ0X@+FD!e&V@IXv4GkVLuCE+8;gibgKEpBR&=sP3W`b=xr#lPF-FLU{MULf83JZ5a
zCwN0XB^i?-IES2g)2LbrRotl}v<rUHM@YxtHCS-JE_9qO*zv%5m-@Zoo&hz48zIZc
z1RMY^Tn-J-<%O1c4}j|Ge)!k5f-?!x0l4(Ql-p-lfVP)sG%Z$Ys9L*6^$pRtx@aXf
z{E(HPftU|oEISTzNA29Y9E}AJj^(#I@-rj_5R9F?EkP7e$~V;v<9F?}`H;S2xnx*y
zeR-s3&dM%ZugFu1MhhRl#Q2&OJzmbEHr<OXe`+18I&vxSR1q&#Xi}Nz`(N*6v-qgq
z4L7U?5yS&cFx5!tc;&CtH8gD-sKU&Oa3=v--Dcm$BrM9`-r%_621Vy4=&W{prMWt+
zE}w6cF^gus0dfu)35?aNsHzNf_ag6&^DDVf{%-$huN&7`i5}{UJ|4vrh{Fc6&Ivdz
zZ%W7@OY?9x4DX{GFV_@noC-FLo>^rsS4)5+>OYj!D1SG`53*I2;%r$PAYeU-!1|Fo
zQFbPkUiG?)3G|I;tZi5ymdNyQ6&oM6Y4m7RoElxyf}rFk17|wrZSI8io!K$yXCgCT
zBS$A{6Sk;UjH+cFp?P<4&e;<F_a)<1&_XoQs)iGlqG#?zWGCTvsudj%5elwdVhTgF
zz5Hb-+Oc*RSwEgtE44i_SjQLNt`Yr8fV(I0%fO+coYkMU+}<#nPFu3k+wceWG7)=X
zwt8#<&EfZu_4J|hXfMLhi(x@Tw}IJql)FbpCI@rik)EItO3`}nQP$QCQcM^^mwcu?
zUzSk}5Kvn;X%#nxMHm(z&yA(^g}ZPUN5hy5Dhsj5pyM*v4H%RsFoFd^1_>&LNQU<f
z0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI
z0Ru1&1PEX(81tc7*|P!y2ml0v1jw+$&*TLQ+ZYq|=*91!X1;62I48zG0w@M#i6UE}
z1`y`YVeU9;K!u8??G!TJ9{!?^MEA7hG&ZpsWVTIjVN@OOU7JM@jK5ceE_55RrOkm(
zu>NJ)sx$M4)NBD`t$kgy^0UX;j`dw8EIgLex&r}d^_z>Dn??Gm_PmM$%24Xv(3GD`
ztA;Pi%<e4=SMZtao!z)4moAd2Jm*b#Lra^j#@=l|kNOW@TA}==cF5jqAvIgZglu4P
z{fT_szB00m*11%}R5<+j+O9C7Ng7UZP<3%p2JUoL+zk^;^h+A_@Ee25j6H2n>BH2W
z>RstSG9dzPqk7^c^^Gav8+aiwCc>fI-$xZ83Ve6V?m@K>qIPu(UCBM{T6rde4cKNv
znx<b;V^unQAZUr_1^aE&rp69vdJ@=trEjChu5be2+qL`YYGQ*0K+GGmS<d=Pq0xy7
z_h7u$Sg>8WHnNx#Em|6xY@ZjU*Q(SChNhhUj<GKfYx=>iWdoxM{3~C8T~F;?QLsdI
zFoHu7mrT)&Z0KAuEFp0sCF<P@-c|^sB8oFTz*_yQ!*yo`RWYcPOGy$jlrWr4*<I%{
zvvzx+uEs`I2;SpGlPVPnptdtV(z+meg>oqguCfo#+YvCZ7+&l5q~^S3HS)l{5TS_b
z+L*UG6&Q3i;TbK46gv8C(&SUHqR&{XPZMXes<DxW`>E%0LL7#`m@pvVM3bCt;i1T&
zY;wQu@c%nKxZgb8?&co)<#TvRMbPwZ6<x4LJ@27&D63PVBb>?!vv#GZu0o`&DM<bf
zJQTnC{(exqYJbGa&96*=ZOakKZgqnqMV<`5&K$M0eFnnn$I|_5NqNqoU;r<fuJHO&
z6kai2=z~X0Y-`T6@-}z!nVVATzG(I(iml~Fbp3VF^Kc=klnyS9?sR>y>(ej$!*O8T
z<EO2x|DVS(0$}q~yPRY!8Yxo}2jev#h>W{Nf{%vk246R06>gG_{^ZPtNjlUYV}VEq
zAD>Et3b;NezHNTkhRBN&jH&H}#+A}6*t<~pm~oOL-<AK;$HNepz{Odb3lReV8&+qX
zn9LJsQ!ugcMEHQhK2-e+5xlZh_PIZv<2Gi3ST8LsGKy0^%Q)M}fI<*$83vX{8$D8M
zdo5V*-obB<DllF)_@9(UbMZ^Z@TOG4`MdA-OYCh#na;Q){sl&7pEL{DxnOPdY-X&N
zOwKHQF?ssIRg*0j%onY$7M^0!W%y3kq4yPaBRS7fOYS>aot7l13AD!~{a*2)l=nB`
zL(8HMzGt?eF~rTg0FYE3+_)nc)|M6h!=X}I)DTP%x6B2}be!coOv}&^vzy<WwpEjG
zh}85^cPj(TiVo<$v|W&!&!t9K-~@9_!=E6duaZpE@Q_y@f1iYDAt?O5eME(<fjRG+
z>K0rd0#m(18Svgv8p*e)j$e1Ahu3~8l;}(nKwq}$cKnp60#1wICvLImb_nIjR^`Ub
zsZkP!lvvv|E8wZK#vnXII~t4su&1q)k7SN_<SjeRsV5ie(yh{$bG!bcg<P7g!k=M4
zRm<~wuS6Gkz~<cnE@^2Xur~>DPLUGdcK1UM9doT?Xjh?QHx}k)4);2#N{&lsX%jIe
zFe3&DDuzgg_YDCF6)_eB6b9Pvb;SsRDEvo1tHF6P@62HlJTNgZAutIB1uG5%0vZJX
n1QbcS!T0DPu-h=A%C7Pv$+ETVhL{8h(6qaqKk>lS0s;sC$L;MN

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..3cbd561f8a1ebf20905080adb814e79588c7ef49
GIT binary patch
literal 28672
zcmeI430xD$9>;gHNiZB)1Zq4gL_Cl~-AzJ>0ycnAQI2r6qD5X3BIQg?f>rwj!~>63
ztyC%Efm&MyE!s-8QtjhCrB8%cMQN>KTdTFcdQfelP-=NIlW@ofUoYCvr=QNk&i;01
z=C?E7nf;U9gv3OJrI_{Nc?M&K#w?Z+js!^(O0k$A2pj7PHfZ62lxx*+L-x>*k~YM6
zW|9NlO7LxeB<uzBDZ6UBTstM$!3!pU319-4049J5U;>x`Ch&(7Q1baAksBGGl9{Am
zs7uqNBxRaR>MU(~iq0k^S``$l5{E`iQOy#gJaJ@%xGP^gR>Lw9&&fRG5QiMnHClao
zR|)<@4k)j;gVb{hmoFOTMkb*8rYvo$UT5xd;63DE&F$^MGOTA1#TO0f>_>{pl%+Rz
znQ$L6v1Io4P_Ul)6G<D9n;W?<$gI((>$|FV369k#HYhku)ssU?l2{!b8XgoKFP^E2
z7so|}M#ZV%8A2i>riO)v#EOH0Bco$|#2N;yELbIAl|qdUz#}X?q=35$xT`?Bu!uqi
z6JMCfVd4i91xzNwL<18oNG2jH#*!jO270iJ<vh@ZWuOhqKp&QYMl1uJSO!|L4D@0d
zXvQ)+m|B}>X&-WySTu5$AZH13mLO*da+V-x338UAT2fR?ifTzwEh(xcN4av8D@VC<
zlq<L7B2PK;^g|^P9~J?Upq@$?SXY92DnYH4F<_Cf@UT@vUnwdrMWv;vG{{6nECpd1
z86qWP;JIaplnjxQp|i@+S!HNkd{JFr<mQXqd{JGU-d8G<`a(;qguYe@J7$&e3|0xd
zXqB*^RtW)GC8TJP2#Qs9S3`KLN4u-ZJFCgNn*(HLbAaq@4v?MA0kYE<$j;^f+35>p
z4_`QE;EBOeIB~2J&K|3TQ^+clx~0Bb&g+tBB3R05yPKnh%}MgrFiBcOTmi?HLD*qg
znN*JEtz@Dn%i)VuZX{s|BJ<P19etuE%WOdViCtH4BHJY?5NZd&aO(h89(O2V|G1rq
zf0kDVBwjE9OyDn1U>U<($aN74oqCgSagq^2@Iw$nkn6PEp6FEsW%aK0OZIuTSGR%k
z9Fo{W%!U=ghFd5hJccXQ6x?We(VGo8qp3=}MuG+Af!`9*7~Q<=edT-9uCqc{SC9X6
z@yxdmZOm;NDLGxh$;?eX*bvb|?Ndet<Oasyd2`;?l9~`l<FT4q0WnMe*?3%&>9TLo
z(Si|@=OWqGcAF5l=pt>5ykNT9{?h9Qw-()LSJr%HsCCglc5rU>nyBX3k)_0VS&4B>
z?P&9thrOw9x6kW{xbR@Ja@?JTw`Sa0#7=wbvG}IQLB++DYNNQi{iK)k)E{16Qg<b$
zFn&|sBGb8Y{!RY{mpIAepI@=y>=nX?8`;JWcT&&3z2!vVi3a(^Po{?Zuahso{q@Qx
z<919Q;JIgu&jtI6L&sMyKj74|IjzR*{NS`->A<7GpYJoKbnuS6_YDai$C7yjw|mHz
zI`$ftpBe!;Y(IZ-0ShcGl=;97&o*k;e_}#n(0DLPb}|#dr{cJjy>G1EWEL9@2D3OM
z2tH>Ps|_Y|vQZxs6(){}2@@OjV8>)iF=UF(u&5~u{Q2UL91_??_gskwq6FG&uClbF
zc^&1WnDoQ7_1S^$l7oAP*QO3nDtL9JR=;@3swvcBIBUlcFN`N#9%iuAMFyMtf0thd
zp_dhauoD~tlTw$SqR%uZ>NMkZMl+K~IWT!-a|s2y1%4R^zQAkc^p)Q^kfa@t`0cb9
zSCIpFUC2uOSSfhz<~v*DAd@pPR%YF0f>|Xq*)kq}Xgq%2P*{2)*6EFA6X<|@&xVsc
zg32Rl0vxyH<bf_%e(8Gu9f$1P@{tX@kI^aBH5rF4UQJ%>uixQHZ_;mGbKhJ0wDFeX
zi0q1l^#dAj=*B6$8oc7u%@a0WnD&+6<+~r<<el@F`bE`UkED!cYupbWUU50Y@M9XS
zI6JiAe6j6g`#l8Pzp0o#=*=H((s%7?t_TbZYks5S^~B&QA}Zwbx;Zy^WyC<65!Gc+
zyQS8fUj4v1p{dZxoH(bx@QDTQOn!Co;(Ka;MI+g<fxB%4F)cx@Ncfww_^qfiPT_6G
zXEUo76q`r1ei+E>2;2J78Dmy*RiS=P(UsfTRbj4vbKBfCWsjHM8oY7B4&4sdAzo?8
z&9Un=hhF1)1ZCw_s{A}g+dbe=;0oOB$OsvGKzg_{m&Z^f+0m037;M0dBwXLhzyIv_
zSB_jxkVX2ZHF2I9n?p^Ql{_Qkle??8tyk^wY%i*swCreYRb#f@M9+FET=e=#VlXH8
z)+pV~nvCyXxp=*J@viHoIr|;TLRZu)Ryo}CEx7lhlcMDPI|CwKJGm)%(M=oA5@(G+
zp;L@f<>zI-`O?RGvp!RQ=<MXd*;J9eY3o=f&$i+23eBL9y=P{&XY(sIaNJYNr-rnp
z&fc)>XsEi*l<u2&>Gfh=zT1qu!X^I4CJEQ<e~(l7+E>$(51cDMpLubbE>JyKK5%Dj
z{S#|9ml(ntHs7XN>YS5HjfY3J)i2~|2b5QjzMuN_?tAewT3vlkt92C)|EQpj*dGrL
zhL_E6pY`xc>W7IPYhbUPUQ`>AQhld-ACD8&7=2;^naAPuh@>umXe1T1<#tEXe&}GI
zv9xT?<Br3){&UYy*YD5-7QNE`QI6{U^lZg7iFoXd!!7B;Nl(S*Ysf_~mMVy~J|LDp
zL?Ph!4yA&&97`xQnbId%0?|05et{uPpJa)toLUfi4)+mG`vKWc2Gl{U3*%%7sCJ-%
z@DEp(NpJkgAo*8+nSz33Um?*L8X)v<tatHFoGQPZslG=XIB+=c+_{ZUZU5n#+<*BS
zCm-zl;!;^!&MHIGmVs?gD=sZ+KIP;7)u8`28HHO%1}a@0nbwUSIi7yuGeT0bUpSZJ
zwLVet{Ay9%Qvr=Oml}_*zh2~C&TM>dr}tj+>yP6SGB$r4L%AuBJvn@Kq4x)ohGUiA
zMYYCVWxsX5SFvsVjN>Z>msA-sg5zf+Z5>-wca)AthOs-elMdvnKmDw_@_E<!epy5L
z!4bKmzHC}KZoB@}ldCGHhkFd49G<NC*ZiR#&++spD(Ww<OWJ-huI}#vWJG&@{)WJr
zIZG0Ya<(4ySoTc85bu8%$CN}r`}WSXu?6$dy?B2_Gk85bVsiHR3fdN2WIXx;LATOP
z^bPt7ka)oaFab;e6Tk#80ZafBzyvS>OaK$W1TcX=0f7M&mxOPj@hl>07uPCwQb>RY
zj2s(^E8u}=Z0P=9c##lZq(=*{&`0QuKS2j^6EOiy029CjFab;e6Tk#80ZafBzyvS>
zD*-M=ki2Q!rH<rp|DX}KpM0oL?ot=BU*6@P4x9x2;beLLe-%N0N^hXA)0^m3cnV<x
zm;fe#319-4049J5U;>x`CV&ZG0+_(>MZkt~BEi40^5Am|ZofSzpr9RR7!@FR)ISAS
z?*HE<=vwgU|4-<X^t-=T53w&MfC*p%m;fe#319-4049J5U;>x`CV&b28Umfq46Ix3
zKxz#6&=(I;)*Q|dN+Ia`do(Qf|N9C08hwhsN$;m?eoaeo9ZUcdzyvS>OaK$W1TX<i
q029CjFab;e6X-7jgDDx=*O&NNJ~RMx`}!_Z%Vz*YluXc9-Twif3gGYn

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/key4.db b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..2a094273f3761c4c1ecc6a59b28f1147d13b7736
GIT binary patch
literal 36864
zcmeI5cU%)$+lD731VTw@ibyd;)&)eIgaiYk(iN9p6jX!+!qU-%rhq09QADwzU|~@a
zEQpG-Sk?mA7A%M;yHYHGA|PU;i6UQS0w24tZeZX4cHc8e&O9^EIrrS>n#l>1`7!Zu
za}0^*kb|PQ5v*vk38VyJFpwpg3_%cK_$8X56JAu}hGS%g`9u6yAptUm%@s-gkgS|L
zq<|w`lP{HzlV`}ilXI6V`>RG^Js<!G00MvjAOHve0)W6ji9ooFjJmcqMld~^#SZ60
zaH3hZtZ3HAT-L_j&dSq{>}h4~Xh$AdOV$qwB)hshI9a*-kbkiAA$vJHxOv%;U7X1_
zF3$Fj4mO@-cRN={D;ql_vgq&C2&#BSGngrhSGUo|Kp~NVoOs^Ka8c5a6%!qWF8ht>
z`%y<Cf;AqmuC9w&idF~+V}%4p@_4S?kXTkUM`qZZgR`xjHyKSL7Dg+O^;uMyW?(6e
zYAi-I!dYxi_-GaUpES_qR~jY;_Bgz{rY^=$Y&(V>$_a=b)sX&^22Y&+N`(qj4Q#M@
zb&ZkUgz$JV9PX$L?oTq}>{lvGs=)>ejEuUjE+*Xu-DRT!qmk6Glz6v|t{=~iv$A$^
z_cS82V9`so-&i!!%LIwh704PYvWkf;GLc0lx`<R^(vgCJ6sAZq3n`dLVTKeeq+p8*
zGgJx|m#89)Xi#DCb`TXRjL1-7M289^LR1)0qQZz26-KnEFd{~U1CVmqp4cC%OcTeb
zG7VLxp~^H=nT9IUP-PmbY=X8jL0g%itxV8XCTJ^DG;4}xP0_3=nl%+?QB6}+a~4_?
z<wHdQ(a@gKV5BV#?I{g)ONT`hjf$)u4iQ}ww6+Oa+XSsGN}^T76_Gl0loTCCwoOM#
z(NR)#bgOi9t8{d~FwnLPRE>eEG0?UF9EJ(qgn>v7hluWQh;(c?M7A&-B3&E~k$w(`
z2*BYGp(qYfD8u1sGZfG8+R<jFBh5@l?TEq=JECyJjwl?lBML`!Md64YQ8=P23jd&s
z95cv<MQf1*XE;QTp5YKVgoeYw(U3D52K|4C9th&P>`^;x#7-cC1qZTG;!I@U!YFp6
zF5ScwJ#J}c1}0K?_4&GgH3W{nSN*7?F;?`6B8z;gD2iSf*#(g32_`@Q5C8-K0YCr{
z00jOPfvpV8TAUh@$o$V%Y8G@NBzh2u5JXf_NmhVV)<eR?k;ia#Q5vcBUrr)X2$Gg-
z$`;MA7z~dWJ~JRZgcBJ(gUgAH3gZMC2XLbiZFnM84OYQpy>M6sc~P}!4lg=}$Km3#
zXwdiC%uN}sy<4VJEpD^Q!&)%N1m#0ZM9%~2(*lCl96Ocos^jgDdeivn>L1RY-obw}
zl~$P{70C}Rs&($g9<y|_;Lq`SeI}^sz%3gk?k~5zEj$EQ8!xjW)s9U(pP@^ObD{Qs
zlChcMzK88$nz3L?VZrmF>^-kPS>AdUbw`aep=kNdO>RA&Qwtzt`T_2=JKsgW{CPUI
zJ11z!`Qc!u<&4+yuNJ;qMV((f!RL+3#C`iNx^l@kKV3Iewg0>`>F#5XET3J%RlNJB
z@NKhW>!p4)PFNpX{TMRBxqQSsskkob+<PVKO0B8c6MLuG>88n@Z&Ma|?Vl@akiXaH
zp+d>&%c;pHRC+VRZbhpOR?aF=K5yN8j2ki}eXjHa2ExEXj47;-mp4pVkkY4!QIN)9
zVGW$xovn;V=gxmG`|jovy&{=Kc>O132c$3<oDd@$@v^z7yxeb}k?{RGSGVICcQjY^
z=5!06Bq|+iS{K?XP_;cPUl^V`sPt$t_x^Xuo!2uGUvHaxa0ff((C$k^&Qtl;H+L5=
zG|F3hwq#yi^5X6(-#u?yFYkL)ziM6Z;=OxydvmGDy$$e(#8s<i^K&ywG-_=POUsiR
zfA-Rd-_~Dxc`E(MspHS>u@g@;WU{*Ie{Y%^e?;!Rb^1Hc*u(3*^|qwc=1vmsY1gJd
z$trP{ty0dk80yFxTw3gz@owG0Jp$tu%SsNc{;szChT4-R+@ri_#5`xp`fJOZCp@~B
zxa37lP?P_u%N<?59S!~5%DksWgBNRzrJR{bIhWEiW@Mk4STLaAl78fPfe;pyd;^?T
z4`bRD+l@UR{O$WHd@O2|tlDxAaDt5-gAdUJ%az8$Gr7I+{z(@+50>qlUwtdRPN{o}
zjMBv0ymx7}45Mek#jwu1=|>$>%HL?+u1ixRx!p^p6od-mo18zDoVmH-Wz3A#Njiz2
zUM;?RW|NNxj}@*5#~hu~m%6Ob@&3#TnMSJbO7)-w<F?mTI|XHo_WI3d7*F_KJ9Fm`
z9sk)p#Kh{`z87y$>##9vA!U?Zkvf^55jCWd=PLFsM{&RvcGEQSe%jf(ir0LrLdT1`
zzOc9Y!mfgkZ`F04F*Q<-*HBFDUgfioyAAw$X;<RnmM_cp@9|J0G-bXCiQBhk?;FL}
zFYd_on4eEv_B*9_%|qG};rqpPP1Ak|uhwkk&fMvrkh5Epl4P%*IAieDz|;3f@0~6=
zJ23fDroDF5hbm^-wQ}wL%5VGLcV(B%;UdTDsr{IJQtdB?9!|IsA@<$;n3d~v&-UQ_
zyGb**1zk5*=umnPqLnulM-Q0gZ~9sl_g3$)@44B+{?s@22P>4!pjNoULBHrowsNF=
zO7%h;e$vBfO*RE(%k)ZAFY?of%~7cdj0j)&oZY>ZC$1aZ4b(W>Ty@nj!Pjoc&)cf8
zOXCN%w85!|60XZPIVeoX(w(`RI%(jAeE+w7Th!YmO-XxV`_Rr2A7Ss(yJfXqh1hrF
zXQPId+aop_l7>1fyctI)9}oRbclVKlD!Mn%5B|1vXSPqsp;-eifw9o<k%@er<{vMV
z<}W$%Ijuk1ETk)QLa091zIS?Q<;N|V=7CX<ZwEi><fXn)w3+ilPe6R3-*_SCv|(e6
zxBrgI7cEn-ISN+hC&*_ltII!6*S)m&#kt!!4t{oZo_Dv;w|)PFKcH0pxqi(TYpjlb
z?)!I}lzB76zMZ&nmXVp+b-Xz$TU0vSa|#RBbsci-QhKN0D_k^jjeY26yE?&1=HQ&U
zvF(D+!s7V)J7En0W{-M;9xeEVTbdlBb5?Fbjjy`B)_DUQ<=_YCO*?G-aUI{Wdt#r=
z+Uc8~`hF?yQ@v}jp<qW^=iLK?4Mc36{hU<cNx`DRG}B<GK8^jgtasBokn7i&|Mihw
z4uK%LJ}-KL2@n7T00BS%5C8-K0YCr{00aO5KmZT`1pZ|NWUx2_@{PIp{QomV`us2J
zAm|Pt00;mAfB+x>2mk_r03ZMe00MvjAOHxU1h80$AU^+p4w0S%D1ZPU00;mAfB+x>
z2mk_r03ZMe00MvjAn;Enpoz60{MCQHiO>IAAyVr<xre|zAOHve0)PM@00;mAfB+x>
z2mk_r03ZMeK#&HON%;0%am45UZ4jvqZ~_DX0YCr{00aO5KmZT`1ONd*01yBK0D*rx
z0d*{$@U6StBKQAS#mPXV{lo#Hmtv8kyh4zCxxAKK9HE9VLw2J~i_Bd79_b!wH(a5p
z8khh9K;Yj;KtNHIwi2p9ypSLL0yx}gKbQftI8?JhKk=`Q&}guL4==+LhHw8YO@v)w
ztI<UTn2sY$t=QwTwoRtHIi(`tVbzyfN2N){w)L<0#kGrLjkt4SM7MvH!jNG(ysTJ7
zitxu6M^=4gK)7boW^CSYr<|}M&Lng4hrtO$r`=Y4?{xGvEoHfYq9WNOJPwnM!UuMK
z72e$o;}U+#EK@7rSQF8*z}H{fm>qAwza;&`SSGa&)#S!U1#iFg*lF+Pe3jVy)$Q+`
znYu#O?O&bSk7~~s=qgLk8zvdXSv3MO;O~HZpdGmU`tnuzeR1K7gF8b~Cmz0W{8^TH
znCIr7UKZT?q&k+znMn;T8NX#6=2a(Jb}7~LKxu<TWrLc^ABnTEZ0N3oKvzkk$MJBy
z5ZiYDv$02P;>A?oq|@?ua@-r=``pszYd*am`qBdTcr1_Hse#Gi4HbEDn>N=?#+&w?
zK5}!_7GnWveX~r=ti@L<1r*ZPJDWje(L~25`nx-3<Jj3(lZyA<2ym?A<0n>ECCVmU
zT;Ux*_@Jlx1ns@U5v5J-W0?#{PMT%@pfq@4qyg>nscCZ#D`y{yK5=RGbFFEYw@m8#
zSwJC5Hpv`^Ny0s8MuGO#<NGw?6sio<KN|ED8J^fxAF=df742<Y>(jAJmPcR4$d#|G
zo|oHGkj`($XV$d##57VOG5!13znVS}AfPBpG|6U+!(_K@msjb^7xQoJ-0b-F?CRT%
zuGYmnmhoqp)zmi<=1oTK`7ZIjy_yhbca@>#UwSpKnSS4H?(6f@62rbf;@N6`dF@_z
z>CFO)f<%)H_Bc$+dhR}Y%;S{Vt`&`4$9BzDUv1Q~za*@wEqz!0v73W#&{!sy-Q4O|
zd~{9Cwl&4ixt5kqbYb1I4>hM9LZ>)I>`9KgBB01iG|8rq!(`>^pttGF0ey8ZpCwms
zR29#=@@nWnNwZ7p^5VV~=b_bOnXC=Bre3IP{(P$RS<xG1pR8t&pAPRA-db;NQ+=ZE
z7}Hlkk&|dr^pjF!59RRo2iG5}o>$%R<VOv|t<ycul`fz{UUHAK{l3RNXi0S%%cNEZ
zU(2qqVY}YOXHHt~IS;tZ2R91VwDkB7bQ!a4`9cAOAkn1hc!r=wi=^Rz=X0w9%zuy~
zPf-lM*xsL<7vQ$ij&EF`y3}*>SSEjLmn%B0L}9(G`jnSd5b72aqW!DR;2Xo^5&5CN
z`MdfHD6(IfGz&6g!hdH7YD<?ER+UDkh2PHZPn*-WdBCOJ^5lcJ&kqRiXz(o#&K%2R
zv9(%T@bc#TH;z+xG%eJ;jA?P#`$cQ!m;Sb3C@!TA7Eoj)n;g#&bRW_;>3w(DEZbq*
z{n9-VUD5M*Sf8h4uX#*3*%#Fsh1|GZ;=6l+mTM<&b*nHnQo-t}uUT`DyJE+jY^8Er
zbBp#B!G~50D0qn`$29~Q`x>Xu|9wv4{3<+NE^q7hOF6rZ6mNGv@gK_gn4I~zcr26p
zMfJkYmf6rH-KGA@=B+8dr}R0kzg~<vS990;efkV90YzG($#D%q=XPJ(teL6ndFqWS
zzq^nfHS}uAZ`8zJ+|n%{^{&#(ql{&;PDc=S0lFB~@Rat&VVa`j0D04cwEc%GG!r~L
zD_JrE0R<<~<hX{Qb8C)-l|0ha;m6j-mHG**arcF}9bChQIT!t0l$B@S7|Z12$q8i(
z<PCmanDTPU!GZ9SmXe_69aYAHr>Tb9U%Bz@1Qe`9lj9nKF6Zzr>`*&->BJ$`z3->%
zQQ<{x2elS`ezBq9DOcrbsQXwZuXW5jKFR4s=el&BPou?(my;JY*5*aNVte;5BFN@9
zc?&2~5>1Y42wGXmrtI@|z0~U2AFnaA^Fk44p363aV8v7Xs$KG7zj}^kvXkV@q*T(s
zOkHZXuW*yGv$?Kd`iuG(1jB=~%ly5zHTq$swdn%c6)YYvE{Yo%Unw_N)%JIFy|6@H
z%B(cP&TD0@u*EliT_mBzOq$=<UiG9Rfz6*Zd79}~$~uu3oKoT0nQJR*_bl96RJg&t
zAeV$(|5sJ4fJogWbCM?MEGeE;OUfeo5LrZP;$z}|;%DL&B46>PVg*r;i2wJU_<$Y(
z0)PM@00;mAfB+x>2mk_r03h&BBcOw|!u<8c8&!#ESVbE<4{iO;3l_?fvar%u(trAr
zo+L5NBuYxN8H$q947P%#G@C9jDa~NXNlKf-g#S$c`Kv!!iD{;cq%@m>my~9(r6r}=
XbeyC#gN2opHif0+vD$=@ZxsFym1*+x

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt
new file mode 100644
index 0000000000..67ce598fd3
--- /dev/null
+++ b/src/test/ssl/ssl/nss/client-revoked.crt__client-revoked.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client-revoked.crt__client-revoked.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client-revoked.pfx b/src/test/ssl/ssl/nss/client-revoked.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..1ddd9ff2823a5625b32e538ae91d029df841bfeb
GIT binary patch
literal 3149
zcmV-T46^euf(%Il0Ru3C3=akgDuzgg_YDCD0ic2m00e>y{4jzG_%MP7uLcP!hDe6@
z4FLxRpn?XVFoFi00s#Opf(Dfa2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=Yo38`
zIlJOd0s;sCfPw~S23g;}Iq)sgji27DE;uq{1$|71ZVoj`>?cbc+QQ3P2qSoDM#h+K
zuxci<6|@K=N#?$-o{WSQd~xy$T{&FwGrA&oU|1PvyQuk6{V*}$8U{I3igdki)KSb%
z9Jan(3$(IUjqV)Y=s`N@oJM{E$4x?0NtKnY)|d`1Lru|JK5NV7{DI4{?AGa(`)wdU
zhMMnVe$F<b^**|$SSKlmHXGE@Txra{LjPg^uSuxk;jud8g)IyugKqs@RDN$4gYOJo
z-D`aQ%!!HPX|665m(VsK@iQ6{7vZl_uUFE7Nz)ISYcIF9UGK2UEnXD(m-v!aUctEl
zxJM$5Rm%IJM_L?z?onz}5gglpm9FwSj%8&`SxSf4H-EK__v3tNKF>&f1UK9<1!XD5
zO;|3JeiT_)x{NgE;2^)Tw|nPD8R$d(>B!3%4}PExJmS4yGB^Rbv0O5uJfM=L$T@)M
z>KR(+wIcqFZgLZl2a*C(Uk2)iwsr^`@Za0b-jN%hUuB*=ZqCJ9xAjU~oUV)a0GB>^
zc?5}BzV-3Tj`1q|49zJ9kiJht?aovXBt(fO4T<d*4yK$ox^epopG|<#+M<Ja1_>Qq
zyUTSW8~op0j>nf~4++$-16*tqon+MBwEtwHW_AXVwban5b{sB{i=QSdX$7hx`6W25
z$U&b6X*Pu&-DOW7P+Vis=p;zd%n>#)6?V4S6aue^KDS}b#}^+QHe{O6#3Wu4WqxXD
z?z;=9d@@FA<e@^D`QvcHnvFI%<A1)Q#Tos+S)ytQhm1AZlA#5Ut&z~8CWC&ES(&Fq
z8uAGiIsSzcOhy5|<aDA##NDG(2=Dio<QpoJs`P6pnI6MFngR9oSo4JkplY-MHD*0*
zaDgC%SeVk_8dIs~WwM*(aG`+qulTbMtaLx`*fk^r&K>NI%8EPFA0oZ%;E0A_%QhL{
zC@@2P_5SE92a<*a0_iHyt`N;hBI*F3_8X7r_?uD@M%iktht9IKxH`U1gS$D9u?i%C
zYr1oWd-MO#XA~gc03+jU>hqa|OgJI1W8vP+tTaL!!TKy2_k-;gg1o0k_~{DCZTvQ(
zm$2O?oEtGa(n1#W`#ogY7n0rD=GzE{o%cd<4Z&cI?0fR8Vbn00L1kekkLr&Uki&pb
zynM{)RRkcTb2o#baf*H+!ge{LVdd;ForAkzwH&UQlMMt|1*o+|jRJW9us}%$)t4Mn
z$N}+E|E-sfS^VNQ+1)e2l$M}++6I0qu6`34JQdqaap=6*UgAAcE#nz%25{<98Lq$4
z>dV=6Hf={?|41FO5E*Jj$gQx_=_vfK%1!{gL8rX}FWC8FTAVQXQ9n5oJp=a4@4kX%
zmUp8N(N4HBSABwP>@N+XB2BD14rwKw46rO1gL?A*S3j#sBQXwh4rQiVmlkEPaoy9>
zNuM@epF_kUILUA332%(m+1k1ySzZs&uw!hxbPp0ba45{_;COFAtiGWioGCkXD>YF#
zS7LpES0+1~MpUKVqbBeb3FmmK&>!s+1H@}HP^uuA(}dVw_ciFBd%ah3biGwR_7f|#
zIC-2kqI07%ly(Q;G}w(KGb1Qcs@tsTgZe%HyIn=$it__H0LKFA+J{8nH+ZLqspO_<
z&0pp6N?PZn*;zgbWxMq1;jbCjB9(@zr(76_-;PM!SHDf6ZYg$$t8`+j!TznrJxXGG
z4{Y9%JP5FUDH9Gmjs+CQ@qt~Fv%JK#OR;To>QWiaqdRZvmB@Ilmgu8Lh8v5w^WnYv
zw7FC`H^$ZDJBRc1-!sepGOlJ`rl@?Mk~O(%Vk;Sv=G!w<f?;RdCE&U{0kngbQe(Vo
z?(goyOL{LUY@^j>;idMP9t(Nwm2G|+T0>tXK7p(<5~yYZ8U_<FR7Kq1!|)Q!lThU{
z66ccRRI&HoqcTqjv5h@WwAps4FurqEKW`_q&<d1p)RAx-+k`<!M_y8IzT;-+BCW1X
z!HtxMBR@<O09#cwhMG{MSh5QvSCxER+;IB{1+9iQ4Kaq6wNu^G(|w`c<4Cw$qwd<{
zfKwG!f37gjW@3?xRHPVDf0mjJtbqyQD7h`W?{*cF{X#x?5*XU~UymbN;LFGh@YCYU
zHHmR5-D}MT+ZDGeo!BTlg`7p>V6*1qcLRZLvmpsYd6j2Zs*nPvFoFd^1_>&LNQU<f
z0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI
z0Ru1&1PBPmH}ZkY><a<{2ml0v1jtdAPGI6bu-VGCU|2$ElrTui;d^>%tK{L(Md=FO
zJFd3yj!HR64IXiPul4_7t8ArH^lH(0Gze^@SMxcBsCQEARX`PP`pvs|r2b~dTF4bd
zWD<ZqVCCho2^$z2k-1fR8}WQ_P%Peaua|$FY=XI#TcWWhtq)airPFfagEP_NOM5(u
zKiH^Eq7GinZPly2#X72*^crTi6RP3^n3;a8L=2^J1Gy=Q#A&ZHi-=L|jUU;vQhZ6D
zEOjPq;z^AXlbw;`Cb?%lw?|g%r(c&=(>N!6%o+PI5W9bJ$xeZM=U4)r!0jDu78TF=
zJ$U(27v>;rujcUVPMcf0oA@g7lFmE=etV$7`b+pOHnY;SuDP?_VyYZXF}o}s*kEdK
zwK9uRsURpMwp2#14G=&4t=!r5Ae%itDdwT2+a#h8aPCzVuUVqVF+!S9BeW~u8=sCV
zae*a1<#2<Hm>S2<BLnD3AS@!28p-ZQVj@m8e0T*zSWB4s(0?O$^zA{P9spJ}Ov-#D
z#uR+{(}Hs`)ti>yJ+atdL3N2;a`nAuHmWn%oim)qD)LFh6jB!E5Lp^vxH)q6CfsvN
zbUc9%)MacDeE4{6tMg#=hu0Et{I&VwHKXohUEf2nFMDqnmZ}I&Ix)7b0x6&B7Uek^
z`Kw<4A;>PHub|Wxp(ZsI4iKphNJwv<dkL1g#T<gdL)`1?Q6hQa!`S3+dr*aL^tqCY
z^Hv3ZHbC)MyBHp3iV0IMAOHbEBo?t9mmR<QN7!5B6U&EN{Bipx3zOQ}sPGz8Qh8Qx
za!Y7RI%wZ1@tFyhw!R+j%N;-okIES;m)h9YtM9>vJJZWxs7dy6yIQD=Xd?_a@_MP}
z_(B_ot~o`V6v^5<FlOw5>YG~PX|#XxV`lTGIEmAd4_~mHKz=*kN!a{gtmY}6FSj9!
zfR}RLSU&*^igbg$Qd^f6uMc4AzMu}p9~>}b*oL-0^>*F6EV4M71O;Zg_d}j~1K?e{
zZRqS?iDm(iF`4^Y@4|U1fs%ukg`(dKls~U5ChNKk$Uhzz8M}O9(|mU?jTrz<5r07{
zF5hfS7WTOAiU|j5aybb@q9i4C<fpzU`%(;!E?Ers0`C-`(xHSPf`d?EL(k)E|G1#e
zy`EZhc%CqzMy%&MoLQbt)v`!AdL<EaSnaC%7#!5f7Q|5Jj}Z3xAEcKdiPUtBeEX<O
zzLEkkL>dGa&AU+3;8xq9dQPdRy~GX!2-8)x7?ojMaEJXqZWhVZ0yim|0YkFy(RV|Z
z%8CVXC-LxRyNJ47CuA}PieVLV-!mwVyX8NDBL`!#TZjr%zDw|8;dPS6%q~dB?sD-u
zH+R4lRz#Wz$_aSO-;sT8o|jXk5nRpMOv-j^^Lwn32yytFox{!pcngaDL6E~~;k4Oo
z&XI(T7=DX!)z+iXWUn2S(V7!-Pv`zX!JsL_`$#bkpMDBxHXOW5+{GMed&MEdExHE5
zwFO@H)HH&AX6FIIioaQR48O}i5g3X6YU-P-psN5bM5TyRF6T50Ua~U)3tE<3&!`!l
zfC*2QJA8hKU4+;{YdYzg7se^i|M)o~RV#094e+UWL)*TcELNL)^ej=V`v-`D;g>Nb
zFe3&DDuzgg_YDCF6)_eB6subt5E}$LUeicrpJ6?jnETg%MKCciAutIB1uG5%0vZJX
n1Qc4}45!Og;OB@7r{@Wt9jI+Glu`r;YIThTUQM(h0s;sC<Sfd#

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client.crl b/src/test/ssl/ssl/nss/client.crl
new file mode 100644
index 0000000000000000000000000000000000000000..ec061fd17bd11aad4eea2cb4980cdd9620be5f9e
GIT binary patch
literal 418
zcmXqLVw`8t*lxhf#;Mij(e|B}k&&B~!NAGT!N87<Ih2K&$2=spxJ1F(Q6VkANFgA<
zxFo$OH8{{mAvoAap(qu|DK5^;&r>J?sY=etOw9vQsYNBl;=G0yhK5GwhQ=larlwKi
zye4J_CWa<Zu7QYw5ECO4nj$o3FgGzWGQ=5uWWFNvib1cOm7QIfWA#LK*3-R$b#Zr+
zQzt9Of9Pf2QgXg#^7|Q#`?^;~od5q&E_3mbwX*KnbDH;uHx}8yc;&n*Cg`u>*0_IV
z2Y54&+qGrPUC4dt$>ZO*)%q{4x14vAo8!GyW3<{9)zs`N>D*O<h4!Wm&zYD%)*XAW
z?8h?G^mEIM=O3^Yk(m1JZpp$KRu`9gue$prUuR!%Rb1VVhy91s9M8Qw^)xx^n<TUM
zv3Uho7B_OK8=h5cdh)~l<(Z{@Hw(mAHc$Slv&lrgXD46g|EyT1`^j4q@6F3L%d)b)
nrK%&VUs_%AV!{6+)9&7a`}PORtmIRl{k+g!;Q6Fz-w|N|QYfe5

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db.pass b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db.pass
new file mode 100644
index 0000000000..3ac5759692
--- /dev/null
+++ b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db.pass
@@ -0,0 +1 @@
+dUmmyP^#+
diff --git a/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/cert9.db b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..969d719dcc131dba358d25d9bcc6ba2c5db0ff6b
GIT binary patch
literal 36864
zcmeI53tSUN9>;g{B0Rz(P=iz<A_4;H<^|!Q@)W^{;US8O7(&D#4@(jRTTvp4k5&W^
zABPkHEmW{@B7(0fZJ|~1tX8aAsaUM#ltRU-_^P+F35eA8&X3$(Ki65<+5ha!{C4J>
z**`n8yCf_`tWe20i;`0kr78{|F+ori@#1h01ku;6#D-kxL`c)wV1o{@f6LTICgAQY
ztQTPz{DK(iV~vJQhN}#{hzMLD0Z0H6fCL}`NB|Om1R#O`Isq>RgUz-^BNa)p@-*2J
zsUkK>sg$T=5)?8$-%x+=aDPr<u%G`N4w=T88O-TV=Qv2YIB(o!I;k*=R7jA<$P@Z=
zFkVm~(*`T>$NAA1>^H5^D6+g#9TP8?srnV@FDU3z2WxO~?l^BMgFT|J9SWsVEl=qe
zp}ioYO&qKt;*QI9L-p9!*61d0l{6+n-e0`mpy+hMy?w;~134&SIg-%88Q!6hoaz3N
zoLRwvA+!9!5qxI`PZbCHhI71qW`>44bEG)2a*35ktbAaTJHQ?;*d+o{5r~S&D99ob
zfItWW7ZA9DKm-Ce5J*7~Lj-Q56s`?PMI2~waqV${3Ks`5TpZ|daUjISff5%7Qd}Hp
zad9BV#bqGWRZm+#Qkkc<No5|X%p;X~q%x0G=8?)gQkhSd;*+KLWGOybicgkuAyZw*
zR2MSUg-mtPrjnX2q^2vGljOrC0rAL|@^Da=N4Atl)>eQM3y%wS>r9}_Cv)@3+<Y=O
zkw|9IW(0WzBq;$7jx8Wb2}n``@~8sxr~>kH5t3zvq?(Xa6Ov_Rav@*97XnG033PQP
zXqe6fN6?v|i8>RsQ)dEzIulUTnj{pR`Mem3N4NKRF_*q#F3+n&n0?hD%)aUnW?yv(
zvrm^W`>I2jeY%7>Ko|5GaA0CD=r}qP^d6lFx{%I{eQwI1n~VBQvLk5o#yqc145&`5
zP>RRKki<pcv&Bj5Ag_S$LiSsp+c++T!S=UC5v>z>D}fl%M@!YJWHKJze+EZ$`%Nn0
zYMH>@f<ZlsJqD(}b^}bfKmw2eBmfCO0+0YC00}?>kN_kA2|xmn!2b^cCc}Vej2`w0
zg7sqE*iEbzyMUc0qHuu(AOT1K5`Y9C0Z0H6fCL}`NB|Om1R#Mw6aglchSIItcIash
zKL>`+u%na4sJ0@S&M2g6jhrls9+jp~AC;pa$N$FD5aVgsSmRdXeB&8d9hUfqY9Oo(
zBmfCO0+0YC00}?>kN_kA2|xmnz#oVJjf$Xp0kljL6!+pz#yuI-Sv0DVFkG%waZ-|#
zRUBV$@RB)4lB`t4rO3lV#GJ4&F(*Y%M3hQJauP=cvMSZYv+Il@(xDHL4sD2ZsDZRh
za}@XCdf}6`d|XLB{~j7yf<m68;>hGFDkWtap`<?)O4|GX9td^~+l={QH?V0~KIZWU
z>R7NUkN_kA2|xmn03-kjKmw2eBmfCO0+7J}mVh4B6y1Z&)dN!>LpEgr#Arh{Pe287
zlsBoK`uK3JIc}<*bud&a6TobXS}9M_j{o-{#B=|(SQqgIKr^-v+w;E#3y%&7Kmw2e
zBmfCO0+0YC00}?>kN_kA3H&Ju^vyKrwv6Fa90d<mI1vN*RC!9YOgcf9qN3}PX~U>?
zsP<_AT?$o~LK#MN&?g4}6Sb+JkaqmP3BlU2Myw30#5%A|*r`7yW!Pv)01|)%AOT1K
z5`Y9C0Z0H6fCL}`NZ`Ljz=A43y~^)g_Wjr(T^xbx3Ew}}z}R%!U;B&!NM%%tXZm_O
zzR~GV`ScdE{OMco%9M2Sp#hK@p3H4Oncf_%X!^0~LpmkoYUszQ+GhaRRDu4>lvzZ}
z7)S_WWNT>6xI}M3<A})XEE+RL8qM6;*c6ClnuuOa%lMVDn-dEtU@UM38@iRB!{5Vv
z!%&2HEaUZGL!p?PFxmFK1)uJ2nGxjhS4o2B=PkiuC~<_)fh#iIVUgn7)pf~*Q(Hrq
z)#V=N-Byf<voHT3zKfgNv~Sha*+RDOx+V1GfC`ShD?!X(#FA+u0JZ<!<<+<hk|Ma+
z5xa;lcKr3E5w4+H;Tj5K7nOoiUfyDy#n5+LJ8kU)7K$3uk=F-{Td`Th*O+j5u3SFx
zRU?AAY?i<U7jOl-=nx!1gW3$NHcCgR8Wclt4QfEq5Fie|bFpUwZO2<0&j~J?!=0O$
zW>>FGJNR>2YFixRE!O<j?Xyc!%g^%_uDzce5mr3*JFxyit7XB8yU9fq@iGtT8aboT
zqxXqnwC9H(Dn?5m*<QG5k>l`5rKEGetNxg@5dAHFXFDybllQ6DtbatC>Gge4_Ec++
z_{PkoOuT;0t@&HeJY66<yXn0RjZZsk8fq-<0vStw;>A`zXxN@pG3~2EnwISuMou-T
zd!u#G5_JE{j%-^WU;gBhsEI!FoDR=<a`@EZLbFe^FSoV*l<wv*tox$P4n`bm%eS}q
z%h40m%94i@OR6WD%Fi6$9x(Oc_WE}mMmG4w7GGuFe>=t_ZozeRDTRt6XsHQqj2jWp
z1dTGI(Qzt@J{!o4_^1hHC^8-Qplt1OTse00gr9HGre8Z)cg^;4+^P1s?6{*&@g4t2
z%wKi#r}eER=L?)ym`c33A3d-ft{mS<f4YZ#zj|R%Vh&$vnUit)?yQc5pJ!UO47aVG
zRiFKBdrm~HU&U^5MV83hX3x>3r9r0~d%M+T_cyxl%qlRnyx6gHZS=Y7C#f!<-RE!I
zV%53$m}mJ!nnB&u!{1oF{oP4}MvH_?7GG$_n@!jsk-p~1s+tGt@kO(l{*QK4MT#%2
zJ?Q*w0n4rAkoBU+clo(Dl8@$g?7VW$HhsRvaL&k8RWXjEAM~DZX4^Fs70(FBiKwj4
zYRk0$_Mv{-HHWY?d^e(QTV~R=fWC^_3Qnfi?~%W8YQ6ruaxeLNfNBuhKp#xH;z2&)
zccQQ6YX<vZ;@`~-r4L3azjnA!*-@C|0<XQ#?rowvi`<{I=VVN>;Z>K9YK|WjyJh#<
z82R!Q>-?ys!?i=+od6u}Kn9uS|7nLis;!U!Oq@I~Ov4ktmPL4=ds<(MQU;xEuiwcA
zIac9|j#W5!C|(#O8u0tB^~euaJ%?BstE$Gdlpe+uO{Wt7cIkTDMh|(B6_zjGx}nD@
zW`4?TlhGNqQ8~=3H)Z2RjxCOn395;C7XohS|E25e4*EI!soytr*~ccX-e6OGV9hs)
z$-gYYL|<CAd{toZMy0*}`*&;S4&VQaUP8&9d$p6q;(H%GD~tB=V^e*<J2USly#g7g
zH@c}}zIFV0<?gd)QQg~2Rnha#Z<~^OX!7pm%kM}$L|4&gn`wokk$@<PC~BcsK}|>n
zWm~7o(xise0@di=i<9Wj#5;3Or>Nr^w#n!1Xzk2s5L>w}cxWT77`gYhMc%|BS&`KU
z$0c$1!Z%6(_5sb_Tdg_b?`l8R@aZeKR;!xqo~4gk>%NH+%=B2&O<C-)k~(otTu|b-
zUF!>T{P&D|yraQ=b$xTg)eJ+oap$Qs*kxl73yRNeTiNteiI28lx>2ya<i_5Wm8^=u
zHRna^SRKMGciuA<?fU#jX7C4}<@=;}=#ATDCiOsMB3u7#P163{%jN1e$wf0$drE$7
zM*dC*Tw~DEwMIJJxBT?<#~F;;%@mvXs;RyY<L7Q(T^}epqf8J+Unwh)Wm^Yz8L#j-
z>~6fF@;K$l2e$&^_MNNxD(O;yY?8#nWms|e`6(N>?n)N7Z0)4pKVufRH|4;Xhv(BM
zG0du_u|4rWmEMUA>a}t{DUsE(PSjHCjE?#E04MbNy`H#m8H$emvTJ8lL!k`tq~-&?
z$nSX2zNFXmq&Zp7J?T)qG>oFZ_N9y~UFt@r#^Fi8l!}IQUU#!}nCHna3~I6VqX%gk
z_fZudb1!E{qUqq`)dAV)O!(3lD0u$IU1^Snz)85$7w=mV*R0KiD>^_y(ZOzX2vGe?
zNBSF2Q~yincwpnM3B^4pylBU5BP|-eaxV*;?GBko<cPebRve=;G}t85=DO33`+j-;
zKiH*hb67S$!TAb(?}Zb|1#=d=Ge$>5E6?6&N_I~A?6YSn!PV`{n5RnJ^qDPrrL56v
z&6TF0Mf)`FmAv$sk{xu@Pp=O*es9Lp$WU&K_xD*_$6I?99^cZ{JSOWvU68MBUc^Vm
zY1_*3G~G_smhAcO)QhV5w<gt9Dcs&DaJPQ6n3I#fzACF{*wLW<i?~&ug}b9F>I3GT
zaf$oTZ>=gqFlC?7;vdg#-Li6IhM`$nsOZh4)$7;)+>;y9egqHs`a8b!GH&tajZ<ci
zQC!%|pFHpHHer_M?#f8#IOqc-uQEq+;uAVXbOwxI-8>~-UA&<V?=Fim|Kj$c;x;{1
z-d8trBeP0svhZHVF;x%MHL7K%l&CwrU5-0vhl-t2KmL01M>9lkkBzXU^sL;A&D{4!
zQ2||1DGz3498486op)kp?)hgQmAundw(G*2c>Y#eaoQ!y$<pv{by)ouqaL08a^L#_
z2FHv&84nb(lGF9G<n3kazMMU`<~VbFUc(c9m(Vq}=R{;CEA+nHEcS?%ijfksZtSrq
z<&v_!xAQczV<#v5JV8-iw&KPQ52{?hW_dM-D_0dSwEJtq^=%=$0$q7t3meR>tjl|A
z+RUR$^a3|_O3XJD&EC&1@z8Thx^46eb`ZFXq3~kheE5yd`Lf|Z3daAa@eG9cg$pDA
z2|xmn03-kjKmw2eBmfCO0+0YC@b3{=jq5$1EgM+G+*E)V6F<bQTH?;IX_gT(XeNzJ
p8d&00ZSWuPi82)O-Y+Oj+yZ{-fR~sA18KzXpM5TdxC4lw{{*jR_*Vb`

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..bc2f47f7a1ef6cb4c6b0b2d0ab69cec35ad4a4f4
GIT binary patch
literal 45056
zcmeI5c|276|Ho&{Vhl56A5mkdD0F7ikg_XFMA^BTu|&3ODU`}cmRw8HN|xkOS=z3W
zF1bb0aucQGs+1^23zgR2oP+E3tvfuvf8G22eU3Swd7sbw^Ld@u=XuV2ICC&7>}>)f
zeW`w-;lbQUDibAzLZeYeR4NLEA_`V<!8*R+1p#(^L-36LOZ;~s5v2p^lO*4v2t)^z
z1Xl9Ac%68ZIGgyA=s-O8cbz~zAOHve0)PM@00;mAfWW_rK#-`Yf{F^7KQEHY3-S&2
zjpUkfBe~<x1XBld<CW&rmBuDE=G5_8sz!hhb-9D(GGhl<s<pW*)zQ|{-qD<DXG=A;
zv$e3XG+jw`FkfzCY-+AW75uy!Odow>XwE0#6--sosDKb3-{^?2AVJcLyEZZu+4dUO
z_o9zSVkUUJf`TgA9ckbl$PMrbiHKMp9<YuZ=_@*B&eGP*+=YrHVG9!ts2W^4#LzUt
zAsWtzMi7_h8#K`b|CI)k{6>SRX@SKnOjkvFjoMzzTjT2;IiZ33N+V)4{f!D8qHCIB
z@Cuai(F8<9to03_kimW>Gn)NIg+td&GC+$esH&pVO_4)3Auth%j7g0iwu$<w95`bW
zJBO88R4yb~1;>rc5Ufl%Mk?SMI$XtpH#zVo2ib(1a9D7`h6`P|SO6CsxX^<OE?n>g
zg&raWjh2Wa1Z&Wt(fz<GbO@HAL$D4Vf`#Z1tVD-kDLMpe(IHrj4tc}nn7vVdh%#d|
zMwA(dG6PX&Aj%9xnSm%X5M?IPi;47NBE6VMFDBAU7s=`(SzRQni)3|2vxufHqPYNR
ziSVH#fEdU~84%o;fsB-axMe|tg+Yg_$3j?_iL_=St(iz`K@w>)+7NETLP)V7c;769
z6bm86LiWl+_R2zz3mfUnM%37d8XM{B?aOAem~2>bEQEE(LU>?fA-spN5FX-K2#<3t
zgaM9)FvZajfif0ObVKlr)lPKN9q*<)VMh>-+YyB0b_C(L9YHv*D+tH!2*Pn)LHHM4
z_?&@vEU1M~oUsr-d&WZe6dDVCCPLqd(C^O>IT1$N@+R!?U^_l+F66^Qh;!g$3nAFy
zwk)PDa^5oZG?^lJg(a$gHw8|-R=wyGF-Gtmg#dq7AqiGAVL3|h01F@h2mk_r03ZMe
z00RFNfedZ*W~?lktnr_{Wer$ll;Dd@Mxn^k(g_kM>8+^v*zvEi=7Kcb>c3nBq9_z@
z#{E5lCkz@L5fL=sJ1D?6BvQvaJQCJ~<ms}IG#=xK#Yl(?(viLqk!vG-!;MN`-Z8Bu
z#@INaMcH}H_4xG5=4g096{Fk)kCUkdI)$&!8DZ<xT@@RQw%=i2nO!aGl)*9P&Y((^
zplzl2v<LGZy)nx&@0}gJTO&$4NUH;Pxb0kMj*GuOUe(Df;`c|5p;{pqE_?~MJ^C<;
z&|IV^M!1<(L{eQF-_dC0S01ll#)z?7z85Eb{((F>ZP_PR2RhHVCt;WNOr!mEI|i<(
zC7e8EWvZU#R8bhcyCf@qaNbcR1&`R%oTJRAi%wMr=*i{i&wTGs&4@{<On5cztkrQp
zdZoesgPuoDFLA%ByZVq>Vx$wxuw26bdCRUHo0T_-%S1bHriW}vNf~;z-Tq+>WZ&M+
z)QX}PW~LfCs|B<jW-fNWMq8oO^4c4XLPPOrT}T5jJ~we`;#(400*A&x6s)YznjHt9
z+%hBGFcrI)&uE>+)=F^{L8GzpXu>*_Y~%~7-GgVX?&XHD5;v`rtENdst#8QQL##i$
z$74j6lAm{Fpf7cEVQ-`R2i1Mdy%}mw4?XFujkU5AN24#<a~DGyXOs*!hT4T&{CNGG
zQ=M6Vwn0zvX0xMqamIMni;WK`*4=s$v9k+5xzQG+t1>PTtByUBIVIs@<#y<_q59Rd
z5^Wcq)y{s|y&{z07B!<t4cEPI2M(kx3{Mtk@M-s4o6iS!7AHEUI3Bw?_-1-K>6b*g
zN>`^r=M86qjDOpoX=R?Ft<F0|$aLIysN%$&KXg=2NQ$@QHkb9TuSp!b8Wvd=^-A$V
zv-#cqij;Gg-<t$Iier-Ehm#W>!@3*RZF{0@3T?tZhxosI2b@>T+pIXXBNo5sN-6C!
z=5@yGbS;9x@sn?<aud~Zika6RU%PcVXynjLr&;-*lcbhD9B6;Zor5iB(C+?hnAnfm
z)CJ|Q_~m`w8+r2E5%p_~(BD7pnWwd^oo%gK%*#z%Np@yg-AYa|NG_ypZTwlf;Z&)0
z%Z2KtAKGVf7GZ3XOe>oYByI7CoKs#A;j?vB0M##SU_pUuf@s6(p1$EyrOxmB77x^~
zR3dLb(=K92%;1mMGYZPijr!hO8g_a1{_|a%20Xbp3>JFdy}G1Z{AgmQ^dXB5h0o1P
zO}2%v%AUE`$5K}R;yRnRf!$e}^(9C0u`4=<?2i(aU*B9Vm0!zS+vfk#dHYVTU%{_^
z<bh{-(R*6us~pJc)h-wJ&T=d1Z64|25@c-D3f=2&#Nmv>Rt)z+t5fmnk@wvm?+LBB
zxN6<^eYfo$lJ?wRUTu;t$9xz3AWZzo>sO<`*9Bel*F~|*yi6OFn5PfdY%(kJQsBJ0
z_lR+%=x5C%*+b7OXS6694h>Y^_%e8H*v+OZDb0EMyNp0J^Gk^Y@6?xB+ujiB28xU+
zm9rfNM1QL-_+yKWr7k<E*-P6imHC9VM4U(*Y^~c@QI>bSTdAPXL8jfQtsvkN_w<{V
zwHx2*HykH8QJ?PmzVE{h$E%f{qInN4hkX86($bp{l;Sh$Tgzu>=iOkVK7*W#<{bmA
zgGIWAhmG_yEap9sly!4CRG;-!h0=U{<a~H;(r|wE2an|78IFsFPp8U<*D&`>cf0-)
za!+#JYR7DUDfuM@FI=KCjWTAmF4T+=3yeQ&*R|Biyn_$zd!|jB_rAP6CxJ63E-DBs
z*C}SD)iv*8$&6=bL_AkiEG|j9@qOP)x!S$l1F4*}{+Aa0wH4C_-!C6Kzp3tSeZ8)p
zTf^hEHz-tV^C}+S-e#GwA-ms*=9-x%b~6Zn?OB)W7fbnDSGCm6oUqzhadyj~^uvx5
z^wKVogmhFh$xi7x<$9dm5wG8xipxt43i3)!Ys>9Y^Lk7bh!mMQby2w^!wFf(E$Vi!
zB_?E3erX_xl2_U4mDw84NAGHDd$Ih5e%0-j@cnD_|M!_4zR8ak+@BXbzyb&W0)PM@
z00;mAfB+x>2mk_r03ZMe00RGG1Vk}dG5DSG(d++@D9MliV*>=k0R#X6KmZT`1ONd*
z01yBK00BS%5C8-K0fYbsgAyCP{(pp$d<38X0)PM@00;mAfB+x>2mk_r03ZMe00Mx(
zznQ>vjDgtS{pH)}_5T1$a^T-QLf{<`00aO5KmZT`1ONd*01yBK00BS%5C8-w2u#Ch
zh<*KEaYnEI`%sd76Rki52mk_r03ZMe00MvjAOHve0)PM@00;mA|4sr57?#-g{>v>+
zFdVex2Y688qfh_N@d4L>03ZMe00MvjAOHve0)PM@00;mAfB+!ycLa!v@cn-!i9wX)
zkfgrkbjd2oXvv$ByCq%8T(SxI4{|>FBe|9wM@l9Ikg=pjvKpy}R6-(443ex#+JC1C
z>Hz^j01yBK00BS%5C8-K0YCr{_y-V}fiXr$1g!S*_6?8pg4lFlUr0~SYxI-V84M+%
zX^5hNF+_R?`o@fR=KR@NQCJpI_(qz=VsHdLkk63UlNXxi$O%jH*s{XXY@Up;G>;`M
zEY0Rl6PDJ6r2aGQBS7l+=fEU|ra5F`X&##-EY0Rg2ut%=;=<BwE>T!o7ZUp>&GF-~
z{u~%VXqqD`EX`x%g{9d%oUk;Hg%y@&b1}lwx{!!CMn&vLZbU>>Xt)na@S;>iT|-Ic
zli!maNk>WI5`N<K;>yG*u^VFAgk;f&qKol+aYHye>|rbpvr42!L>?V3=<ttR_^OIH
z!+2>F{1X4}ixlF=K^}Oqu@AAuks&+Ccw$omVqvL2#ky(qt6#8I<Eyu5MI6YK?$IQz
zXxfndHaythp!jC8;KMgX&{T+sCyc6yi2XIjQrA5TxP3_?y%|Lb?SVR5XR0Y*%o!?;
zFHY;&lf9i5pTk#G5b6<{g2!Rw$7j_p;JmdXhV)PC6y<tAFJc~MDX?qy)9mm~1`U&W
zgl4u^cCJ+I>b6ZcGGDWxQ`H8&W1&Qm+|Cipxug$ODSVnd&UlRDpHt;m6V?<=me=QE
zh|B79uE-qjy7*irn2Ad2+x&^Dr7ychluX%oZ!(h!FSP8ooIUGRY%gCaMee*McBJnf
z)8p+xsGRck@RKK*e43nalbk7-++916Kj2?<;Gy!hO~HBC6)$E_e;Bi%Da_LOfR&hY
z$fe0lR-V6_lf29`_x_0)GrYrE5}8JAyWUitj7~_BJKG(|j^xv1g_`8Cr(jZNkW0#T
zlUcfg#<T7|i+WMkao92K2`kA@-qkF7QP1qjOs>_w{d5*}s|`kOW>%_`1)gJhx%KiM
z(_K0A0L~B5&`~~3MyN?PZwe+^Gar|Ri;RT1T8lIiLSH&*B)_dTbvvbD@gVnl%kg90
zlbPJ3IoEd~#ByGvM(Np5mh>~zJu0FtwpjZZHvxY`ZhbeOCN0z?k2M98HBFM$X6Jtm
z+@R`hTr0mO_iST*w}+o$4auhKo^;x~JCm90uD>LY3ARWW;q<dlJKQ8V%yDwn@V(u_
zEwO)F$a4+n)20bE$>vVMB)NTk&N-gw53%#B--zi1;=HyWd1A=@NsjiJ<f8={N>65T
zN#$cv&xj(IM}}$6n`M`rBF?IQa&6}JPxFVSE&f48Q<6`U5^7R+DpOE}T*42cM+)fg
zwH%(@7Eh|E+=D(LpP+cuz<$Ko&`P~#GLxpFeNFVP;hh$1%zt0qm0*dssoRWGct6X)
z@t)|rRm&ClG|6vFe*L4x6iDi>8+1RtZ%yDn%NKSwv;AYQ_0Lz&@eIsc@j@qIeR^;B
zWF{YJu21;fIb-W1vploB>9wZ5SImDL^s;4MUKKK=a=tQ~Pa_LAIh85ME-rU9wHQCL
za-Yu;+*%pb(fVs^{dIXL@?Cz+s>-HElbO5_mTELGG=26Tn>-(=Fz)V}$z$!xYFGZ$
z@7ZLo)$)rDpGFdDa!OOsYlHZh$asa^-rQLZfw$e5ILgL^x%K^Fq!+Ivn&kF|O=hy8
z$$98U1<I9*%n@a|jM=5S9jR2zs<}Q!p*z>FTPlX*(<FqNoYEBJu)g4@*w^NRmAk6b
zXXV+8tZcaQrYeWLuCRY@Y^o)}ax#+(QwWg7wpl61?Kcc~^=>O)k0Nieem?6<TeQn`
zg}5LeK22Px$tg`iDj_=z$~L#W>b;XDGTp5v^4DHUz@ay0{AHSHa}*Yzp-g7dIql5g
zMmxJaC$*^d;JAa-3upTC4?kw0^zUo?I~G|r@@Yh&CZ{w7aUPUe|K^{U-X*4f-&XSG
z)~GvKO^>5Ug8>xfoA1o!N+vUjVQkMBNGnoT)9p|%j@q($OGigpr-@FLS!Yh7`>BPs
ze43b0lT(_4+&4aR$a&h((9g!M<TNciK1=awOhD-$A5GTNrHXczF(xxf)+3SwUGB%e
z{FV3UmGULiCU36H4(bs~pLa5${@QUYpGNrB<X0B~Q<#Dt_sjP@XEo!!PBx;o4aIKx
z<y{xQb4-!C`VuoH<y3FmWG3?;@3U(95Nn|!vhLzfc;C|-nt#+gaqRM)!4j!n!y5;m
z@oA#MO-^MB`fMT96`LVS-*&C9*!QSoaR+8_N0v(oXIuW6LpchU(<d{T?)qd+c-=9F
zj(hftc7BL4={~(-Exvsb*YLfD8ML5ThEKx_H94gzXiw`4@iqL%4~snd3v4|J**$3w
z4&%S5j_gd#cB*PU`RimRAB%6#L-{JU##Ow#_`30_2id4L{<5+aZ<#*y`*jl&5k3tk
z)Z~<=Am;O<tDQF%zGf^w$ftx(YrMN$!$d;zL{?W{zAs&F<ITxTn%#*jKQ`>Fc!H8=
zxTX2v{1q;u<&3nnrNyQl3)gK9Ddp3!LQPI-3c7o@d0ADsXlD6}{qNt~@89`b)V!ES
zcjkC(SD1F<6z0;vWG0I=71PLgGnK3JOMBnwe~HWN+gFeuMl5W8Wn~y`pY@hc!w5Aw
zr75VJ^Ax+2t+Qk0yR8-133G@+5i(DL85>Y5N!4o>c6Vt`X7b5aZjX2PV7bVGt#_*H
zkN5Asaj*=xp{Xu!`=@&e`=jLeG!daDr!)l>izXya|NKO&D#j&qMs%9L1ZSI@nZ5KX
z@012*RaV>j$xKS8DuomE2IYQUxa%C5V&H(;DaxeSIYedlFCQ8}t*P@u<5XCD!uZwt
zaLD43&|zNT>rbZFf1_`>x+ZJcFk}E};Kj$TXeDrH3`D`o{uHX+SLGuX@UZ4%=6$EO
zkJ!D6Jb@Ri)CIGWmthiBZjmfpYv+%9Uc=Y_BIGKRq`RO13m^ap00MvjAOHve0)PM@
z00;mAfB+!yk0QXQDSdP8{`IeNOyQlmkye}@ad^RpWq*8VtL-oL@N_rnUvKc4%ha$u
z*Xn<dJlVB-sr2ra%~w?eiJtBHVon?5-bf@5YH-e-(9$BjSr(Tec>9nd+~iblvxv`E
zydFw|3<6`{;!4SVn(oEc`nOW81AdPTIAFWaW6@+LGdtg{4~r~!48B!Uv+G&v&B}Pa
SsQ9RQhx^7M%g+|xF#bPn-f=kq

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt
new file mode 100644
index 0000000000..190f880c0a
--- /dev/null
+++ b/src/test/ssl/ssl/nss/client.crt__client-encrypted-pem.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client.crt__client-encrypted-pem.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db b/src/test/ssl/ssl/nss/client.crt__client.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..6c8ec171304048a2a1c7aa14965b30cb7bea2ec8
GIT binary patch
literal 36864
zcmeI530xD$9>;fcbA&~pf~XJ?1p#$)K{!-S5kw4!C@NwI5rZ6-Bnq~oL==x!1dGQ*
zi+~m?Sa=|USCzKVs`#u{tXip9tmP?%id9juzMV}#KzsO+zSqy|tnBQ6c4mG%^Udtv
z-PzeBBq%_xlyMd%CdEsX96n-*peW+b;UEa2qg{y&xzLG_rnSKa?PLF%se??wUD#L`
z!qEK%(bvK1^y>9i>$wvVxIhAs03-kjKmw2eBmfCO0{?Xa?hJ;hsU;dNPl%Q!OP5IG
z(FqELSQQl~momMAeLO;aIDUcNK65x^8fRu8r#GErE8*h2ag*t!!YooDP7)=H>&?OF
zr$D9+RN#;ErZG&1TcQzUd4(z}Rwh;UD$x5WXj2DjaB=Q94=TfSSWi3T3WZ9R)GI>k
zC!$Fls3GEx%Wy`Srk0lIW)Gz#Do)m0yw{*;bwWKn1AO{&kVkXG!G1G5g2Oq}eZo1j
z0{wz!`G6yM%?z9x;O7;}@$j4(9O}T4;Ka%$RvxkPflclJd$?ei2t-97Dk7sGi%0+h
zAqX5n-~<8@2%JG60YMZIIFnMiCL|Scpuxp8#{nu_9LR8Spu@$15ElnZTpUPoaiGP;
zffyH;f>2vMP5nq^p2jAXd89IrROXS&JW`oQD)UHXK3R%Smg1A8_+%+QS;~=2btF?A
z$y7%&)lrj5YC4jdPGnA!50?bQBU{SDL0KNzQXW}b0ZuGDF4(O#fi9oS%_np7$=pOD
znMIQk<Pngh1UNXhfFva#NeRfK3do}h$j?PcmKBm}LQ+jgmX*qcd;wnwB()~c)taDT
zS`!>WYl0?fP0&uQ2>@zMKv83oP_*XrVk92z-si;}dx|+euMT1MREIEoszaDP)gjCt
zUBc|C4q^7_5@sJ=&}YDbiM^oXXid<2v?l06S~L2&DSK`%>NUxZpvfEcygE^!I?+N2
z9vwvz7lF?fC$WRP0=^^JZ+Xt+xD<w|k0pv|oXDGT#2tO4M5Rn5<B`2*a3r_aq!O-{
z1>7yTsYkIVz|_%ffC(2!01|)%AOT1K5`Y9C0Z0H6fCL}`NB|P}{~^F)=n{=#VxJ&b
z7uJE@!kVy)*cl=U7f1jSfCL}`NB|Om1Rw!O01|)%AOT1K68K9IU{Pr(U5BxSNgAx>
zBN$p^I9+21D`{Gzf=U|9?i>n}O4Fe;yWb=4{|%-g2Gg)H22BPz1~af~EdDRmKv)?_
z01|)%AOT1K5`Y9C0Z0H6fCM0czYqZ$6+xN4v@}B$cjr#V-5AtaG^)NZRHjgJk`fb@
z94`;>k~v45s8Gfv$wGnxI3XbcoFo|$Q7Ghz2^=NJs!$Pg*BOJPLmwm^+92sr{b*?>
zDDKI1$0uv}IFWq*7#eAuT$Z5ZNM%V%1!Wqcq%#;wn&<zn2zDLYf_Y&#v1wQi=K2@v
zSg<OP03-kjKmw2eBmfCO0+0YC00}?>kih?z0F!Ej?nCA>!O+K`4Osv&+MtaSP=Op}
zIMq!DAIdesjWnYUdJ07x7;RB0WJ#L)|9uEC@4pIbC*A;Pzz$&h{<mP^(IEjy01|)%
zAOT1K5`Y9C0Z0H6fCM0cza@d5kp}ISF_em<U{Zy>W==q)R5C%Dq@-(;X+x-E(S9jZ
zZ3<-w)mDeN`Jbps1%)*C|C<r41*^k~uu`lQ+l-z5TT+INh6Er1NB|Om1Rw!O01|)%
zAOT1K5`YB$O9afQ0@S_u?iH_(byEVuP^R$x)3uDvXM8ks3_vQQG+?Hehus@(K9o;y
zvx=X-`HoaUCnpVn)X+q3%c+!xKzaR-^&iqHLDzymUZ$A?U`iF}yiA!*w2XlSA^O&O
zmW<2vMl^<qyw0LFW+c;03=E8bNSdMO)wB#=DZ2@=fC2^r2e6?NUw-hf5U&svA*N-#
z{%a@{6GN7%O;_%xdmCr?+x|lw=k|GHU<gVaA-L~~Ot)Pm|8`Av;_j(U!ON?&PVnx?
zhsD?we-PWw&8k1Jdg^SUsn_}?^c8>#j=UpAO!{L<GZcW@|K{>)Tn0!HT!s_7h#z)*
zanJ}?Q!Q{cg|UZ9K`Ae9G0tY_*sYtk?jajR_2|g!gT*aO*~HJ7aCuH#KJil{g1M$_
zfg>*93bfHdID#6r>RWA;j!@MohTv*cm!c*>9D4gw=SJGjH`Q(v9MwnKHnWVcU7vR7
z=j3J0F^o6a^P6_eE=0{g&yhQIeR5P-^2Gb#hKEh&xhwA_=1~HcyGqu|7`t7&y7eO6
zKKxKVO7htH;w`gG+fPcxZ52*BqmzSlwtAmyGb>L#pjx}(F>R*%_jwspEnQ>l(w4ID
znzgs*Z#(;Rf#}@kcQ@8OZL6%UG#~57Sn?Auy7Xb~j?9v2UmaFA?nu?QuS8wyEd7_D
z6{}h^tUbN>lM5mydd{;yGN=2<>BYN^Kh3z(-279Dv+a<MOIAA>F{m})#_YXgC#j_c
zk0utBPc)L9J+i}h>Z2VsZ`+Qj^^DHH#(MBplxxg_8>&JI6-CfOL)-w@C*}l=G^WvU
zDvCbq%Z&J_31%oV9e1T{Yqwi9X3K=1Z_}n<KU96)`bx~{mY9r~WA?GF|BlaDed?zT
zO$8Tn9ab8N-MJq<G#{!M-$sAB&-6k0LjU+ozQQ~+^~}9ltqVU-GjAMfT|TQO<J*?Z
zuqyA8y#XcZA`h#5$CeiQpQ-EWP!&Dc<gzP0SI_)X>(X_R=gYg7IezwlziF#Q+v4MH
z#S>||)lZLnWAWB^r*!Mg;x3zgp&oBMp&~40ZTITRhpO>;vspfmcb0_*TwZs`;n@PV
zbHQQDMNjVWvu-9H%WB<q^}Kb;e6`-35v$9h>_$E8I_Y3Kwl*(+hHqwAX-#@_n$5S5
zbds;zh9u*A5mobY!}bOA)zl_%GQEC}{FPJd_1~3y$^Qqa8lm;|!K5o5;1hl$`f9%B
z1s^P|984dKQeJepPfa5*y9Mt1pWWX~br899w`8VHvf`B&k8Fq?8NGGyx+vL-mFvB!
zq{AJHyfXnf+`bIbO#XC-E36;@6DLo<VR*vVvI!4#U*l_0%7C-&^*h-B$13daScP*3
z<Ap(@0l)29kN#lMd6=ELx@>e~;So$;e>(o3mv6*ua+T#-U^%jF8$0cz<|o}T9F<xX
zk;%GtOFCX;*Ju|Wr<|C5(f78_d+lGh($CvW{l2!{COUr2Myv9JYrlz4{ACFy`qI4d
zt6beTN^NxBzgIPPXvHtgxPpE6t0n~m-2doVQKYB0Db?${v-57zOOPSVQS~MBEn_bz
z_MS72=-6(gjGT92`;=veC+}Uc;;z_LbPavBg|>SX;u|3rMJ#mBtqdxmY;QAMnozqe
zS2?Qd(j@w`fL&Q<l2kFZ+hy~1HnpYJ23R;Pcw{9h8L|J4S@y&{X`aO}yCpIALpMwQ
z`2o$wL#00I<76{N@98VJR*TAv&ZUo=s=tX4%yeDSL0N3OiaK#ljDP&M?HhJy`s^F`
zWM{3*nwo~%YpHt9<1SEVm==vj%qX6BtfkXW$3Nb2`DX5lf}8tSm9k6x)?N^;XSWKs
z-hJ0dwCD35S%DvXmgAYy${e@HSmKIEMb<tU>V%4{E5)j2@g-v;8%j=9YR)cOT&>&K
zzE(2StN6_HC#j68EflNRvZ-E=V&`sIQ{yK-tB4auUM<R%W?1^S8?1Ca;$pC|^aSPT
z2e*A=4xBIhD&exPbduQ2aY%mXg(;i1?MV!1+}1{YaMn0xf6~Fxk1ixrqF811V>)Ah
zD!d!+-(}%&N-V8npRA%*>mT>@1WxGndp&XCG8i5EW!KKAnnLO0Nlp5Ck>Bv3JxQ<U
zNr|uNdhSUF<E3E~ebJXPuC}Y{SZdpD-zg=vDZGvb$q=_wU+7k0EyoVg)Gi}ST<2cN
z2uD-E#j7o{$${{t{V2Ho*{+oMjxqu#;Y#~Iw<NAv8wgi)kb<HE-RK~o`dvr*E3>J8
z*Et^Cv}Zzo=Sg?k3F~mPI`^zA!iKSjO~Nuo9uf<Vei0gIm}Ygu{^kSkY@Z*-CU3W0
zK0eOjDt-UOlZm-=7P~M;g+(gP-K<Y^NciltXGwwOEz4P_3!QaXjoF3lQ7ZM-djCZS
z)GnpGl$qk4bfZsi3^jOn#?$a%Zj{IO>D$Izy6--*wY_0<`oU^{FYD~EkMfhZ7iFtE
z?90tf=f7PeD(ByxR9z-_ek0e#^6_F$X3B=L^v)s2{3{l5%iMPFjVP({op;tT=0opw
z$}qu{1Nw`9Jil%0su8Jr#>v5=;R$OtZ1}k|E2!lt9`yBhe23-S{4JZN%pNVjxSv0H
z-oLCu%+KGGlFo6!2S#3Hj^M<`wGM0Z9mc+OTCyg8V>RAU6lL<oox}OfOl9_0H?zXi
z3o6s`F1yiXk5rY)<wlf<ySzPiyJiOm*f0C|>&YL@5WO`f%$m}<YCksfz#DnFba|;P
zkezyHSpdsn7iR2|bMA4$+s#FLF3ySNZ=>ZWU#6TY4DC>b)O<1W@wqP#yzi@f+`x_T
zP#!HlQ!`7}Qndcd*>fvTu*PTCcJteXPRlw^hNrQEAIOZOk6I`hNkQw!9Pcg`7wx~3
zt(G1?HR<OG^75jUH-C6o=JYk&y&+VwI)CBVf5hF`9<;~LiRZqs*2KcHxT~_+B%*-n
zx2a8RvN3OV1;4<RX`gUM{}=2Ka2bQ)#lZRSE1mOYxBn=(|3?jGAjBVBAOT1K5`Y9C
z0Z0H6fCL}`NB|Om1R#MwMqmxjd_G#%w}^?605Kr`5szw#C&NbR`pAHhG%~4giC4A3
jH{cUxDCDzWP?&fG{L&j<Vh{|Z5r2R8u^8eBAcFn}W#{#A

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client.crt__client.key.db/key4.db b/src/test/ssl/ssl/nss/client.crt__client.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..73cc753ff42454b2d6333afa7fe3470ef78d4d9e
GIT binary patch
literal 45056
zcmeI5c|276|Ho&{7zQ(AU!yUyMx9v=*_UL^(k8j?3}eZfq3DK2QtF0uqve*8s3dYz
zw~{Dy+i1I$_AD(*lH4Tnn{#m8Zrw4D?_b~h{e6x(pLw6p`}297*XMc8d^mG3em))%
z2|RLWY<x5)flNoqqtIxS9hr<mp=5-stZ*G)aKZpPz9D=@|0VvXPzE&vvLuiOP|`BK
zC^;<YyzE)o6|zj3UKwARx_{~f>Hz^j01yBK00BS%5C8=JO$4H(q|~&v(Sqp-9BvdZ
znwP+F;v{g!pQRmro$cp2ljqqxcsP^CYsp3tA!Kh~S5JFif3mx?KY6~FtIvFA@?0;n
z<6N)V9<Gk_$iB|r9`=sTrexvItI^caCz|n0X`Gs)HX0QX6T(a4FN+c;gE)x^vB-AN
zxPB0IJi<HRaB6D0=m4Zaa3m)pB!<uTj*nQ*N#IG1nRE4Wa$ZD6lCXt|24o`+6`~p2
zNg^5x5sfGgmlrkB1owpolKe`8Zaf={Q`6E#2aVcJ<Syj}CroHaexbo1O@F0Ag{a1k
z7@V5M_-G>d{6t>-gbelznbGW5Dr~CpIxDo4nyxN7+Yvcr69N;F#F*6RVVkHI=fK%J
z%=MjTO6EYqRe0PuG~r5zW26GEp~6*cc#{opvXM==37Y{IOt@gdg*jZX;lctgIB>xg
z78ZyUG+H8x5UfFkM)w1&P$5``3c)&52o|D3uo4x5rKk|BMTKB7DijQtWA;Y<A<DGT
z7*VDn$}~iohA7hzWg4PPLzL-AFFMkTj`X4<z350U7LsKlSr(FIAz9XF7SUuOn&wDL
zgbx(~L_<bOgW$e2WTZ62EdvrRG%8#@7Q(u8q%|FBO-EV_lSq@%hHx7OLW%*w`(_}d
z7zil_vR4MOR|axim`GnHqQ*qjm`LAX9+S?XGhxZG5Y`<F;em~X@E*oOc!*;mJkGHY
z1~?YN6h}h@%2+tj4Z$;3JJF3b-i<Y3M;MOV5r*S-gyFayVK}ZU49D#V!*N|<_!nLH
zoPl>Ntc6dUu@F9c#zOcM8Vf@vLf%9e`e%ro2%~Me6Lz?;oe(Am3gIHe+3>N25bSVU
z2AzeRw=@f5x&%(mMfabkz=_vt5OpHP2*0C9!{1d1!WAv;jS@b<0tf&CfB+x>2mk_r
zz<)#_#|)i@RVEUR{@z>Jia|sPzlcN>im0fVA%{|2i%MTL{x#NIn1);Zhl@}Yg_6YM
za)eJ9G@8$kni(7w!HY?l5geZYYeK42Wk?Z+nUBTD$qLg6JbpqVpBHa;ptserRwmhF
z0a}W=`%*nF`?50{UQqi{i-nJ48~4oE`>xIodv=<?dZXRuR^}ChlgbNn*!CP9vRo<J
zOI|>EI=$l$r#$E921x}*E6k!y?@1oIRTsN+QMe^ecR>)prK2g<G^U|pB;KpCeTDR;
zeHM7>-}CknbQ9C>HMxbBr&}JTCC~NVE~$9_sVZ@k=diyom22Obk#9EDZr9l@Z?5QN
z96RCWI4y6%k-bR;rFrQ+(<?RAmaO`fT}kh<K2Z^2p|aC*>R>oICpoJk<DEi{TU98v
z!fID>VA-!O0asaJ2c0q#7BFnf<-)tK=Wj`yk}9i|<jdBIS(BCZ{@rGu_S2Bhoi@7Z
z3hLh6jkXK*B5oa`+XOUI{4}rk1*1`DC>_m$jBv6hnR7Bf5YTdxXbhx*Rra~Hh8Ph2
zWK;CZSMBLGx0uH4{!|Gx8k>%mR-RV<;;2SO5j$ypPTvLd>?w10oP~;>SqGo)GF+1B
zrm+$$*`wrTeP(-Djb1#i7W*n_oq?|AUZ%D&PA|68v%_loz*Ft2CyvWYwt9M<?KiQi
z)J%PBQbgNLjf>g(yVa19L+y|r+GKS~ZOq{i?hMP`<(`i=^rYzS+8?pj$p&9^W96xq
zy{j79uzH~q-`9HvMU*+-#V4Lu2&!PrG#LEwo#WCjlp$v)^|$2YE&Hm9Y}IFF?>?=(
z*TFK)-MB4w|J#ndEk9j<7TDXK60>n|*$Ck>+WFoB*7l7py5XlE2E^(-Hfj7NEA)=V
zpzmYoX_MaIS(m)p%d_SzmbkvCqC{&=VEOt#qWowr%8;P?8{pbfx}})u18yGpJA2#O
zhpny3_;D~e!TP5sZ<IocMvGnZKk|68+ilbm8<mo$cE8&2Q*cvVdVGaUt>nnr^Cn$0
zdtWcR!Z_>EG5zX+V12BfCHZb(?YaAo&D(~q*`KN&X&(9B>EhE}ciuGw>F3*qo>_7)
z>wuw!C!<2zdUfhF!zPW|kb$1kzF14w_%O`sOk@3_Ha~~rz{a>hMv#-{Z-w9Xy;=DO
zUSdD1eQn!{J=Ftm4Tjp@Hjnxat!$zO23b4&ICatKfg+E?OLk4qYBljSTD)$h28I7~
zsB&MWR^`vHO#JRr+~3W9s@W1NUl|>G+*R?@dXxS8l*_AMyJWl!Q{MgDcAMj_9glB^
zL^jyXJ?$%hEY*;|<7RR74UE*#x>Kn|Yj>FGveNvePnzfG<nk^ocg-ES@F2UurY+n=
zrr6<#;M=}`^qAvxabJDO9J}LZQ2a_#u1`(nsP7xPpJMrSItRCgciEaBJtDRCn#;S{
z%6ikaq*4j`)2Do7oHTWOVp2wX-ErhfSly>7WziQb66e_)E>%oW%KDDqXH{jQXu2S6
zu}S47t7+UjBYpz><y`b#{kDy({jS@kbtfL)|DY~n;my?!itWbko3EhyhHq8&I%1l7
zj&uiKbTiq$u?(ePaYW(Uz7M(!jEL?hE6fcGrK+Uz4LuthOh$d%o2U8Ub`Xw`=U1RL
zniMj+X5E(4Tx-xD(tU8s6z4bJ5BRxy20w6HRo0jD@mxlR!r)r-O);Brafab)RR_w;
zT?D5&&n0!t-aDk}coizq(q{+6rY5;wziG_4|N4=+eb~cWGmAEt+zhO1)Ba#DUvmAD
z#ni+)LZz$1wzP|=v>Fs2<0NmgKWgc>eFq-*S^kFBs3x(-?OoUYC6_ali>*g}FPXJa
z{j*-UdcDJ2{*iUMH?kJTyhz(qTcx6;KU3A0K-oQ8FSm65z_Yl-nb!Jd!xfgAD^z-4
zFpZ5Jcb4v4nJcZQg1Q`h4d)krm~zFL6CfS&bF0ezH4V#uv3|V2Oil6oidKJ3lLJXz
z!JLKd>T~?FRy|yc-M@*a72lop2l}+&Dl4MVQhCv~+3@{q^#Avn9lptr7T%v1KEMJ9
z00MvjAOHve0)PM@00;mAfB+x>2mk{AV+5oySUmhr`RMik5Q;SPKQ=%x96$gN00aO5
zKmZT`1ONd*01yBK00BS%5I_iEFev=!^?wJ7)B&IX0)PM@00;mAfB+x>2mk_r03ZMe
z00Mx(znOp*#tQ#WfB80g{r?6<dh>4{A@B|e00MvjAOHve0)PM@00;mAfB+x>2mk^T
z1Qakv_%Ht}&gk|33l!<aL@N*h0)PM@00;mAfB+x>2mk_r03ZMe00Mx(zmtF(hJpXq
zf4P+u4hK#81P@Af^y%L@KHwS<00aO5KmZT`1ONd*01yBK00BS%5C8=JiGYkceE(ll
zt_MYWPqHLwk&cs+NWYT`Nd80)(Si7oSV$Zq))H3}))OL#SV9v~kI+ddB@pF$2<`;4
ze^LeYfB+x>2mk_r03ZMe00MvjAOHyb7ZA|F*rWLoVL`#X_=F&c30Xia3n*yxlhtW7
zO_6CxLmOj@^p4~uk9B5;{@GbwR2EYEyENO}oEj|jfqaI%g{sIjTSZiw%TyMXW^$E8
zrMV16QE4VeK~$Or$$yomGr9CX2SyT^W)nrFxlDqnG?ObQD$Qlcib^v%GNRHf2><uA
zd1$Z&^Ur}vi%henM5Vb*oTxODD=8|?Wne|6nH-F$Gz*fD#c1Q>IDGz!*!U2F@I|SP
zYDSR?iG#%Xgi3;}T&Qfl>=c<5_#1dL>Ge|WQZ~5llJ6zwVh>>@G2cs^mQY2<3p@N*
zE&^S3N!xTq6#NqZ=8F^(tcI50@M9lhD@larLiQ7zau5Scj!9d!{CQVts-nXqAEiD$
zjxphC3g`Ah{@zHBsZJ4!3xywIDS;+KGC1i`6$$)bV=Q^TqgwwnpDwkZ0&xnnHw|(w
zzrXur*E16@yRy2aZUqw41-fb?Jwjr5JT_zFr}dqgYUk(nIi70nKFlmpm|5rZMtAko
z;rh7p0<+0HR>x>>j?u1e`(xp!>Lrbr*sO>2V7b&|642F<en-=N_5zBkr2QDj@u~95
z2}=x<(LZlFKv1_y*+9LWsdBEwrJCzubd=~$^7v7vX=Q>(!ek~()(zeG=t+1yK=R1I
z=PPL!cN^xG#gPoHyc^`6(sQ>6C@P{&vc)iYKH*Bc_4Pk~%U?IO(XMvd@9eM*VV^r%
z=o<Q29KD-?QInZ;STzt^#4CJpA}0S#lHal9`Pv_ATGwQl^&Qy0{rHX->jV^KktVrJ
zF-(?4zv<KP#CufjT$<{3Z9_$W9M)>?$9dUR(rDG0=bpPyW^x1c6SOQP=v2GjfQ`3K
zs19qO!e!v@$-$!$D{uNQQM)LhD2X)5<ceW3yw6jsqF+8wHSLv*jkyQ)!O!OJmQSmS
zBz-5Ltvg$fG?~fRUyU+H(wtVAb-u*BaoHu8_Q5}9&V`^M+R`?y_{O3^0Yy=yNiIVS
zlewQBXe$oO&#*nAP_6U4bzkJ>`0U~*&i#4eroH}84^DbcUNAZ6P&5*e(m_*D(J2Z!
zrK_4v-^aeU=KJ549$(x=n<=0uh&0LMh+)!j*Xz$RCtqCgc6xt6@}b)z>t~oQ^2OKh
zx8^iGNp85FG8xH%eT@N$m~LWeaNE}PVF$X01^lV5#2Na*xB|@``G=khDDomrvc#E!
zIs?zR^xi#~UkL3?IX9DH^;2ZcjO-4VqJ5fAB=>g`-%V!nq1D!=c2rc;5i^hK-hxba
z%<j(1HHifCGLx(8l#V3%2q>hlO@8sCg%~88eLtVLu&KZ1zO_Q<J0E?&OPtoOg05t>
zef{^3=??pHCo{RNc&l4y`wt#_qXos0Qrn*voT7CF+~&T*V6klx($zNw6ryO8;!Ht7
zkV0-VH8^dsu}rn8=VfNU#8JalE4&HwcNZq9J2LJ~X7aVqi<XNjVJ^vi%?-DdPV1d6
zB*uK#UR$lTN5&TFxlR&L2qI02H3b#7XxmMHm(nTuafjEnX1Bo(g7waa*32MI?x#B)
zk6tdC%%p{H_Z0VLmHJ+F&c@zW#RRqaPQ1Xa{Ub!3<;5rLLZbx~IguvCnu4$>o!qQ*
zZ>@aKRsT{GVApb4%g^sb!7(gb%Eoq2ahl>}CjEakDv`?V*eR1W%fRb)6*?m{)3Z>?
zcM&>hc<C$s-<bl6tVok$O+hErxpmKG)!l!Tt-YDt`CDrBu=)ksi|UGb5y5+MjGR79
zW^$xQV!{14YLWcx;l><K-8pVH9mSVOv@)Fyjx2{CEExidj7XDWO+oV8o$@c=K68#j
zT7Fb7xBo)-#<K+ujn$hrRyJNTk{x_GnaOkkHgEO)<BBMq+S;i*WY;rXKT)^XDA-(B
zc|&za342ID!HYC0))bWVR{8Y#6na4NMXU2@LcGr_<z2DP?{CRT9GBg5V_QehWG2JV
z#tWL->2U{-t3J?Ch)>^GV49(Px6PHfs`AeHm$exJiu6||zq|+#V+vBwT3ntZb)}|*
zVDv%P-=MbV#qKg!gXGV=Jj2rFl^;STGx_7E6$^IlaqH39T6wMhSe}9=V_E_Gsr36O
zd{29E2v%M|krHiEoGGaCj7t1`-7G%7zE@5kR~DMD=iXSf!!BGQ`*l*nw7AyEOqQ1_
zK|v0g_kKvdr|kDjroCxlYv~;esgiTb@d^5di7NyYoJf;mO+iz>8-`Y2^SZJm)a4H|
zl`aYYy0SC3W<TsVR}Yh}Z%Njg%%nn6b~@>jjdLR3{8A#?u6|&J@26?9{K%x-m)qAk
zJZ=+EBt@DOYYGaL`cQq!C1kkp2L7Gh-Rn}HeWzs@lx(Sg5Pc<brDtp1WG0trE>KZf
zRwd_AA~O`ltVw>W@FCJBNjE)-Znv_)o%BLL!HP5~))Z8=*6+zlhwgwMKVE-Q^>eMB
zTzfO`(_w5jr0Tf%(PKHo$xKEDAC}6o*YIZ7=-ntRS8G|$yVE<R;7+)$M7fuAOzTGh
z1tZd=SX0oo84ddk?6xi6bARnsb0?`PQ_OnJJ=7r5`O8zACDs+XO=j|D+%JaPeP(P<
zs5jbpGl?)q-#6P-wc+TAk@-<2>b34a2`CaGO^P)I9obZ!=AV@`v*hHD%dq&qL+iZF
z>vOuEFR}A{^m$>PFK;rF`DWp$#zp(*Y}wSAm=b>_J*M2x`zUX)`<#8SVx)8=AqXw0
z%@9bBU#+X?$ILx;P*%h6^11vtyFSC?$y?+hE64~ZJ9b4YCyB;D8d&A2+ZL6|*m@_n
ztd8`1-<@*Sf|?U6^n#W5{@{c9)gb+<!Ooj9j7RM!;Ol=0;&BuyKv;kU5C8-K0YCr{
z00aO5KmZT`1ONd*01)`EA|Rk>es%5s<*#yx@y^`HT#fc2!t_@<<+~CF1i3F8hvTF2
zT<$nN-e!C77giX4vTOI3B;qp5ycvor4bPK}qw>&ZUON^=4L3L(Tyq?ESIt8BmbQjy
zlj7WFIn=gt^Uag=UVBZGLYoD-5_TtUH-s5g9bi|ysVR<9Voho?cS}w=3;TAb`b(K-
Zvrc*RxPLw*z1dFh*QOKE^1i+;{|DZOS-t=O

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt
new file mode 100644
index 0000000000..3f0a9ff5b5
--- /dev/null
+++ b/src/test/ssl/ssl/nss/client.crt__client.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client.crt__client.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/client.pfx b/src/test/ssl/ssl/nss/client.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..9c5f5bb3e5ce60d158e87d7b9b114f29991a7d32
GIT binary patch
literal 3149
zcmV-T46^euf(%Il0Ru3C3=akgDuzgg_YDCD0ic2m00e>y{4jzG_%MP7uLcP!hDe6@
z4FLxRpn?XVFoFi00s#Opf(Dfa2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=vT<nr
z^f?&&0s;sCfPw~S7nR_B@WxU3_I&rLM4Us~UndX?S9>_5bdAZV%CD78oZy;co%SBw
zCYO`RQ=EMxZXc6FHAat!eT{bU+Lk3#bSG9VL=z(?M1@^XG^E4_@@oyN;HnGuKoyn{
zz@~}rQ4bgXom734{+-@F1>^dS>3(mimK=kGFWnr}k5qH;WQLs@?<=0HcXDlb*=@d4
z>gA0*)v{`DUz~}_q44vkYaw5>bv=Hb>u`aH#Pa~IeE)^!c1s7x5XdfV$=bvD{0ybX
zbWO%Bf(u)2UxEN_NZ8BZ6^|*<&Z$?+?(;o010@C1fLmV#zS{cdmk|r~83$JkHAraX
zBI^4#m7M}uzHc@A&GiA0411PxX5bbzWjRkP>JF;!Z2ct`1Khpm`o2Eo2i%kyuX}-q
z<hegw>cGe6M2_DqKlu*>0Pvn{T%%3+=%4Vs&quu>24+z;(;RRE$Hcn7|9Jf-%W!c1
zBefgZFU%J~RG-pICiT}4wmc`0n?!1G)`SB@l;(%eZy#9nxC7W!-3Y4ybi*8sF2qW)
z>6yoIRpieiYVl6IrLdh^6h8=3e7LL~0WwQ+^S}Io@1`Q*bLVo(mjOFon!xffToTjr
zxEi>N=EBA+dCv36M7$fPwGmLfjAVv^>AbvS4n;e;qi0HPA~Jmy@e$FJ;mhc#Cal0A
z2hoJ8WK$;CXh+~WF%0i2_u3q9ft=#PWj#`AeF$HTuea*=1a}6o8|jVQLSWViKT+Ru
z=2CpS$}m%|lTIyIqjG3jfj3zIC_klaC}Kbz9}iNK9ZUzD--@cM<Bxo3)$*kLm>*wA
zZ!p|qAu}@{_o@CA-J{1N3s%y$cW}{`fa*neZbhEvwq?(#*@71B6&Q?_<zefh{)+c?
zYhwL-ff^=d$m)`LXP)Jp{UnGE=R~%r41h>gTu~*?RZjj;l%6JLs`{~Q@ktP7c^au=
zhE&po=UD42Kg8l!9{E!!3*}}CjPYi7D>!(Ri|^}M6Vcw%;{gl&sdSS?eA9fwy^k?C
z>aumcaLGC6=yPL455i;*(fD&SiUEy3v!~rLR1}q>+2}=OeM0vQAN?k%Z@8#<iuHDG
zFYZaT)80hR<|`#=#U7?jA=c6ZJny80jr0C9E=%*ho&&2F>uBIsgU5Pz(=o}+VWwde
z|LKok=|<7|6a^39^W;!2f2tHz3+MnpILOFYUZ*Q+fcOm!v5Qo*kiO|7<I<n%Rm?B?
zelsxD*xmwT%iQLf72`qyRQoys$=+TYI*$l?$232z%JmqEB$_51sdEbu4*@m?cuW|4
z2<Ou+VrJ<pIUIy&UM;eqlweHyi-n;;{r|H~R1Zwx1PDJI%WjbP27+0)@=Wr>2EMzF
z;4ol?zrhF``KQVQV1&YTj9h*ArnlUqxm*hK{sR@`^Ypmjs8`A17~s^XrtN7II_Peo
zU5<@dUgI1}25wa!V%<w25I>a}6OUiX)PpeVJ%7w(WLa&ri<}&M^c?3^TSC?@-hcAN
z+C`ApIe9b+!hmg;fQO2qV&?*x^xK$a3uY6eeac8E4kpB`KJf1QMTkOf97D@kWYZNH
zqE)S1!!ImdQwgre2VBLObqEo~%5h*f#TqCA5WktIR>^V*`R3EGu$3pNPL5A-N(E~o
zAR=EiaZXcDxmI|EOW^0u0)ruG#Kz`m)twi$`!Z|G`LcD^<{?|y0NEFrI-w%4N_EcT
z0|v3ER=``8H$s4Yg4&6rH})Y?rtS+|I{ry}`$Uv;u*D<7xlW@EQBRFeuLg<7ragpG
zFx<Ka0(C`hmJ4b$LkR@t#=?mrZH*Qn0<TN?j}SR6z+GN{__e|SC*J4?nk><7PVw*7
zb$SANL<F9{n^kX2+q3JjXWHTV-aG+-0cd2p>U)trZ2AuiAk&)zU0CrQUTG3m)-G+#
zQ9NwBnX{H3J2L+JilV!2nJqA;x3^=PYl`3OCVEkWb}&V)`HfmYWURIpCkXky@7lp(
zEJj)Hx;md-)u;}^s^j$98@~XwyO8CZxbr)~H|5;p`*X0`JW_=aNp5|-nNNk1B3B}E
zL0Dkzt$QY7*zF9ebjuzfO~3gFt<jmsf|4-CUBdC?+C){;vmfQ>w0omZsgf_o@CV-i
z#_4TM6)i~r)~%IF!Il4)%%}=%(sx%lpD|6<bYMkJlapR(%C$mjFoFd^1_>&LNQU<f
z0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI
z0Ru1&1PIeAD4PW)W$6L}2ml0v1jzLFAr5h)zjXY%ody3`#{~Ru&*fIEy8J5`9*hc^
zJ>@f4=a&)PN2*Of2@Fz);CqFNJ|&tf{me3>4C#y%A(%1KXptEvQiUf$!A1vq+}wsL
z??}9Dg|a+}HY%2B;b0cS1`Sj1<0;@DoXiMu%9Z<km>lK9@>I)&d}q+SWj*UR?_5r>
zuwcKooWzf8PK;i6yql^tP3fN87`lnc{&|5y(h6C74}u=+dmi+y6Cj|ZH`sM(lq-$K
zc1IS&PjPf$wOgeByDkL?qSYPzY43JoCSYt&bMeJpJ5$tfPAXr{b2`?x?m0h9=n>nB
zT|JJ`g4Vuz)kyF=yU{Bi)c;c)m`t5>g`P>&HNF|8%MSX;SXzZ;Z&;gCx0Z4Vy(xqu
zi|7`iAWr(?qT}nSvMyXGKQ;j$W_l^Fd?!8`6Jo=0%Cr;T7Y0ExLh{0XyJb>bLVGFw
zq2G!@kSRLoz}SP0EqXG~Ez6DlR{@MM=6YkaWRd2Um`vImuN8gLKz^BsU26EtGJw=*
zFI`{$l~+Lt1*2q_VmY&U)tvR}3&Ug?7h4B=*8?$1Jhd!Y-s7Kr%k-fjC>pUO6x27i
z+mW;EUa`oh5z9|0Z2N|ee|je7hL$ZP5KA#VFEhLq&`Hcr1JULU^>eq|`z+|cND;?3
z9;@&)8%Yicp%XQ6liAjeZLi@lkIcN5pBvldrZE>1Pu<n-jXcPaSlZdglqOrN(a1bf
z_HFcsc@B1cA#KoAK`hogC_tG6qsuY(Wi@B?vjs#L=^OE9g|C>!veak6Y`hnJ>$mnS
zq*qzuE#+woZ(skhnWyaO3(J_1hEk?P!R8(EuSwELIeQ+|xN=)n>h*=Wb$E&x^jfF%
za6ns1i2H)HNR3M9q4bwa2^|>!2|TW}-uG2n50|*h<Rpq<M@?&rjuJnmIK|Ek9xiNh
zHc66<SU;xwNJ9j3s>8?K9b5tAsDT%uK?qRtcp@;}jiPx6_V;;$VCX{Fnm%En>^t%W
ztUtIq_4M*!P=zk1EBq8nuNT<;eiw6!bM#ecPLmdt&n1x=l$LY0kj02}fHH%6o?=eo
zTSe5Fi2`%}Ck7MeFfto<AD@e9yFfH_V!*g)Ve>bB*qFGurhGP-VN}eCal<W_-Cbhv
zCDwj9p7nJ?liYcm_%v&zW>uLbyRU~jA<-LwL+g8JJqefsrGrx1BgwgW$|h2QPC;GF
zKSBUzWuK6c{Qqoh?+pHnG8FWnHQezvBR;xd!nFR{XTi2XCrD#9X%BNOJwySm>}cHX
zmmT^R{oGV;R1UgH<Q4ulhUyIn4`}`zp(r5eV*2rFUjE95^egPppHWvQ&S$mm#G1>g
z2$_>E_@9SHif->wdYM6!l)YhLL~w5xM>}Lt6pJ7rZ$^RkWBX(smSJ%b&T@iqY;8US
zrcS!!>6`R?JDNi&4xw^0>ookA7=K~#RKQz#VMW)7h)p=Ok*3EG)f6Q+&}>Wl!mfqm
zIDV8H+neS~#wP$i?Bk+<god0HhR|Z}Hdh~W*_<?s%k=0cjR>X$4MPvpVo*NyOWw0^
zq!UVaEOfOtWt@;FUa8K#3E+mX360<HOMx`L&Qo7y1xH{)5k=WVjU=tnAkB2U;LkB7
zFe3&DDuzgg_YDCF6)_eB6b9Pvb;SsRDEvo1tHF6P@62HlJTNgZAutIB1uG5%0vZJX
n1QfmTC>Qo}j^)PefUjG>%Kf|NcOL`@4Y=)^zkWSS0s;sC45H)f

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/client_ca.crt.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..710f74aae2716883ec8e8bc4f8490b5f37063abd
GIT binary patch
literal 28672
zcmeI43vg3a8prP=Nt>4R*0vhhmG-u%r4`}ao0~MHf_)HbA(r&Pj0I~qNw3|Mw2>rb
zurpRD11Kt>F0f8jP@Ym0MJpoXqw3aC!CmXtWf$1lU07iR%fe1~!3Xu6lbf_<+#Pmc
zc0j)~JtzP3`rq&T?n$O6X;W3<^o3RNo<Ok49TqK2GQ+Y=p(rv8!{Z!>b2RC(&_yfw
zksYT0ljNC+XtGH-%NP>QGoy^cZxVYF7bO<r3M3!^1b_e#00KY&2mk>f@P8*zXfT+~
z8ElQOxn5o9o#*z|H-|#57LVWOjVq~i6jeLKvhrz;J4M<j&MFsU{o;7Hgyfv5dg?Hn
zI{4il)gK#S7~w$sE_ATuOw$?6KhI!m>HJWOr&0BWV-ETe4qESp9uksrig<&0OmrQ-
zP^d)>#!Pf0Od_2Zdf26$<@s!!IU|EzSrm4A{Az4^OmLb{by2a?F`R?1UUXHK-BDCo
zBhGZxh_lPfDrP&#6-s86Pj{A;REtH$vns16h;D?lgtLsZg=pG9S|rkBCsjMC+G&*x
zu`8solEOxcJW|+6kxvRYDLlByr&cIZQb$BQBow(0agh+Qkr45b5HXSvagq?Rk`VEd
z5HXXGmy}v~k@%>y9MRNSrp_{TmZ`H$on`7QQ)dgEWudbybe4tAvd~#J+H0e|Hri{W
zy|zd%^|VpXJUWu{ktiUUu2e>3u1r@d(`XfhlPr;DO%h)V9c`hbEp#;Qq(dSD$ry!_
zQV_YeLP;r<ltQnn(5ou+zF6s8D|NF{H!Gd%Rjn4qVkMTEB)*y?3)3XIf+oolHA&W~
zNdi!lgknTeD4HCaM)7E^L(^>0X||zou#AR-Wi%Wtqv2o~^~Ew84wg}0EQk4$Jwq;x
zTgk@JB-uThBwI+6^+Qq}lJ~?U-3XDfo}q9&B%FGy8`XO#aXY!Uh+-#W6^o7TTRA^R
z;tXa-2FpZVMCSYPiN4O=5)ROMUF;cLC&eT=+sBiaTNBP)!fQ<89$Y{I0zd!=00AHX
z1b_e#00LJefp&&ls7p&qN+HoLPNokRA869W55*(Xa3T|ulnLZPuWx$qld6&`mf6hA
zL50#(bgO}%t>Z^otJP3g3<d&Wv80H6peDKkp>RV`t*UT}RaH(gsNzZ}<O?*5VKOw-
zf`3ovSdPVZmBTahow-)Xy}NMx;J`|Lf_?J0M^?2>$&z2%Hg;d**!m|nE%T_Y_dhs|
zZ6ye9Vjh{uq>W^-I87m;{@3)sLAbyQLwFZA;g1TvexKSLuJgJldV^uq&YMs>JFtPr
z%fdg%WH9C~yM5WeO)Q(JXD*!<N;jME0a%jrBnv*ITIZNeiVZ1}qE%6`REVZV?nfTI
z9~XBkBC8O+YA_ta3&<KCIICy)c2;0;dji*vm%R5_`k6hZwnaO~^=*7Z@b!Gu^zwnf
zHauLQu1^=%sB2f8x!H49@I-QETUYI>_(NZKZ?Wh0<<|JalOF$l>6gY|_5b0x{?qK~
zfA8+ku5VhhBI~7BmmX{ioS!GyfA_P#&pHyW-H~m4=AT`2uG@7!&i~xzfvzb|=fI1D
zTkDFanfa2x?VtOFzLU8oF0-feu8hXs(5By})}C6I60V!uyY99Hd!}w`Z9VNOupeRv
zSL>e6WJ+sY_S#<*cDz#2$*nt?d~b92f{t+J+0Uow2c1tn_HnSKp?jS=_sPR2+q#|U
zd3T@7a(7<8{lw_UC$0CcPal&zuVJ8irTgVAy6mEs_Pvh0>>Crm<9L=~HzuPbGzya*
zo2t_zo@EDzGs8C<Gh><bSC*f-_v^#E57sKP3g(^SemVXDe$t%{Gn)R~|IpK`9Gi2#
zd9r)*lGpcjA8Jd?&*|mwFmD~ljOL0@+~A%0QPbDIK5(?7^|_<lAJ}2)EL+-Zf6#Q?
z`o!r+Q|uc)_$t19%lm7J?>iosvmw=8z<BL9IF`3J?|STy+gkqO`aCryn_JV>w&tnv
zs6C;tf2sSrl5HQ){HD#&wVKOn+&R7ET;rV8OI|N??GO2_b${C0;a#3Fqd)2Xf;T27
zt=RE4w|C2zr4289y7RN<1Et<6uF<w@o~`b^?cuc>0?xj*C;5NvPi@#9e0AKp-i4ee
zerL~(XBz*p@pR3Mv*{B)ba}f>?{x9IN4;5GOrAEEzU#>|=`w8W>VS0Q!~6D?`+C0W
zd0x*|9IAY40h@p$<b+d<a26MkfB+Bx0zd!=00AHX1b_e#00KY&2mpZ}1A%y6$C7t2
zxj0^DB=6!y&j0fnVUIBX$FM+H0}ucLKmZ5;0U!VbfB+Bx0zd!=0D&ulK&ftVGJ6^R
zCSW@DF<!b)<ov&j5q1f?uLwR61P}lMKmZ5;0U!VbfB+Bx0zd!=00AI?3Fvr+<!;w4
zPBUJPe+r14|Bo@kDd8C41p+_-2mk>f00e*l5C8%|00;m9AOHleY65Y53X8w5giGdc
zGLHDlj>!4{2qPR3j$hR)gy4Yy5C8%|00;m9AOHk_01yBIKmZ8*v<c8Z7%=mS@rS+u
F@Oy<<VN?JB

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/client_ca.crt.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..13d47f000664f2003064ae9110f2f5a07013494d
GIT binary patch
literal 36864
zcmeI5du&rx9LIb6-rCXekTS;DU57$pz`4D>UB{--mGTICmhluRw`+mQU~KIife2KP
z@z{Vcc?A~0zziq>V!}&#4MYaPD2Sk_QNth;kw*q7qVb;7TMHp{``7Wi$vyp^^E>Bz
zf9G>f?{>Rn9bK5?3wY_NrR6jE0L@C`B@`tYLemn7L?)au!Wll4f{=$R!YlQJex8&`
z2B1N4x<4f9Sf@lQ*PYZH(^P7>*t@aL*yGO|1noco2mk>f00e*l5C8)ICjuoZl|Ctn
z3ib=|?h@}zZ-5`l2l()-+U|7NiX3#2Ej!0Shg<1BJ`Y{s9GPo#PM}9QCeUN@Mi!27
z(D`|^JwI<)&PaO^?Q|66*zArpTKIi+CKGxw83(GBdV3Nj@y+sh=lIJ?grJMB2$Yh#
zE9~!L!YU?PsnqLJsMkq{;u*ZpGt2KUDEGa^2fQjVxsiE89ph;d#3@8N(0zCYnT$ge
z#A6)sDB<1Sl1LZjQywJvj0bBRCRgecQz%y`?F#ps-r_*SL-CY{KNNn(g+YwbE>r3g
z!n5)D{T1Hwh>iRyn^5!_7b|0|%A!>IloV>Eoh(_zAflwARcP5F?QK~&TXw#)D2?Wk
za0=_jn}n0anl#`R1~*x8)rzZDQpH`YW?XQ%u;3yc7gk(k;DX16TPQM!6$+Ka5n&Go
zg|35L7=&#Ygnbx<jTnTT7=*1DguNJq%@|aSOEJAre#F@n(!|+BoK3{pM4U~;*+iU8
z#F-_dSTc$wqgXPEC8I1PY9UbziCRe15{eQ}3-L@RJqaI%05Xx8nh+jqA~Q9SY|ThG
zObl)oCH7@WZ<h3CNpB%Yx`aC7K4wD7jPSM1gp`?(GLx&C$yLo{T{tq9BW@gV<H*=z
zFUOi$4qJ*6`-&1zOqBQvqQp}aC7!1!F+fpbiXlm$h%z#a;1OFR!z|%pmPk5+45uT=
za5{nvrz6O)uOP$e2r}#|$R~X9p1~IuTJgpaCEh)v#9K&|o{02D<kbHp*$AP&?npXr
zoQ{X%k;hGlTk+Z=f*toYvlg;%O&La3s?-lpdEPBB@?Lc@5sjbi)%d4M94_K<0S6EO
z0zd!=00AHX1b_e#00KY&2mk>f&|V3|;)%iYe|ueCm=_QL0zd!=00AHX1b_e#00KY&
z2mk>>0G|J0BLD#)00e*l5C8%|00;m9AOHk_01#;Z1mO9<{jV|15C{MPAOHk_01yBI
zKmZ5;0U!VbfB-!I!yW(vKmZ5;0U!VbfB+Bx0zd!=00AJ-{t3YIfBRo!m?01V0zd!=
z00AHX1b_e#00KY&2mk^6|NqsR9unP_4v#vFiQ5~e(N5Kz5E|eB0zd!=00AHX1b_e#
z00J)<fuKRHu)Whs;`dE+6?@AAF2o_u;wff@8u{w43=~|5CMje3E*Y`pVH~CCfbx+o
zQq>}}oZeZTRgm)Sx!H?P6>dD(dHVhb2|El&`(FHbsP@6#9oJfVODRf9(I{4_4!KBU
zp44*s?X-jE>Q{fX_&b|6Z>di=KYrP(4V|=!Uv=ikPgY<3ep%3<ik_sk4M}G9Q|BH%
zbf`z|Qf5WwR`1OVOLs1=8~^C$jf8b|^L0~lTT4>fapjHtl8P&3duH9&4L&*QcIvj6
z%vbJK*QHi>TT!BI3L2DAlXP=!Nb-D5)tLvL-&M_X{_5VOqDB-sYF?Xr>#WpgTxTz=
z-*Bb1B=^N<H>9trdbj1DmnRMU{KNB!>lMo`oalC0vZsD~{ifS-L4zV{lAOB@NltVb
z-wW<tU$=Jp#?&eIt1mrln7lQ!@kn#_t=LXYvK)15Np?;9=HO52(UW>KPi-FeE3%B$
z9w@j|=qcPhzEQ=LW@iQs@~BC=&230h`b#el8<$FFxi;_#tG6|_9Pi)bZ;j`TiuWtO
z9yK7XuC*l3%&4!ipWA(^W1Qkg{h*A^f6lA@Aa(fM>_w0F)FfW&KR9TRMNLxpR=d{U
zILE4vB#*tCoHwzu>E1%^#0ILNcEPT*o38IW)1NJCyx%IxrooNe^jovHHupLFV1P4s
zjl5y`+9B?S+Vt+8w5x|sp9vbIQIoWwHY8b{wLLk;&}Dbo;V&-icirw=V12x6b1-{v
zvhH|U@uGgx)<~Y7_~qP3J$E|?&b`LmInZfwdHm0-jaycw|Ms}6^N`}x-Y!a!WDcrl
z^L~G2X}QNWEl{wgXYU0&bB&c1_b%S<+-347C=2ybYQ$TRRzb;7g1k%8ie60%=dF{z
zbYp+1qGi?cllQL=7IKltf41Y^<ru0%V=q>-WE1+~Rs8pVwJuSjYtaqTCF=I;=IAcz
z*6Sv`V7GdhE)W0$KmZ5;0U!VbfB+Bx0zd!=yto8<%52p0Kl)Qg4O>;w!fs9(EzG$U
Z(ZX)CJX)CJWzoVGB-O~0V#1#&{0kpicC`Qi

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt
new file mode 100644
index 0000000000..212e72edeb
--- /dev/null
+++ b/src/test/ssl/ssl/nss/client_ca.crt.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/client_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/root+client.crl b/src/test/ssl/ssl/nss/root+client.crl
new file mode 100644
index 0000000000000000000000000000000000000000..1d345a098f4488bc747deaa0ef788d7168beb7c7
GIT binary patch
literal 393
zcmXqLVr(_YH{fOC)N1o+`_9YA$j!=N;9zKHV8g~7%EHWJ8j@OEqEM8dU!vgbsF0Rl
zq!5r_T#{at8XV}O5FG5IP?QSf6c=aa=P8tclopp}mZXaF8d?|{8krj!n;4jyMv3#9
zm>HNDnn1Z|)-g9RGBVUyDtwyVe{1D7zqPZ^SxI)Sy>~!W<pJaJ+>*6S@zp;+c5W9+
z^Lod^S|Z)bS@}Ni`Tpa})~8e$KbpomWoGw<j^>Bllh2*f__60v-OkD9uJ?Uw<TTk{
zmS=us-bBmDYa3p6Z@O9bv+~Z)sT{tk*KH0LCdCP#6Le5|<94^kM*Ttl{XHHp&#Ok?
zW?0u_DpK*4O>)g*jb;m5?;Xo@d|q+aiUfUo7iT?{_rZm4@7YV92Ulqo$lkcVF*#r2
zXz>Ca$%>3A*Vis^H2dH0V&i6PQTN~OPHL)m2G=s5-}_AU9$7i>`SIuP^gnIp_kxXH
dbZjc_b^6{}Z@>M}ghR)eg7;aw?eLl=1OPoRrTqW^

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/root+client_ca.crt.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..480e281015f26cae72cf86ba29e62a4fac1288bf
GIT binary patch
literal 28672
zcmeI43vkm#9>@QWByC#S^eCFzQ~H;y(n2Zwe<V$5hiTfTPzY`5gNGtDNka`3LYqX2
zqP97phkEolPp60sT0n8A+5zNIaZcnaK1Lnygz;6VaCg(=I=~zbEl5vyH~*vsA2STx
zjXJ-b+0A$VyZhbWezN~eHp!%7w%y}*3yZuBOC5eeW)c{dW%2}pVHh6gD4fGdi-jg!
z!H?_+{X>#xGSQSc!yu!J`7bj{Z|IJFE4C>%4_6=o0U!VbfB+Bx0zd!=0D=EIfjphg
zXiQ<}dzRI>8(m8ro|<JoUs=Fe=W#_9l-sP8Hletr&^Aw?Z9-{@5NQ|E93qm^r)sG~
z6?Ld{INf!T9=a<WXxr5ea(bagXZ&>vdk-D&3pf|MUH*uJ_6i5J^=c0hiRo5eXS^l6
z4v)_la5qFuG*_5}8n5=Si0LiaY?Lu2g<Ws;JDhdy$nc2ZRG&&~zTGyGgQrF)D=(g9
zEuSyUw9OZ)N{VM!*~kn9r6oo7;(|)SnqOL8nISk3&LYkd&N9*T0=XiROBPbKkgA1N
zNf(Pk3KJ>Jq{t$Lg%sJOaFD`@i)?CzLM3%X#6v`(d5DXMh>eJdkBEqoh=`Mjh?R(l
zmxzd&h+L#p!wbbnou!bb&JuN&sIx?!CF(3uXNfw?bd*d-$#j%VN6B=QnYNl~tC_Z%
zX{$NZN<GcgGmG}5d_)RJqAQgU87tA1N;Fyp;UtOVvMPzMOnb|;w@iEEM%pFRk@Qh0
zDFu<a6-r8>q!c=<LT6Rz^J1c7P1Maq-Ar_>%WaYs*+eW=NqkjF7N$xvgDS}qRY}&V
zN&--ogknfiD5@MDM)9auhliQN!_33sU>Obv%WybYhQq-!?2BbM94y1WSdQ=|dxlJm
zuab?UO0s)YNw$zGYlfwJST2f4x)DNsox|ZcNjNno2dZ&W;uiAUB8r{#Rb(^Ww^DYx
z$mxu>6qX6Sh}75N6MeNK;P=vcb>t4N79*0J?W4)dZ5+;A%qk}KkGOyY1b_e#00KY&
z2mk>f00jPr1cHfNqh?He{Ae;qbAsjCri#C&?qhHw1LBno@}P~f%>AIEpn_$#Gk2jp
zaVpBy@l_grl&R9~^9v1LuU{yzlCQ;tGOy2H+u*L4Z5Jvk>_USZSA0H?cbVWPU3~%k
zZkrpE5N#Ykxash=qqAnDJzZ9pd*o<I1&e1WADNk%X^T9^f4k4Sxu~an#l8)Hmj3Oz
zrFQ&|=NF$5H@x*yQ_)<LvEX-0*arv|#5`WcjJXm^bAm#m|Iu`9T&}XhT;||Q_&Y#?
zV4|ze<6h>kb~!R#4Sp2l$D$yodzR-|?)z7a;&l26Yp1Urh-2AUEpz=~(O6>~KJkiD
zmMG&>sdASwPB9}zRMhGXm?6lH8yPmMW%wX#U{H{a;er^%-c`r`^QdNHeK0rE9PH{}
zAD#HciRpX4YP`R<R#zXlpr>u_RyO&_lb)=>H(xXD{JL<@x`CeLO%I*-ZsF`JavW>i
zy3IL*mt(7QUwqMXyW>*o$Nx-fO?$JWtbbRQ{x^-Y^-mOj*q_wteJQYJ-6c(F-aodq
z6s6=W?rvTljrOlOz2K?$hZb5sT>tw=yNCLBAKIOKXR&U{IjN>&;80uZ&gp+U5IoxU
z@TiHq*(u#AGnTNs9_edI%`cFrw%;>3|L%!h^DcM2d*9~7!!4io_MTgro%XA<$Hr~c
z)v~Gb_@qA_e1q?3zc{(QbMk2S`(16*iY~V8UzK+2q5PWXzKFi?pfjg-;g^A}9M3ZB
z)&vxfM&VoJwnU8<@htnzNM`t{#>`k|Cd%QSIy2#sJN}UQ)oIPl6MOfaNd2_--BYzK
zwFf6I?)%r$C!5|mx2~uCubVO+8eNtrzC4h8vu{$rc4)itLg&3RmbS{i<kpAZJ73jz
z?~&%@qc^8^R_$*&eyVlOtA#ta*>|qCSjTNYxP0r3_qqqq241-E*pz2hZ;DMm*0+3Z
z^+%nT?>GPDg8bMMWBc!WJ$J`sP0YTbuFuClc=DZ??xea;lHLwZO3d6fXXTp9O}hsI
zleWx_wq4rz%6$7LYxib+voJ2Z{Xoj1ug}XH{_Z`vq3@Z`K1yA=AQ(IE)}~jS6K)?E
zd?Ukn=b<gn&6?Iar(^%>-sbVgFX|glq*XMcZA_qdMZ%ed+9tk-+)UTMBY)u5y6zV#
zU5CB2z&hckej9iAbo7p)`o~>9HU@{x8O}0>L0mur0zd!=00AHX1b_e#00KY&2mk>f
z00e#s1fqEjOFsMLqIiv-eApK{|JO5y1BUuv!UACpKmZ5;0U!VbfB+Bx0zd!=00AHX
z1bz|(rfHfJ*c<R8fg<dqzkZ+4`F{^%*kd^Gli&kE00AHX1b_e#00KY&2mk>f00e*l
z5C8&{fQDyS?uMTKPcnwnhLeC72mk>f00e*l5C8%|00;m9AOHk_01)`O5{TkQv-nR=
zxSM#S|L&i9gueej#TZT*`hKn}gt&nK5C8%|00;m9AOHk_01yBIKmZ5;0fzouz{o55
J@B0J5Zvjw2gWLcB

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/root+client_ca.crt.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..65f7eb7f0b7bf0b581fab253b06484fe09083650
GIT binary patch
literal 36864
zcmeI5dvHuw9LMk7cd}Va(IteNn3RNa?!9|A8x)((DwReA^`3P%yV2FilHJr}ifpx%
zC^J;sXi?9W*3goap#-DD80wX&dJJkX9x+}OqSD@T_HLIkHu<;l+nGK4z2|q%_kPdk
z+}-3RGs)mVS>Aw$$@dja5CaTPHKk~p>ccP;MJc6cjPwjYG?Gw-52RQ6Dg7d;q`IQ+
z2IE6Y7n@7Psf_#dyY-XxLhPN`+}O$&O@e+P00e*l5C8%|00;nq{}X`%t=5!~KnFVq
zL|1`lf+rwmiUBeFs<Y=hY(pH(5L-r;g9-OCoxE-)C%6CGw%ifS0LKVsXm<ZWLmkY(
zY{ot?yKh#1`w%AAk&|V!JGwB^_p1}w&<mH+O{X#06KKj?==MzUPb!d#PO&)PBgf9L
zzmpBCm<)}^WJ;t*kpX${iC%Z1-=9<DeP0ZCv~sxq*_n>v3@PFWkpWC6kwsieA2sn9
zMm!2cm!}{yMDvUXDL&`Hr}R~6Ol=ZrXDD{DYrH2f5b;ny<KYjLpL1amn_^dLOs&JK
z@%sJ6o}!42>KU6*^*I+Sn=+>-tu-Yk(hKZl%OVC5rI4*c+ZO3>$i~?+2Idaw!iY$E
zO8X{q(v!!Ubl@HqcUkeF6(3s3As%8i<3_-Z1vhE9vEn8jHzICaQj<=sP^cx22z#(7
zbRO)&B5cDV?872##3Jm(B5cJX?8PE%#-cpj%JD+^h%*<`#F-<`9C7A|Ge?{`;>;0e
zp3LIOES}8b$t<4CvXH8UR4t@xAyrGLN<1yZGmVTSd{_dABP-<)p39MyawM%8Ne_<2
z-Lk~KJQ>ZC(L5O~70Hm$Ks?4wNSP5nx0#SK6H;b!Rx>%Pne2-|<_g43AZ`Mgo97XD
zGcRCESz=#V;)Tf)pFx&*iL%7&lqCizOH45&2^3jIrV%`HZ)BP!Jk1h`Bgt?aNrvM{
zG8{*eVP8px<47{>E6JyP@il`_EcN0GN0#{NktM!_Wa*AbPekVbC&`5n8taP0ap5>_
zK}2pBA#TNciwJf+*34VTb<3rv@CuFT&BPad1V-MgPBx<Py}b^9RWabEDQ@5a1b_e#
z00KY&2mk>f00e*l5C8%|00=Zz0<m~uaR1*}w-?q01b_e#00KY&2mk>f00e*l5C8%|
zfDnNDf4C5U01yBIKmZ5;0U!VbfB+Bx0zd!=G=2hb|KIrc7*+@bfB+Bx0zd!=00AHX
z1b_e#00KY&?*HK$00KY&2mk>f00e*l5C8%|00;m9Akg>;!2N&Y-(y%I5C8%|00;m9
zAOHk_01yBIKmZ5;0sQy>b^5lHaYd8bCPNLI4f?oz{T`_U9zXyH00AHX1b_e#00KbZ
zB_j|_(y479zC!uE<D7Y(qJR?#D2=xYY0?q-*I(%<Sb|1tVp3=Kn_Xj|)lJYqWQ!ce
zA+w6Pb=kY9*^+<8_^DI;+5zsZig|(f;f2?(HD5CS>#~)tt|@3*K{F^;qYJqxVxHD2
z#<2F`dE>Y$Z9?*a4kKrFOLgY|l6=}XcFnAcOx4trj^4o}ZS;`V2866#*`l~)!PWBG
z?dpn2E4CPao%s6AW$grg%Lhrt=kjkKsV`(EH76654?24Lo63=2om$qZ?$ov>2iyZn
zt7<ML$Nj0D9!%0i4e1gZ5Yq5k#f~wjZjCQ2*?Hj04j;@s`g8KmR*Op$*U$4=58vE7
zt-g?N{B`unjlz=ohvH6b-RQrPUXZo(pl{WQJM-z?B_Dm(F(#O#jv7*MH6Y}a+UDPW
z_jvO4>lap^rB=CiRL$DBGb1m<`?q4Ny?Vp2EA@q3p6uVeP4O{zYp!AY=@#)V_iem7
z?7@t(oF9rx9;0f@hG3E^YDky40U@nrE8-_!c=b~Cx{fVo_BvN}VfT*q_YU7I9r^h=
zRDDdTtS{smUqy{?bLZu~mO6%An9)O1Al@}x{wckE-Ib-aM^FAv2a}XhLrVYEuKqX9
zw7Hwk1UD^ee)jD5+aDE`^;&H@|Hq#A>K{w@Z?g9j6KwT`Jg(s0?U?;Z%7RIbCC1dH
z7dN!sQ`V)t=D|YW+FgSy4G)7!il`wir~x65#kA>XJD4`%QOgmUCFKgODb~NP`f}>=
z<A*kW`gq~N8})_!ZOf&Lb5B0my4pfdnUi`$;f~+mIq`0Xx>l9D{Hh&SyEtief;p(0
zDEj@AeMRm&m1A7fbD9_P4|nJF@c62x`QAB*dZJDmz5Edrr>2#twW`IVnzL_Fd-=fn
z-rKs3<$D~NUc0!flttCF?$JF%d9xeGR^RV2byVHxGx+!aI%6Bkc;DFF*v434oMNmp
zeqkK(l6};}a)AI400KY&2mk>f00e*l5C8%|;N>OIPHCfG{G&fz)Us6@t?Uvs(aM5L
a9j)v#tD=<!Q5mglK?=PxAtwA2g?|BX=!#$f

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt
new file mode 100644
index 0000000000..bdbedc732b
--- /dev/null
+++ b/src/test/ssl/ssl/nss/root+client_ca.crt.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/root+client_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/root+server_ca.crt.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..cdec09a0dbe8b127c8725dc180b281a355da3530
GIT binary patch
literal 28672
zcmeI43sBQX9>@QWBoGk7iESut<zJ7hposf_Bm`j`0t7`PAP*lsD@`EMC>kM&VryH-
zshoXCy<R(b*71sZXGeNv)Dz^qX|1L9F>R-Jr_)}GQf+TI%cxU3f>zq@ZvF{qA2W{L
zP22hH%x=E>-`(&2_LKc*vPmXobM0=QOIYHmU+(Y;G84zJER!P$48!m^N8lVvS}Zi7
z3Vviq>F<*~la8jv7={>K)K|<Hy`d-iwdls^99)3}1b_e#00KY&2mk>f00jQ;1afpb
zqcMqH=w4CnYN%S~a96MJdQ1GyT6a}MUa8GmZW9WN@@)$Q+9nhi3E_4j#UUaob-I>1
zR8WUnhtpLX?xDNNfwo=iAgAVQbjI70*n8=Cuiv@URpkpiXs>cmTd(yHk(g@bb;jF5
z>u`I$eph|iM01r%u<=?Ci<sJ+$wnBHlGsgFpTk+}3J(tpPW36b=GtweIk>BZlG4IC
z*3yN-Y}-PiqNs3gg^kRRS6ozJFU%_!thvRd<!OQg;Vj}T;VctPFOVxDxnv<#3#nRY
zm2|Nvq%e`fOo|LrSV)mc3I{2ixX7edC|FWQL_9<koQJrGh}ejT_=t!YiHJCfh**h;
zc!`LZiKvQ{YIwo;sIwH*)LEj=5_OiSvqYUG>MT)bnU0d_D4C9u=_r|wGSgNwZ8g(Y
zGi@~oTdAj+dS=j`l#fUONpz(WB4Z`GQi(>ZAe<zTTvjFVm1%F8_LgaH+(^3wJCZ&M
zC8Z!Tw?auNl$1heRp_h=eO^p-tckjrsGEt7t#X-UMK%#jRT5uSl7*>~%%DoLL{*Y?
zs*(UyC7~FU6pAWGhEY7~)sbQ5&@l5zI9P_l!7>yMmZ5O44EbUi3J1%OFP5Wx$(|t-
z<Ev!jsFLg+Rgx{F%IXp68j(xFl5T`xU*||TP7+SF$$_e!l(>aFw}@gVeHGbE_pOwf
zDsnobEs14<FCuld_(Wgn@cTTpUKzfFE5)!RXZuL<avOs)7qym&{v9qL0RbQY1b_e#
z00KY&2mpcqA%Q?V*Ps~}8#|WF(G+L7zNuobtNS>d$beWSjXY>|EnV-F<(09_F6JJT
zBTh%zI=(`~k1>_Iygs4c<M9c3R`Ru&P~!3WYU*8ObL~P|nO&%N;fmMm_N)+mq^sAD
z-)(c_;v$U`hqfNsd2G(Cls}ZzW*<FPRL0^NN=IjAcFGd>iQja3wiWc2uI}9YlJuGT
zwwj5%|Frb1xcRjg8Vlx|jCsFZ#y&u(Am;HBX57_Sn&K1^{ST(=<8qA^=F*8T;qL$m
zg2`T2{VG>|WtAhns@{hJ{CE`LbbsVImiz7%qZplj(uSEE24h$@TFcxxSTx=kgHODo
zlp)IaRI1!#j8V);5f!z16J`jo6Gn&4Y8gJj8W<E{qqqPDabWH7&mYxnsS9MMn*-eg
zn<C>sIyv*e7Y(cWYIJomi+Wq<?_d*;KJCsJdgX7XJzwVU-#FNtxb>k6p6#4{b(Ukj
zOSdg+=t^{D_VdrX?{ZvD{?~sJT2fwVFB#aIq5oyWT>Vq|?+zq%cwX?Y-*{P5ob&1S
z=7OZGr9Dk6BT?7-GmD;idw8+s-AzwC+A}<`@9@6Fy9;&8&P&zpgNIvN_RRd}!N9TB
zhsR9b$4=`>nzfAG`$&Ita&DeHz3twqxxb#=z2HjsoA+;vKhpd`U*GvPnJK?GcYMMY
zT@9NoPfYmzp_lpgwo6mnI;M_wz1`h9qu^3&*V>dj4(C=s_fh1<2c20pi$C`7;CPl{
zcf_GsGzQ-ycgAb9h-cZaM>E4uHD<;#vr!iJ%-Kng{OZZ{FV1LYpFGfcGWmm=H&53z
z*BqL>wEw@$pKg5P{Knq4e{4;AXlzN2_?N-NTfI{Tw8OiM7d!5owY)|4Cbm5M)`g1x
z`;Imx9=kQUqoS+%#OaoKf6d>s)4pe&#X4cvp_Mykz11^x&j06&k4<}a-PY*D<NYf)
zRKC}7WtI8Wi}GVnjUTxG@7cSjYN9%ayFVQN;HfvFdJ<~iPk22rB|d%cyfy2uH0~Sp
zPuV^{(sp^viwo`VZ#a<l_2QV!wu4DazPuoB{={==bN{pdelK~=qCoV5I~refPP%Jw
z=;buy-G{e7H)lr6y!NhjeN7WjT+%n3Oet$XI~jl9>bSFuwT*l)xtVT!M}E((b;B=G
zx^{bUo^{eK12*o+naJJ4b&pqh*(e+`XE?_ghHwE12mk>f00e*l5C8%|00;m9AOHk_
z01)^&5QyY8Ecxt{i{LeS@?l@_{9nfy4jSry4hw`e00AHX1b_e#00KY&2mk>f00e*l
z5cp9Ln4xKkV{gKb1PZW^{>FWR=l}hTVZY(vkAe>b0R(^m5C8%|00;m9AOHk_01yBI
zKmZ6(0veuSxtn_aKgAf%7)}9RAOHk_01yBIKmZ5;0U!VbfB+Bx0zlxWN+5zC%i=#d
z;cnrP{@Z`*5&ZuDG-Ehz=>Ms%5aI>`KmZ5;0U!VbfB+Bx0zd!=00AHX1Q_~r0VA*I
Jzv~YGzX1y<hUfqQ

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/root+server_ca.crt.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..d7704c2b80a3a607f026118c205c48afbb98bfe8
GIT binary patch
literal 36864
zcmeI5drVVT9LIa1Eu{tOW3wWl7hE<_hUebiTkB(L#Ud3Hs4zubx_e7;D5ADinNDX>
zal`2{or;fXVkWrh#Oc&wobNbwzBiN2XEGN2LrFB^V~&{Jb9%dKjD>%Pza~BX-t#->
zd%x#%ZVML@7@L<}>UGg2)7(=9FKtwGQc#p)7)>h_ig4)}DLn%ZwIq~*1L>7|M!!sk
zE7H)wX#Hb_Mr&6@DfP#6hjg=by!M{fu08y+Nze}jfB+Bx0zd!=00AKIe<Dy85n)J3
zpnQG3f>`F7>hcOB1g{Wy)uh|4mV7InZyBC#r31Zma%nN0YqyQI*bC__Yav}Q#+FxL
zrE|v6={aLEvTf=4wB4GUZArJL($e><QyKpYo6=9CHl!y|iqi68SA}OrnN)NLGriNu
zu_NH`U;-*~xLR#6BvM6WfOCpaT3qh&<hn~|30_x(9L_dogmpYkia0`W0G%u_h)o%$
zA|B(2N0}hH%7R1G&v}sI3m(Rl45iu-mq<DMv1f{tT~2S%L-m}8$6tQIg+WY8dbrvU
z8(2-L$1~IA4%#T6v+-A7a4|C}O9oRBhQvf_c{<s$pg~ZD$yWYt3--5X<1E8-?D?s*
zfTX9iZvrbljaZWo+{555Gd?uqLo+$VL(Cj*c-)w9(;qix+zh~tfE!V21`sRcZ;2zq
z9t`rI2fHu`+b{_GFbEql2s<$dTQLZGF$kM6$cbAyo<ARPX8oEtv&5Mt&Ma|ei8D)_
zS>kLYvy5bxk<2oZSw=F;M5-oIHIb@`R89UW@iY<7{$wQK!w^6$St*O~T$ZeqC22V%
zJy-^J%M$w<$!H@PZ6u?mA{pWzh{te*6o>G+IYNpfq&RX`j+~Vv`@)mCJaOZR8&Bps
zUA&Pq^4L<A*jJW#VY0+$kR@KCEb%&Ji2=$IQ}jy$MV7&71drSsoMsA4GX>*FG7v|S
zfjE*3#F1pcSCWA^k_`At@)=)z&EOMDz4*eBCBAxOi7z2p76+v(C`<m6<U;U|6@zg^
z9H*EUP_ameoAKTvf*p_Lj3#p3vIA0#VQRz3#Fu>p2H&d=CaCefy#{|(iN;MQ+`t0}
z00AHX1b_e#00KY&2mk>f00e*l5a_4`w0L1~|KCx!7uE#?fB+Bx0zd!=00AHX1b_e#
z00KaO5P<uCxDbE<5C8%|00;m9AOHk_01yBIKmZ7Id;)O)-|_btRtN-u01yBIKmZ5;
z0U!VbfB+Bx0zd%n|KS<{0zd!=00AHX1b_e#00KY&2mk>f(D4bt{eQ>bV^|>&00KY&
z2mk>f00e*l5C8%|00;m9{P+Jgx_E_tQ_Pc?g6N&mx~LM}5vc<nKmZ5;0U!VbfB+Bx
z0zlvuBj8KYs4SIT6rR#a4yViQbs!#@%q5~(IwJr2YXI^sKoixGeX2669z|2C7?gu7
z!NVxTDQO?~_R`2f*_}rv)=v4Yv1*>`-a9e-swec{c%%Ac<*k3%Fp3JJXrxtZ{4QaU
z&uS%I-+JQd3ij-GwZiXNyXVeX$zRL6aKC2Nf+6~Car3utedtSy2p!Vgj*us){4LJo
zKmU-sVDV?08<XeUx;3tg<LR8Vr#ov~kJ?+}+X`8J*R<&N(S#!Pgd<LRUbl~#swLdY
z+8gfmElun9Yz-^&C8<M(6!~_9tS*V|O3hk3|IEXN_fFK6B<9;P_uWkUb#iL{;p@7U
zz3STvDLgrI;qKUV4>lj@S|7h`d+m?SS$5~(p~X!W?bgDPAAavkQiTl3i|q*c3;WG1
z=fe6ai#qpq<z)3-TW~nfJfop{_4*##OAqUMz1dbs%U&)wUU%{2{BtWc%l>AQXnXdj
zm5o2O*7Uu$KJCj5t9?nzkRe5`9U*r;+T*TU)hDBDhb8aa<MXF`eg4%S%^7Uj*Tc(3
zx1MhHwiR+)s+fMaq~`db#Yf)SRdsWQ=XzfBCm#%~>O0wbwf3(`Lw!l%Awx?4)voO~
z&JO46jdLr$r3~7o_pY3~u<-br)fq#!8Egk9-durtrp|9GWPQ!zrOMpPb+%)pFZC$D
z-$<PuSMU8(+^{LGqW5a?is(xU3mMXc+7WVCHeLDd?uMD}1Bc@4VizbAj$Akq-%@d>
zvc8+`YAHXet&sf&b$@bn#K`@+Sn=Y(bBWaWjP2`^n<9GKPsQZz+;H0Mpi~K*PcvQc
zcxF#?7tc69efh>a4H@~ixy{k1%pV<l(v*n?qhz&C{s@XvQQ;_7`C6l`e-x8DGUJU&
z{1-*n^7_1Az@3q@C_7EM(Ix);{w>slgVmWuncZ*W-~Vg$aSDBlexN>1zgJ(OzpP)Q
zFMP#5>S4J+00;m9AOHk_01yBIKmZ5;0U+?|66hIjp<e!@KTXK8IU-b9<kg|dyr>FQ
Y7CB|8GB1RODw|N4E<7PJ@Dqi90gcpt>i_@%

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt
new file mode 100644
index 0000000000..5d04ea23ce
--- /dev/null
+++ b/src/test/ssl/ssl/nss/root+server_ca.crt.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/root+server_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..433b1b91c6a7891f52cdcd3f87655486798c5b99
GIT binary patch
literal 28672
zcmeI42~-o;8pmg{Nk9xDuTflx6crF*CL3YVvb#lPcNYUhK#>Ru7}P33SzIdRxjZd(
z#r23AT0o1f8(Q^=%d5Kxbt_n&OSOOs&v)-l*mAI^uX=p;oIB^to$qe{`^|5@xs#bB
z6A~nk(<lYgR7o=x8i9zgAV`w%5(o%_V1u<2SeqA^XEkTQmTY6c&14hKl)E{vf#8__
zhv>}Zm6@F~OEdEV8N6Tum;fe#319-4049J5U;-bUfES0u=i89u;}W8k+Nc?dxab76
zIxsmhJ}#=0Z?M02sJ~$NXg~jP0#qj$Gg{D6FR)k8l+a-a8!3b#g?L4zGQOn+r=0?-
zGgc5e_^~+ro;KuU)L)$(Ib9j0X;EOeQ!vyTYtR(!;LYUldo=GyoLZf%OllEfwG+`-
z8f(aChb%X;6W_*$T<)z=M8+#yy0;h%gHEWokKDg4hq!1#VDRu!-ofJqBmKt<!bT4d
z3iF2}_>LJJARq1<D)9Ch6CCO!P*7l{!72o+2->Isme8<B2D37lm7y$bA``<z0uw1r
zTwx-Ei5pB5Fo^_-8<L{*DN>}M22JV5fhsfwWoQcO&=eG+DX2tKP>QCY7EM7hnu>y{
z!9BfyNLi@2k+Kje3z4!ADGQOZ5Gf0hvIzAOp<W`?ON4rfP%kN}m7-cHs+FQzslFCz
zN|B~3YKi#J2#^r%sgQzwg=kNO$XhW579kCb4JOnTq1GbQT7+7IO4LN(5VjE`Qep~@
zEk>loh?E$ODn_G<(Q%QWz7nJ+L244zH%ciHiA549X)vL#!Gt?zFyROW6YiqHg!^eQ
zAwYu(De6rG#bCB}LwF3Ot=*)}-K4GV0JGU0U^cr0%w~6h*{lo9W_N(utP9LGx-e$o
zz@QWcj=_Y{V=!R|8O-QbQ`u@xYcWwE=-WoNx)TZAiIym+=tx9d29GU;u*0@ukrc(P
z(9MBnaQOZ<B%z-~663)geS{)eqeA(JmNPhlZZVl)sx^VrtvOg(>|KP}a#O8|4KVP6
z319-404DIU5m=PSN@ZDf>0(J_1{(RMvob2^Als#bGJTPye)IMQ;8}3r8PVk-zCk3h
zm6$-Klj|v67G=)iI%W>btT!h~Gd4l_&|cIK4l|6!?Cct<RBHsj-tf7yAW)^&#3U(0
zg5-jb5V;^p2{LMRoGL+}fvwcaq!eY6AWE5}QS;5g#~WJcN{hfp5Xl6-xmZexX|W+o
zSy7e@l4I1!$PH#Xcz``~;^N6Q`$e11t<;^G5b6>>qkqrL5bxN9>(*3$b-?#zAAVuo
zsKKdae|Pn^xOmCE=)_R&;Y+r@6OSB?msaiy<}<}ROXPco4*BNO{-*hI$MsQp{jW^6
z{r9c#u<VtRo1f+OUom^`=BoS$Z%ofTY)nsZa8b{hJ2d+jtxw#brp&JHe)~7QNFJP7
z5$({>YYbQS;7FFdu0d4r8zVY9wrsjm_CsNwRobPLhN;sko^N;Cv38jM)gqIB`fIa$
ze;azauGrZs>;C=Kmt*I<+~foi*EbB@laiddtwyn9iFW6Bt{?UIUQiA1e8t!qxd$zu
zs1v-bw6Ak#MXWkdoc?TWXr0Y9$<&PZaV$u1q=`l0%;uQuV-!C+3!{P#vTqNmKNNG$
z&)UXZ2Bk7O)|3}Lg!0sfoCJkjl1lZ5<1QI|Ofrfk<A7@);V87`xe0#F%elF;X!P#9
za`zrfcHcSL&#sExK2x)s5i$4Wv&F@h(?&dIu{Aw2xT#MPe*XUSw!P6>(cRVTm1~z?
z%wG7D*^2VB_6?<X=O0>8er<W3jw>!sNpL;6KG$vh)qOQf3vZ;nOuc<*mB}dOHO~`?
zkyE;rclENZ4XBvsIiN~aSvsudLcfW(h&{_BR@&b<Jqq&e7s>{YEZOEHe`NN#RdC(o
zDITlLt1i|(>7@BNWRByk-q)|~k5Y9nQ*U(Yp^aU6ZTCiR>6;us&j68Z{+l7UmCBK^
zrrYGNzmquMb@wf8Xl(jNW2Wn!5Mgz8q52D-`o#-AD?a|^@l%YD?>quZMy$4ccjhRt
z(z`LV`pFE0jm|>WLGb)e(c9yyqfS;}f#qGqPH@8()La2^6{4TZ-Z_LARu(4w0S$R4
zwp<xC!v3qkc+b;UMu(7Kgy6O-G17io+?|ERs&xSs!Ly5VzZd=z*CS@Yj&0K))48X1
zrv;3a@O`sY<QzyvMl1^?tlDGIS%{(czq|ZzT#Tdummfh9m_F6&co%pk4b;!g5m5@~
zs3Z-Q&g?^_GdLTW43g3DUcdMAlj_s%3>CM(B#0-xdo+TJnQdFQNj3q_a~=W8O&Rc7
zQZ(=CuS-~K6VpANrRj%jmz#9ET{*1ig*K%shLdPMsbbC8eA4>#syNq%<KIelz4kk}
zxW2+V@AK!X4Gj5g4@HKOv(BTT(JaDq=gzpkidS|&KJ1=jf4m^Dw$PRPsWyna!tX+D
z_kF6}$r+1ZvBr2k*pL-q<1xKVH_L=7$#^tr_4%eLvJ1<<SW?zhd*Ijs>;A(zGoA{g
z3+j)p$=NmRUx(7KteM|=-~rOT%x1(4vT#9lmYt8UXvpTtE<O_n9v;_t_-yRDZYQ#C
zR8>7qb+hmK<f`pjP7G-$8qj@Z=}~6E=9ey;_qkXq&mUehG~nf$l6m&Mj`>7yx@}T7
zH_{_!%1_Dp3?@mC`4&_csxz2rdv{~8DJDt2Y0C^;{n6YwlJa1ze(boQ-<QrW9<fGN
z78O_8-H17RFD5Idbl~*rnwhK8&OBXQvH5bI)903fUi6-N>rd2!YS~R&`E~oIj+mJv
zQd{TDKlePWdg^JN^_5TT_Jx&X-MN<&{*B+RE%IH9WZt%0OK0VeI9Jy2Bzb$?QunVH
z<(XMut)7(`acN&;iu7ciXz7YRwXsJ$cet=ji<=JL>NEH58Pl@v@z=ZmkUprJb76RD
zMq}E6`s6_y#+vxQTDy0={CZ}Q)0-*gZkrF;Ond!YlzU%Qnp^$#%}aKvlhVz`^-9|t
z>Dafv;iwb8|FI35Mh(pgFDO}5r5kYPC0AQ%AEKqU5Xn`uEgnx{r!gzw3H9y~`Ib}b
zohK?zfqaawx8vVx{TU}7ne1pvTo$D!O@YfSUIoEx;633z1O{F(0ZafBzyvS>OaK$W
z1TX<i029CjFab>9uSLLw$s*x5H!Qv3{EUeV@cfg}iOJ%^2Y&kd{}_T7&x_$5;wApI
zb`X1u319-4049J5U;>x`CV&ZG0+;|MfC+q51XxUhWWj_vl%=yE-@}gt0)P(p-F5W$
z|F#70Ah`RF=h=Q#)UY#{049J5U;>x`CV&ZG0+;|MfC*p%n7{`kFr1~cBHza!>R9jT
z)}INVBQW0U{eL+De*1rica>NE!LZ_iFab;e6Tk#80ZafBzyvS>OaK$W1TX<i;7=0h
z#I%HOS78~pOv9GZgDK;7{8A77_y0Et-aT;te}h;3CkMveFab;e6Tk#80ZafBzyvS>
eOaK$W1TX<i;Qv9O^&bc5=K|oJ#@vox0Qg_va81Ji

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..065152e027a94fc9ba48159ed8cfa0fc22a131c9
GIT binary patch
literal 36864
zcmeI5drVVT9LIa<gF>lwMy-m>3o;e)aqjKCwcukGs9J_RDk224dP|FT0wOIUi5YZ8
z1bjq|=(5eJ$uNr}nfiwsb?S7+ZMsc^I?dbzH+7E9Wk^&s;_f-UT{VWnzr$aXo__E7
zo%6ll^EtPL3kl52$#8pJbn&u^Qo&0bWCLXsC7VgpGMP*+J|o0u;Gq(QB5)wSQqSm~
zq+B)$C2MsLW$H+qEJ~p}tvR8o((sZ0MA{-x_B09lfdCKy0zd!=00AHX1pZG1O2WhS
zF)@@c(JMGgT%|6rkS2JAz^gjdW-;el=v;G3hJ_CF(&OAtI@@NQYqk~8Z&(WG`I*+7
z`4&1WlTOXboRwis&82OY><n|NWdbdJzgo)pU)Y4nYLz}UhLX9<oUWCg<t1X#E>wD#
zkz;$n-_8V7M2bqK*T+(YWI)kU!R;*bc(N<pD+I4ATncB+Ota+Eq=+K~2higL2C)e<
zmBeEK@hA}-u9Dyo)pH)C_=1NaVU|LrkB+76{@9g{w_HWupoj7~50Ah6f(wI~gjBgo
zKRmD+x5rcIstDRBp0n{+UvM!o32UcO;riHEYGW$dvY<gwg-KTaZ437IW#h~#S+?8>
zw1C8?xNib0J`Grt4&1}wE)za9;X@NS#6wIRZg|`naWe%sCfp?9M!=0jY?6o-^0&kh
zVGjoR&x2hUgl!mveHes|7=)b|gsm8ay%>be7*vE?DV{$cac2FRIJ3l=CC)5yW{ERP
zoLS;*AhQf)mVwMNkXZ&Y%Sft5QZ<sQkyMTTD)BTD&naXi;lmI>ELkaw@LZOxlqG37
zBtBRMcS{oc8pvn^8Eqh=#UdHvABe|rgcOJHxj90LBcwQTR*syNBm2UWxjb>>i5pMm
z7P)u>XW+4=B(bj~@xmmD&mc*>L`mXxN)iK<B&O(>1d1es(+D1^H#p50m}U&d5oI8b
zC<Ads8HgjwfUhV6aYPyL73DL&_?p2d7JKo9BT0PqND^N{l5_^8D=3TqljK71k97p&
zIB*;%FCeFb5I5nyMFcw@%NdO1x@D6R3}Gt$?AV?@0)y{WI}_CS-d>Hrs%UXD5I67u
z0zd!=00AHX1b_e#00KY&2mk>f00jCgfk?bCxc~33+Y9Rg0zd!=00AHX1b_e#00KY&
z2mk>fKnTG7KU@ev00;m9AOHk_01yBIKmZ5;0U!Vb`ac1<|L^~M3@ZczKmZ5;0U!Vb
zfB+Bx0zd!=00AHX_y2GW00AHX1b_e#00KY&2mk>f00e*l5a|B|;Qqh=?=h?p2mk>f
z00e*l5C8%|00;m9AOHk_0RH>`YRyQQZs&kU1LkY@X*E&Bn$N`!cmM$)00e*l5C8%|
z00;nqmyCcfPOUV*Gf3ufFSZxCD!g{Yv&fa?<i#WMufLLzuNEy-MU1bTQ};kiDF>h|
zWDXuiAx=Sm96kF%*Xk98Ti&f2ab$N}mUY*4efF>$6H422_B0M}yA(!IVHAxbRcgOW
zSj4khL0`YNkULU!{6<Wohe{s1uA=eYomcMaHl)RmT$8i}?H%ol3lAOA)Q6Dw*L806
zUc7ud{7&=o+=3lbzgnC&#l2~2OZVfP!eg!VmA!?mzS(p<G3V|)_nwTJtHOvvYSL5Z
z<-MCqIydrY>)oFceQ~OgAsu`lLQXH=dE?wX@83(u<c*qfW)7dy^kZk(wv-bo_sa4w
zgg01w3t2WXVZr&<&hLM|^J`h1<NS^UYw?s(%THy?zlmKtq<M+n7pDvvl6UkW<dEz=
z8HXH)uGFMkFZr(B%Dr@LeChkie>}N)pnhrk*z)$?LRzafv|P-xD{fspzV-a7hh-0n
zE^Qm$+QNMi)znaZuVIWYP7yMsgX=>`Q%!Ac<^KHNI<|gPo3?&pm$}5YcWjq@b$i2S
z?bFla*Y*~&X~UZ*FXWxoHn-U1RL2i<SB||}l=-weeb}w1HFbyY=lSB~Aw!D))vot9
z&R_HG+K!~bjYHJao!Ui3RmI0jyPl4oty_6+!it$m=yq=*XRImvZcfI1&$4faT5kNV
zP3*dD|KtNrTjA*X7JlR7!!^FRu#h2*s1G4y#x?yCVOuq1^7y<fTw8(e&*rnqA6iSd
zOnk(BJw4^^^}U6>vMc^|W&WMl)|U?YG-JR9-R`qrPP?#4Gq-Jhc4Fgf`6)Z4jNyFh
za>3)NT2|qFZ`9`YW0MzYw?Apl8*xyu?mZCSji#Y-Dvk6J6s4r(Xt-i<_nNpfhJDKJ
z*2PEb_jl~C$tk}&RLr6nh`8#){4~Yprla*KyS5`I{{6pN7cJ9u>XLQQx`Vovy34xl
zx`LPNqaKzE1b_e#00KY&2mk>f00e*l5C8%%FM(I(W~%2O{i#EiP2r)+4qg?i%sZ5!
Y$_`Eus>}=WP-P<u)5v2Y0zXms7q(k}82|tP

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt
new file mode 100644
index 0000000000..9e34f7d8ea
--- /dev/null
+++ b/src/test/ssl/ssl/nss/root+server_ca.crt__root+server.crl.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/root+server_ca.crt__root+server.crl.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..dba82085f965c11ae464328fb65e8017f3b8199a
GIT binary patch
literal 28672
zcmeI43se(V8pmfcNhBbKBHJjnGPNv%517d$A*gi;5D<;>_N|ye#2^|WL}P6&Nfp#~
zrPRm4QtJxZ>XBM27L@8)twn2Hx2wCd))ryc$3e@gySji6)}4EkfUxM<J$m-k<9E-Q
zJKuf%?{|Om-8q@OQj&D0d?P*AoVP%qPjiG1L6SryO%ntm<c~i5;Z7pnKy~g!x{b%2
zg+wSb%3In_h&}&B^p!~KypDMlct!FBNI(Dx00AHX1b_e#00KbZ|4txMESAXv$Z4j9
znMPa2e7z}ip~aGDHRPBw`a~ydHK|%Ueo~BfDvjIdgh_N~I~}ZN8F|Q95mrdU3ORa%
zF{iVKxSIlQ>#4wn#0bT*mjcLHc)Z1G$Tnu=cPfawDY#mDYOo9&qM^jHf$nvfEEcOV
zuTw<WO~l#QQ$x*$6h)AIWB~!>T1~#*kYnr|-f0M2I;ol{o%Uf4rc639Iewxhc^W-I
zJB?186rYr)MKeSvOp4XTN2k)7sD$Ly5wxD+50*dV{J|j`SD+deRjE-?jf!eqL|xPh
zlqpfBLRmP<)F_KUnI2^ZK8wIoj5EiI4ANj3=R8P-WsnTZARU%LLM(%nSO!V44ANp5
zB*rosD0jK%^bae`oi<jMV`Vv3mSbf(R+eLBIacQIC=QR}@F)(C;_xUHZdKt{6>e4G
zR+Y0AYpSqjIPQu0uo#dWuT;*Uv2wgpIrdh;@JY_1YL|(0IozAWy*b>QZ^T`k9Z??z
zCZ%A|+zL!efk`RwtO`7<0$&#;9;?J^O01^DV>66OPQfXWq{~FQE)y-xWuh5eCR(D)
zMC){!2%yVE6rCo9;xfC2VLYzdu3;+oFjbd3yy<p_H{I^=rrRCfbnEh_+a2C?>+<G9
zx+rGQ#C$CZ9G8ir$7P}ra+#T3rm@SM+iBuJaP~EHxnn@?WGeMcrU4UIqif4x?5MAT
zQ{lLkM})8fu}m9463&}QZVvxMpRTv&n{he4a|frhohHTKYCX{H)|)>l4<X^T*3-tH
zAOQg&00e*l5C8(t34s;4)KZ~ezka?%VPcOZ+x>b}^iu5COP#aI*Liw$2Z9jM2J-hQ
z(Mcq+otVxz$d4F%5#ueE3@aR0*yc@=ULt~tVk4QcVk%8Y^$kxoTJq^=4f?=>PBdHc
zv+|57Njf?uMMviu`GUn_GB2d_Q7?-zZ?Q3t&M@ZXTV&q+>t<FS&T{-~Tjg|_w?f4z
zScR*|_%Xf$Qrx3c4>u?W|H;UL8LMYq{hZr+a=rc7^whA)^MhV0Owr7Hdvj^y2UXEu
z50>q1o%q_)y7$91K7Tkps`_Z0r1tcX=oyC&=cpQYCCezq&i%UGabv%DHOR9<H|(Q~
zvY@lGhWzb^$!V+BE6@L`Bxv1|W#vs3mmheZxN_gIFeJ?K`m(rHKiQ&8BRdLT7!~vR
z*4x(C3L7#*+6N^_?3WJ}=~~;l%6|$nSIw)-HmbkbTjp1AdU5-lxed2IiP*7eoVLE&
z<9Axys+Ye^J=0nf>Q{8>(#A9MmWQ1eClTki4Bx%jTKMr*{f;%Zozo;S%=L>&SEZ*K
zrpzzd=X=AlFw)O<uVhjBhN>FJ-#4YU2K-q$XXVql79@YA2}gf{%^7oijM#nDkBp&S
z8y*)?|2e>qPpGz^Vgx#gXi+#Haw*P`i)6<#W1PXI#KDzkHviWVX60XL3;cXMWJBA_
zj&3_UaeVLxi8*7ApPiI~f;#!(gP0IJ*L30S8uRAZhU6tRCBK#bWEz+?bjQcp*V&R|
zpBBVUQOcrMnaS4?6*cj0BH`B^i`_?oynk%^-?;RU;<>2!Dn80BmYgtzVYqV(rDy0v
zGxG8o2Q`>+2*kgk1f-z%RrlC3%oD?926x+(itamCG5smb;2?)Q>^3PP_?<2#_<ND3
z0B!l|H|qbfMz|^0F(y>ysBKy6(f`NBan-kNi<`2<x!yAyN~cti{>L|%!rQ<4Qn~A1
z%)Zra4gO_s-ZF0y=$4GuuQZA`k8Z#3l|E+YPSY#;yMceYGN3s4tIEWdz2TBqZAp@K
zG2gWe*kk_Gx^nehVM65PEk&^bqqFPmi#(Y9E3eJmc&cNz`n$EiUQ^f6Qgx)tKPX;2
z|E4^%vh7G|@vd=yJm5H6y1ei3Dsog^!1(#(-nW{I0;8h2vE{SEqGk-QoqE6a+j*P&
zA1(U6sp;m@h~O7))DPJt&LRW3p##<*JWN%V-w7+<6Xt6?Ra+Vtd#7~&8^ME)L}hOM
z(W7;lVRY8)zgQ~-6iJX3K1@HRFTYJ*?k^NE6iGgKm>GYQ#&^dF%xJ;J>%-pq<$IyG
zuL&nKR@XEJexLR2#jK*NgTu3%uP)e7aN_3bhVnCIBi{5)jAVDW`M+ox*&^!LE^FO0
zXZ(U<&f;IZ{N$~)<~hgh{%2nd+>^Gy=)%R~$zR0m+NRsJLaiCH{otaC@h9urZ&*KR
zeP`5%E6Tk5>zfx9rk~z(f3fQ8R_>j3gIneu8nYuz=vmWI`@`U6e?8$@Hz4QSfNvZl
z`-kqGymaOLf~q#_$SqSmw0AdsHcfY~uzJLU+1?T52Lk5ayTz4UG9N5y{_y<iz@;-C
zUQ-7Zd}bK-N?ZHk5wf5oTeeP&E1q1re?^mh=!H8HTVrsFjoC(6o0j-opDik&8qkJ%
z@`!xI)_UT-B(BsYL~DlqqD3n>dd*`;NA9~B7SfY<nUY>1r0voh{0R~e00KY&2mk>f
z00e*l5C8%|00;m9An?o*@SubwdZ(Ro8lrGPA4(`eZ}>T%|8odwj`V;u_nBQFI1U7W
z01yBIKmZ5;0U!VbfB+Bx0zlwrLqJFoBo!yL`;brJO9HXHj^xR8oX`K+gmfSO{Ga`^
zK?RNg0U!VbfB+Bx0zd!=00AHX1b_e#ct#1t3+;a7)A;=qh2BRHJk{s_dO~_ddO=$M
zjG_g%fdCKy0zd!=00AHX1b_e#00KY&2t1br`cS^;UsfpBSul`NOM3rP59jCq7YOM^
z{`tT8xr7Ca1_D3;2mk>f00e*l5C8%|00;m9An=S6z`r=aUl-v2dREfg9{~Ov#4Kjo

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..de0f7b37cc0bb1e6b656089aea58a8916d64b3f1
GIT binary patch
literal 36864
zcmeI5d2ka|9LKZCCQX}`a0n4fbXyQxK>GGd(}F+<p&Yd>p%rR{uxSDY%hjZSgD{4p
zfG}J-1;LR^K<#jdTppa|urk9Tf;f(Vj#3y9hC^B{4DNf`7#N1M|5|=KvoGKGe(!zv
z_df4s+f8ShA%nAh0WULZeCb#z!0@W(DvDC|W*C)9rIF8A`3xUAS<vB%{7OBfpCmP^
zZYVRsSf|p*IaTqrvC6Q|Fxeo+-Hda_?SIlBXa@p700;m9AOHk_01)^;5h#g?F`3O&
zuuDL4mw3l|15#fpAcbG`cBjLZ?_lz6eX<=)xRpuqd6+!sfLCnJLS~SokSWL+Fu1_M
z<mNE;+?;;d1MK;X(~*~Lvpc#n^6#r-+0YA@nx@y8>}E>k8|U#(@lPy~gD$BoFrL(1
zVSg7JR<V6_I+H1hDk2?<-;{iwaejYZsc(`L@Wv>~4an*17{-twP9f5PNs(B@rS{em
zkD<h)L~?seB3*Qkc#z;@9(-y)T4zd3qFkZ0%iLqU#es;2_7M+%DEycUi`Z1VMrUdp
zo{i7%FY}g0Z0JX9Lea-utZeF>9#o7eDT!KWCrcJFh$yvU6<W4Pdt(;P)+g7Q-<6S&
ze9G%4aq`JyO&V|ui<_*tYQ<G6sp2kH0T&`JEVxL=g%uYWxR7w+mWvExg+e89MA(Bx
zq3d857GWC}VILM@BNkyN7GWzEVJ{Y8GZq!&Qb{kAA93bFnmBXBnIp~|aps6KN1Qq0
z%#%?(8O4)PJQ>B4Q5F)lkf?=3EhK6QMTw_{c&3w{gbzyqab%_(!ecoyQ;uXSAo<`}
z+^k6K%ah(b>CKbga*%Whb;NxHLP|jR+5#aZ5K;oUsz9zPkaZEsSdqAi#7!h)i@hQ*
z@FKQUB=%J#o|q!>6%>i5s7O3dMPh)8#1uo4Kv8657{Q~oMuu6!!z__>WEoCJmf>_{
z8BRx*VP9E>(~)J^SC$X?;yr^eEVtr~qe#4a6p6QxB0Ul5jmS~|NwN__ech3C+&CSN
zC?SuV5VzvBMFczUEASSwZ@G+AUad1_B|YgD7<sR{*oel@_ImtNB>@-BaRCPq00KY&
z2mk>f00e*l5C8%|00;m9Akb6^#Nmm-^M6xaUYHjU00KY&2mk>f00e*l5C8%|00;m9
zLI9rsVIu$mAOHk_01yBIKmZ5;0U!VbfB+C^`UK$lzv-_r%n%3w0U!VbfB+Bx0zd!=
z00AHX1b_fM|HB>t0zd!=00AHX1b_e#00KY&2mk>f(DVtw^MBJ{W0)Zj00KY&2mk>f
z00e*l5C8%|00;m9{Qv*;hW0Ass%HN*D@fRyV2B@OI3PE`0R(^m5C8%|00;m9AOHlO
zG6KP5z1B9PrONLc?JD+`23$y#zj;mM)8!iZ>aPqGd<VU*i|t(Azq~eq(l$f6$QG%_
zBY|dqy>ZA_zr^_C9ABDi%$k{Nuk8usv|Zg|r><zkw3R{U?`n!tQw)mJ=|e8+*oQUE
z)YP51e);3NKZG5~HvP!{)!KI7T>Q$g!TcUQ@36LfZgMa=CVG<AMkHA`QN1F2cG`s#
z{Eoe|G6Sd1&g9DKN7l6}b(*&I>72zjl;rN>#O|MK2Od1p_j>yJkFtgrE~H#rM!&dz
z<RW|ZvE5y3gUPz6NxH>GBq>!a7<b!Vb;r|cN58ANu9Cw$({6Mby20+=W$AqOi<PGv
zO7fC^9bNctX4)nH-fx$-o8-*y(Cz5(TYKhB**r6gx@%DfleJNk6y1$TvV{KHaeV8h
zn5Azl8||n$ld-rg{$!!__G|r@i=Q2yuw-RJNmlNA_H>IYwKw%eE@=aEvs(SB`{kjP
z)3+@-ICpz&MSOZNnU0#ITWCa*dB>)A$#$*2(*8^K>Xq)-DmnYqWgS+1KO=Qs?-LJ>
z(M1g<*<$CKpHHl<?lt?ZiU(=;E*}4>YTEPfSFEV2J(U#S!?o`3V6rA^lJd9OHT=dI
zQGcZ4t^-y>c?a_k#Wf=xJ=(ZdY;?@uNX-~RYctO^Nb-Y@=4vG5_L7bmC);KfR~>pm
z9MLmw<J6<C?r*b+zpyQstd5$b1vMhc`HL3ZZ+WQo<!<L{CJk><w5EF4<jktS0(qSd
z&Dd5j=p}VSBpv-u3$#gBaDMe~w>_C7w+zXf^hwVV+gsl|N+(kDx7N5Qtyu`_CrEz(
z<ng7RyF<q8|1+iarUfTEja__jU8+O9eKG2RQgjC878I|gG^j28j9OZ5n%h!i?-n=u
zyZW|w^E>%_-jQ>mn^&Iy<<{m8yIj_;D7Or}ZytvK{;xMCs*HDxnZ`upPU95g8RIfz
z;Zt_2hv@<VAOHk_01yBIKmZ5;0U!VbfWXsB;5m(rdh$nq`lw-ROti3D)I|%6Zf&%%
WTcD$bMM)DaY(Z*+#vB{|MB!gEICTvG

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt
new file mode 100644
index 0000000000..b54121fc4e
--- /dev/null
+++ b/src/test/ssl/ssl/nss/root+server_ca.crt__server.crl.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/root+server_ca.crt__server.crl.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/root.crl b/src/test/ssl/ssl/nss/root.crl
new file mode 100644
index 0000000000000000000000000000000000000000..1d345a098f4488bc747deaa0ef788d7168beb7c7
GIT binary patch
literal 393
zcmXqLVr(_YH{fOC)N1o+`_9YA$j!=N;9zKHV8g~7%EHWJ8j@OEqEM8dU!vgbsF0Rl
zq!5r_T#{at8XV}O5FG5IP?QSf6c=aa=P8tclopp}mZXaF8d?|{8krj!n;4jyMv3#9
zm>HNDnn1Z|)-g9RGBVUyDtwyVe{1D7zqPZ^SxI)Sy>~!W<pJaJ+>*6S@zp;+c5W9+
z^Lod^S|Z)bS@}Ni`Tpa})~8e$KbpomWoGw<j^>Bllh2*f__60v-OkD9uJ?Uw<TTk{
zmS=us-bBmDYa3p6Z@O9bv+~Z)sT{tk*KH0LCdCP#6Le5|<94^kM*Ttl{XHHp&#Ok?
zW?0u_DpK*4O>)g*jb;m5?;Xo@d|q+aiUfUo7iT?{_rZm4@7YV92Ulqo$lkcVF*#r2
zXz>Ca$%>3A*Vis^H2dH0V&i6PQTN~OPHL)m2G=s5-}_AU9$7i>`SIuP^gnIp_kxXH
dbZjc_b^6{}Z@>M}ghR)eg7;aw?eLl=1OPoRrTqW^

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..6bccb020a17e1825bfc26b0de2213c63422bfe8c
GIT binary patch
literal 36864
zcmeI53p^F+|Ho&}jpH^#9m(Y+g>sqWT+r41PDDv19mh%Tawyd%&L-U@=_cJ&l#-H?
zYJbs^?weh0Ey|`^Nk}&-{AcDIQQQ7@_s{-!U;BTiX3lq>%V(bFJ<oj2^UO2nczd~p
z#0r`7qhccXu}n6k48bsD#biPdB#*6hZ0%jBm_g~?!9L-B_HUW;kO?|o5$S+va@~*u
z9VwTukWZAi!gjy{2mk_r03ZMe00MvjAOHybpA)d6(HIOJ*e@h9NEj~&<A(%AibS4q
zf#D$n8QW?0);{)3XAe93nM@*%In{&tF`j9_XQ5_>lc|KlbV4DVA1Dm}n1c3+0ulGQ
z0^87zLSu~3f&Gd6qPW0Np&<670`(IGY3%13ER<zvO{Ou1_tqmsB#INpd=#O4A|i?W
zT*HE8m|_XbFm!a_jn=XJz;NNm>>mx1RL95K#?8Jzhmatq=QL+`>uG*WS9?F^bPs2*
z>Gt>$Y^QoSxH;SUFs*H-PV+Hh@=<JMVXGOovT>UTz(ZJgkOjVLf$v%nyLb`{4!+^y
z8y>zf$2S)E#uDG~@l7DMu_UBW$(B$=aSawKIS#JELU9=uitDgYT!@9@N-PwYVxhPe
z3&q7)r~uzeizg``p=>6x31u@v*^E#&Bb3buWivwAj8JA1x!6Q5Hj#@><YE)Kctk9Z
zh~*KnJR+7Si6u07gr+%>lHkK40GSarHAC^dW<*WRh|+RUY%ycu!BP{~WfQ5{L~1sX
z8jB>7ND|^{I0PvUiXWRpkm3-eIK)vo#8ElKdEpXyxr7>*P~#GL1wt;H!{*|WQWMve
zns~*eCVm8|iC0l-;`Nl8I6$e1Q<Rtl6sg&ljld%f?aRjN&Bp614rcZi2Qzz%gPFa>
z!OUJ=%<L@=X7=i0W<OoL&EN;dLh*(pHSyLXHSs1SHG}$0VV^nwqe(ObN!q}^;soNw
z3F7k6pg@AS1%7T(0z00T!{!m~*38n7MWQk6bzn&1L>7i)J^BECTx=AvAMo)C4q$yW
z$(XB^#oaC5sfUsGxJj3M;3ilA0YCr{00aO5KmZT`1ONd*01yBK00BVY-$Ou_Du-2u
zjub#h2hxf>LF$knkZVX8auy2$3m^ap00MvjAOHve0)PM@00;mAfB+x>2>eY1WXTkm
zI@F3vCk(a94q2)3Rz_m@UZqKmD^!W0_<|xe+Q@{VdSg9FhD@PTRd1{#`u~c>kYX`1
zTB%McL&;r<s(1l8gGBsI6$FO`1ONd*01yBK00BS%5C8-K0YCr{_=Et348e3qN|G{+
zTCpah6KUk>6tV)>M<|MA#zaNMGHtE#m%5prQKH!37@@b98`Im{jTs}vc0{6(s7Pik
zo>UZv%@vm&BpsPS(xDBK4t0=pD1)R!cBUk$!Ke+(3Y{!DU*^R5`h%xR7_&$i!xRW(
zVnrk;Oo=`iN<{x(=^TXQBLRqt(j|nUREY#3g;)?+00BS%5C8-K0YCr{00aO5KmZT`
z1OS150s$Ga3VaZnMaPFiWCzr>7KDcgBV#39YZ+W_&_*C|G0K3-ChFJiC*yJ?H%gKw
z9d%%7qnh|Ag1o}eeuF%HqdF`-R97;}FhUR&5fK$>9LbLmnnVX1i$vjgG823wng5>z
zA!$e+atWLNUyYnYvXM1N(m&x8gE9aDfB+x>2mk_r03ZMe00MvjAOHve0{;>My`vb?
zPuU^lF|cGjB0#`55yZsGNMmRSSr^8qc1Xji(r^l%Lo!MrjUh{8NV;SfI@Z}YmBbng
zB8~ZxLB{;>SYjwZgsV&X|IrZAfRrOSSik=$vJtt8G$PUe6271sfB+x>2mk_r03ZMe
z00MvjAOHve0)W8ZKtP?$fggF5(bJSy!$*oXn)pRFPHJqsT`if#fXDhou^O%{x$Y5C
z@x0<NmE=`B?VClCNeOr??Wo&STkEkyo9#)Lnq+gk7OoeFsKhJ-Joa3AS5*6V-T~Y>
z47KP=W_C{Fa!4|1fI;TazjRzhi~$uo0?E&ln@v-r4#CWS=(0M9x|E`(q@)Y2_k`4v
zlr8#|GfA1#Z|}>d(wBq(SSVG^_X?I0`)$O2BQU6#tc{9Ew7p~!Od_c%%QEykGA|vd
zc6Tw@=@~xpa<zvysz{@cUFEduts)G|Q=x&stAlDY6tSNGVVRk;*x1i>aAq+SIXslZ
z;z)M~;Rs?_w|}u=Dnu5;2!x7ZIg%J7aQdq|?Q1DJ7K$gD@Wds}8)a2%A2^+U6~CxH
zn6^-HPTh9jY*^!RMu>Sw**R|Bd%II>-qvYkE`J%dhvc?+0zX+u%bL*fK|WyO;lm*#
z`JH+{JW)?IC_C!eeA1jgD&C8pZg;C$y&&pXT=JSu%2cbzdr};9CWMwJMa!ba$xU;%
z-sqZZackp-wdGySg{6fWW1MMWZDv77-<EDq&2#$xthjo6g2K2$czn5zOBj4|MPrJd
zjV*ifet%P&+2cxPeki%RAWQX9%Dwvfwk4JZLt5|X?w|$3dTf35E$1(ikM4hGy1&3w
zMR=oRyQ9Oq?ZsaiXqMUp?W>i2vn+5z@Z6u{vPonZg0q!TB~$^MU!$c;p`v6M?&;4A
zJJlF77;;4?khZprT`_u-$*U%c>x0v09_ZZ*zS<C+5`2DKXyem}jKnK#YwGq_Wg0D4
z@w8&)zttEfGH#}J9b~*InCB9a$`)y)CR}?ty>Z^<B#r7}dIi&qQ|>pU&M30WJK&bL
z(!yHz;Q8ommuux6t#LVT){Wn_GE-jTPGj_{fZGKh7V*A)!(NxJ-Mrw!#9UK~+?lSD
z8tr8dugI0Fhu>AN6dS9WoSd;F`9osi+c@JrzOwe6JC6Ig-CcFssAsOC<^Hoe^WVQ@
zr#*@~pVqkRr`vi<=7{BIY9<~J96R!D$3-K?n9@D_+#OSA94%g1pQL~P9X<Ymfp<K5
z0E(+$tlTn}nn<q0FRp>N$ltiM2K?UJmwYKKhA8p4n^D2bo}^5C;N~A&{+yFh!xmgu
ziDQI+P}LM)-1N5fh9PWP+aO?rVHlH})_;Y{7l;?u<ZQnCT<M<aGo8(gAMcyn>~K*p
zEwMa5y54og`cbPWr&rsN2~Rr)T5p1T+WriZ)c$f$tJsFIz%HIo#<VeCtB84^*Aia~
z!=GJk1E=-7j&%@T+rujG-(BlNmqo)PgC~8n>Dbuk;f4XiXUDG4FXu<9qHPPfP4=<L
z3#lt!)vKGZH;+-&yx%=y<4mM5w93jRZ?WT<aD;wySNj%&QTbX4JF9cwnchq(nyKN(
zeHP?p$*by`xc<kqu%bHqQ(n(xiVCY8x_3TpTgKbTZyM6xGU{HG`y}$M$8I}bIJKR5
z(|Wc0Qq#sFzXc@w_fT`Lk&TdR3|mLd^t;_<zRftq{`!c+uD*iAjkmVmxpLUB)9Jv)
z#5>*<Tbv_Xonm&c>B*v)Qo7$ezcLj1a+Y4=wp$KA^o^_XLDHq>rN-GtN9H*mpvr%x
z|Da-dUR47;Tih{y-`={&<doceeM-QeaIJoG40&6+oXl;V!fLyGY;$H*=4;GY5mvam
zb@~h8?PEi-3Ko>@KP}(<-E{ly?v;%Ov34`eOP<J$dOGK}%wdC`dx^H$_oh_dKC2!e
z7xv_W-jp4|^QLgpPB<-R%Th9b<ek6MRC@H6AyYN^JFXpwPkYret+jLOY{tF~>lUV`
zji}G!JY7AS|KgWbr|iePtXX?FfcdlTh28ZdeOnhisxh(L@RQBWJ?6r)jEYpvdG$3H
z<`2D@-1&4H*VO*qkqfiQtK(|CbhQE+l7&0-o{8l~q=Zcs7t`trO43(eNf<t?oZ<f<
zMSR@cIV7V&;X%gL`5HE5qqEACubuCjXL%O#jiVae^uis+z*{{DyOIW>VSnkq6Bd(5
z{XD5!e=mX;{&$vvc~a~vuKGObAXE_J^lM-G*ge8)$}fI~8tpr?YTiFa>gU!b?S}Lf
zQ|zamut@XRnGMzKTcZUNzSITUfMUM%6ADS1f3+{gzTgYPjQi66{uB`Nt{&K(Ebq6x
z>mU&PUH>{r6Pkb5$Ci4jbk2LdW`hq!xWVLF(zhXI7D1KOE1LZ;ZV5iU&LV`Nwd&X!
zyIS2-8#t7+mE&si+NQ{RM<PngcNg(I#?3L(Tmr2YwI&UHKceT{i~Im5Q+@PKO83h6
z>z78Bx$5RWR3V>V-W^b^&{Ebg@9Yl7FVh6H(X~IF3rK7?mo4XR-J2N|cIS0^{N%_s
zhrGJQFIHsg?H?9cUZ5>wqP!~T!KCvonvqxB8=j0)->0edxWaGPiT~uP_?OrvIT$Ya
z@bVqB3~usyd@$#9#E%{B(aSc;80+pzr)tq2y*s;ljIaXgwh}k=c)7Y~d(1AL-dX4T
zG^MPG=cVMKuuDW5ny2Dl{<Fl#x}wggBYyijgo3?|F4n?+_>yJP`(*g@N#aDb*>6UF
z_P3b0^R<4MGI#y{Lr)&Zb<237+m4m#HRi4?{O-Dr=Z_8^*KYBj-L@2LKSCRk-Z}n6
ze0&cta_GGbdV!YjXqmzX*_&GTR*VVcq?DIJ%XF75t(|?)Kd#bQVbhrJ4h)Tmy?WAP
zo8Fw8lZH<mi&U#T$+CNpWwbk=Tr%nA^H+yelddn<|0>o{J#KGGo?wPf>h-Uzysk}M
zy7wWqB6m#F4>sQS{YI7Tj?W)<@%6*u{)eJMFQ@vM7OUBGmN~dAlaD(s+Puxmd{)k^
zlM9TSFS71>Z~wtZzu-u_vR;0YQ_jP0J9eFL{60D}_fp-@s4PXdD!szUxx*nJZg&%z
zrmfg8{@la{uk-a<y0~{649|)?=s~(NzSRAP@%}$W<~gL)B$rL!iy2@61ONd*01yBK
z0D*rOfv-_|UyrPR)znltkP`L}8;Zh4zEoB!K%e#2h^YQK{;Z9EXEBzCM2v0WnXw_R
zFW!(~9W6W#`~Uy_MjabvhOpsC*}hZu=}_DsI0XaiL}TAB-Peg8@MtUcjO5o{=q`po
zGIp-jk)GEZ$wn6AKQyE!Owu(g$kn<Ysuh%eU{#=S>GIWfGJofAWaV27G}b6TnUwq4
za3txoF3`XSW<KjKb3c8~!=3fN?OXJJ)%kb3%IAL3Za=G-ka&Dlb#@67QgJon#ND5R
z*G&-a(MB?aTi3Ra3!D@4OnGENk$<Xe?Gu5q#n|exe&MmEn}2X@qHk&Wv5|UP-{Em-
zi+)hV*K2hPP9@hwM0JND7T;-9f1fEg^r$|4_sgPL!%lX~gzrE2x@eM{+w1(EoB$g;
z2HE!EjoDAAdC(A<krjD!bV92{2X3kQw{BC34VYcEZOWpvlMgIi`oeR9MJ?R3iIO!E
za`gAK@SkUuS?HBV+SaTb9a*|4Gj?Rhok`Rlw_R!1V&Z~Jw+UzOsB2Crb<;MV`%agi
zr+MU=`exHTf<4;9$A$&J_SwikafqUC9Vb3#Z>~RDzUxm6M`{<Qv`2T=ovHEXOq~$c
zN?KsBf^0f7*d^kA%bKiI`-6t>ca)C*y7+o&ZGya|VHMe(kuwTXC)qsH6S!WD=-hty
zQRdS9kB+Q3s+i}TTxGFZv5}kpVuOms-pkKrJq~@FVY8%B#&EAHe*z@1(6dhwN1jZ(
zmm62_c}G=6pOjIQkg>}E70Xq(B=d*a=3aAspFk_xMA8jC?qK^abk?S?i=91hh{Cx6
zKjmZ!QgmEel$K8@8LzbV=zmD(4mCLjAG>}0`^dYFf=Qn0ydnF1s-~>lx;M(LdTTTJ
z%?;JyBQd8&y{n2R1<D?;7~LM)mi@xdr9<23il?AR@nRAAjKT#Q8{8QUywzhqVlW!^
zmmZ<RVpUpyPul<S@n7#reXkCtC;j51=3hHkSA+Q>_rE?9mE}-3ZSk43|Cl`s86K>k
SdnmMpl~!>q(ZQF?u>BuKN`Sfm

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..2d3a91e75b37e4fc925ee9cdf4053fe8fbd9a7ef
GIT binary patch
literal 45056
zcmeI53pi9;|Ho&{7?&ACa!D?Yp^HK@V}_w9*W8k8?lI%iaaS`Tx)_y9q#GeZNh+PB
z)S;qqigcxvL^>#?3rZzP|JfVI+uM0(=6Rq0^Zd{Meb+X#=C}86t?&M>&)zM2&3>|-
z9BhNw0ffMa^<fM)K?fm)Kq3*#2?PWJft`GFKi~z!Ezy%P^nv_`_+N!sgf_`QLUIHl
zD(;BDp(X3FSFq7on)r~oqxjW-)d*|{1ONd*01yBK00BS%5cvN@AXG#|URfE*S;S^A
zLj%GB*bFlUn=$n%YU*fi>}*bOHa4*}CroW6EC})^*gIOSG<I|+*qFN$T<okIT+9ip
z><Ff->?~}pOq~gi=JvM6rskRi?)7RIdE$eju~-x%Z>o$$1cmzt#IV+da+5xc4eSVb
z-DgVQhddRDnP4#T@~TKrxPo5@Bgj9T#j;-?6vbc%h)kNZvNJPxBfv?>!gK|~0tT5x
z(O51FYq-K1p$uj~=yVm#4;patCk-793p7SvQ5ESkVS58JIKYoRts(q_25TbylM0zc
z)-Xk3<Q1lR6U1U|2v|QYgZ@EgBKwmHove|x6e%LFs)|fEg%8=Zz;q-uDK&A}rnd`n
z;EYXHIXY_+7$okSd)ycl?pp_n;SJChGPH>ft<s@YI=l*1p;MuP1{Jzcp$8RosL+QB
z22?P)g+44rnkZpK5~M*UP3#9!A(J2(G6~WllOQ272~r}HASp5l(jt=}F*3;yDktqt
z_=A-x6EUnzft4w+G6hzqz{(U@nF1^8z^!!PRyuGi9k`Va+)5YD>cUxFII9b1btkg0
zrY@|h2iJu8kYPX+xTh2n)RqGGlmfe@lDG?n3~inaAzdA~whmld2d>Rc!c`_JLUpJx
zDJlutHx(vDg-KE2y;9-5QsLu5gWJ+zH5#l&gWLKA&~&IeG)QtXgmfoEsAH2Mw1>$M
z>f&Sw^>Z?W08WMw#fcDxG8s-cgYismoo=Q()l7HV4mX^#!wskGaKkA(+;B>l8&28b
zhEuxS@E>%ca|YTmcPn(_Ooq_eGZ{js&}8U89R^H?fq#bZi7-)@Ic<jt+3}|_Nd8Qi
zI2}5+Bp5qXm#U)+pSKi!4ILqj{0h~7H3UxoTlFDN$0+V^6jA86iUjwK6qP`5Utj?Q
z00BS%5C8-Kf&WGVyCabtBw7ZKxBlne%W#yacm($ck4GTz($d>;2<aV&giTXFll8f2
zsMf!^a77UaVcF%-O$HPa$zp{rW(BN|3Rth@7p}z!_t#>CvbDmwQ%RP#-+DH*6Osj4
zg`|W*xuCH)S^EeUd+quFCkI;sJAlO|ur_cfgJg9Q5z3=*ihdDcVG-f5fOh0sEv`IN
zO&cnD9qPpPN+lyto=?|y4}WR+a<I7-2`z|Xga`Lk>mWVq`!QvgGdf_G_D#<3K@_@w
zW9!y8-d8i$UPz?}$tx%Rnqt;Ltk^|GS2ZqrQaZQ{>l7}D-<*G5*KU!QrqV`4GHZY%
z`&IG#rJ>V4mW$_;9wv=%kGWN^T4zH%-7Sr}ym{QG68EmI$G0j+zR%GQGq<Dtl2815
zJ<)5l1BJN}ArC+9k1+}#v?%S29@?6#engIW?Tm_uwp5~jm*M4iO5rzF_Pkg$>#&mY
z^Xu+%<yVeNdtWr;SZHh<`|t%3hwOKLUR-h^?9s@|$hbWsTEx8l!pfN5FICC&0<I&*
zmnZamcd%JmWanAwGTLeNDygnt*8y*b%VP=2mP&hH`vZwUk`j=*qy-r4!bHo&&k{(S
zFcL*lK+7DQxlet*25KXHq}P6rVs{<3@{e^wNF+J|DZ1iS+!xot-R{>O?XW=DY{OkP
zO|0~c^xx=l-6Sv9Yjg5EI>Ab7Q2e$9wj@4XO8a*O>13;;={6NJ3`*q`o>2U5%(r<Q
zyjiGc(frF{2d`Yt)G19^KCH5`@)c2h?!KJamTFx_vb8TGG~Y;smhR~9e7!30)vD%O
zZe6pFW_!I=>4@z=QGe~)Z1q{jQ3Fq3qa({coN||JIzu{_uBvdZZO_pDJ97r!_Dj(f
zHWh#Gc*?1xRcgIGOAvh{-##4V;!*Ja(QU)r$G=vid}1Fu*s3`bqEm00EZ7<KC{1Mk
z$<Nn~?iV?>xS51iOY6ryNf<h{^Wxfey=Ath4bGdtX;-G9#>#SrN9%@=b8P%bob!JH
zPH3m1d3U42qDY#&XH**UevzTkA_yEO*{sSqw%UKz+-(VWQ|`Rk=W^U?^Va*P4-E9x
zB2~ke7)YLK%lx$Ua8_d1Nfx0r#IMH4^_%XM@wfVt+AZ|*(~3tb61P3slCvhXc|gYG
zcy>lPWsXB}+}Zq7$wgtLQd~{u<2ucfL&*5W89iSTZneK02$4#=tx#&2F0J6<FeXOU
zc}=R++wX2^_1C^@XS&3l%{*}?YeUiPQ^hkwvh{{cCVU_0bXubkoxkFblC$2S54MqP
znr0bZ@9-F1n7S>fZ*E4D|Jqje5oWMtl>f=q$F#adjS#<fwZ1t^sO>(msOgcz$05QK
zCz-b=5Naky9dkpY8kQzpc|#~N^4ouY@I~&cJN^kiYw=ND?e?v2%6y7HU6Xn{Djsui
zp>kAKTe<zQo|6hsYW{F}TzT%~U;9>U4>9f-?MW6N?mlz2Ch5?Q4UK9Oz89;fOU>y}
z&OX$=L<gO0UM%5qNR^uD?;eKzcH<Ii?<}n~XXA3&>PmLLh0O!$iN`Ntwv8uzGW&LQ
zcUX1})!r#BLr;usHdf&C@;4dlXNlF}_FgrG9;LPU!NPX)->+U?)#Gv$zomZIwAQ13
zlSbga`PH7Zm;^ol=UX~<SnHTC$Alt@E9t#U{@VA*LY0{gp3$>Kx31}4{9uHtq#xft
z;rsW?xn3Cy-8|K^6ctZ=Hz+aL)m5WQa1-v`UGD1=zG(Y0;yIlX;kzZaTd$XXzd%#M
ziQ#{h-(HY-pzd=L+L@^ODAib@?cVj^R*yu7>;bKC6GQD!$8SdD>{_$7TY}hdr(H@W
z{(ODgHO6nQ9&XtO+{fc?Z1^73_btrvX2X?ljYgi<nqxx#K8=6vyS%`k{rK|;<3(k?
zI{D4^E>U!4-GuMEr1|@LzQk9zSZD-bK8F@6c{Eh$W)zMaz3Na`@xDi4JX~oWwSB<s
zk@t?@WQT0O?rlpMa}QfE^TCQ{$ui?AbZnIK?xY#N+&YoEZM@b%ColLzPJd8FYLg!E
zOvY?%ip*`<eF*BqN7rJH`sKdrBo11ewH(^B#&msvO3Jr3XN%1`)^wb$(>x4x{~Gz<
zKC+8L5V-f}xi7E)0)PM@00;mAfB+x>2mk_r03ZMe00Mx(e;5G~6j}`Ws(oVqKZcMT
z`w#0N=nfzN2mk_r03ZMe00MvjAOHve0)PM@00_VYP$-1h#QgspLh>Ad0tf&CfB+x>
z2mk_r03ZMe00MvjAOHve0)Ha{wrGx$*#Fl5e4Cj6cOoP^|3*CoRsaD&01yBK00BS%
z5C8-K0YCr{00aO5KtON;M3l7{pTD9rG5>#wkbEh)ET{<x00MvjAOHve0)PM@00;mA
zfB+x>2mk_qPXh8Ns@Pxsm0Mx1U8Lk!$TW81<L~JoxB>(K0YCr{00aO5KmZT`1ONd*
z01yBK0D*s(fcPxv{=X_t4k0-#X&|X6c|kHpvQ;um(jCvho8UX~1^6+14L)8XSt1CJ
zmbi{rlXxysf-A%AkywO#D`72x!`;EraB{fyIOl)Y184^b00MvjAOHve0)PM@00;mA
z|F;BGP{v4B&{`kAfc0!25{*pbJ~5u=Gw}d&3PqJ?nnX}WErVN!1Z<pYO#QR*99~(H
z%0Ej}{pf*ot`GQ8>-x$(({v?XX(mmPSDMD0%`45MD)36v7_)e#bxHC+rD=M8j6XXj
z$1_cr<&|dAWO$`%%$dB>OsX`mG>tKXS6Y`O^;4SUA4vYQW0E}6bUd##lP19{O=IGC
zrI}PLuQZJz&MU1;68q=0j-Nl>@6V2j@=Vi3c%_*%46iheDa<R)q@sDHX$%yvv@S^q
zi&7SgWUyG#5$pXWxC6~B#4Utm0e%$kB5_6niwnfoVwJ?B#ahI)M3Y5&M2s*w!o$L=
z&?nKtC|{vVLUPD;+y;Ncg+rVrY@8sC_{Wj!hw+0!;>44@Fk+L>uocFWR*{USS8*gN
zn(!Wxe<)sdg`vKIZ&Qxln;HAFb?Fx+6zAM?Y;JNly}yF{3`-#-fh3L*olp@H`^Okf
zFi7*SUS<2bky3UXtC8C2jk9Syc+xtVRE;dmEIFnr%^}M3G^tAxz@+rM4ZcT<BIdj>
z+Ky}qwYtX~q0MU8vu<qR;@Ku^JI~wlGkGmd&Nkmbe<T>QZQiZci<e*0XqlJonk?N<
z-7S+%^IF0o%KdEehXG3flkRact<RL*J{^-j_Qt*F<~z4Pnuj)0wjA<AnLV|>iZ116
z^0nar=IDJpNwbfk_rD%2wq2p|QFil|!s|z3$)T^-thV70WqF&V3t+PE{m3w`GnAzu
zRp>)0Ni3N6RWUik^2C#p`zB9~Yu!cpnf$nWv6rfLSgv2yt=q1tY|T+mTfavhhQ8jl
z-^Jgr%&X)OWq6uo(gZMRJY%m${+6{j(<=LJ*}p2gl=<?d!L4}zxlu+ty!E#)S<cU7
zZf)K<=Zf7T*vML~C&pv3VYs5_A*r<^_w5{A1D?A(afmZ{nxruWFgc#zD>QiW*o_5u
zh$i6=TE6TvFQtu@QjWX5V^vTRP}=-V?zH-4FwE%FO$V&#Z)>A{UW9EL&v);VQ6`Gi
zq#N6JD|3j_JWVpG0+`&CVpZtzT*5sjyY-&BVqczP(~48lN6CXi+6p00%ND)jXA&8X
zBHtX3m9Lcxp&KM=<jy;+ak5myG*Cq1z!~<#5@!x^22YbTL53iA?4yDGTZgTVh#oj8
zV?C4otItTO=HAxzRMY(G_a!f+`I&TQYurtah<3A?r+quES>>`yfd*Pu6l)wZW7(sv
z&T_wSh*CUF3N!>^7W@7ZL@#zrk3kKHukFM1e=||F>VL>gl|4V&R=hWdpUM4!O;4L*
zMjwwvFaB*Q`DoJPjU6MQ#a?Fbw|pqxqlIYW5G8*$`NO4!0EfFVceS>%?S7)D_5xeK
zxRRVFbFscHj;`~qM%Uzho%MSJKa<NwZRR)>6!)dH9>yo#f0tM9-in!XYGZpa$$yP$
z-Yjzt5zpJCAVZMa;gY$@1)bJMG?(98ENqrherQIZrgTp?C0FXVs--tR^D}wy;ymLg
z&M{27Z`VC>@x9|o&&=x!9vn@sN%M(3t40gv5G8n;6le%)@5$@ZXmY>|1TB8%=vgva
z$hy5G-r?w~AY{8x(yI0i{7j0R5EEs_yY!$xx?E^XT|?~<x@d1@{Ec}m!QSyXBX5jD
z#PKvK&=9oHO=@g7Wy8}C?`C6YS6HTEai~)5&Cy+#=cicAXg*!T&tza-qod&_R#_Iy
zs&}@Pr^F?_-RYT|_V%eLmb*IWe{10ou{=!*Gz4uiP2JmoJt<f5`KCzE_QB{DsofW<
zY#!U@|03L6(-@k|&!pbqg++438?di-uZ}JYYrPqKQ_N#D;#o#E<5H$VM13rWD9+QQ
zKts^EXRVzcy=3g>-}{b@(`u^+q9Y4l?=4R$TzTNIlYKe#1ah8NL2<T4>iZgc4u9B`
zvLd5KxHo?^Ok|;!<Ll=;82Xs+Gu1gnF`gy`8iH!9WGl9fD=i$j-<$m{^P)=36{R?_
zz?tm4PwTVs->`hIg2Z1cMQlpPe-(Z<le|Uav}*vSs><#4y@290*}54AdtEt1(VtBI
zI0+D72+EU+p^uEtDtCI>*LVC{Xs|y0!tr&QC2Czu<U9gmzLfJLx!<5CTkBiakZeV!
zb^95^kl9U1)qDMR+<Me~E7QC`mCYfF@HQ#P5Olxyu`A^$m0jW}wZ+?Mn@L5@=NH?%
zZm-y?e`mkFxlAZOlbh7pmG_Pohep1}{vn+yGFJm-miOtk?R(PD?sH{>_6Imb3{R5+
z4M8c#4Buq-+%T$nXnb{!lWLu|L7yXgS;lyk^ND`hhR#ZUCcjaAEaeG~_DAe3dL_OF
zr>@y5^<ZAb@~tY3t9n06zw_o0g?XA3Xb8If-1wk@Va?95ox6y^nacgab+@l9AT-a&
z9+;<^7v&qz&*Y0cS6{sO7+*fD^kF`&%uSb-(X=p^kt$>9&s0)1a#rCG(L7BGGz5kC
zoG<g(f8l#$LMr_?<vr}D`JW>~?^?KKe%e@i7g<rw&m`8HEz~>Y=y-j1u*^K^6Qqo7
zhjC5C`M82ptGn&u9v$TnQ9MlwGz6*7Ho9Jw-*)D3^Z1kP8#k2<g*{=BBw4Yg3v%Lp
zD!q^KGr7E8xkB}1{gss$8di^5jL5gl5k39luANWXduDsAWtc68D8$pGKts?HH6w4d
zSe7Fz&R6R}RXaJZ%K1T`{XvO%(Xh4R`Ukf1GimCYO>c|7nv!;-yg$$I!x^kQUU=8=
z$<1PY`Em;m3GMVj3M*4NqEoZ=tkvQ!Eh~1ejBOvUA+eU5q7a{JNJ~izFxbf{ElwDT
zA}OF{`fcR4T}_x*GIQ{qQtpC|<r<N+Q(P}-skR44-<%^;L@SaNPq$`B6QKFOm^cj~
z>50F9pCJ*7Yrv^tw~DuOH-QBZ00aO5KmZT`1ONd*01%iUz#*#sbm{!#En)#C#<FF*
zm`T1jE~tGN#-Hf7KERY~c=|4|rUKip9W?T6-YtHY&hIouDb>9a6=%e}Ete(gefW}b
zMPc@mdwMGLkw%?eEjk<`fwxIPZnVVQZF|^)*q8shJ-E^m>0Ee8&iK=LcY})#vXOVG
znd<ZSnY1g~{h_-*zFHW)rpR9B!S7w3vs-KIq=oMIO0kx?z9n%~=Lj#Gyk+&5x61_p
zIU4k8GrLU8!>Cz*xHC}fY}UiK6+&_^2CsC`$d2a@CiC<7+;VV1pO-wl7un#uxgaL=
z0_&6IfQ_5)MjaVUs}xF?qpHHwqaYmfEnG-Xs-j%W3?=H@yxyjp^@r|C{MI=d-zXn_
zwdiUpKaT~U$eu~b78aL^aw4x6;mv+s8tT5`Dk~sN=gfUMht5kJqVi7%`-fY9`T~F~
zvVPoBwvR(78l)M$e0LFTa~7pvf7t1hSIHmi<Z{9f@H43`8u@nU-rjoRs^Ee`gBzRf
zFVVbpC2MBDIa!;ua~*N%9HJ6$lY)Fzv-(I<aL?^=e520xEEBH_{avecl|B@n7>EnG
zeS4@l<1#;!zG%E<N6zM}*2}$=LaKMTpCvrlsirpPOJ#<Cc)d*30Eei^)1*LO)x1rA
z<&?YE*-1V2OqO4SYnyF=5ZbNK{$@+;ff*i|p7;2fG|;Il*7O_e+;1B4apd5V9X%JH
z-;8Ow(=>PIz0%L7-C-Q!Y@Q|s`l_a?Vb?vQXX{4BgUDj#Tf$B$Sc!_MoyVG6U8x@a
zcuUKJpGoSX#9eIX6#s^`i^ii)oli^|i*d*2Twk5~YR-#~mmT+UhzdMS3iMUYC?Zj7
zX?WZH@}45y2fv3uBRA`%WGQ9c`_L*X+&1=v?>T8&ZDboz+`o5ye(qAsZssoO61RO)
Q{jqP?6(3YvVN%olKUb%Z00000

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt
new file mode 100644
index 0000000000..bdd10448f3
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-cn-and-alt-names.crt__server-cn-and-alt-names.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx b/src/test/ssl/ssl/nss/server-cn-and-alt-names.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..b75c8b1df5d958af6e508211fd2f29534fff4d21
GIT binary patch
literal 3349
zcmV+w4eIhRf(;P@0Ru3C4A%w;Duzgg_YDCD0ic2m$OM86#4v&kz%YUbcLoV6hDe6@
z4FLxRpn?ZzFoFkU0s#Opf(Km&2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=7Zv*1
zdts^p0s;sCfPx1w17*qEmzSjlcDUywg=oJ>MX*7$OKql}Yp^V%$6{>nNM%ZT3LBXq
zdmRr!f;79~DEu+XbEqooAw@$6oE2G1>wL3zPGDw+^JOI~9{GLS9$HQ2c%Jw$X1Pvj
zf^{R9&yo||?}I(_jg-Dgvlg#*2vaK6b7V&8ZCJ<5q*m?THn+@KLvBA5ju!QybwpuI
z?_q9U0p{w@j&vt{Ybn5jyeh-79NV>xiw)%d9m&13i6ljKmbB3%W#^@FU{kWTf+ry$
z=SB7X@7~k^O3-BC@dHy$on`F}Ry{SN%gnPy#-Om2*VvHB&w(imnbg}4W#nI;J~<T_
z)n>6U4sgsF2DsK0jko~{IC2`yRJeYO8=j_ats0iA63G^2g}-?Y*KD9|3yo*_XvN3{
z8LoXH?LIy1oT$1*%di=s@8wEZ@26@wRaQ%rvcQqs07>zTstj#bFNw{Ns_ZtLVTqB?
zojO9-PK!Mc!6xm{y%^Fg8B7|m&5L{}5_Wb%m%S**@#l&JQOH5(liGR@n8p{ml7$60
zjb1QA<FOms@U<b>FAcVaRN(R59&RI0seRG9MH|!AgHDYA%U@MJQ9|ma1&4-2gaKyh
zjIh2fV*vKR#~|Y9zg_LBA^v6LaVtmc>uvy({k^P>VV}NWU@qAx#pu#$N>Lk$VEE_N
z5;;+zv_!^>OWBj2`P(J0{Zj#KSnJ&_loWqUMUqb?(N@5O-52svAV_fIed?^QUHZP`
zU6TWGs#K#9dcpGsznGas0qMM5CWVJgK$Wl+L9rwp01j86tPnc>O&|X248u-98JiN+
zb<6SoUt1E-@)S+NbF5+-?UGoHOf`bV66yW0ZH^)tF<U+0aOCo&=PTBWRXA?f?4Qq3
zkv){Vk@gkQEz_a+aOZ5c_o)$D1uWnPMM3C%3?GL`r*6Z*1!x&_n?FzPx$&btP@e#Z
zUaQjfz2$UyQBN>_L5(P{<#i~Au_fg{dp_nIS$x-e4UyZ@1u0n+u76SjYk!6E-y~m|
z5U`n#$>H5X=~EU`3X<G*E(WFkeYsBh6=i#0mc7QZ!Vs*7+6332^^G?}AIor+=~hQ`
zZ_NQ#=mj!NK)}FdEU>Jf9#2gczC2@@!Jy~s(GM+e8u=AHZ^>0^iv0-3L#NXx4^@c4
z0rv(5IaMv?x0J?yQOtl*BG9`6jZ)M*Gf(#+w}!1`TiY@{gJD@*44ID9*Crvr5Ah@P
zawsEvYX^zX5`XS@=Z%6ghBfC-AuYP2t5(qQO9RzVZ_VfCQS!*?u!gS@>7lqTT3D$%
z4(BSXByfnlUK1}A3SzR>Vi0x}-}}E$h0EsF=Y2>wE12_;y437m{C`U$U!wpWjb_Em
zR`iegMi%G#|2$kmcbshiSPARI|D7(xcxUkO@my=&R1Bh(8w6#9&Q!82UG%Vd14H2j
z?w<}%<Q(7mR<Pd6-ca%fq~JElH5mH^CtvKkaZoRn8h?4%-s{f@Z(90w{j_N^GpX#d
z?Sv)~J`68cja`dC3Cg-`(G_!eTiz(6g93z?r#<w3H|I_AL5zOr{qHimodRLMw@5Pn
zRMe`gMkoAUt`m%?@+Wdz@zko1#+a$c8fT^wpI}Z<IczE9M>1m(pO0WGf6J07P{-L`
z1?M;4s6^*kKI4~o>H5-L2VIhQ7wgqfsa`!Iwi4kxgcQ3cG|QBQaze+S<}hhRpynDw
z23w&H{i+cR@69Ugi)W`JB!~=`Q{U$NCZ)zec&?|IrD<Xq6&qUtsr8wH9}Nq04x1p`
zz)m+JKq~^3ZOAMY{Deh6Xda|?sI~ussBO_|r9oM#fHtEwNdQ{+Lkjt^RJ(UeYfFa@
z34v}RcS*g-5z;fsobJFg{wcWlVV{Y}ua_fST{`uqMaYy92B_8sv-yk5)1Sek!S|JE
zQ!b;vX2%W*sm;aq%nyE-1Z$nH;!kqV)jm7FxWVt7*XQ^lzqBYvnwE%^Ua8S^Q%!&B
z|LC}7hvV9(T2P%`ys53iVHwCB0z+uwn#0RV;cw8V8g@bUdz!9uwaNR=SkALq>_`y=
z^DcZukv`A!088>1TctBJaPU?wi=U6?Yj%P)^r{ABmhfWu>|#zJK_Z_mCcbQUy#iZo
z4T5U}W7@vM6uGw&q>1fLmUGQLUc|YH(81?1HhJck)<_iNT@r$UU2Jp|Q{ftmO>}?F
z6bhRgnX)IHt+lE%a(=Px*5{uDV^77TUK(S*fmgZo9{_?CyE<;_i@UL;6T7butU(0Q
zx%&K`0qyq@(JFeBBy(8bid&dhD7{l>{&w%!%O*2@+?KCbvS@50=n0H#On<~3%_`&z
zN)>ikriLX+=hpjF0%7qWNp>LIYTl=Kbtp|J;l|SiFZrcCo+%}vYOZv|OM+Th7!Eb#
z&#_R9d9o<spsQjICTP8*6ScO&PVY<|4G9KZflkx)FoFd^1_>&LNQU<f0S5t~f(0@J
zf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PD`{
zj&I)8cgO+)2ml0v1jr(rzo<7Uw$xkTF0DpLw~=f9_;vRp=cbn(N8ug7a6F#8@v1?*
zud6~(Cnr;Da#h^zPmYnVnli_NHKP;wx7nHy!?weO;VJmtGf{s<T&spfK3|=E9Y{I|
z_L6ck@%~jz_EkqYjs9tU52spldw`d@Hg~fnV@GX5h2aoh&wQgQPUU`r1VMy6lugF(
z?I~g>&PM87-V51g`cAWDd2nrnMgc{5T()Cs<bul4jtzIDpmP?TG;^V62(j)1@Rerm
zY<bh)P+YX!cHgA}0)6A(<DbdRTG4*HBzx@jmX)BXahr8jqebK2vVYjOc9B-^SCwEK
z9M;@#@f2~t0N}KeLpd75x5c(#=c-XHeF9)ukl{2mX@P`7(D6ip45;1vU6(~?o&2WE
z0aX*&Uf;onUzV)sfN!epr9uXvE|_e*xI~s{l-g97SOJY+#VGvkBrj5Ow!QVh3HOeR
z$uwYMyD_L1P)``F^`XYh(qeuxN?D=F8#ypx9X%zTW4u?<^qh!nTBU_M*ow_C4D7tS
zI!y`iY$ts_W6e6|TUI{WBAiJ-t~YK`@1cqnZ0~f+%9lIh&wG6o+U^=uX?K6YV7RLI
zVc&pcYjP$>g{|P`pE^6~d5e<{75zHd9$}u~e^tFpfnNHV!r``}-uq^*HUy!?{TZ;l
zxs70f>stDDsG3OD-)+DR6P2xMn~K#&etL<%3DHlbTP}=!?jt%B-+XvFQA(fQ6$VTq
zVx5&1iUKGQ?J_0i_y%&RI#bHBL<L@i^LKjNS~r(X`eLPF#|wA0$fCz=?7HXKk_SkX
z{O*Uoo;mFbTkdhtDjS~>C|&o6k6;gfHAk-doP?>#WBI@PSStmu<SKtM?7u75*Xfh(
z%bt@rHnfOIeUz+SkWbo`F$^&{GW_ZT+&p)isP@GU5{37ML}+(q=p9Z_zs9Krqt55V
zPqotAU5f^QLz-QdCkX_Sx{_$w%fjgtBi;uabp)vo<tK<Wued-gCUwh<aXkKc=WvS$
zLvlLa2lt;u6&xT%Xn&)t#SW_r;wAGT_WU3?ZfdRMCiX@^1E3b1$SOawdNXaDnmAsm
zz+_%x-*QtrK|!rxJv{V<?d1kwa|#T+u*^{ye&lUwca}MHC0j<uV!yB#-O(VFLC*!s
z%w2$?q-um~5@14dPqYN1xM!>M>uI%|JHhOW8ui)ob~_E%M(yNNQW=W?|LLReCa_^N
zP`Z1{prrP7z>)t5egf(@rhgkeyF}%u5G|2nc~ApbgFgb3;b_OB<*W0pa}J4#VK~t~
zjr#Z}<y;4OGG>~ZY^^dj%QsNb{EBQY*_`cDoN}mXm|<{<Oxr4ihCHfAvI#v?_4nWF
zzrCZdit&cRyBI%P8z-pP;2?-FlOud&kQlhH$Anb4T>EiJR5fM*$*pP{$h#1k))~5$
z&O)wBdTXN^skdbH9)R^uLCV%iO}2DQ6@7Mx(hgX%r9Z2ye)&*dN=E*7J9e(Kr1Pks
z{wq?y1Q!?;*Y4BUl9w&6i%0N7bXFEe$K)M_ZiieT$Wd_pn|l{XDm}l3Xyk6Xt6FAn
zIqT!RETMckX48r{b*NK2Q7Is0;2|Wa-4eQvoe0|#92lg9=R1lFpL;PSFe3&DDuzgg
z_YDCF6)_eB6y;5AQ9tKdDH`&co!k5658z(hfiN*JAutIB1uG5%0vZJX1Qf~;7i68=
fKDl*;qP6n_SUGWZSKI^$tx$05lq5tA0s;sCF2PD6

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..4ad867c6d8c55be766ae060df33685bea252b12e
GIT binary patch
literal 28672
zcmeI430xD$9>;fcfLvKYT0l_ZMM)9ZO*SFeRxZO)@Zc&?u^~Xzlp{idwO$BT!4`QQ
zRSPQhtT(M6#H-q8vGBA~TD4j!Pw*%xN~NGaTNUigBpmYWtNoPc=k@buU}yicGxOV-
z@67(QyV-1Hc$h}77EaY>rm6Ho2{Di$Ny1ksBnZOPxPTQ3d=T@DHe8Xt?B6m?2@iUV
z74<V=V%|wuno*S&RTc{@d_e*SOaK$W1TX<i029CjFab>9nG^6eF|o6ACgU{e$?922
zDJo5Jx=uGKD=}4*WEv2m@QYFiLne$<#0pWKaN-1EcfQb7#n58WSUysSMhdB_M0IL+
z36sYZP+ngJiD(?p#Lm%~oPz4>vJ&4^C+WKt_>U<VbNgyAG$Zokn%FsX^+Ti6WvMf}
zMR<>i7&7~6$Qe<dH)(3;>`WH==~aoT>h9{@2FIuq<>w!!=*>ZsESwY(GTtvDP8h0)
z6Gl%636EC5Jp@dg5EvE`5GC~UpBND}TBxGI!hl5#774V`2DpWRo8&Mlhe<g~!Xk1O
zMp78bVB`fOIgGqvq=Hc*h`f;$ZHSQ~4K*0rupg+x&`^e<p$<bsA%=!Z3=O3i8fq~#
z6l3Tl7#o{sXdhA*8*HR3M#^HOEJn&=q%20tVx%lVwIryP1l5wDS`t)ChH_;nSB7$B
zC|734MVd0C>4i!nJ`4gRMm-hNu&x;ORE%27(jbT#xY=kzT?r~JL8T?AG{{6n3<Y5s
z7Lj6UxNjDbVi748?UhA)Wzo1uQC%rglOi=Ks+**iN?3^$N*Yb5YcyfUj3(TJ(S%(z
zny{Zn69P1vkfOmvP>g0zHH62wwWpe_tD3B*Il$~{4lui#1I(`G0JBRMm|e{QW|uB7
zd+EYC19uFz!ii%v;p{P*a0(gC<Q`MqV@~Zh(L^wmP3&n-B5Y2wR7EEzBI0s5wlu;H
z%d!#~nzv$a5yLUDQ#g}^!HHy~f-8EZDod|LX=V2jtYo@PE^xI2pu4pK3!i(4u=vz`
zzloNg3QQa@0Zib3oxnnxKZ|E85ZLr>sI3i42*4jf2tcmQJC;PBA}FhGtv{0H3s%B=
zfgF<9O1us$g4Lmt%Fy<Lmh8{BIjtVHXAQxs(#DV=z&!AOt}N>I$Xg!DU($wJZwnvv
z!&y$<0Jn*pWo5P{FTGS<#FV^!cw9n^&(M$EW{f2AKRcFgUo`82Pe!SD)b}3V=kqiY
z{tG7*mP^yv%O$p@^)s%Lanu|~o81pLy(n6A@B(+fUrFP)<|*F@Yu#2wzIXAi3nM=^
zTo}Q*QYWX&SC8rpczADPmfO11x5DPMX31vWz8BIsvu4!L2MdFm-d$f5Ids~v2Gh%L
zbT&#kE<&e<iYfO+4Rx_YoC$?u?~hm1noT*IeC|YSd~`Q|*V41>k!d%N=lT~E%xSAy
zy6kkvT-W-&V+sX-&$qOB-KFE?M-2(>Yj^HhydnOuX30l3yNU&zTgpQuxLZo*61<)v
z%Nf{bSblE=;IKV?umu5@7O<n?iZ5^rs)-DUMB_pGGGpnNO}NoKuB9|et<wuLwOYL}
zzz^OA7EaRY^wTock>O#&$jC5ZrWz!4I*m46sE0*$S>V%!14b6eMf6^X%IUcob=y{4
z_)$>ndDD5tTa6pvXbC(va`}SF(ixXRvkOKn=IzfP$DIvltqW1$LD)XdAjg)4P5qDI
zk3r}o1t0{1O<+>$)R{BYnaU)UM^dJq&gELsx#ZmqTn@<rJ)^Bm%wAj^y!f6KNm}rU
zKTnGuYG(yb+ZeGIBLSyY?CW+`tc+$E)|jOI8DDy=VLZIhcs%7$pk4@*)R}r6=)mya
z4JY{oH<zRcu-%-K3%Y#e)tL_I(_Z;(*`61FOcg2BH}{-0`$uW|Ao{22(i;l>q6~ia
zolEu}k`*piPW7FRg|SrGn`eCecfA#KAeAz!S=au)>xj}J^NY`I|HZQ=uRL~eob+aL
zxVP*~$IAuZEl(-GsMr^N)3m(oTwrH$^G|bR#i|?D?YBnMYRA9A{kk!%s4e)X1OICM
zvh(<j!t%K39K{2oW&3D<wbY&T)5gY~?(kaUu2EDw?g))ZT2T1)>hmXei0%h(Ikw<@
zWYzm2>8-(;B}*Qy=XvrvAB5ZysbkpL$EEGw4j+9MI&drJc*|_}&7*fF1a0A4%zdGu
zYTm9hSINn_KSyuea4~&R-uBWLcuEcz9D$n$(gNBNkRCFK$EUd@`KUKDFxY?@NyNpA
zWbbzbdj$li{Ieq}VB2daN(aA|ol=(H8r`Noy~ld}C(|o7?YC(8CR*{q_!HM%_2XXi
zI^1MFqB;Jw=?>RNwF?3^*ZQ0|eaK#Ep3-!5q)*Yb1Rr+!-r#wX0lc-}$&Q@A@%ip+
z))SpnMW?pRT7KtNMC<+4lkGMxeJ^9>a>q;S+2;IFs<vy3_bFU%*S)(#DZD)VXvw8v
zF|E^osPph%`n`Y6hhFN6RaJj;O1M;abn0_8i|#kCk$NhA*?Dv_H$ST`eE1OM)kW&!
zT{m;h9rIEq<{mV;_{rgw@0^_P@O-7+l!m<AkG(=PtFBr$tom~5VE>9y>njGHI?|Eg
zeTaz3;=9&_!^7s!&w6+y^~1#ebY+LO{hLUoG~Uj3#tGr(ZP(`kPs-u+@}#!U)RS5@
zH}`nbe&`@@I{)rVXP;|b7&88=J85qm+_>r1q55?T<J-Pc6`XtM*tjYu^39_Re_c?%
zKZ$&)oG7pazVtB)IZpp=UuxBS-RMhosh$RZ>YkMDu1!yU+u&3=4}tIb0ralVA=V$0
z;&(l2ATyM9f*#ev^0{6gXg!}`%t(5;!Q(n6Y17iQ>F(*OG_}W!Y3@2*DlFy!qu=$a
z|L^BD$gB1lVB|wrR=v7|tt<Slc(nFP`|+vE0!8*yM=rT?C0<@oe0|Ic)d=Nn^Go&>
zzHUB|%Z9z<xNmp$CksNh<cB^OyLZU^)baDOH)L#ZXx?)7$iXFp$}O4(+sDW1${QrM
zWmQcJ&wkKysxo2CBu?_qd3kFmxmdUAw~x8t>-pT=yr%1uKWx*ftG_+FcI&AXi>T~R
zMNPG5?pYuHs_>p`e2d5JQbkdu^W2b*2l8>Z9cC@7C`_~Xy#8qEKG9ZAVyI?(Nda*!
z!!!2sI%}r1?f$*i*?!s2w|_AuaI4?3#`*j8Rn<ODrPt2h<xlBUhR;5*m~WDiF(fYi
z(Meifzd7UW+J=;C)jPv=`){NnAKE|Of$pct{KQjqbI?#e^({gDOtn%?)J0(8fC*p%
zm;fe#319-4049J5U;>x`CV&ZG0)GJl1GqdAen-bQ7;Zs4qY=nO2DpRCG3D~i_~0HM
zy8ahjAOshvQG$!q0Seu@_zQFrHxU!S1TX<i029CjFab;e6Tk#80ZafB00ekkg5(GB
zat4xr{z)cYKk0BocsaKH@=z2f7$}+b$CEUM@Bd>6s+3Yv$y6B?gQpKBfC*p%m;fe#
z319-4049J5U;>x`CV&Y%B>_{e4GDhs%7?chc>Q+S&xLZFFkX(6S%3W~z;OM4grKUy
z)Bp9<7u1ob>>)0O319-4049J5U;>x`CV&ZG0+;|MfC*p%&xAnNO$OtdXU%mXAA7SA
z*O<d`;L6Rwdo7;uo({wH|89c1N>x(Vsom6<&!p*iCzt>xfC*p%m;fe#319-4049J5
mU;>x`Ch!{s?71xYq?h;^o-%;BPkLFZ;h_OLE^GFry1xQ;bT|_L

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..b49070fb6791118876f04e1bb84a73c4165c7507
GIT binary patch
literal 36864
zcmeI5c|276|Ho$^GnlbOvNR@p(wR+Ti4bkd-X6^`M79`&lBp~ua&N^qWowg?(kjY&
zD|ORNyA%=CO;OQT3-z6IhM#-Cb%*bL{QkJ#`~4g<pLw6p`}297*XMc8d^mF+&bYfe
z1qcN+ztHeto{+{uDWK43)C?L8g+h^rp5hl|A&5)dPz=AIe-r;vNJ5!H7V^{&C>gRF
zN)AV@ldY1CmgSJ&lHJJFf7A)o0|I~mAOHve0)PM@00{gy5eOm@)wHzGqRB!YKS&TP
z5b|d7guLNb8GAPeTMq}ChpnBH18umLW*Fd0b8(w9-_~sjZJxstn&*N!uAUAw=LIx-
z=LL>VbL>56ZVoO^w)PGtH1Xf7!3@a@(`c#;LCszZjS2|y6|9X|6C_T0^CE?z$h!Bi
zzBgkyBH0lLYHB*@Wk>^`)w}@TkcbGE@PH_uP(U0qH)p|2hs87`30oLxKr`eqAg0j_
zJfg7((Fo%41wkWC2*1-nlHX{sj2v+UH4PoKx5RcNKTzN!9MQo4P9s8+{zioXF^uf7
z1U2>H(F8<9L<+)3WN^Qekz~J7;WCVpt<Xd@9UXMKJ+jM21V$pvkd$P%jnt22$JyFB
zyLp(<c#!xh-fujn_{oA}qynyCz*Ss$l?$(OkyW?}mkk#jxG;l@X>h@X3v;;O!3AGj
zm?Kh<q(l@USc3scwgam$AXtV0!8!~G7GglK5(9#z7!a(*fM78O<O7#O_9XrgWu_!X
zl$nS!6H#U&%1lI=i6}D>Wfszlh4f+}y;w*u7ShWM$(kWqGbC$<WX&X5MAHn>oQAYS
z_%IMaOk|`?2=2>7M#@CovLW%pWWd!!A*{<nTC<SWETpwKi8PTkgxjzYQfvs`HX9+u
zMo6)dt+J7=vXTA5LHcqKH4dW2LHha#I4m}c14|Btu<lR@4{Ruew=fjKLmUd>aSnwr
zz@ZSPC<zfLL*Ym_1kX_INH??LZe}BP#Nn_VaX4&891hzNhr_z!aM+GG9M%<wztM${
z8F<6uTKK>j3gM$?D1;B8q0o0E6pVy^{}&<$f}|~f#10>}<ICYezI=o@7v8rJf*o$l
zW|<+!Ez{hHg(0ZT()pt)aOAz}%@~QX;@>DT@NX4)@e?hhiV{D-0tf&CfB+x>2mk{A
z(*(BrqeW<(3WdV`cMK{bO*RE3{-ID%D2kHOW;v8nB5LEh;h&-Q;xydqPcC9n6bet-
z0bgyvqR|l%K~p0H;ZcI{DLx@nLPLULOnt(Iur}n#(1tV#SWld++&Gue2%&$tz}?k}
zCKN;nX%Ug)lR<_qM2GWOISrrC;NZ}ZDIwx>QPVL0DPmQ)nJHYH&%HG7-L_X7Y6>+o
zb&h4B*t}p1G`ye=qLzvucTair>UNuYe+<@EEOb@wxQ%I+ne2?oIHi(nX?cA&BR8ge
z=E_Aj+Q%n{>7r69t3$@`Ui-jiO$k%)p{e=3<Ny}lpx!|)EtuVwt5VVu_7uH@8mFOD
zJh0E$D6#ATHr_V3^A36SO<L3BUGAxm-|I8D)pVL0roEX9oypYuVn5Jd5IK2oW4BXW
zPo!B?Z~vUms2h6PpEu2Vwl!zBySBehE3wV%OD6}TPt$CzUGd4NwRy4DM3jR=>Fahu
zz&_DFn?ARKukTZirrl;=@b9YIXt!-!+}q1(8I6PM3|mSq(kWFba!O0}2d^G#UHNX$
zkz+~u%gY0{98x-(O~G_~pGTw6&_=WwWJr)TPMV$6FOQbPqp^@WPDNqe4{jghI%cfa
zvaV2=t5bBkIou9|M&mZ3Wkhc>D-)dy)CF=IPyYB;-t&Zo>U5W152Ev&yKlK($~%)3
zS+Qld*XkC#bxY8tiQe4gyMr36pr`v@spO8|(NXLlc2c+f{o04yZ^r4=I8hEIAG9cl
z93NBYdG*c&cCCT4A1{j%+8G~WkE2#kZ$*3g9aFpf!~oKnm!#LB^|feRo`*BH%Bv=I
zKicL)sVGS}F3{xDrxPDf&w5L+6TYAD`E^3itPDq5oo|W5iCcv$Jx-kDT(~;%{<GMe
zq*_zRu%z5i+2q_d#X@wh)fxRsZ8cjh;yxVrYTxW^7hZYTUL*cQpkn(H{x*jx?RT}`
z;$q`#?$bQd26Hdv%|3{l5Nn0n6z6ZO{a*EODI_}c9dL(<=gGA-GMRb02}yMyw4=Wg
z!>wU(qLh{<8KblYQ-_d%7<*kSQOHGJ(CuB!>#3D7?hg&#mYjKMx1!U}xIoj?*6~1m
zsVc!}pQ+pqn)hYee0<%S85SueghUQgLp!i+SM08)#`~9a9@I|Ko7aokyOevYR;Ouw
zYFy}mj8gBThtnd|GnX`ZDui5rVQqL|!obYMEAm@pHKJz|Ck`mxT=;$8UH4wcFU!vN
zv|jY6qUS*d=_AoPN8(#<+?iLuUR=TLPJMCCWP|7Zo-OATc0aZxG;rVM{Zcu}bovjc
zJZ<B%ugu!8+t|mM_tn_mXgfXM2gTaa)$~%dr=@#bbn?&hjc1=JJ!(*+88c(k0l}NI
z7x>c+ERFUT?A6J{h-Q<%q*<jON8NawRXQzga|x-@^>jd!411APm-a`O@s*wm8Y!N!
z-}gPUb@GN(|D1&{Y*U}D*DZe9es<MfiEpcfiXT+XsvJT*E;m%V_$V!#?;pNqO0dQX
zeMfBU?uPof@P~u;dw${0Q8So5*TG@u<x1rPas7g};P$L^-<=)kD=Q8=6h0XE)mA@n
zeNQ->SoQ>aSmo~S@W$EzqRO<>Tx+>C$!d0kXQ#d{(sl~pcQ2$@mE-YbL-V}Nzj$tF
zUU#kuoqc{Tp&{e@zKzqHUg|HJj<L|dM~U(@?k;5M%1C@`lwhrJM8@*6N7&B0?bNr^
zbKGcIu8(8$<C1+N*SzB5k8Up*w^FOr;IeN<6lqS&DZh*Llipu3FSnh)casg;`h-GI
zLJ@Pu6*-?~jaC&!NZtAnbm7aC-MdY4)KX90diXv^3o1>z_VP#v&NAc9EKKeUw^CNd
z)j4%vV;`vZZW!OAiJNtBSzN{UeXmscM~M6M2E)g<Gj4}>U!O*Pu_Zy`dvMi${*P@(
zMRRPP_Y?Bw;>ct?B(ONL^Xrc4yT{}ruO6jiTxJXPiaYyIzF7|-_nVl~Gqp)oiuqcL
zYCB){H$4hrhnJVz%R{Ti_p`R!9PI1YyBad7A-8;~%{u+9ZjTSD&UUPwy49I}d70zG
z*dn5;(Z&OrN5+|ZYx~|8q-R#`T&0<$t>m){zJ87VU!U2@Fa+`SdGP}*fB+x>2mk_r
z03ZMe00MvjAOHve0)PM@@HZns#NtTsC+w2*{{a+r;BPiSFdRSt5C8-K0YCr{00aO5
zKmZT`1ONd*01!Y3V6iBY<oy2>ih2q_0R#X6KmZT`1ONd*01yBK00BS%5C8-Kfxi#|
zC!9!=^#AprZ<6!>XDI5kzt9MQ6+i$G00aO5KmZT`1ONd*01yBK00BS%5cm@W)UjOB
z_wS-3IsbowqQ3YOvY-nf00;mAfB+x>2mk_r03ZMe00MvjAOHybr3k2D*`)8?<rcpG
zzcP-9qUKRPQ9R{O$ji$4$=1kflA}qtNK<4|h);>ugx&b}cvoDpxEWXg0YKpIM?geZ
z#@lXGLPZ4ld;18&h29Vc5}30fj<@7nN0>}VlmIO!kcMvmjHf`(knPB-9K^=a$_w-M
zZul@eGvUl~`GB~Y*Jk#G<lQUR^va9rCpzl>>>|GXD+W!2$OIXQ3WoIC7)L8^UPiPV
zER6BAtW#>>TI{uSSryEaeg0s2^<wO=^WSQT=t|N}LSrzQG<}_EJbCNR>8|q*sSB~8
z`u-Nj-ebBri4(T9H|Zuhjb?J(iay!w4(rN){+xZvy>0M7$JGyA7Vi%HYK=SSYvc6p
znn*_xZ!<)4wIF5~B>O)B`Bih*rq@44sBZ5fb{0_HO*E{$w;db54x(J%rB|)nwtqB_
z_Lr)%t<DX+o^rk+X1jX4p7OIB%~KEg?<}st1Xzy~DvERzq<S0+$A21L3XYnvHY~#p
zC+iT08`ycxOZnxFj-Kbii9f$`WPTdWqlNQ|fvAV*-V0u>RN)M*>(jJ;uw5vd)nz4I
zH+Mawu0%wqe!H`oeD*Z)@riuzj`<jNwn5G~l2(x(Q{&pX19@RRv^VNIXJw-=UD(<&
zKVn{4*rd@+ZV}{?n88#}+s@;*nU$I5`SUpKm{%W;X1f%$8EpA-P(-IlH_07?$)-Ug
znZ+HspUWJ=7bb-skDO)j<c6|pTYy^kpda4(C45(Ksc#!r_SD4BGqWL!=rni7;H+G7
zeaJykh1aVEWJ2=x>vQ@=ba|;J`J6GB{Cvwe*?;DF8`C!vP8`18TIBdqS6!8wW0A7?
zaNt}h-eNS90j;O_Dl65<)hUS%G0v1%x62K!H}bx&Dz$r1cJj0FHW6J;s!0xi3?_9d
z(huxhc14lpTYUlj(4AU-#4YZ|`1Vs9WBV&h49OoxGwJ$nS%^=w;^~Gus%pL8=a2RI
zRqvwK;GdER`sJC`$DfGkvQka**<&!dj7o8P%)e97=hEG5XN-%_X}o!)Cu+Ta+CTEN
zA1Swcjb`$P)uuWMzG{;yf6;1)?LXh8R<=Q4hps#JW%&!!il}!#iRfghCdFSVHTqP3
z+Fc}Avnu_gw=OojjLz|IEx4%o$(v$%@7XEVql@&LqnT{kTJwQnO}kgzQ+$Q=D80*|
z{Sw+F)+Fof%>{=Vql*@c=p?Bo&BihXE!*Td{_@mWDuMg=HdO{`yz5OMK3VM89pAo3
z-tB_p(~8kdT88;=i6UR|B`f6DOt?kno_rkLWZ|;&{o~isZ^(VkCL+4bHzs`r<^uEo
zWD5GgI&4?tW%W~<V|Nj~2+FjGJdg7mG~pGaUH6=LI`8mkCL2-fH}b3c`fPuie6u_L
ziKz0vm+_S6Gx4jVo+u?K36({3qI8pEnS$yb+U&hjyKlqAj``QFncnr_T&WJ*p|vfr
z=k=_)jfKnM8_r9ef(k>+5=|iATNwsh8vTM7r0hvu{rs+-VH>_-;rd%)T$YGVkZN*F
zQ&34^$%N!}*CrM`DZR8WGOXjq#Y)$Dy)|u*rp5o1lP=#rnn_oJQ(0Vkb+Kz|%=#5&
z59@N4zTTo}-XXK6RxTTw7{L|M@ls8WX$soar&M9S!sv^>?$SF2^*y`tSIhLuS+4YO
z{-Abl^8MME(M%RT_1C-f&y2o^t(TvVFP<^K)J<VEbwc*p6UVs<oAR6QiRd_~CdV`d
z(HhjRf6X{oF28G=>zNCok%Fd^C3<1>sym;9iQd^Q{iB&IF73KP+&($=RF|&Ijy>U)
zORP*(K6eG4JguOyC+$E9Q$)u~H94j!D5UoNfSkdPbauVnxlLx9HGEZfD4VvgI5OC?
zX^(HR4R17)^Q;7w39b{k={d(5g>rH0k9M3CX*RW9$i-F7_n_>F7SS<MO^#^_GWU0D
zp{&`GjqhxkzqEJBJD0<b7N>U?RdjDJsmofNNEpqe{1lPa{<DEO_f#JE7@Jk-Y)&uk
zWebW*+q|c{olTUj@J8dc*dm!QUPMH6Xt=KkmBC)C5$JwVZb56-*4mW)+Hc5^)px#K
z<e<E*kJIt<`*m}Ax_^nU@V}uaqKUoW6z(lNzsxB5d2je(N@m)^*hu*Lzp{KiirPoD
zplVRhQrA-NQnRQ_C_IWC<uN6XGC--MB*;IPuczoz2!Fp5A21?701yBK00BS%5C8-K
z0YCr{00jQq2xwz%(SLmLMp<eaQqscOAickP!9r157E<^|`gb4FQ>CW46lrNbM_yW*
z!<Unm=Cfs`r8zvZw6qyS`uFtjKl+oAn&uLvrTH9!v^0m0mzL(UanjNp9#&e~48q7_
KwMfICDEtdt8Pm1^

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt
new file mode 100644
index 0000000000..1e4d3f5fef
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server-cn-only.crt__server-cn-only.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-cn-only.crt__server-cn-only.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..b0f30f7506ed349ff8119b5029a8818cbb04b01e
GIT binary patch
literal 36864
zcmeI52|QHm|Hsdnjj<hDk;Ej03TMm=BQ3TeQIQskG?-)^4Bb}Cl&GXsDrrS4Nl8g{
zZ|c%sH>F!wmKKskY0)OXbIy#Y>-X>8KlgWkulsvWoipF_ET8i{@AI7R>pb6cX1Ke#
z1V#xMbA^$i{3r$sQifm{vSu(K2$IKEI<|H$RLr1s?qHvAH~Zh2@{kESN)dSn(d0fu
z3Us7YzDzz&-WuBh3m^ap00MvjAOHve0)PM@@E<2&O`~aO=)#_XVg7;ze!=`e|1gor
zHQF~M&`-v03eRRLkKr`Qp69_J@)(mRF}~z84Eapd%xEl?P?$z2gz$X@Azw<+zEU9a
zzExlu*;8m519f3<qP{5FH%Q<Y^+kdDm4Y<)TMZ`4G_oPnGzN6`BTyuY7DRp#p?oDG
z$^2G>%QQ-~gk>~zb>S47D86rq;7j!{21%+j)yCF^*PTP4Kf`s3(?pvoo(yN6Cu7<q
zC%0)l{0MfFCpow{*-d5G*iN1@btHq2Vk;9{&9Ie)+e8AM!o-uf_%0XU<r2Gi5iT3w
zaPW;ezOleJTzq4RZ}|Ae7u#48QmAB0D5AIq6O|kXS7D;K3=_q5m?$p9L~$i1ic2w3
zT#Jd~VocNz-%6V&X&<3%Cb0=+GeX&nP&Ol!%?M>PLfMQ^W)ZbmL@gFki$&C85w*;T
zTyrAVoX9mNa?K^Vgr+&6X+e}E_%I1TW<*cTP`s`g(Ni;`wQLky%$Rtx)WmgJL}?aL
znnjexGKnIRf_ND=L5hvy$7U0x*aRsyaa1;OR5o#5I7D3zp~fN9I7D4P0f)tAad1hg
ziR(&Dykk-mKZ4Z6yC^mBeo9Ropwz@EN=yQZ)a<H8;E|?wRWt9bX5Q5t%<OCqW_C6Q
zGdr7unVq_r+1VV-?9|1~Zo2rG!4Hh3;sZx&;-g1u;zLMk`gfUvE_3b|lNbn+vc6r-
z@x`0t&*7u~z65bDer{0$J6@K}GAG8ZnWYhvMAP8u!jQy?M1){7dLMptl#tl>`EmvO
zFu#~&%+<=`?iQca!^lV6q)R?<6D)uLAOHve0)PM@00;mAfB+x>2mk_r03h(sAs|bY
z!#YDp@*(6M(t^|@Rmg4R3UUrPi6wyr5C8-K0YCr{00aO5KmZT`1ONd*01yBK{w4yl
zWC~1G?5{v4426tpS*cMaBQZQ~)1<~Ns>DF*C{p7wnK0zbX(Smkg-(?(m(2eaiy*}!
zWT;Y=Qkv34C92{X<OCA>H+2vk77zdg00BS%5C8-K0YCr{00aO5K;SC^6fy+U9Vzk3
zFlx;li;kv|r%}iXoT&m)6eCh7jAGc?;9u%yxC%v40g(cCHy4Jxy9*;yfbEDxfx<9G
z6kb#mjlC-_+ebPweWXL{BOPiV=}`JehwMa&SBFtsrZqZNa=t8x^YsT$l^}AyAd=xH
zh>Q}E#$!tKzEC2b|0|t>kUYc(QB^vRXeeDo{E-4I2`qpBAOHve0)PM@00;mAfB+x>
z2mk_rz<&b)8L}$82bxL8Lm{%gnp*pX1Pa2UBvWe{T&~X|5V#nnS8Wq@oA#4&Ig$${
zUYm|OFm+IEJc=N%(63vNrz@(%)JOFsQHFtj!q8A*m~j|CRA3SwU@Q`a;KfYvjpY6R
zRS>cjIfh)tz5!5;{EXxx>ycIe4W}5i0T2KL00BS%5C8-K0YCr{00aO5KmZW<rxEB3
zXGlL~Rmj6&Nnpaqk8k1^86_jlp&?{F7=On@nogCbQ}7y+aDg<3EX^SeAam*1tlw0U
zYwQ<hEDQ@-h>J?*|KSkw2q{JOAuF-De+trogd>;#X?#I{00BS%5C8-K0YCr{00aO5
zKmZT`1OS2m905%-8$P+C)VVdeDYj&v_NKvyHbZQF=qSls40!HTA@k9tg;ys9mOU>!
zKqa}|pYr2;$x8`%E-lw(vYpNFeoZ{m`9|6O?Ged-A}aBg0iJtmL%Xo`7k3|ymxg-y
zMMl=XhNY0?r2!2xo8HrL6|t^UVJaklO71vKNDaZv|Gg#2pSp;muB4;~CA&iE@ygt8
z2;!C5-S&Dmm3mJ8W2saHk6Tzt?9VQCi|L?ZvJNUH(RPtZFo~qDEURJgF5`T5#l#7Q
zTU|p&U#OVmjw;gV!&i)7(WVH)@>HnzUjssQG!(JFF2XdkV6w2k0K%TBp~yBz*-W-{
zw-1gWhV{BP8yjq7F^oW{7?vZ6F#^Yz+-Y4!NskbZHZd0$H>Jp`-LDyc{PlwQwE?sU
zMX#zYGqPZ<3u%EC@6Mg#<b1S0wz92CD`V*^;ZBmv4_5pH0d2e0yHD~yqYoSi9L)cq
zf4g3Dt>L*`*QTQu^dSq}=o{>BG->7w4@D=e{6Lv(UAHsQLDwp%G(KDwElOzg+H|db
zHupx#npLIkO$8+dTEm=Z!7t4GbK6R`tj!sJ>!i41ON_#Z0(exZ?u20YXlz5GzO5Z=
zY^JxV?W_^S9-oRY&)cqcKJi{{?Tdw$hAJ(0^wMbous+K`bK~i=<lM~nrkVMss)B39
zTO1wUZz)=0s9j>~zx%%I+r_?C0ka=OXOYM-1ZOFuN~i+%>dqiF3Kb>8a7TA$*r~>t
z!H_d*McULnJa*_hlh=(D=bGauYV_{~Tz(Xg7;t(-P{Y&Ew75$zR#s(}XN+8`>T1o*
zYt!m4GH#-_@6mXhKW9SdT9!y_ZOoNd(;DVnh}Wv<ub)4yD6#s{+UbS%IoU2b%egjs
zdrpUEO}J9}t|fZk+ts7CEzgkGy3-K8!sllGr}^eTzh$l7pwl$(%;^256uA@a#g#gX
zA6}9x)eO0-c~NYvW^#1;!h}z81#QvBJ7>u9KBOP^bh*3Y_{fggik6utb?1J3#Y%lF
zJe}IG?YEoy3%$hh9@=q-eTNTjdv|uE#;}r|yC*uXot|5?yf)sT`aOL?jiLJjG#iSp
z{Xw~THZ_i1g<o8~ACdp&((3hB>Uwh1uo$8&z}<{0-u8H9;sZDT*z)I`j5@a9x=QSk
z_y<)1sk`oO=MF>I8*_bt4TfP%Zc6tRDxD{esNA>y?sKJkrq6WO|4_Gkc9X+d{nWV9
zyzpA**yJHAD94lR$%LmJ1|^%|p0+!Kc=f;B(;|;C7TCq}Rg@g_wThSrdL!|*F#OHc
z)_Yptb*z2xjX<me|F>&>IAQ*Puz)c?t~)gRd5DpZ;Mt)|^b2`mYUqo3oJL+$LIgGT
zb*-ieYyB`q?ds11Q#_D@pmJ;5oF5!dgdp_m+gdjo4#^u7v$bOXd(-QQg&ta-oM--S
zmgeQ{qmzG44KA$W9dmmoQ&>>p@OkUg7mLle@*7oJn}^&JP8>tNQRkBWa{P-EZ(A;Z
zKHr#9=sAzX`v^7dA89M#7{fL~56_$J7MqO&c~=J>aGv28mvUp%ol6IdK8(*k8+XUO
zY@<_H%lOD0D?7GROevo~I=wa$%wR7%&uO(Bu=hu2<vpbHO^b}PMjo8wm`#;mVo+1I
zG^hL#JWKp;+U{LdVF`)*^9(3Hf5NqTdKsB-Y#(o7H$M1&`&7Gq(=X;}O^*#ONNSn(
zQgHK-%J%$u=Q5AWH~lh=w`JnR2E!=(=@!NHazmba-IO_C*l{n;F6-X7i#Jbd`p5;>
zpV1$e9x!JdJN3x;r7T%W#;@k5?=+U=K2e#h%}>9Qy&&~<^OTkkn`UY3Ub8x4L+ZfV
z?d+#XL-{YCtT@IS_NsE#0UyQ#y)!#%2hV7k_qfu;a?NkH*LPY7&ZU*D)t*yZd1h|E
z>j@v8ZswTs-XA<Oi<}f)>83Zx=TU-SYtA#V+`z=($>JhfRete?<(Fax^e@%$u1ORh
zwr~ned!$g4c6qLr?YW`b&naIy-9E?iBs3$MYIxlZcNo1N^(5>{>VtvZ(=9D5CXu>%
zQuXd$1aJIzmfm?%?ANopJZT?v5WB(qy)Ru<(Xz~G;<eYIvx|0THlM8Cw#@70HGXo%
zr-5~8@$NxqnAB~KNwzTIOSw?80_ID<q7bkBSNl@zx5F^ZxG(MTxgvJ+`U&$%kFnl;
z>reZD*>^o^AH5y@U9VbEF!hywvx(39P#u+hZfcKjkt$_JOeU=>P~Tx?bv2#2V_~uV
zoEhVE4vz@ehmw9g8>X4Q;O@AHJhP#{nONRQ3}jIaF7g!Cgt8y(P|vFle*}9XiwCOa
ze##tflu&e+9AmSi?zUX;FN}L5(%e^9y&1;jp4DSaAw8_*qJ^7=ezyD6wmW*nwwui^
zi(8`2=f7%ms+)g(sLsb_j`gdyr@QL}46c!RF#B^Ihct|#U31R+gHcVT#~@vZ$2;=;
zp&&3bK6BjbDZ4w~B;~BR#XcSI?7Y}EIeGERvNh{&wl6WPJ~Apr>8B(G)tSTEFYT?F
z)0%Pc(28AN#epmLs^)A}A~pM*B)sZ3Cz!ZB-B32+0J}2f*R3Ok4_nXAUFTq=Iahz>
z!-rnn<gE>(*7Jw>yppTcJZC*(ocp@L%Lg9Iy_z5Al%3@KaqN*nF(DI|#_o#PHQ;IX
zo6|)r)e7b7wKTmvM1?gh^@6hcWw*98T`8Tj*_GsfaA{(O>oAp;sQshvTATJ;l33p`
zYv)Um;OgyL8GEj*Pe5W%8P(q_Z&NA0meOYE)nxK2kC*PQyTqyeBiH`bfCcN$rG(0t
zRG-N^X0(Uo>l`?7M>6yz!qnrzHWg;x%MWcWi)>>1xBl$yu*c?XUCi;Qva92?^Pb##
zL-qdb<F@F;3MwrkVvuK8$0d|oofWb0UQO_ms|Vdg#~X=X&+7~KhhIN^G?;su{=@kE
zpCa=dQfidTqVK{CumA#p03ZMe00Mx(Ka0RJl-@OM>fSYVRW_uA{lnr#Sa?cxxdQaf
zl#0meUgOW&_-__tbx1@23a^aCp?bU_!6Hj|9`^r#{oWc21w&ZOP`2xoeH}0R1E-*O
zGhOW0rMqUjy$*@?IL~d@@J5Euwm#VLCWSnbJL=P;wJ~G#%<}gSx*9ade?#^PU%{fK
zN%k^-XUs4I4>e<h@~d}ozlj<CZjRe)THnlYIbT1F;mrL1&Mmrs)%m-#+fz?;T2Cs*
z#2p?|kyVTYmR$}#a`!>NYAeA`9VAV#X;te8U$4k#%7bGHz1Pa#ulF<N4zC#Q84_i>
z{<dQyePi>l4b+<k4s|8X2L7STR_Wy*OQ;MLehx;szi3t5%8=`qYe3)es&Hoiqn~9$
zGWWbG9OL5hCa+_kkFC81+3w-BS@qN$NJVCFS&o-(P`N1khMITFX4NR4S>>C@%|AId
zd(onou2$UpaK}2z_Q8;&w=36sj&(+XTMlV+lX7@i$^49{!SC*jp?0`zOT7{q9Z<4a
zFe|;PDW=3l$71$-J${b%!DpK5O?Ue3)EO{5IN;6H6#kLD6a$-R@hP5#!BF}3KM^z3
zDM)M$|4?<J(wjZmD!7F-&oGv3>Jcy@w7Pla_O-k{Mjz8lMlCD4T5>-|-qNU?JW*rc
z5J;0``%K@@`EuxoEq5PhEXsU*Fg8~)$0?zlo21yl+3<3WDtFg~=dzRb{+wpJutCOX
zmm1#+^5g3B62)OhQ}6AMu64bmrfNV+D~w6oW{8UADw-4c{q6Q&asC)XD_lp?3p(sz
z_daOmx@AR9uGd5%9G~CzW%woPPH0wIYE?W+X;tn|q*Hqv9Rm*CJbWwcuA|==S50%3
z-BZiQt=_at=u)w%iTw7OTEM}`V?*ATFCh8K9xfZ&8uTLTrRRiqIwLQ+`V}gkEhL{%
zIAd#zJEOjc8It;9VE6P09Tuz6x_i>@&v^fOPwH{IFFk3G&x3y-M07Ts8(6*UgmAk<
g)s!Djr2b^~EO0=8!T!BL&CJxYLvao>I2v~U0)w$;9RL6T

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..54b86a5ec169812a42836dff088af74ac922aaa2
GIT binary patch
literal 45056
zcmeI53pi9;|HtR%K4v7B<Tl1FM0>`}G^h|d?j$88%rGt?ca@YzC5lv1loX{-AxVTf
zkvd&Y(uHnHE=8g!l#2Mz9vr8)-kEvc_y0Wq^MBv9&8+$D{afq1zw5Ji%dEYh>?Mos
z1EW|3ztD&fMijviA%#F95oQDe0)dd2cym6ui!i6eOvLa9@-Oi}3ndT+kg+8GGeT6{
z1%bujuS!%)td*dOe-L*OulZ+<z;-|Y5C8-K0YCr{00aPm|4#&hMMUJ4m62?{C<Zf_
z6~c;QSTdp*lb@m%E>`BQRs>h`h4xm2$*qK0fxZN17aIq27k7f4l{;anqs`)_Rs<(U
zf`yagB6}MPSAvU`v%R^6)ocRi`)UYj{DZ7BM^sqeLK%q&T;t1H7a1PRNqRA&qe8js
zUX%J>q{&EZp|G&Lyc%*Pw}MX)BhYtEWTbOMU<@OQB{E^o#?jJhIf0vmElgD)%wmur
zvW}S$SHq2~5zJt+f~Tqof2YAs{-9x~vj`(Buc(If8n+$IT+Q-{n$i&ZP9t(W{eub#
zBI#J5h2<3{dlMKL8O@5AlEHi@GoJlHg-+7hJ`X7(ucn6FWx+jUQvy>FYC>xKuuW|j
z<iMFPbaHW>O<+KrH|Mx9$egz!9CJ6oTS)LGI=o7USLxhUxC)&D7gV^Q!Npv-pu>d`
zTrl8*$tjGuQqXwGRfJ#-5;VRaScL?^G9(DrAwjSZ34)bK5G+N4U@Z~^i;*B7xSX&z
z?vJZX9*?=oWUexqt4!u9lex-dt}>acY{+e8$ZciFZDq)9Wyozs<7R2xERCC`akI4X
zELW4p)tt+%$>l@h0wQyJN`~OJWNuH%T(=a6vye&f=7|v2HRRSd<kmLi*5)L+RmLmA
zbtqg?6bRlog-eRUB}L)xmBQUCg?n76+_qG%8kMU?<+k-<Q4J}ER9JE%gmouExMLF`
zyoZSp?&3rU_j4kI0ZxQ4#qp2}Wg?tv#>F$Sb*dR{vKej44kw(n!wDztaKcGDoN!W?
z6HeOUgp<0Q@GrXXIRo#QvlTvZCPMh^nF!%iXd?8T3RzR3-=87(L>RBjoU+4&?f6m|
zkS~)<oDLsbh>IPrOEIKz&s(yQjv-1|{ui}>HUv)nTlFGM#c0lN6jAuMiX`Wa6qQ48
zUSI(P00BS%5C8-Kf&Xd(Y5qty5+j4d(f<*H3|onULvVg@I0OPGExi?skluz!h@1SG
zsLx5mwf@D0BZ@!>Ny@=@Akau;WMuH1NLEA)D?;CAjeh8w;PnPR5mB%<w1}hvDG8&O
zVkEG#&Y_V}{t>Jti|q+ftjH)rWHe_oNYa3aa2}0S^a%|K30<SVhBFs62=mwHsKV6@
z;G#0;cf0<SxA9j_D(zP*I)I=sLX45{g2+d#;JhA|x(;ac8hCvPQJHpf@$^>>sAr;j
zPN?0bGC3wDby=jG^;MSMZl)^5dSM!fq{}sHW@N2<Vj6yitl4B>^k{pap^)}XD{N{A
zr7cJ1%!{y>NO$}OMd`wkJYAh_6;IHc%yT*##e?n<p6X>R+1dP2i$t#>5?oO2&*)Iu
ze$7#fk)hmZz3ltF_8a=5X)yysHXSkbnkvIve(BtCIBSWDzgmk(o9Ac;6{ST`YN=iI
zRj1|Ia%EM7l~u{Rc2-~>JI{2`C3oy&QbB41<&uBT)r5s9DH}dqPu+e0TimP{CC0mO
z)k#?C6<XhJooMmyKXke%@u){tVDbs+f`d3zuU91!frJu}G-#Hvgl?jB;*cZ~D}+Qt
z3K$t|YBkQSy)Q&|-i0fP-Nw$g2c3mbNF*i!DXKWT@=m?%wB0UB4BgMuL$ZC0H(azo
zK{8G0aKGEQ1CyP6Z*{HRk?E^bZxK5sohr^mNp@d<R=MX7q4o%&<8&(_jqB^@;0C3)
zMPC?WKL}|G39%R3n^rz3tN)z5Fe_?_-0+P%u1v=-qONy68~e`&R+=3|sejyN>sJ|G
zMDZIeQ|NI?#0KfM25P6Zcic}uKj2MVRJ0R4w9`6spHJ3`t-C^41vG{24H@d2s|r=4
z&gyK37OdCyAZcJpY(08)o`dz{thpJtj}@BVDz7`axWl%<Vz7Lf#p~b&9gl-A4qwNY
z>?rP^uShU!uYM*~GMgQs*!FStJ_DUu8@82J9k4PO$+inYNd+HW0kO+|0`AFbml3k_
z{>}|gPW6vuNY5Ufv3oBJj-9l-OvxmbFd)>saqRNl>LXt~D(dq(H*aV%?Y@GU?Q68O
z&3U1FU6Y7+@<^6i+`x)}R*GK10qn~8jqko{y=}CWe-KM*4)O@Ed14kRD&+Eh%;96M
znZa6OWYADAt42*N+IXQ(<1S>G_J#Lm5pFHvI)&PP&y37wzdF9xGt(-wD*xNDTCdJ+
z1N5K!UVG%we2FzjMbFI>qAcy$Z*pXR>dJB7>8fhw>llBmkb$~Z>6ex)8$9+f>8X^D
zD2o|X)bz)^)C|>-u-RuAN~(18qbI$?S_dw)9J>A4W6bMZB=f1-)tNN6hph))U6yaF
zDwom=qsz(dV2Y=iY>fSA+|Z_5^&&uVBpn}K0QGJdFx)y4wv1eI%rZz*`Q{?e0_)`s
zDX*$_hzF@w-0~&-+;>=x>qo6k9>)!#&+S3c4NJcawapy&jr#ibNL@zH@KB>&9?C<y
z*wS{OxL%YJW6{^~+9dwa#mXuY>WOEkC1b97wiMx-EI#If*Js<kTBWleICQgooV*%i
zy$;tKjJisXd0e~mdQp+rs-{6-t2ULa+AE#j)2AoT+qsf76V<<b&j*b8hX5!`Ia>C-
zNQHj&#hK|J2F9w^EFHt!3BOJJx$h;iHaBB?BQ|*+MxF}~I9aj#xo-KmZv~=w-Q()=
zZ0lEf)}MWk>=Dx#4zLX{(Ka%r`PJQuAKr*-Slusj?b#WWcfm3x$hyN?=V(x2(v>61
z_l5UA8>~%Bop+S=M15nB&6%+0?RA5i`iCUiU2M;F+^U~NJi$D*FZi9$mAH@%_mAFd
z-uFsfwaj6);wk5EIQbZtSTFT5s^79<wP#X&SAOpM!>pN?Tyz`_6!Y<Zuj<#94Hp&V
zjr;EJm-m*Dbj&{21AXl)ew;k=q~@rxrD!OkmCnMO_=(6v>4)lmwP@Z%6M33Sy<|MI
zexG-ybA`$Aq7jW<H^dw)+Omh^zE${a)hvGZIY_6xqA0ptlW4DGCA`C&u|aBSw?xy2
z<ZdCFLuRz)8MmkBOQn+htkP%n88ji3vo5;NKkiM>E!12u3g5p*{<n|p;xGix{dvv{
zEPwzY00;mAfB+x>2mk_r03ZMe00MvjAn+eXKm?5ugRiiU&;Lgd_>upx4ub9g0)PM@
z00;mAfB+x>2mk_r03ZMe00MvjmjD`#5F4NWmm=_`016-g2mk_r03ZMe00MvjAOHve
z0)PM@00{hz2-suTN@D+8|MP8p{@;nfcm9of2&@1CfB+x>2mk_r03ZMe00MvjAOHve
z0)W83KtKUa7yJ2N(HWorcOmdy|AH)N0tf&CfB+x>2mk_r03ZMe00MvjAOHve0)Hz4
z@@R_K&;H7-5XU7FKMZ@782|WN*#>3+0YCr{00aO5KmZT`1ONd*01yBK00BVY-zFeF
z1HS*ShLuC$2l2*uMSMAa9sVKy0Nx$Pz%9fz<Bs4)aF=nLC6goraTv+#ICaSm$&=V(
z>~2Xt>^n(YNi4P=OU24zBe1UjwizG*2mk_r03ZMe00MvjAOHve0{<rjRM6(g$UuKD
zA67(^7es}8Ni@jEYy1J^WU?C1G(=EFn{rzRvDQyEX8ze&l~)#0`A2CVBc?Bl<AeLC
zbt7e-X}S`xG?S{xD@|q2<dtSp6nLenj2XPrG)Vr3G?ng4`LknkJkxYpUTG#(hF6-(
zoX#uFq)78hQyJ5ErD>4V4{6AcMg6m5c%ErGj#rvVmE@JCGO@hUOo{}rG?gLFD@}vM
z{xQw;B}247J0{9AO&8&nW>STDrKwCIUTG!;!z)c?pn0Wf5K02AEEdLyj9eQU;Va1*
zUuGcc5cngwueha>XC)=DeiBzCl*HGHJrL6uO%i!2vOqXXXi&%ra~dOr_C{Sq$sxlz
z4gQ7;n>a(rJV6@q*OBYH@q+=eH$xu6ViV7>6~aMIkonXq7NTGXt$}A3-0*Z)lydos
z#=PwKR8n0Z;=zz<+1gKwz87-v2Im=;C?o+A7Zx2?L5ck}#t_UkC3bv?E({1g;r(e@
zRLm*akOe)c&wE#vy$U?fqQ5@QCd%_PNrMD1NtYx_Jv%)&y+u6Th5kC_Q0W~H8*xv{
zH@b02!e~^k6F-ylXC*w{hQ3oGH-FUjs$6Df3Z_4Lz@DzYMYIsHaJ%mfHc{?Jliv+k
z0+^h)3hBGo^eO4CVxBVI%>0|nW(s0BzGNQx<*j04g&}`_CXci|FAQ-sqj!4NG<@1o
zRh;+Y%D3Zw;kQuJn~JZ$-mc9i%JMeJd4et9!(ARsv>iH_r-^QRMa1Pdd!!T*_UW%#
z^b*(3T8n6T2R|Z~=iyfEykpX5`RmHEBW=-gN^Ljo8q@-;q+~l6uSdMmUcWh?O_bqj
zl1UZ7Wc8MZ75%ac;(y19tPy6XH}0&x6!IJ1rswzSzGK~SOig|!FV;>QHI06JxM0+O
zpl-{7o)jb@YrA`_@`?|Mr?0qq&1Ms)^E63i3SbgXLvEez$TCLsksOCg6Z@WP6$C|G
zI#cJy#+*D+y2_59Nei>H>$5X-@SWrvh40LKeWN5(_N-JCXFRc?-d?|({X3f|&C?{4
zB7n*E2Q@MFx+KTbN&a2wL#*1upht2#3i>5Y$d@ZTy>FWEGkMMCj=0DO>g~Jh_DxSI
zC6$j4+4cBNTff-)!JV<Yt~nuW;xwKnse%kaMHe$`(oL>1YBJpBEKpMvd!}^TJT~J9
z)2O@-<$7Cn8b6bN9ITaSQIr?Ud3<2HD?(4>%~d@+twE8^#QZ^}GzBz=q!dq+0u4bf
zfwygT4?(9?y?m;Kholi+r;^CmkhaF}+?;5o^olrsCVxLWlDRrf+}bO%WIbso-Cfn>
zo}7_uw_6SARbIlHN-H)I|D(z8zFG)yxYzkp>Z<b2NF6LcwRM{64JDJSU58}PFK-_V
zLa%x+`zo8CNksN1nrFZrAA7sr*b33LjQySsgY&*I&UI|Fo!1kw@G+Z+<84xqA?SMP
zu+YcLt;q~4w1j!zsmwz5+(OfLub0)F`gpzT=phzAlk2>?9oEbkovWpv<GOC$ic?qJ
zc3!hExZo2i%=-46JZA@+D9O{LKts@lB*x8H)^8H62*Z;mX9l)7KDA3<ttWkFbFHLD
zg1W9AKa(P=SgP{tg3^_{M`AW*KpF|!mlr5++IHb8VRxD6BNUoV#PT#L&=AzjyxSbp
ze))cmAF^Av;Y2`AeAzTaTHh+Q6@BtG=j6}vGpU$6FG0p3Z1vMpq5W?x0^4(!d^tH<
zeS#Sud`-5wO{#}Yl;CMnpdsjh?B*?ReYV)032S60tL%FE1Q(F+dE7u2xhMCei)UF1
zKa<7hj;-xpqVsKab4G62{2~06IFyCH7PGXre(lSZx4TxdiQ+s>3N!?b#SQ3oGmFpV
zj_ED>vau4W8Zuwe*F5}}u_(lhEjxZo<YzMcYQo8m<JZEUCpjN3U<{b;FFkYVQ|iV}
zE&HB1mj+3%*+em(CIuRTgqJ(gntYn4d(*}o3Y2@lW<2ybuxryF%S>d#$*FJGU*cyn
zJ?cR`{nz__6{q3`G7mI(%M`9`y0LX^LtKwT3;Bg^Ae$)qgURnF0Rjv`d-1sk9aAFv
zzRtGFy=au4bKq;?ZQ*a;>fVerL-Wl3xBN`L*vq)kv7{n0Ps(bh@=n@XA-@^P2|H2g
z6&_G_=9^y{*hCTDCIuOS4(=Dt3LF$)Kt76cHhW*MzB_x%shDR~gnccgOjH2k3qO+*
z_m4gp&f0Q1y;;Nxackd<q9eYkJ;z1Qp0m4Io%U;fDVr$F)1*K{(7{6bGSPD1Jqq{d
z7vC<!JkAS#^~a?z$?`NWLP2x<VoQD|k9~Vcd}+a2;VruTdB|b(`&8qv*nx~ybw&I9
zHs@Hlr?H7bJWUET1U(@r+KqWRULN#!5FYUiy-f_dWYeMO=`R0}PIw%3cRD|lk^4dk
zG}FY>#0SH3f-`+ezrBgyTPYnkwyLi7o;yXIGX!CHniOaV^00QFJGSm)e1$N!B_&nm
z@nEfdm87ZGbsL>VrFG4fX8cS>`3Idx`fsXITUCuc_N(QE>l(NBMftWT+H6tW?BTAL
z%qF6FniOaVN=`9T4n16_Lr>msi0pdMqgGpJEiF&&y6(PwwDYm$8-6CQQJ;URL2CDB
z7uXn?s7@>MX6HxUPyXEX_2Z&ln-<pVvxz94CIuRT!p>MLFPlHu;HK-Z>*92Jr0Z;M
zNS)S&Jw|&!_o%<wh2m$DyzSiluEgK&cKKbtn2r<LzVO4^Cws&l@G)OE4cM2=ZS+D4
zDO1>@le2ZdIQ`?l4X?Agx=`<EeDjV}#~mm3LGz$l!V(ixTC5Nf4Jlw`FdHRb<};kE
zNzWNUW{*ioEkmCKju(v7`c-RBpKk80Sb6M`CDr_W8$ACP6Q?5ZD{<wxX_CR%8(4LT
zc=0CACa?ekfB+x>2mk_r03ZMe00QF#*hIA-zB+$@i&%h(@!Zi}MysugtLm|`E%n=8
zhCe(ZX4-w|YF2Y)LyTkdoK5_`I-?DDe}3}FOm~<rvD`p;fT<#RBjlvm##|>f(r^Eh
zYYA*3fwxIPZnPxM+(V>=^%@L>4j45Tucjcn78O~<w!D)0s=RI5;$J%XnSA;BkKPYa
zU7JUreo|0-^oA)W6L;yeblNn-=gSq0k2Q3&)l`K{CvI8&^me%bAjw^<{afbCjiDBw
zjuU=^w@rGFE^6)jbPo|>B9XQ{`2;_YcbDY^j1ccHOm2DTd?+D6H2W}XskY<j+oa-F
zzgcZw%h+lvJUt4+ap?xE{&Zuk_J$KT-!2^$jShNe+T1k|A3NY4woX2=LzbV%!LFF=
zn+9)^J~V}_cEdWq&^6TF75eaWYp%+od~x$?3pP>thlBmytv@3HK+dqw9bnVsniGbz
zlRWM?46zFl8dY8@ubfXLATZ6UV*E^g?5(`uHGl7;%8KmJ)4ILUdo)LD->lMz&<;#D
zvAp!QicM7FZBmd+HM09VpDh@vf7uk#5&G+%;lkF$Uk*EcdVs&1P<Q%L+Up1WOh#A8
zWIL3EBBbp5mey>3+o;Lf+g>BauvIUf>Gw7>Q<_aw<Y`i%OEn&>L`}tx%`Ky?v3S3Z
z9r=5-A7q`lVEX*MY5u0#k-E?POwQBvc#p|wR2b~+mFrg0y!pYg`1n`Li)l6~2UHpu
zE=6qOOr9nMx>SR8nH_$)QTX6898)8X(6~Ttpf&!5$NX5a#m;UyhW!!zOhyqN<*)5(
z^|d<tC3DbsPtpvj-?NJf(?<4~c*M5I@8(?6R^Vw;pi4Dkv=!&-^44JPX-U7EN%tR!
z%O|l!H;i;OoOg@7q2W}=*JPD-m)EJ-%BXI9U3ew&qg_V$N$e(@VP%S)k-o-`hyMdO
Cb&rYw

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt
new file mode 100644
index 0000000000..142748c1c9
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server-cn-only.crt__server-password.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-cn-only.crt__server-password.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-cn-only.pfx b/src/test/ssl/ssl/nss/server-cn-only.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..ba5bdfaeda2e17f36e42fe551cce074910c12a62
GIT binary patch
literal 3197
zcmV-@41)78f(&^A0Ru3C3_k`5Duzgg_YDCD0ic2mFa&}OEHHu$C@_Ks-v$XPhDe6@
z4FLxRpn?X_FoFim0s#Opf(FF~2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=H|rXs
zC_izS0s;sCfPw~?4sHegvie4Lh%${?LSS!e;vB(tLN=5?b$c9aFqWTgJ{T0be)uG9
zQy|cfFzMP&9XSF3zM4@g$1n;Fa24)t&SB~n4F;)IJInWTH$eLl<eDQHm>$j^i1|(?
zBc`K{SQ9K_IpyC;_{rS>hasGZNl2EDx@XB*bJHGc<s9bv$u$aJK5*mNdOBB=mafWW
zZf)p#b<YIR^CNoxsi`oonm=OZC6$m6AkA~9z$akK?XRHiCPNwcB_3K)9(TJ1yo!|9
zc8)gLZLS^q=MqL<nx!2>9oF(iV<a{uQFW;%BX%M?lY}NrqjGDs*KRnX57UbyS>mQ5
z`oVtOr1QD1$RiR@(&1tmX5S$d(M3)h>b1$$T!pK7z<=g?j_MBJ0K!PE?hWjZ!$I^4
z(54{SsgPtBg7cjs15TBuknd4BuyVy)rqr<<k`Ax=@YTTO)wIQZQvjU)A%>w*B-HZ7
z6TBVzz3nWK_X@HTT#X&}G2Xbgsu8X?$+hsM$7yujHqvp>ZB((rhBVo4i^;;T7!0z1
zjhkHna*Frv{~X=tYAIOwUF&UZjJYCHiOtO|`!>{RM1kHJj~D!F3%E8Zw-bKtoZ?7g
zj7hSWBKcE2uOmwNTQDTbjEfOSFl_hvD3QWChqw+2VIO;g;TWh4yy<#CRpQmEluznq
zNQ59wNaIlp7~jd3s72{)@k{2}8$1H=ia{6}y6e#oUrZeODMy3l<W?bpwVTuN=*#R3
z%-6bgWt7tXz)jg3H93q~h+1x(fVEhc(%5YtDG+wB-fgn}I(DH|4bXgj5_<Ro`#CHK
z_KRv4Lyz$dbca%g#0Z(Civnv)ox{=h_vl6;pn3OVmp0odByy0_+|4zo$0|Ejo^?1|
z!x#&!;PQoh*2`^d9d{p^;n!Q$4@+pHn65}Ch**zpe0!{+x;*u}PImaf_!Yd`v#_JD
z^gN6Fb5Xb3wK62kZnSuI0pt(VXD7#G-27Q8z940h<4EOKMqCgRF+euLZ4qm+T-HMZ
z8DM&t33=yE<j}(X^ookyw?wwX{xw;m-gfwKpX^Uk@;0E{Z1BK|6oILNA6&9xD$bu#
zr84JrRwc_%_=IqOH8(}yYOpZ}$_A;)`v9u)|5nU95YA)5;K`QsiwzMV8^b_9X(<BN
zrJS<D3!s3ruYs<C4Mluc)RREz=gjFdt^+a6H_9F$VH6uf2SIgugOH=RsOZCq1>|i=
zltRV*_es={zZ8`f?y<*d*Tt<p(*j6DdaC7pE-hYNXysK{4>W0_cgT^(nBWXw)ZzjF
z1OhlwNdJDOXfbQ+#4Kc5ePs%C;k-ZT(w+@jz_6(_c)0(N=6v=+swz#xBb@o7Hiz5U
z#W!^WmM+6ErxJSj#oHD*`j|G^x9PI*8C=q^mly!6ZUcU;bgw}2uF1wS2n?Ji7LLz`
zqjD=$B=76rL6lm<Mk>@WHGYE2I#l+yzd5C1#~rsG1e&|jp+ITJ!^tju-PSD)eH~>c
zxZQ<wQMUXauwI;6Z8gU*-)OUhMGd}~BRv-kjP+V}?Z|LX%WCj3k`e`FOjhj$YxIFC
zD)X1`0p|7VaT_nKE4Eu9{*1Ek)IMR@_p!!Klr;4H)*3<}A`>9H_D?uw^Tp>r7drXD
zQNzWA4|wH*I^Ht`ZqfarUvv+(_==z&YbU0sK5UBbIFrhp20?jUIOXH88Q)|mWt6*`
z$&nnbU+6S#aI=UQMfhVfZp$2~r;h`IJwhf%i^EiF@%UyKv_uH`Kq5g!9-zqzh3pwS
zb}}De`0vI?m=0aX%FFUP8`;df4<W&UHRm8<D#_a*=XNXRBOe>Z+V=*?*kTjQlcb3%
zN84bN27HL5X><e?A<en34Fet{Rc2+cjKJ$}lsX>tB0;#buFJ}n*U?SB#4OoY{x_@0
zO1OybNj*{a#!5Y?C8&jqm1>wX=lH`<7e$K{U}*SI`~s!Rnb*XgECapf4#!zv5R$#t
zC(vr5--@JDx_p6f8=e|#oGMpr@x-&;mrttF??IWAjHi_Ic80^$2SA)8SKaqq2X3U2
z3~b%0OGsqq=azR#n0mM>+M}m~t8SiVHdG<xlexGQFF0F3v9QkhERo}ggTe1ymf!Ij
zFOX$<)wfY+A3k2n87`)+VS3i8_VXWyDP*4Eo|!&LZ+DCmKFn82x7<3xRDJ6fB1`M(
zbWXGNX6H9afJhk=sguFu+DyH}kVW-Q&z<<DECPzqC2UplFoFd^1_>&LNQU<f0S5t~
zf(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&
z1PC#dq6!ZU{SyKL2ml0v1ju{{ZOp-KMzUXCFg$d>dQ6Ge_XHX1PG+VvWC<24s}d1Z
zBynN%m9^i9S4TkRVtB!R*r)*1)F?hnmvt@%D3Esh7G#zyRT75xHaHM}K|GtNy&j&p
zQ^RS78&{ea3@xK?FdZ)eUxz&pxCMZ6a2JL*CMZ~0H9HkbC?1IMN^q!~r>~HU9nBQ)
z4-l0r9mAzIfI?!efNKS%YI&R#-U8&)mJiV>2?Q;#+t8X6a`2F`#X7>?!@k=0WRUVF
zbU4JZ^WAv}u-NBTdM<ugra~XlneABRPPhczhYFtHufCHNsLWE7&u|&VO&8mc{g6IW
zq6DmEa^96tV0iNn!yX9@wZc#)ZxeU}5i!%6p^d|X)DcI&o>#*9Wt@AR0i=b_94Q(4
zQV`>Si52hZtK}}_qQEZmm5ic1abs*H_lGw@P%8jqmwXqmIS8mMr^3^~lrT__iFJb$
zg&nW?!k)s&M@8H&b6My0I&1$AE`LGA*mScY%B_c`JQ3Os`?aAp<ZV3q(R;x*A7Pf1
zN=94JzZ9@Ji>Ywp#B-C1b^-_sEp-n8HtfTz`~a8Bnpg#zZIBwZT&n3WK-%4%0f6v|
zmAj1NrxtLi9r*s;Soew~6?!202FX&2VKv%N3-i1?`vfGyWA`QYdITl<Bo0~&br@}|
zA<O`gl4iwZw~8Ok_svP?)wDz(KuAedV{Brk^vu)Iy>ltWpg7$wz#>^lT!Kv<k~KN7
z7(@86OS)=VM(C4yQBESszU6#CX4M^fJPXJFaJFNW#tFvDF7tXro-jY(m*#j5kPj1Z
zk>TVZ6Xz8SStMjSGm2qQm^Lq1i~>#JARu=aNOu}>?@n7;sIVxR4&p?`m!MVq_xge5
zX&UJg@2Q@ClCj2j#tRL|m%WOCb1rlAtFNXL(bxyM=An7aw?^;Of#A>NS65<<Bi^sh
znnZ+eJ!F~<D_MnWvFTjE$9}_+I72_FB?0DyrHzMgpQ`aFj_44@I!V)>B2ng8Mf2_o
z<dtS8y-GvX3x<=pf-|y5OI_?+MP0et+os1u8xxmem{)(^dqFupXVOv2CibOS_-gW9
zbj${nKQAWkb!iZ2U2jw_J!%b`3;1$jk2I2SD}VuniPaf5-q|D1{*C;fK5-k#22eWd
z<n3VEl&%nAV^sVTlVpjU9hqERD;en0;tZiRUwbB|%&Fz8)S2{3%(T5N_ByAUBdy;`
z3gK*FrDj{0w)__;onRtYWjfI=7?E~McFJT62O$Mi8EQ-*oTv}(;25NB3btlLR#!^W
z1v?5o>x0%S`{|t?xF^LolTNl$pSydl`M&X7s&R)mb5tYZsiDN%JwN=r9*qLzjh4aY
z>DJflesqdq%Q}A_X~TJ7?(}D;^_ti>bir^0WF@oA5MY33y)D-;kIU1u%`ofCq7csI
z2yt>*Us2+X%O|cZ$%q;zAvXnzCVKxE6Bw*Z6nIjD3fRM$CgL9&LcGLh{6L&qf{Y|k
zdXD~Ak*hp;`GPdlgB^l<>?=ZqN3+$%4nYS1>U$d1qJ=HMH}S$H;JYIc6X362b^?w_
zGv!~C7Uy4i9Uj;Z9g+0b3O0Vuz~-+>g;)%X`HzlF?AbWW%)tBNc0>Sv6rnLCFe3&D
zDuzgg_YDCF6)_eB6nfR~gGo)z^le_ap`z}&-kgJ6@h~wkAutIB1uG5%0vZJX1Qe%(
j2cl>0KifkIPtx<RM@M%o`dS1CWh8s6b^1g80s;sC;{@;|

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/cert9.db b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..9a302235cfb80c46a1bfc408e43e5a99205fc250
GIT binary patch
literal 36864
zcmeI52S5}@+sAjW!GW*{Do7AcKq*r8xTD!ZJBsw8hz*b9q!&4`B~nfiY#=HsB7%Yn
zf?`8JB@q=Yphgr+5GA%CAlSu%yt{jcATgiG2l<jW->mN3vs3;%^V`|So!L3h)7>d3
zn$MUQ5f#RbX0RYR2!<gG1_Od1X>6xsd(TG23`)-d_6hf~f6tVL4AAj1NGC*-`Unl7
zBURGX((%$3*a6r80YCr{00aO5KmZT`1OS2ma{?ALnxdi_>=P93&tJp~;RgAK3j}U4
zexX4;32P6Ir5A_c;9|p>&LGklt}cvE=?rZy6E)JAOeGYi5(=SQKYr+^9JJ3Ah_wC+
zEFBvPP4OEwcs5a95aSoj=S6=~pnj$xPVKM3M4394WSZj0o^}KY1Tp-mPa>4hL_~@G
zHO!bgN#?MGqM90<Vj0c#3*~<*{>dPTb-XOCoH%_s1o<=EJRF=YJ$x9B93RG17YFyL
z9Q+K{t}eDt4%S`_ODk6oFFghq#dapP8(}*Ow}}WmhKWa+;fH4Up&4<AXE9^rfiWJK
z;DIR~nBjpr9&qu%4-3o*DO3~^iYTtZL`CPpRhTF)!$ff%CW;F&QCx|M;!;c$*J7f$
z7!&2;p}2aY`Vq=TBAZY)B9x5?Wg|k_h)^~nl#K{w7Ey{tlwuL3SVSonQObl!H6c<>
zh*T3I)kKs^Xqph3rbJGH50e07M6}ch#mgEIEj1!)%SN%yh>1swO<b2n<Yp1MSwwCu
zk;o#-i05Gwq}V8aZZ<)RO^{*}XJr#-WfRxMm?&#Zs2LM##za{j-<ZW_8RL>-6W0}+
zc*Dddeg?6LH&JZj?G&3hK(UEa6qy7RvDsUUz$1?BEoRbF%%rzEnAuYu%<QQSX7*GE
zGkbI~v!^<k*`te@eRT0YgP$0S#XFAJ#Cwm}#JiB#^zSwKz2>}6CeaZ@dHs5;<A+zr
z-<XT~`w_&=@N0__*zvq<mI={sjm&kJB$^^e4TeNcWPT_%qW9&-L`M+EzMt-3U*;#1
zjJaA#+}+}XdKh_+n{?3!Zh{RE00aO5KmZT`1ONd*01yBK00BS%5C8=JJp?4FQdnc?
z$N>oHL^_a1NF#C$sX<O5<yaKh00BS%5C8-K0YCr{00aO5KmZT`1ONd*;BO)zNv6P5
zxpRqhk>OG+DK=^(L<aQ`O>7*b5(ZMeogy}}$RZ<oJxPL0p;M9MG-CWOQwGVDA!B44
zWz%JyWvMb1NGTHbH#HEP77zdg00BS%5C8-K0YCr{00aO5K;Sb16fy+U?I;OyFlxb^
zj83GHr&7p6jJ^1RXhu{-L^Q+N68};+!!1G(9T3I$ba!HSdO9(p_}GC!5EK#4h{m%D
zVz9O1l7plpF-SVJLDHcPk`85%bjS{rgkdmh#k4>ti>{X`alQWFrQ$~|;72id{HSOF
z$sSXp4~7yk{+GQ6A@#@##9X!o`5Bok+kvdcqQC|S00MvjAOHve0)PM@00;mAfB+x>
z2>cfjkRZ#$yPz3#e8xm_KqGKoXb?X<S~LQez~u&Qq5>DA45)5`KC=U4T#ht`>_$f!
zOjT3`pKFjFGQ7`JQ19H2X#Ia2grp(`NF~yMT*cP@??94}xc{O{45|tU00MvjAOHve
z0)PM@00;mAfB+x>2>i1N^h{2OKP88f$HJm%245c6fEN`lAx@zoWOW!{*ddOmisLDG
z3DMwRoI)0-kTl6Ibb%n$P?V}4784pB6dB6b=Y~e>hjYXD0$g7-{*Q!^`$!eC2U&>}
zAt^{R5{X>+XM+Q^0|Wp8KmZT`1ONd*01yBK00BS%5C8=J$pn<hZ1~V6PHT8=>ms@1
z+i6mB8eLO6_a7B4Pry^XBAEBjFRpb7s(w;kKqa}~_V{6eXte>JN-J`5wYJn9-o_!F
zZjsFIn!ko8pc2am@YLfQx+0$c<mqcXOL17_IY#cD=B1EmHGm?SP5;t)WiVJ&=oTcM
zDz%DcO|`(xf5(>WPhCP8CM&BBt#N~fCCHieX;y+9yU)>=P1!F;|FKxA9Q7cU6Z<K}
zK2tWRkgSRdNwgd?2_}(-$w?||b!MK<t9PEFz11yr;@Nr^PgI6R*Ii-1;*AUpOH-kN
zf3*iyRg}SgF@$Mk%4A``>cO6&D8n{E*-W<ha1hQQgw^|28>T{JA&fw%5SAhdF#<=w
zzy5p`C1bvDqJfF<SX+vu!tJ~EM_(>l&=f$MFEgugi+3)pd^SDEwDZ()<HGkgM^?UR
zRL)%bA|jjQv~U79kx$E-(D^~ycVa<7&}i;E&1;X8QngPNxwRcKrE4s5r*E*i+@^FO
zVqZ++%6Al3i-*}swrUfCs}dq5(XzyrS(`3)%`v;2vUXKfSKHyr!^&eFXdzFH{EOaH
zZb>b)zgjM=-x51y++lcpmD-dL_)uJPlBSh4Yx2(7hE_Aj9h?5)*oD9>h0{s5nwp+2
zHrF27aa}!w765Cqw3IfUI7u$r`POjf0YiEI#baCSY~OAv`(9h6(#n6wZOPZ)`ArCz
z^Gi%Fi3~$<t{f_h4#5`Uj8dRbQ8Em7_hp7%YK$2SIieFto7#2b#;h}V*+Ox=d$jbf
z=B<DW_XCmwPK*m~ejJt_fBxyp#+`MUdQ0WqESUS>D31{6w^6%xDZV~1cS=|)OQ4(@
zTk~RS^W3uu%Jm~O4@@mfx^q8uT8T|zo>Sp+GfVYdCn9sF)KqnL#O!&!di=KKnbOMF
zn<H2FUODh#fytTItkoM-+X5>l<{MI^O1q9VsD5|vyi}D^=uM?_LVX2;L(>)~euzK(
zCPqKoTaxoGqu9sk=8B_w-E(Bjcb2Qod;fx!_8{U!TJyG_uV^lwC6u175?}16JNixM
zNj=4}mDxL-?NX-|l`U^d(7N-MzUZ#D=OQ!@ifLLX*FJ|DPj19-u7UT+-?_C0{582R
zxn5WZQ5NBDMjo$wf*kRIn}2Nkb53R$w&A+6Y(4ygiv7<nmprXKVF+8^HVD{Y7{=s0
z`tDFwpm2V}p7l4M$lfw+Ra?LC;f^_NwkI{y;;Z&YHaW(v(O5w_nruTRJndL$jREdy
z`!Yxv_E&paq&f>@f!#cxO@d>-RtEDxuSC8UhWp)Z1E=*>$2th#^1~YNKfBg@Qx=R2
z5191Bx_!D&LUnxkt^3Z?&+ZRbK%WL0w{W5p=TqZeHYpjf){m7@x%2Uxl<COf;5rMd
z!i9FFp$Prbw&xqQHTI8+-CCdj*6>nN$#i8O<5qunbCbHRiED18g_JaMj<~l<lpL<N
z{kZk<)9*~Sa$ANzZ`ZgL;XH|a`Jq$BGyA8duRAV$Jl&E~;uA>XyocKI^{n{D`mklh
zbe}6-rknMHIJMstIC}HqQ!a11e!f8GoqgWP`0Jk48y&(s?4!1??9QSXQa-+Sc&Wqp
zW-mEy{M>xx?jIcGc9BlEEz!@_+dJ1Tk1GAW*4^r*g?0DgnZnMgJ8~Ms6O;1yYf*gv
zglqMgrDL+O%ih%5KIC?nm-U`$=k_a4iwilN+%feT|H{6hSqB17?K~>o_S00(7Uy%#
z+R--COpiU1(s(@UibR2S_pNyA+*{wCyHc*?D;4snLi5{<fVtnY(+=7%Wl2&pZ<w68
z-cnig>rht}ZbnVsqO_Oo9v$yC%~ag6cJ=%XY2P$uu^%Uo;XeCy#SzZf7Y(Zld>Ox}
zS8Q(@?cEXhpuxa=?ax-1vQ7D?(yLQd<~B7{%o~0w@!jLi#)h1?dn;y=lVcj()kpc>
zPvmbcY!ym<lN91AETc6ZIJRN=`Ph*osuXA6O%fKHIs~QPA96SS!aQZGQ)9AD$<>_b
znrmJTdB;$-FS+9mW8l4>gxyJl(6PVtm<kI?q&}W>SYI!KSN<#806l5)`d&{u2n{5`
zl;8T&@}{&H-~1hJcXR49muBm$S2Wi)T+;mIozjQ4guMLa^B&lbk4g@Q7vuk&xIk-F
zFkku^1-HN4l_sZQlyO)3wYP?td$qwHW%b1FmD1n64g$ijI@qr+ZT_nJykWm?*DK$9
zk$Y2YX6XyM%&zG!P(YYB&jz2`yS38u?8Q3&LmO*zWh1udHkM7iQxmK#9MyD+d9>iP
zPF~K9$9jup?4<Nnjz2Tq7<Fb{XXfS`QC@-G(*&ofR|^)~NK3uAm{3&u@lhFTl1$u@
ziYTZ8&iql%R>LBJ_5BkSIr1E@#C-{yYwteEt;@)`pF{C;A34@xnXBugZHrC0W^Xk1
zu3J&jS((`qbway*x$}dYDN}`xyMD--q^rCsB9$vxwdUjGrNOVBF7z=t(H64Cl~e2;
zb@Jl*H}_|}REW)V?+&TbzDtemy5Ujeb#`~LmtLAqF%!1=F)zk8o9V`D(e)Xs)gW@8
z0Vp5k;ZLSRDYMWS!co{yU@{GQ-Vqx_2IynG0beg}fCogf(eEcK>l!Q!3iao4qx}09
z?bk<$2VMj3b_F(6`9X5ediL-d){~5f%Y4>bOK5s1t*PF0RR8k$^B1rA?;PoP=(XP!
z%80O4rMqncJr*j>UJ^I<W!cl2F>94hJW+PE)wptIU4{Jq_v_A-yX7PwzO<?CyDios
z&RgMzc6yD<l-H#<sY4e^S6XOsUO0@~zG~XsT_3x;@7WC>QtsINV}aqtant=){GjJt
zv*5I3_D!YCW9+!3wyR_Ey%|@_&-hq2v6u=<q1&8KKW{YH&D+p@ZAuKPxuLvDDo0-b
zyO70u8fqUOr>g794WU7_5!<#H91Ym!Jo9YvmijOXtH#dj?7_fbkBN;MW{+j1U+Gw+
z%e^r!pK<G9bNk!9#M9hhI8@Bve0{0^mxli^KK`djJb`3eq;lywm;p9G01yBK00BS%
z5cqcySccMjhgf}^HcXxk$zp%7xg~5WOMdwfsNe95Na|bS&)WF^S&Wq-5tCJTVQkLo
ziw`8&EEJxG{r&&`c#cgQL)iSHWbY;Wd~WRzT!Mj(isf8tdq>3so<7B1di-`w+@&}h
z(Vb(lxBFEJS<h_zhx@6qlhln4<d3Qi9_7CwZ-pO!$<kySiNA4vQO>0X1C4dc&z9x(
zn_ndL8{7<hrlsHT*ZA`nH^wvmx1)x>-(mjh0QvZ@s?W=1V&jW7>T{1FLDd(+4&MAF
zVD$ukwknd&-?ZxaIKNp@t#YGdOJ=7^-hRZ>H`A@x^$CqOTz}23g}$-<Ml<z_mhHpJ
zb}j#~WvkQ=97${li})CVnEj+&e>GETc##%;`-_qpBMyC(2;I5sRmmhLr&s&C_xM`b
zD3Y!3U7Y!dS_lo57+qaBOD(ugkat;OcE@J<Xy2K2o4;L9J~?m6l4ouc%x=To>nK^H
zA-mabX0zv7WFB@eByDb!iwv(^kQqI?^ZF!ex6`(?ny8q7%FX<l8I5hRl}@UrbKa_R
z3sv^EDy=un=4Gpn)C~!E<(0xcxSOJ786!N-G1VF)-SsEt7gY}@J&%0XSlTd~?K&Z(
zgA}M8M>d=uFeU6x`^v0T&Muwz8I|LgmDN_>j+HjosUtfp?$LmhNLH<yJjV-R@3!20
zkhx^%gS~M@GKCI_b!N#j&Bhy^t(7;+Ir~J?W%rqMtHsR{Iynm52@uarlanM2Ka_SW
zKc>m;x`MnGDZL~%eVaBal&Wt}<c_e;uW@`IODkDNQV%Y+wSF5sW8Jbc2e*rYP-EYp
z_hj;t)TXq{E}d{}yzHu?A4$h|x7Y>jyHb2L{H7gmlADsr&>dcN->%-26X8_9sg3;l
zqC&vls3RJ0>lTsxB#W!ZJP&@F`^;xbr>fq0H(rU%$r5tukP0g++!+nL*JD0nFgo^^
zUZKN61zKNE+V_3%U++n&hX&J=e(~M$Z=I{7_Pn4w%St1%Y#TimmZtq^)EYE0Kr4TD
Ra62=tdSAS)x3Qx2e*j|bcw7Jg

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..8907e03577f91c6303d4b523aa88a3d23eb6f48c
GIT binary patch
literal 45056
zcmeI5c|276|Ho&{jCB^-35}5=+nF&lhLi{;)z~UZG{X=nWh{x(*ei-sxDjniX{A(_
zlBGpjlq95*Hfa%YOWohh!F9Xc@60@YfBo+F_c><Hd7tzCd|v1Ed7d*L=X1`3adVj;
z7{(#`hlH+Xg%QmV@(3gnF^fn<AP{n+Z~g+FB>8jnXe?MD{}TVFP!3@NS>gyo2x(bY
z1Qt!Gk-IDxDMyq2B<m`B<v&#d+W`SU01yBK00BS%5C8=JO$36aq*S%EkUYaM7CV@;
zniIydV}-HCmeR9b?QPuciS9PG^X-XaTZ#ICene+i#|1X7o<t{mPvWA5jxLMriOhw>
z+02Cw^Brfq6J70{=iAJ-HzM+{S67oq78C<hX-U=DT1Z6T8b8i@?z&)p(uWlu76PyP
zjOqK3$08Y9Nl8^z9po~&fbS|+px+uU*EuvWf)&P*8a3y*(9Yh22qy&=#tRVjS!9S}
zFbe}~EP*wGS!_=5coE5;G~nbf8fFF#Xi3$HI!K=p+u`gWj&Inw2IeOX?nwF<6*5FN
zn2nNDRUd0jAeS4?2_2U~|0FY#{Y8aAHb}NYN~!ATAh*wk581fDcqB0@HFDU-w~KS&
zY;2jX?nXow#DDXT8;in!n+alggJ26;u!$j9We8Ro@T#B)gDRNO1T(r|W-gd91Tzc4
zj3t<{`7;Yx3L2TiijY8q42|qZphAWOGGs`gLxu!GWJsVyh6GY%NT5ZA1Y%^!S1=#7
zH{uUgri{d}G6hzqz{(U@nF1?QU}XxdYzEgdgKL?=wanmJW^gS!oTbBAI-I4$S^7v8
z)}+Il=5R@v4;cnTfm=#}1a&EJODV8hD#V{CWWnaqP@roDmo|e-o57{|Nw~;JK|vWR
zOo|E#_DzLJQDIV4c&}7=uT=QB(BQf>Sd9j&(crqi9GV%`j3$sA4F$TRp`c--p<oZA
zp`eMQp`e|kp#b1$D4;kJ!ca!T@oF%h(XHdv=wsFB<97Jrm>qsNW``e++2My{y8Lj=
z4nG{z<%fUK6`V7I9rL#ePMpzDaQ2Lbf>UTT^cxR3<DvhbA$%f?lx2_GVGHc|(O8fl
z8z#;W99sy+E+|Viqr>Md#lpZ$LQ-{(&VT9x$3Lq+<nb8A|BWIo_^pEDzmd{r2>uI9
zfB+x>2mk_r03ZMe{3ilC<{@LzN_hOjzZXz)rs5I&A3Pp`z$+*uU=a$5h`5-spV8v{
zw4l`ga^j035E%LE3H${LiR5yFO}U)V2u`T+>hR#Oz_q~~V^(mO@f!YslWXD|8Yb8c
zL?mlNnv$qRXgRF1a|kyqAe7_gGM^a6;f4{p;rt=v+1vI#Yi{+dmoMKZDeK+A+%a_W
zJW?<r4kMQGUoCUf4-fb}Uwdr3otH89JLAE$2t@+<(Y2tf$9}7JyVls`cQ*6ZL43%*
zgB=&Fo-_n$#A!XfN<LpyV{oXT<&9AkZjP+6X89-c%+T8Op}koxq3$b}Eaui=?iWSb
z$;p0h<Q13wczMBW1}?U=G89pX+<RHxL3b9<ET&ge9_8(xc!HO8tF!lDQ%+7-0h;Zi
zKE*Mf$$Xg`WzJ#@>K;o^svN4``!=*f|6;;|7mv0tigP+#RWM_k#-5NJEbi9SA2T-w
z4SbCBG^u#EDwSz}YDwso#v6lOOZyc!?REKMRh@n(X4Cf;*JAf;g{Rz&G7L_Uk#?64
zg*)VvoqgX<^PDiX4T(TPaY#C(FDW-IX>QUW4vEDeQII-XX&-Cuf=zGUIFX0vHI>{s
z`s2BAMwtW>iH<``CuYA|5xr~eh9E=N*~W!ZCz?>hG7<Tge((8CGNy5^T&l${Za9Z}
zSvB~@g`AzA@!HtplcZ6*$Cu0(8nwsoG*`}RHg`UqX)sI9{i9*c<FELDxzmfU-T3i%
z)0gaBM`jm3e5>~U26=buQd1nX$ntqcj1l+Mv6-?889{mKrP~U;OimmOJH1SrH|2wU
zz6R?oH~R@?i?@1B(uBOQCui9AlZL}d9Lk!xhVrk2lU(BlQ~MHYv6GhUQ2k;3Y+*O$
z+nV=^Cu-&#FZ<@}b*14(g`Y?FmD;P<ySEKJnQwNc%z20Az}yf1uU&miP%<Z7zDQ5^
zj$1t=?B=xI$8#&QbQ0Ne#%kZ030kuTZWTeibN>KNuk>&uW+>j&V9QF!7;~H2Q*UpF
z2*B}D+&*rS(Lb1mY~+3R99|&xGze13OK6h%BdmFoe#eCCbtkF%FKd(*pEE*hNUvRy
z*7@@M1x6*VOE<~OC5}MAC?B5I>G1@5{A{Pu>Dufgr3osy>GC<RJ|~+LJoxq~F?Z+H
zPp*Eg(kq``a$56jDwj=v$GauRURaW;c(!H$i3$okJ+=PIF~gqa|Log5Xm2Sd{mb^;
zfwz?j=gNQNMI7Hd;yVIeT=w#4p3aXhr#@Qzx1Q!VhD#KDyz{K=q^;7)L&o1fR2ity
z%Uk#BbGPkFndhNsQRef_#>@NKxrPu$72PeSmVLLHdtS7xqm;j}-rqGP=3bInXaM$H
zo&}4B!XLi7zWG3c)J2Jnp0h6hb{`tDjrdRzynuIPU3;`c{W)s)qlxSl^z_Xqj{LLl
zFQLnW(3kFohON-e8m4`jvT>zv%qZ_Vy@Fze(vJ;CbDESBLYKZw_B<GD<$u{@pqR^a
zv}Lx>?F~T6@2)^?T>2b}el!>~x$RluLDtz)ZA6vr`DdBg%?go>-ls<rJ~DJR-i@$`
z@nAps^6Id^Udn-fPY<~dd1)!=R11%t!K#aG>oezVsXX47_2AfsIZ6{Pe{BB!a(2v8
z7Ryo!mHN-VQ}5sDx_30VXw_?<yM}LYdWl~pf=7I})91aJiIznt6ty?LeK)sba&h#q
zM2D9D>s*ORq{Jsi9?yBd1r(N8-|YOO(A=X-E<P*p&6X+?uYKy1mgl|<pQXI5>?8T1
z<<xdvTer-h*dRr%Q->yz^sv#96&J3#GfYxD@5ZF6OV*uvRTom<aiXh9?)Wo?R>n~4
znUtMF&G|}KE?udPS?Qeg&%Tcqru(B=lIOG{qd)YgI<d+<7Z{KDE}vo9C#kY~l4fk=
zO{`|AUrLH~vHAvL>{j+3=_$Vb%Lj~>tmtUCmCzF~&A;H0(%Sa@N56Kt@1mzYJZ5?5
z_wy2G0=D5|UffvglNE%5PPIv@Jew1L99c9a!?);5;fw47#mQIab{AK5eY=4BeEV?o
z(!r(>Mv2Db!_mn(lF5rJd!yw(zi?}eEf74vM*e^A*<}R~_|ND0FE9ZDfB+x>2mk_r
z03ZMe00MvjAOHve0)W7O838F2T1IdiePsMUj35mEmo*SH2M_=R00BS%5C8-K0YCr{
z00aO5KmZT`1YiOv6hdZX{Qnq1cnqKb0)PM@00;mAfB+x>2mk_r03ZMe00Mx(zmI?(
z%2`JAU%riu|Jx9Rwtrs>fnz`b5C8-K0YCr{00aO5KmZT`1ONd*01!Y-MlF;P`Tuc7
z#{aJogx7!=AOHve0)PM@00;mAfB+x>2mk_r03ZMe{M!krqNp<e^j~f<{DvV3-vrH*
z8(I9@TMGOG0)PM@00;mAfB+x>2mk_r03ZMe00Mx(&je)E1ke9<uqp^bKf#hPk#L@{
zp3qFlB6#9icw2l2J|91fuflJ}rQibbXk0yB7uStDf<1*z#~EUKar1Ck>}@O!tAY*1
zy8o;U)&K!O01yBK00BS%5C8-K0YKp2LO>g3gX9JV`1o={!+anb8S-T?Xg(ufKu)3P
z2u(voEtEA}dle^YtTOe_%9Dg;A?;tJsT^Nlz7P1T)-AMzrWu;T(rns9VQCs$Ls*(k
zRTq|~vDAd6>5%F#X^6(A{Mj%Sp=pM)ur!;dBrHv1D+)`qsS3i<G}Z)RX*wkTw>0GM
zOSj<s*)W38Gy^Xz&8FdmrD<%eur!-0CoD~4$qGx;A(>y&42H${5tA00W=IK3vuTpT
z(lj<kSei{m3ro{jC}C+jBq4{=l3B~*aw9`R{c!v)NeyueLCD8{#V^90#>rv*<*Ma0
zWg}&pWQ?U#q`IVLO6FktF--I^GzPUoqFh1+xsG4q|KP+UsbOs56c9i4Tz~C9SP*YB
z<RvLH`W?0yJj8@-##gZr6;15Cp<DgEF0G_3H(M!7iP$P-aP~&{XNz;{2RF#yOO*@f
ze}|<6k_gF4N{^^W$ow@%6CZ`|&|`Mreyf<B`>Jn$txbiBb}J`N@`$faCDltQ?-7rr
zD%2z$62oNrQP&$M`d5Drh*0TpY01@dD2~@N^)YU^-mGnJlCZi+l*!OWU0Ry=6x)+;
zy3m{@g#D$pEjGFbqHf<VpBq;FT)K`&Qu)>7PaT#RCYgrVnF-726NZEO3@0&brzQ3t
z8B9R89L}lSXzf&xRU^vent5j&L&MEzG0fkM708O1%tdKFq-Bw_`rjd?-nTM$@JPzS
zO)|tVdDl78emK`7Gsc<`>)}ANO7Xgz9ZHILXZLoeO3}g_#iC5s_;2=@XgE~seSXz;
zwMmJ(2?(a!%$SR4s@LO<M#XPt@<>WTO|ofXm|PydUyG+(JF&iNr+F0nEi-pXplO?K
z%{R&t#ji!{Jl=~k+2J-h{%qYRditd=%kA`*SXt~rH0UWEsCbj^cg(0@PXdpmDAXj4
zEr!Xy0(bLI0~eka^_+}U@Sx)|ktvg$NDrC@+p6{iRxuZfGU?quq!d!EHuWf;Hp}Q{
zX3xf#6Z)_3b{hI26Jnc|Yju-HQV?pAO%=mr#LjF5&*r|GfZk=k$?x4Q^b@xX&E1x6
zR$vkqvcS7e<Ok>ZDnm@`@L@~;Ii1X+s4cEeTI^FZl6xbf$&J(jHkQdFO%Q65CQcW0
zWjZeqiFkWWJGTB+nN$wOx-8)H=9oEqhlWe%{AM|$N)*ZComE@=2>O@zcQUKKJLqIv
zz6qUSNzmxGD0)_%p&q@SN0Jw6QmihBu0Qd>GwI>RjRVBW+~b42Gulu5;NTXUnnht8
zwz+su7G*Mqx6N(gJ?jk5&t~gg%G{zt^R1Vwm&OmSVBA#mj*{@=kqCb``L|08F%I{o
z={f#C4*W<MaCKCzdzy}FAf&xm`_9RKRg<Gj!vpjAqD*oExn4OKo8o@7-gc9#myYSL
zOMLpGahpT8X56|q$ABsx2`}8FI9<@e?J7H#1t|r(JnwueU#4kg=Uk-q<&Jyc%c_jC
z#5~UeQ6@t!tc5rmc<ZAN8lJG+N7jACIcQ}$Jd8hd!R4wg{@W@Z2`AK~SY6POd*`<y
zbTHE^H1-A+Y(B!6Gx_7rEdRx;F247+*A8BCSCmP!>aEWXe~j5W@q-$zkXbBy^!){w
z&1Se_-y#*on3mTZ9tkVdq*z^0A!+@$3l1gR`_!4KxBcg7PTs3AE8?xqCHJW@-3{A!
zaz&X`vJOm}_pr0>odJZDN}T7e_IZ<6=E)HH$u`Qjw4~eWJd&JHlVWv2<u32;lpNJO
z%YB~w>Gh(5cbXl+w(|%Yw(7q4T`95HI#DLW&%SeOVrRc8syL8o5LRc<-56ATBV0*=
z*~&dXQ7XlQN0Jq4Qmig$k<;NEnPP+K*!9z0?rxsCA@zhh;RP<|Lo<r)XK3qQBFZFF
z^4xNlfW&Ya@6Um^A~&W_XB@g#czFAf=iTKcYYJC3^GGs6O^Ve8xg4!ld)U}H&?E2r
zyRN-;P@;CX+MN1$&h{xY?)KdcyduhENjtK5y8oiY*NOGk%3pmVZ+!4-G?!4zxu05f
zQ6>En|8PtHYVxN+fEZm+C%4H)#_pws^2Nc`n35JZ<ztCeRe4Srt$QYWDRue1qD-b8
z+HuFPoRYOcTRy+&V|}iHyDc&PcAfbH>e;16$63}ql9X_h;&efE`KNDue6L=D+`V;*
z%Zvp>OXVEyTP!QQdxb_yC@FRD5oK~^^Es`m9eQ51(dyM5F0)ag8@=n8DxR_3KjPOS
z{B@joBuSwr#p;5T6Lxm6TR4>KK9@9Zcc8;M3Y3<Xw{_4JR=eC{*BsXsWfI?=+&4AM
zbb3@k4{7!K<kh{(KFd^}qm1vrQ{8q=zjG3ggb`{|tS-p$N^H~n@B3@h)l7ePRPB4X
zEhhB!j~Pd{8SH7ve$l5V@}hTdifPKN%dR_qJ5xKXkC5EI{9SKrno-n;<Y`yk+IOF|
z<&n@rO^Ve8<?m7`+^+MXc6<M2$-8NJ`bKTauQJZFGZh^posI8&mk>oV^^5xamfW|M
z`<b*ymUEIU_N#|Xxn{OwATjoj^&h6I@~<aRLQRU*1(mtB*adV<Kv%8%9oy@etlQJx
zdZ1wGg{M(pd<_Djy$DezXX5B2Z}mkE$vexS>(=oDR?!W_i1^S!HP;?_M=i~rJd%V^
zlVWv22kx%)40Q6ej4eO%@!IJ&bYs7|*UGciyq>AA?`W^vWhKhw?F;2nj@vVQe@w_f
z<>gXw=;5;Zn;T6%J!L}-(}SW;Pw+uvw5UAkvC;a~t4#^|EpqFn9I~>FDp84<7ddwz
zD@b2bZgfbC#UN3TI$Fu@jGO6i(a8rAHMG~|E)V#WbaChu-wRsa%Ddty#oKVt=c`i|
zZe6j?Q!xIQk)<IB%kby%6L7)UYgk>mSlP$?O<)2900BS%5C8-K0YCr{00c$|@JKp;
zzjXfFBVsWI#*VvIeK<9H$@N7m%0u2=s?fBhy+9^ih*7G~C^GpY=H*vWm(Cv4tWHDA
z7sC(C?fnN|VT>QGn5waM>PC+Vvy9hWo-WHDDG`O66z4$;ow>zXH{7>7_vkLnoQihE
z)(tVG8x035CcVs{RIV%kEXw4w2Omw{?jYV@u90}3a_4n@9H;QY_vF@7IcYlaQk+an
zp3WqU_2?t3e|%gn2FM||()#Fq?vl|bS9<S~32au<Fj@e`(~LIANIM=aCVdj+alK~k
z_pCKV4fVU+GA;MBKP8v!nXsXdA<?E(oNP5^>NTE@wos4aa9qREYd$_$M3~at_<h@8
z@mz*Pt64*Q(dCRqNgpk{2H%SEs66)sAzj|{$?3wHnt8WB&C#A=t6agR2X2sCEEnas
zn}7RI>(_(**GGRAVt`z8+oNM1?=p5$i)CGp{)*>u4I#`@$XKc7bbZbh^9VmtCduqs
zOVvzr)D(FskXCJCDhWOLe%Y);4G}kehg)YzT;h>5g_{)TR?XFYrTy`C8vP+^>zPRf
z*19q^Z@t6nJ<<XUuGw7*+b{BCldvK0*yJ?np}f|6`Nl!jaeJ-Jmra#d`Ii34>?V<7
zmBb@W6lzkeTQz65n>c8nmVTusZ&H$&#$C6%eD;p~5MM9dhTpm}j5It%k^J6kdVFTY
z)qz6ipa5@rtNZLKB6nK<!ydIOK|AT8r_nr;hES7Y-Ku$qo3d#w^rUZZh40Q?t;<d^
z-><Q6_s(@}#O2>=bFS7DWzxn?^HC(-sVwhCT$sg+*hy!2Z>&x$EF)X&)?SGEWYoqZ
zsS7nJ)~y<E2_!qAdPCZ?i$)8klYQ;x(+0Lm6tu586;b{5xu&kj`|iq$^!KWbXIdAw
cM|Lk=weQ$qK3Z!_ydkzr_354`)UQ4N1F9%}ZvX%Q

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt
new file mode 100644
index 0000000000..1d08f78285
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-multiple-alt-names.crt__server-multiple-alt-names.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-multiple-alt-names.pfx b/src/test/ssl/ssl/nss/server-multiple-alt-names.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..f90123e979d9373e3057b4cc47ee276b1ed4304a
GIT binary patch
literal 3325
zcmV<Z3<C2of(-cr0Ru3C48H~mDuzgg_YDCD0ic2mumpk(tT2KMs4#*DUj_*(hDe6@
z4FLxRpn?ZbFoFk60s#Opf(Jzg2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=t{`-H
z8*XiW0s;sCfPx1YV_}%kRe+$iw~4lIPqC$hjci8HAzK7H#6yn>2+QJ`x@3uG&Jz#^
zK}t3w4+nAz%960=LoP(sXq{R5$PQ|-!*?DAKU<;4F=iM4*KNE`^F|dilpMXXxZbyE
zc~844xi)#?|MN0gC7Qt~81TB<Z<zY9rV?ALEAl}7Q4I6ji-=v9HNU}>mA{gW@3768
z2HOd*ryg1lk?v1z*Xzf0n)S>avrqmdyIymXBGL;?_mfz$z<p{3XkwE3-U(N9**f#Q
z)i=L2W{TG1i&O__Umn2+$`Ifc`O9O+T*h0kwj|y5yN`Pbk_i<9Hn=h7^Cn&k`ay5T
zHn`wVCs0l3f%tO4A{306x9}4Ue~@3+NZU7Cn>ah*HRQI^i?rRYI`~?8sDwP(Kc!Bo
z8ipiB#uN$1?&B4$fox~&HN|4+k=s<}JG)R6QSW8Bzb-Qsnk7A~?bwcupr6nsZcP>j
zg2BA)>p&y*h-jAlhfg@FT+-(Oh|ZaFV{wFah(eHYp<W2*<b)PvR=L?o-Vaqx(&B&g
zZ{)b*N!=o1HhN!mdn{jYCu50JghH{$x}n0i-KS>}@z#rWZ8FO97t&oXs1+WG4z0<2
z;X_UO6%_b8T7>25mWO`GtG7M%5}hbxDhDL)eU>vsZ3UqVMGgX~OuJ4XXPLs7EB!;W
z=6ZnCqO)+(!+KgpRHpe+8tm2fXuCtM*klr~gs-}^m@Z(LkuhQ-PEkG_)s;Tcc|fI@
zrr&9%1BB~}sN6R^w4d|mh@yW3y@&BBGaBE81BTq`Xp(H3YEt<nc=0H-j1Bey<WjrL
z#>?zU&1h~!D*(q#6f`gSj*EG++f|`p9$K4snZJ$>y)7dsDip5kFHs!W=W@{wZ3*KP
zd*rXzy+xZBeJqw-3r4TCf|-V17iEYlxMw2dUhi`A>lGymH)_J>wUbg5?gKm{7$eMO
zKP@iV|73;mB6>c^l7?_*D|gCLY191REj7=m8Z)NaE;H~BUWqEJIhY9|r3N3#KDpV7
zC8bJ$Hcpgt7&)E;vozVp`?Vb;>B^mFDZB1TJj}Rm@QU?F;Lh#!#{;Le@RBV{y>z%L
z<IzSrH`aV=O6ffFLvJ`FkvC9P8FG(qWM{B0dh*KSSrvddu>gW3=G}cfJC!!g8g0f-
zIJ~-)%R3oDnFXL(0FJ*cBE+I`VrFBE2L@IKz{lC5YzR;ay72=0yyNVg${yPwhyuos
znY)?R1CiF*bh?1X$N~<}AD-^ghzCn!O~t0)g+2b>S)1wv;MPE0|Dg@FlCzu*<Mhv9
z&shnsxVC%hOU$5?P;Z#_>&pGaFUv53le9cmErHI215F|P2Cdb(EeS+cu9WcXNI$=Q
zRl@uy)Z<4D8|z%eL2#B}<Ejv|sa-*ADI~RPM;lazdL-tXKS;Pz4Xub4u;PVA@54@m
zaxIg4Wvb27n0Afv@(@{Ji96h4P%?){c<}1t{igOWP754@spzq;cm2bzo=miba~sIv
z@pr)&M8Azf(sK%Yz(TjMGavQdY!EmepM2O40sA-FG>R$qA~*2kbME~t<haiH7~Wd<
zBLRW5J2WC#WAd5^{z~|~B`!w|WmASzR*kvW77CcW6%Pky+f^0(!=4Pz<uk*x>D;Z$
z$H)#+Owv&%Oj&GOM$SkRv5EkY4IZ*-`xOrVS#pRgTWf}mD^YGT>H^l#qK-lQvmar@
z6?w#rw?qcS>OpRb(RVEW6;AfxYVu4wxc0yr+m0d2rJYba=p(RJXhgT~!q;Va!VL+d
zw!!o3{<$+LpmN8m+(?zvhZwxTY~V}4hIu?;8tmydj|$A<rZ2XK)I+P2w6R9*gn18&
zS&UCS5L-(STz{BsUskxYA@G3p3v1CK#?GAndy7`Sac2nC30;`4K(A<fO2WiI@Q-5I
z-8m=k$rRwN`Vs!T9}!$xTZ1=^)^ZQpHkCxdq7t#jTmpmcH)jow(o81agaeeS@LsPZ
z6h0**fInU0ZUhjo{SKeDe^eQit>Zk5*ICG8Z4vZkb~{Gi838r)eDd&6!8Hh>+LsX2
zm<mIf#RsfPOx1@)Ih|Ni#MO)beBfz7w*b~CFpA$ofC5=S$1)VdA9o-^2f&4PIUMh~
zKeel2H7AZ9`dBVv19Z!%GK=0Gh4sFx>d#HAyjtS(d?g@l1vclg(cgIm((ii!n&@i^
z`k}h0Wq2mYIlXE2*9~V(t}6WOqHZbzrUQUrJtO5#!i1G0X9wfQ@SD!wn>&*?swlj3
zMFB}qUYkfNlhM}k<G&ia8Eb^0rJb#TJBP4`>CBxx4-~1lDxkzFEt`MC)>>SjiG+i<
zvDFZuw&BpJg7{fWt0t-;i9AzXZUv>sQ|1lAsQvc7qq?!MX#!DW;`k>Uc+AW8-A_0@
zi}#wd@88}>FoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1P
zpn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PFI+k{fJMg>nJ{2ml0v1jyOV)3_-FlWs8J
zCYBhomm=ImS4V1hdLHo$5cVw@ej&@l^agP&_$HJqim2ghu#RR1*9K|SB-u=ft+-}@
z#(<}g0a*f~ROi{|!NnE{U#5<=(cst^TB*PHTz`_!4_BUoGVXn4L7mMaS-d7VMEK+C
z1<|<Kz^7r2*bqv$jn5vRYK7_K@}K1ffzcI9%37|FZUGyhytL7w<^D8ILk{ET656;_
z_9davhdJ{$qyK3?aH6FN=0&A+#AiK-7<lP-#6r?bk~Zrp?FJ=DHT5J(k`=IfaM*2S
z1#Z^J056+-Js6fGe}1c>%J!7CQ9nUPu5x)Ddt#DheA^UkpTxyta?$|(-8E6>jxj_O
z=eZJBK3e&wrFEt<yD;frd2qz1seiVEIVy;o+x9GR_xCtO36mXZ2yVgBX*crwgP(V)
zJvscX(9|)ZQfDiYSGF{!+IMjk_loULHrP%|aOuo`-#An{4$PMMHC~wY6XoyC^)iGH
zZ~E9U^jWmX#mT(v^JJxJN0?BhLP<LIyM?qhuhvKo+mTGzP(s?^Gfx3S#Cd!$eSa6C
zvPy}Q7b>1_`>*GFDi3dv)GI{EOfK4f?mbHWRJ81A%(!Ijj%C8#r*ly}!XKYA3Bqcq
z!0fagI!CcFt9Q2`W5nlXiam&W{_IP+;;|>|Ue!s$N>$i(xcXfUD=jP?UAQE+ieWfY
zqf&k?LbTRkoHm(xDovsr&u+Ua-%vHnri+0S`S88Xz0(BBsCb4Zh;R&)3Zt6lG>3m0
z!-XmVDQq4u??OkWPeyM|&=>%HZ@lRjt%>DK@g>6v&^&kfXhg9W+8N)N?l?!YAra-R
zchk7koyYWJ_cM4JQ-GMJidye;fs$;*u&@<u_l@4d#5rFrq4wbbQy<a~zRT!hZx4*y
ztZ2_iS_)%sw=`91Lo3A<9Q~ZCvPH=?(J(i6y7eM#ci26$cEtQ{t2LDgo6frusD{p+
zP8XvPr%u$WYV%s*xcj*KG}?PDetb-MnY?|5%*`(c`i1YET+8s9AKo_{0>c}L=<@vM
z7QxOujoInZP3lXtOH?&3^}4$XmNZ!)aKDxNy;{gjnYGIjXwgtCR9N)bT-@wSGHBHE
z&fix2KRd{4Jkob1=}Ge&&E*&75bgtlo|T($dC(&k6ZGF4eJ3!|COsW7=}P9uk|)a`
z<M&<<m)aja*RFWUS;}zggSfbW;Aj$^o0x+rm8p?Ogh47zU5wu}?l2Mq9pU=tE%_<5
zgGICEw#g(%oTVm}snkmu9&Snt;AB>K$AuJP$k^8wp9pHFo8_cJWrC1TuUQBtSs{U~
z<1}^snUK`L`9s!p+Pj)WutvGksFz}rzL1|<NKN^xoE4PJ@jj@UwH%U<cMj6cj&zE`
zIm%pE-Z+FqRIOH^Os%5RFBfHm9ay-dKW0gDpm>r@c|C|JfGj!G5x~#l;4!6*|2*n%
zbPNgIZn($R>tCkbBE#}vuv&f!Q~cOwE3$`x(u*8i{0vzo=8+ZLF;SArT@J-8=}Gf2
zZrFgu({cmHh39d~szFKM@hVz8LRzKu7bK^aP}Vbzfhhj!&*OM6-=oOmItrIXJmQS`
zBCJmJgVwF6ZF$xw5+}0tWw|jWFe3&DDuzgg_YDCF6)_eB6uID$bzi8VP~V`{n|+@x
zBE9I$+b}UOAutIB1uG5%0vZJX1QhIiFj!FD7tg`@eugW&6*Uplxnl$fayG0o$E7Tx
H0s;sCd=XR|

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..16075e71f320303d91db3e74cafa01df05fbba6f
GIT binary patch
literal 36864
zcmeI53tSE9|Ho&}txmV;wob*?QBjdP*DiADejzFqLgiFPy3?tIEjgqMN=Rr4i72#^
z6s=8L#L5;$h}JbpxtA!vnK>t=^;^6D`u+F6|KBsr%y*v4XP)Oh&wO9=Jo8M))x|L&
zf=^!*79PTjptB))2!<hZIvs)_X>_HcYu`df4N~6$x`zkY|IU<#3>Xt-kuHcL)eFf`
zkxJ<*={RX~^Z+b?03ZMe00MvjAOHve0)W8(IstPEg+|kWJpw}g_|d*Wya2yYfxtP^
zCpf@Y!fKX{g_{lCVWzdsTsj^{cbZB66i?UXF&QkqDP&y19ajkE`S623rJ#JKfX5A1
zVCz|vD729puqU2h5a|=h_l@|ZK>kcY96MNp$zbYP5Ggd(zIp@*1d;skPa>qxL`0E;
zHB6X#38t_FO+y1tv54UL1oJ;-|6~xvI&K!0jy3~11o+XNXF1HUnB_sAZsS3BpXuP@
zZiAh{%4w#pql1+j-NMpomYY7E$3Rymy0XxfjoEkr7Q)1WOt3=}?9c>1#FChBunia6
z7-1V@Y-56LOtB3Q+xVaxQ(TH6+Tw}~OoPb~od;84GB6n?1JhwLFd-%bQ(`hODJBEc
zVlpr>Cc_uoii;;IAFj+2*|;(bS7zbLEL@p|E3<HA7Ou?3bFuMUY&;hm&&9@b8R4-;
zc&rf~YlO!diDGe0BV5xMPl@wk;(%CqO<4>qFAJ|J3ok8)fi5g27A!U~T{fPYji+Yg
zsnJM0i6|kKhJ%yhFtBrTa8ewc6bC;m2R|zZzb;%nFBezi;%ZzxuP>j==CHY#q}arC
z#U@rUv5B2QY+_Xun^--?CI(P!ViZLt4n=JCXT$M`L;JHC^<^{aFAi$<6$dr@ii4Vc
z#X-$JUDWI=4r=!4qUHcytj%C2MnkcNBQ~+tBQ~)nBsTr}O@6<*=#z;z1W{U_{^Iyx
z#qs0v7=AuDaTDy?GH~ozS`OO?Z?`N{Jtl!dv(bPdkrP=OjP~fgd65xe__6n=JJ_4~
z$t0q#RuXf!Sf?IF-eV?Jw8KoW00MvjAOHve0)PM@00;mAfB+x>2mk_r!2cftk`yVl
zGE}4hLb{L+<Pp+@TthA)=a3RK2rPgAAOHve0)PM@00;mAfB+x>2mk_r03h%;5s)O3
zU^4B>JgUfW@sbo9o)Wk*qD7V>He|>mBgTRxHq414!<0pkAd;x$5vEMM|1WzAl0Ait
zk!zAmmzyC+mMueyk&wTsg5b1(03ZMe00MvjAOHve0)PM@00;mApAjGtA((1MS}hMV
z%$ZXdlPE-Y5>bZh#ur4;!^6TN=vEfkN8NPiFhPWWIN#O9k?!j1NDt?u2LeGrSSURL
zODc#&=ZZ@Xla9nN=}?AAhdfL=q+!w_I*?W?!wgHNIb(|GdKu%_>rY-Pes~l=obJmH
zj}Q>-Q6=hdDB=BoxqA>&kE}yX<yw)O$P~E_WIY-L7C-<H00aO5KmZT`1ONd*01yBK
z00BVYA4EWcs0imk^QhQ}iR6%a;J(2D{Llzd4_pG18@7Q8OpG+7vIz!^4iGUp!Wg16
zl|g5!Ge%)!4bn2-3>XUPANvu_|4)LD9Y`TM^Zz0G1waLohom7%|Da0@iV6q-0)PM@
z00;mAfB+x>2mk_r03ZMe{8I?@4O58sk_yDJuxP-++m~nH8y+Dcj-en#O&FWvAr2>t
z!%0{U(J+8GhA569s1YYp1%hBhQS5}!unD2O5WWCY74`p@K*)Wh5;=$@A^AuOauI1k
zmi$w|fpP)@fB+x>2mk_r03ZMe00MvjAOHve0{{02s1P~unOObuw8jITNeYSGrOGFB
z-s(LK7EMpUV%@@+_p6uxGBcp+S=Avj!R7X>AEQLG4X{{BzN3?s#kg<UYzP&tlDR!g
zH~0$3`1AoR_VkvXu$RBOdUF@hl$TtfXCG{dfkd+bXhaV6OXrnE5m6vBNJc`MKsil5
z1-qaJe{K;fQKCu8a&n4T^40Pte=b*FD!D%6Pwkb_1xqN$(Z_aV^v@jBxLUcw5IVDC
z=pVokl;tI9I$fC+`|D>+)7|MDJn4M>Ojj5^!>oZTG+lR5z@0V4VY_UbW-TjDJIi_+
zpz5!admyl#nO1cq&UOx$W|iniUV%~3gf=)s%AaFdEziM9|A)(8<1$DJ<syRyp+Dg`
zV1S4rB&sun1j-&F0VaI8stj2Qb=*4pb)B*>EKP=nPL!celSO~2gvl~yve91?;mo7S
za*P-pCP#cY3}+C+ngfdslOduIMj(a|mLdpI0w=#~c$rMvu~az8z(`oymLjQi`>y@T
z*U?eU{*<M%3!1ji$%fU=rw15!ojc9VdvARrsk2EfGv-xT7Qu0u884ns*=5%CLE3xL
zp+f<qdEMIA9;u}2p38S`J8n$XiguxHvA)u#QV@0|GCrxB<YfLZE5TO7EU<F*5=q9X
z_|^s6F86quTuIrOT-noBSYD_$)`1fAoaL9_S-w3r&;DwOuzq{2%=kihVx`8kAo%#I
zmIQ4}EB2Iqo`#n5$Cu9iP<nCkE~Scu#^&bd%T09^IvO;0Q2b$SwvNiyGd~gY_q{XR
zS74~fzg)WA&i38*Q{U;1D!268dt37DN*^<SuiqlG2}Brzv*j6b3>kC+(6>q?GJ^=i
z9|tl+FEz>xhNd&j2;17nts1k*;B_l$`rVVoceNY+FW&c0@INy?u;ocedR+DMq^5m!
znfft`&gRUcooXWl6WYi<IkdM03#WyovIT0Xv6o)Cw=6urTCIMBc7gk;ggf_BXBS!L
z?RU&uYht09b7o2Qv`dv;9gzp$uAlh*+DvJ+hL$DkylV?SL>c}3mc4$9dfVc%Nx6n3
zsp6i}Tk0$CRZCT>1m94(Ae^9NaD4Xi_z!V~osko==1AIf?>Oe+cw^m3{f}O<ru#}X
z7QKJPPJ0k`CavZBo3+}@7YL>2j*2_xGj4Qe*H8MivE^BNXV|6A&Of!bd9}`+chu;+
zx~|cT{ZM4{GWm8davZS<yNib2BLB^;HRR9pzU1;@Aw(MJd~qK<$Qk^>;a_tyzjMAZ
z7Q^X$Vfgo+wsNs>>8*pCZ#<K0G<>SDdD+9gUTwBNX{W_i9$nHrebol7b)=Jt)<oRX
zj)gWDV4ij$gVoCaaZej#jsiw+p3jEdQC};IdZ0HVUkk&7?zW*fvadSUVfeZbt-v3<
z)_c>UR73qI|G4SMxM#t7-u$OWs;TFXhAJ_hFXpz|M8q#8uX^3AV!+-!R(8~#-jOMD
zk;1?_bIZJCcE!O6wdVVmTXnULejB^9KKGqrO+wLJH4pAnKNnM@x}HfJuBQbRHQAhS
zc`8v<SZ~|A^U3p-Mmu?}3NPEW8pCExCSG~yxZ{QW^WwK17kevOQ;Iwm6Kvi?ZMpiE
zeC`C;B5bZlZI5xrgaDggMjo0z$2TtJ%C?5;Lweoz`+tgSaIM<v5ZYlMzB}pTE|MXs
z_r1ewJ^mcdiVE&aQ`G}MPM6OiRJ5&_kgb1sq1}G6^mjUUt77u%?!)tiUG97LG=;_|
z<Q~-_dH)61>ajr2XlswXv6X$$?H)I)gR?IjRhzvks4%g^{RO}Fh{CRd#pm{&ly3Xg
z-DdlY3oW`4*0YUEA4zFFSx_r+NcUr7oK<$?)C;vGD&A5-kIJ;C?(knYm6P^^eGFTY
zlzH9gOhapV{$mBFQM?_O_D83^ZlBfBy=^{i@5c2@x1^11-o<&6IEMG)@wyW>V_)4$
zKIBdRO|xuw^XNGpiyz!FFx`05vL?%ze=fZ$b=1P<TV;#Bsfq7?lEF2!d3U&MJ~1)!
zmW$@M-uL7AJM*3jrA8(MISEfunhHv{tgVh!9Z^a1yqh3AX6z7<eqZKp`o%?RmgmOo
zIwybWOwU5o5@=2&S+~Xob3#LJ^#t@z8it1brN?7fNFWUGq{;)m2v+#7EJO69rmTKX
zIt&#gz~tZiQjO|P`Vai0I#<<3oLkT#XO*G)@t2Ji;oj#g%Rl7!+{|r^BHATH!OO9y
z)``%1bJUl9M#1?%?n+IWC}qr*e)%0G`taI-`lKJx+70%n!@%sT9`&npsK4qjvrK!t
zmfxf|!VkvIyJME^pzzF{Z~a5oz4GX#ADl8CC(hmQTT+>Kpz(s-xyN74I@f)7K2bZ6
zt-UO&v&`D3l+N^Jta>d&>pbC>mZcQ?(0CR>F>!45q9VJQ8P$rt)$#Y6eKzTuUTrvB
z>$FpF)~olZk=gk3Z&uyb$}O|+j80%#F~+=WKIwYx@yAYwI*Zt~rZslqQ=8f|;Zo`b
za+rZ<9OcZ;!0QPmw!+iTy&v(4WDj5G3NHHG?;Tg7rLOQ=PmWr+y!~0>&xs+V4?Bc*
zDN(6q+w{(+CZ^R?UX{6I=5c3crb@v4iX&RmBpv5XV<!DbdE=CmGn?|H_x#U~k`&Kt
z;Qn&ZrNbXQ6CUT8n0j~fq;B3+jo&ji*~+15qSou)3%^c~$$rmo%n`igjOuy6yg2G%
zdD>k&M%lc@I)24-FVfRjJ9xj&AHDu^H>Kfr&E(tTv&Ziy=|npVrY$KvK7}Lo0IJwp
zqg7d}?6Uq{H$VHNf2gmjttyghy3u3VlhXy;P25;Ys>FR8$IR&7&|Ujo&As%QK?WW{
zjR(w*9pX8EIGbS;eImSz*JU*M%=ToiipffamA%(?N3s^_Bl?>kWyF!at|Yf!j@7PT
z{%dxQkIyDas|4F*-5a+OD)M}$wr(k|azA2x@A>HzncXqRJVwq*=5)XAb-B(z<7v<v
zu6>QW@@!)3q*WywvA!BK9F7gUGrrnPztsJQvHm}iN`$0Kq)wtcumA#p03ZMe00Mvj
zAn@NnU=4%X-vJz0VP!=QB!~V(Upt_0ITY8*K!ZAmc+|igf7QnRk~5lzfWODUGNZ3E
zzWA7ij*($;=>Pxrz63g`4WXl-lKq$L^O3(laS4XjXQ#P%_4nC_Jh+R#lKFj)y@%$B
zjPo)-{P9f+QQu_Zhx@6qlQmfdx!?X0_^scT{p)=AD`FC@CH}_IPnwG-3L0&cpG{F7
zH2O&x)a4ucIMATJI`{L}O5Az>)4tTeFT20mn?L<n{bh-4Y}_%e`s`99pz31C4>x}E
zUvI|GQb*GH+mc_7_gN7BRDN`9k!Pyp?MJ>7OvcrZ^9YVG+<eWhmAbY4dJDN$$M#`)
zyN+MTnq<v_6Y;k~!g_-clV8>9uVzYpldnVF{i<l*h~vEy!TWOF6is$?d~@{UL2pZI
z8qw<B<@t}ud60s{=&HO08i93!{a2JcJ2Dg_yyw?tOpPj;vVX;j7tUrTx8aYQNV`Tu
zcAm~Ao(s)03tjRE8Ex`QLd&BvBSv>MOeTMH{66hcc%*-M27msJrncB}M|ESbcbdGs
zQHP(ZY&OjD%~Dq#7v%rOErs{P0g{eIr0}$jvCbIjp1&~qsa}}ya!Gen@hwk|lUYy)
zVX^KiqTyWsX(4yolXj)r<mkQMQ9g0asb9)($4Z;()e&dV4r)Ov1k0z|zSA#;bZ@`$
zAaljO2ZvYX%jP-6*O?^Bws5z+*r;f-=lnCtnFoGOw_M&Lp|?kgX9oG2Xxk(RLyxC5
z=0-L<Hz+CU5Ymfc)4$hc2&L-V<9Q>jaxYDPA4@6PM9>U8W^45>aNedhryQIw3xc`c
zHxFj|CTL7+my0ngohX-_f0l6iK&zeqk=kQdLvPsmPIgu?QrPQOH+B8CJz<XZ+uDe4
zFDv;U4nLvwt}dG3BYCW9%*(*%*)Ke%b*bxDJNp*N{!~OPmMOEe#GKL4TRrL{hNEGB
IX<`BVFWqWKA^-pY

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..ef4a50a9526fc10ac8140fe4a46e98d7cf727c01
GIT binary patch
literal 45056
zcmeI5c|276|Ho&{ScX|5J2A#CYG%v~5?MoKiG)(jSW31Sl9Cz`ilVxeizrmuOZtYi
zP`1iVi@J(v6{TdUnDm`<aNWM$J2Q{pU*G%veU6#WdCz%&KCkooJkObr`JD4$JQgns
zi3uVGM@EM;V~ECxX$T||VMQb&5D2M>CvOEWV!RSP5ko8FpW?p@r4X~ob8v(&2nk7d
z1Qt!GmAWbwCq<X+mvooB_IHiIc0d3S00aO5KmZT`1OS155`i#rafKN(kerz@OjcM>
zcu)+}jv2$8Tua!x+gmTOCoZwJS!7R~+)C672_(9?J2_js`w$n}`w%@{oECf96J1@1
zwyrMo7dhE3A-dbUEwZ+?Hze{tuZB~`S5*Dk5@HIrGmwaoh`^xr?5Hqa(vKM%6A8ce
zo7DHCOhy<RF);-N4dimTLO>`pBrt-_c8d;K$BYRQpD^d-VrTD7gp-hksR~3rCWTDZ
zw-SXlykLzmCMzgxs*2bT8gTL_4P*WJXfXv94W!?=?O4{Dpn#Yu4bdMo*yHJ+R48PM
zzAZ{jL20r#A#8SRQ1p}x`Ujcu>`yAD6#dk>NO1)X4dhN+_>fHrOhqCSQsakhYP&E8
z&f3P+eTgBFN#;Fy$BjwlJ&mCl-T-Z(K$}dVm!{B5Q}`uR#gqmWbf{oJg$Y!cLWLPr
zFrk9QE6iXi@^}d=k|7NWd3-;R3WW^GP{@!Dg$xN%$dD3+3`tSQkQRjuiBZS_P&r|5
z+#jq=9gksUDy&R}m8q~Y6;`Ig%2Zg{7;a?@w=#xX8N;oN;Z_Vd%Yd^CILm;ujPWe2
z$$&LY;F>TW3Jiz}_moP8+EU@3Qen3=GH;<$pv@B@q-zY<Hil~(!?k%yxXO4%s16M#
zMI%G|rop6WFew_mR~o!m8hl*na9cX8Mu*ktaNB?&x-rd|4oOagknThXb!;Mp_An7b
zU7QG^eollCz=;r|I3B`KCc>#^FrJC6Q_UEY%@|X5c;TcSUN~uo7f#yYg_F9xaMBJh
zoYduof6|4{8ED76t<Z@x5khCrL<pTi6Jg*~7&H|I{}I9`!gyWQlpPjiCy>r02eM$|
zrqHn^!`Pv^G-C#Q-crr<jYY&195nuJ2%LJa`cbB06z?~R1oT@4$9p0rED*d0SO5V)
z01yBK00BS%5D-jYmlbj|S{9F=^Pg2^-Dr3O?+1@ZAn-CW$ykI;3L+_C@@JwtFAdfD
zKQ25`1VU8dHy_>#g+#L1VYAsm(d&YujUpnAB6t%{_N;*D7)YE<q^OZq#ZaDTDXg4Z
zBs*qRbdbm5MZ}mOb_|gn%bPM@PBgrp{riy>>C$N<m9iI0hV^^HkkEoCK`i4v3e3j7
z#J3TDN50fq)?r@cB>mnq$nIRh^Xu!QxUT!(q<Lp_rC0l{G4Va-eSW~bX5`s&l-3$!
zt+;ictL<2oL`nd8^B`8?^MxhZ1=AB>nYfF{r0FyUmpi!ZZ<HBpOnK4C%F;8t-+H{o
z^;h=Qm1CzF<}>SuHb2!oR_*wCeJa(Kto^m~qQ`?b-#<IuvrbGlYj%j9*WQ<lti)u9
zM$THXMeOpgYaXRm%ulNN==YjgjywK{&TeA87&EBQRFfXm$79Ok``(w`NDD`EbCMi(
zuG>|;Pygz!wCv`a_p!IkeL7rn6+@QSp3;;;>$+uW&%Gix<XTd)RP60o{f*b@GWF_6
z1d^PDWRUg5qztw>Zu^WwVnvZCvJzUhE;r7q>~2MXJw;X$Ay&EBRyD6v1c^i^AthGq
zD807Z=;d&<>b)y<!}5ea7w2KDjH0j2HpASKvO?^Ghdt68UMkM6?-^d&WSoBL;rxdo
z73t~vck0UC#9Z}~@`+h>dKXvyoo@KA{<nuVptQ5`_@xW6S2NelIEU%f$c%pWTTwZ8
zWh0$wZebVQM4MLGKPa8md{t7Sis9~xuzb`QwTi{UJkJ08R^;6yHw}lwkFJ?YWXfR@
zwO&fRb}jvqFV(QJ|FmkrPMt!zC+gB^C;AV5c-5Rew=#_o;izs=*ko2LYq}vNHNi&i
z!b$et3wM&X;q(^VqJ(~nSzP<MvFEG&@Pfy^{c_egeVs4i3#J!e(f!)OZacU;<&D?g
z{0E<E<BwIx`f|yf^1lGLInpD;HDPsC+SuWSC-3&uvFeYcK;SrOrH9wd-P)gtQtA7U
z-1qkJp|B&@X4bgO<EEE4EnpsqQlpoXZW=^4Sp{7zHT#$@9$fyebj9ds6Nze6>a4BD
z2n^Rm8TGhPUG$?uS{8j04_>TT`DOUb+wIfv{f9;4wbC-R7Pt%zJl}BgN#fnE4?6-b
z4cX<G#hs4y&=fD*SF!0@+;#HiO*u=%|JwKJueSzMaLtLg{Z=RDoceA!it<`C?)#SK
zLY+N_Y@P?v3pTcMx5&LRu1&kpmulB+)X=oa{QAKPxl+BoLm#uctHf;$hc|ycwP$Je
zFI%tlb%mE#r>Xn*`^0GvcOG3<)23lO-y*U8e5syYQ7KiW?6w8{mvgISjkXmYSoSz~
zqrp%}GI#!xr7xb@ymtS1adFDioQ%}Qfd}<|DI5LjJ<Sn+?R)LxJBOAi+zJ(c!rpq0
z6?EE?(_1#~d$toAA^O4oUT5#g+ARBD`U1{}I~LsDU5&_9J-w}NWLU%C#4pw^bidK=
z`%G#51OF1uKk-eei(0k6!{^MxsxG;YzbRqu3(9=<<CaC~#Ex|_Eze6oU45~NC_AjU
z&T=dx-@(6U^lVyY-F2HFeI_2cf#P9!v{Y*_*|V>RMJ3m%Z*AXYF|5h@Yv0nQPVu&H
zMIA5nTrAOwwQsU~<M4LeH+fy(iUJ?I2AR%Xapt#WslMmJ)JkR1Y7x=lXO?V>zoX%z
zTjXYPL}mB3I*qPl9{#eAEc~1A<VDLR2PmAlFTcQcByq#pb6&eP-thJPaPsLH{7ZuE
z>My?)EB-64-o*Q{4cexw!0vk2=+d+ht5{a}_Pf=utTAO~<qR#_z`h=(UWNLF<=t92
zOaIz8%U|~6c8eXyYTA?6Whpy^OS{*d9rx|V@F)6r?P=K2V!6`ONAYCrnKFO&O17zZ
zUH{Q@{t;IbMHCddHBsnS=SPxI{ym;KdaWHxo2^y-zFi6t`NZ&I%gBF;yyBK7dszGS
z^7Du{I-~;o1W9SFZ|P>!cJFcA+xkGy`1~`)6X>d@U&ZOibxwOmq&8cY?hIrENAJ|z
z|2${0=e)J$8#<u-*U10xBfBI7fp>qN_W%nZ00;mAfB+x>2mk_r03ZMe00MvjAOHyb
zj}Z_@p)t_K^YQsV7eV0uk981q2M_=R00BS%5C8-K0YCr{00aO5KmZT`1YiOv6aq6o
z|8GMO+5i+l01yBK00BS%5C8-K0YCr{00aO5KmZW<=Mm6GxnTtV<=goD{}qDp>Yvv`
z;20191ONd*01yBK00BS%5C8-K0YCr{00jO-Kp8a$^Edw=XMFzOjUaUYsXhn+0YCr{
z00aO5KmZT`1ONd*01yBK00BVYA4xy~MZ^5nf4LRq^#(~8h595lzWPUY510l700BS%
z5C8-K0YCr{00aO5KmZT`1OS1*B_OE?-T&9X$|DGaggFEi!bQS*!b8G-f)AdFx52mL
z3-Db075o-l8ZHEn#?|39aj$Skv1hPZxS81ZxCJ;Ywi!#u%44IkOa68zAOQ#f0)PM@
z00;mAfB+x>2mk{A)dbW~)<|~9D!+iB=omjTonjIYOlSIye*rm_s=+r+CeA?3gIk9N
z#ZNXi`=hZszbskpCuur`9>ntjf7QC#48CboReos}U4>to&Qj)=X3>=RrRhvXerX0-
z;Xl)iAX9SSA03nDn>Ll>muAsr`K9Ts>HN|xnhd`*ohi*P%^*+vDQyx+qx{h^0^hVL
zo?n_p$MH+kSy+B)7EOv@n$DEumu8SLKc$V$jH!QgOoDIPRGeR$MHl0jrn5x(rCBsI
zzcihR;+JNSMWj$OFl(7?c3fn1AdWW<DI#to2nF~NyeIA~P6`_=bzMqTG7fVOV<eF#
z{zBYREJt)u)D?XkEsF9NsS=S#M)4Z_7cLx<qNsI}4C058>(Ao{lg!yd_7%fSe21+l
zp6p7to_dKT)6m3w4ae7L{$5h<O01?`SoOL>^~ST&qJ7%w@0Y0_OKT(O^S;AU1W6=I
zib;&Ch+zI4qls}5Ln9X=W)dap<A#aiBNeMOUcA{-EBmP}BVnJ&imVqLk^*0o46+a=
z-_et@XJ4>UT{(TI`9<>a<)23FM&|h%FWr;4efGf85fecsN1Zph95OGeTC&RyKkxp(
z)_r;UT<f}}?n0T&s{G8g>mGAR@;{mUaljJ7q=;Ko^|ZAYrKH!D51`I}NNT|v-Zs!E
z;b>MQ5ss>-R|zs%I}_oXfGF3`nD2TvM_B~Tsi!k+KWHXxoGveWw$db=Lz3ff(o_hO
zAzkGU2X^~Ez7_fv5tsd*xk>kJW7fQ;_}YOD%4eR5Jr`tBu40Eu@8L(M-{68Mx*6I>
z`nT+4bY|t9N7y7)%30>@;E-hbnq<+1F!}uK;FHg3>wC%?qy6!|g*~;1=&O4ea-}0#
z%kMf4j3fv$sr!a&rgzCCV@qq+i}kOP9N&IwzI6U7{<>C$<+;Zr@9`YcbiO9(yzizJ
z_{Q1DDVi>2xFy$nZsH1j7x9?BuI+w}T4lZOn~PGex6d^YWb$n9-r?Dja}HQG5S-N%
zaukn*(i*o>R^%`ON{%GG%;R!MGJH+4XhN9$Hu~a_%BjBfCy&a~4p?j{l;~D|at)iU
z@o~GY)y~<Gc7jZ<NKM`m>S3Htt7PSn_eWNH1l`<%I9dF>AKg7S#KzN`Lz3oek}k{;
zlrrRVdY$>X`1l7$-KOuA*m@}!QQS0`ofleN_be_glqSgJH#_Y1Wha}f%P@OA<PKe^
z`ck^#nk&NT@fFV{(|u>$9^jCs@ii&b5M-!!w14Qa*i4IvY6t({RvjHUSER}vAUDak
z&cP&p=-esDWFFebEp%31;^&qZfww+;1ykuk68;~<hOO4T{C;${QX_{%_}SzSA1#D9
z+^pN!aPu9P6NWoJoKJmee4^&@8I?>W+s2m^<+b;4Y!yK!`{_}4kBh56>o7W1yFGe%
zd+1>P0lVscch8=03+&%zmU2jV{w9SPg1n~1ns?katKU_+vFwf$r*a-8?oPlW$E!!b
z75u8Yw-_hLq@1z~vFtKQEKpOvvsEl%&F%r+!>`AlI^pd1>0CJfA(}(N@ii&b5QNv-
z#Y&jhZ*a!6kd$yRgz?!WF-%_9qMvcIeSb-@5>=4NcIymvZpDIFGUMu~kyT87{gZd~
zm$StTKKO*rMz6kC#UWw&niOgXdK6+8)}qmJx-9heq6Zyk)!tqjF`RV+Rpetl_p4N*
z?`uIO^LH<wX&3NLuh^rki;(3^J>u7aF;}X-`_Z%M)zuc$Ar483uSubXphg?3gIVSq
z#+K_~C8=?q7B^1r+Vv)Ve}$UNNGfxhubUu~^~t^APmFrM-gO+RFO(ZN+&<HEZrdt~
zt#iJFf4AELR}M*%uSubXAQRj6=ZE$X+|2K-{xq{zgXWC1_rCO~lI3~jMR)$W<`F?A
z3vvz*L=}nHVKk<ROn3f$<Kl+iE~h;z?7V49POMzMIfg^R@HHva5agJoWhUKiB0)cW
zoZh;xw~;XD)LW|O7UtTC*86>HgTN0MW4^!0y!)!=a5niN+cstP{i2uLRHNJVO7Wcm
zPgk7|TFN0w{A}`vNq`VT(5p-J#n;V3vk)iyGpC*W-da&o;yW7L8u3LZxu&@%#X%6s
z<^BsdUUKlhTteU$kFs~Q;~UC3YVTWOTFlf-T)Y<0I3#iYCWRS-zLVFMEL@}=7~;HN
zGNv!J_P~%R+bE{_8tYVq1z|LPogkB52g)N(tv`T2b=$P|U8-UGdN*T6QU9po;`MW~
zy;hXva!6u)O$s#xS+^l(4;*q<>)5hX`%-3AbF2TL_EXbB|Ay-}g;G@+y@E`-9%Cz4
zny-7P<6^R^{p^Q3oE%X~x<Q75_wcC)jhk!IIV4fOCWRV;o|YbwtO$I!Y~SWrE(_$>
zWEiFtZE!Sc$SyDY{$x;l!)ie$o9vYn)1o|*11uA?TEBNnoh&V075r_^kn`mRxk}{l
zRt^cx*Q8KGkaNbSSdVST9iOc6m+dy_#BrO}l!dG3_j!lwcW2>MMg^HPKN0puN^$Uu
zvgm5v^*0mdSG>kVM$Opp<o(k$O6WC(?;H|}uSubXpyN;EzIm#*StZcKUbWKm^S%bP
z_Jp~$uRCgaGt|AN-cpdsG+kwtT{k%rnTLqp^JOgVKNQu{a!yw?sh`Jf^~_V-&moEM
zH7V2(RH(m7<jT{hg#l}I!a{NwO$MPu>#x*uy?j2M)it@<ZYap)wR3~odnM&9gTHSN
zSR0x0tN201c?wH?5+bb9DVE$vEI*{^3>rsba<*>RFpG3h^fIDY`=$3`b2IhzZtaW7
zbIE#QQWH~JtSAyiRzk~~K1y^?t+1-GTa<I&U3FB;EHC>F&kK5*z1kMThP0I8u-OLq
zMzzKcX#S6pq$3E+@fY#ZxG-!zR#R%TWE*c2SO5V)01yBK00BS%5C8-KfpG#HlEzOT
zoqxPVEX2h4MjLng3@MqDL*z{#xg%n^#*(cI60UzsdY)gFdL+ME-~~jz%$F<PKij9a
zY~bpH159>gT>Q0O!-CN09B%OHmbX^Q91@YgNnviZ=<S*7M^S5!X;r$w?rv}B_c)@U
zFMTbdX1Vo#E2PRXffu#O^%71G-|CHQ+IS>#ixM~OVa27Dn^%{%q_;djlu~m%g`=S^
zI&b2Z)nDE&7XswY*mjZG%PNwSR~a&w-LmRg71mLMlvR8--vAl8_ObMspg9Pu*U`3T
zmiVVrUuH(H4$mV{f4h4)`;+5|mb&eIxg$Qs91S(T9);o95ngro?&pQSUcg1wm5MXp
z*W?nOd~0iAXZ3d}hTo}qFUVuhaLNmx%9$1lxVPJ170zmZ;x}ElD%iCH{~~@&tIdaZ
z6=cTG2m8;r{>+2`+3MWh9nF=R+e%ecdf&!osq~8A)bA-D%pOI1eXQLnA;_dxblZ&d
z=Z~Lerd~1IcqDcV-y`1d!7Zd|#jfb|?9m?OkW~4b6y{Qm!C9J7pN3=bNH)fzyUgQ4
zZLe9|{oL)6;=Tv+mt$JH1epxDzm2%;Wa9i=kC^YV+9u(|+=E*@9HYu{E8JBIG&Axz
zBo)3Ug}PLe$&pk`uJqTHL1C2VW|@bcwbaDWbG?))st%j<N4n+<GI?N=*`sMIysH`*
zffp-OqTk*sFj5}dYe7*`eOPoOf14_Yq|Dc(P?u^Rym)>8Lz_YZ-m`=ILFYgvDV=3%
zrbyEJSUh*{txt;Sf=nLlF3H<Hw%JH^CoPNlHJhb>Q(*)jI!_Jd^d@EGvR4*|q{P>x
zP?u_M#pm?=Hpe%o&rgy09QRr7iun?}uZHWXp#|RN6*JKL1ev^b`@y0!>g5Xab^J7R
YwJF|(xqDIH>m1rw`)b~lamYjd8+gHb$p8QV

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt
new file mode 100644
index 0000000000..78691fd862
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server-no-names.crt__server-no-names.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-no-names.crt__server-no-names.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-no-names.pfx b/src/test/ssl/ssl/nss/server-no-names.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..3db5c17f9c65ee8e38b435307569945f5230eef0
GIT binary patch
literal 3109
zcmV+=4BGQBf(#)70Ru3C3+Dz2Duzgg_YDCD0ic2l*aU(L)G&ez&@h4qhXx5MhDe6@
z4FLxRpn?W?FoFhj0s#Opf(C5{2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=QGiCI
zm7F)t0s;sCfPw}<A!8#{jJ%p@qQ?W>++eJi%sogn8c-1!Y0{EinWk1kj!2)1`E#3r
zcx_zQFV2=5ZjT^bL|#%pZ2>?b4drI6BYQ*-|6y@y)1mz=Tk=8i`6yXi*;L?qzL}pY
zd1urdP?r$?4~)4&0o1wHwsexr16d-;wI`|GI`S`sq5j_QzjCu5>Uh2+=1N(qH}m*C
zEp-qABF?F<8D{&(K;>4;=P~>!;}9!>%WO`?bcepRK4!D$tLblG<WzHGGz;4K%OLds
z>dEnNUZEv5U%kQf&_oS2#ja3e&jOn6hAp%~l3f(SqQZyX_)|5why!<`26^?rQ^o?v
zs*0tM9y@_V4K*?ne*oxyB4stAa)V$NY_%zq5^ye@&0AldHDhu}ghx>45rm`<#Qv3&
z&Go{AQ3wX>=>cLmr%mPY!Mef4PaAfX_iQ!+B`*z)8c*&j;S2V|HH%^l9@Mg3GyHRk
zO`T{pDo6jrpK5xXZN=F~+@FOY&z>o}9R5dkmQ59Tql~y@B#qv$yo7uQE*X__j{|!y
z6(Vg`0p*~h8j&t6um_(R$(~LPxmUw+*cJn%%?hhT%h4eRESt7^(0&;z&J^HpK)8f)
zd@hR5BQ`Ze|49UnNegM3h9%iDbdtcpr}^V*8r=O@s#BWq+1h>N2GWT*2%WB8`v3Lv
z8<QXx%Ax7>sD8u)o4VweG2uSv10TbCsh5c1ugx*L*}r<F&bzBa*T-hWAZC5{Xo+vO
z*0e%`)vA@heWyEmvMtp`d0$48;ER3JQ2YOKIQthlkeoXc{WvK;yhc3_N2(<OKJ`@T
zcD~w({EV?C53E=m7{&*}W;c}_Ry(qE5RzhsRwM%}$yh%oC_!tM5rHSjuj8`jC`>wJ
za0T7yxWM2}yt)i0GPk@z47bS`?;Eo{YW78kl?&WNyVQSIlAXLpC(G%7k-cIgEB%uV
z+2}2ztB=-c1Ea}~fCiOJ=ntXo8LH5v{~ruTB+5=9xS%mq1ol}&09fsw>SKksy&t+G
zo3bYolc>v63yxV*rgaVcR}m?0RxuW%Z1sY%OHq4In@%;bprEhEx@g5F7c~tS!Wy8A
zy7p9yU#jTXSIiJsFSiI;qU!ltaj;RzzpgaKKWz21S4o2R29t#%$PIji!n8+>clsqh
zL1aey!)6ENq-%o>mfx!wO+Y6)x`C~q!9tNB%f9=lN?;!8|F5_%sp4eQLzZW+`ia#Q
zMjWHy@=5Lg;*nS?s@7%VY~!RLqjy$EN8-Frgy<_CdoY2!4ZH7FBY$CltOH|bO9X=V
zJ3ay|1-I3Xe*}WThO?oapddgC=?-I;|4Ggxa3=4{KQVYcCU-@@UT{@qe=78$xm6{*
zKQb{FSbbyfTx2MTlVGu{hf4H8Z2XO0b6x(^FuO(%4V!v$qDWqHV?@;-(9V(fIk$+1
zxqWm=N|0N5ph?40jb#}n*_c%QUBVuga6-Er;w?{IGjU(4hL&K)>~b)piFtis0j~~p
z^o-FIA;jW47lQNSb`2m2BvQ=JdirtZJ;npxL7dK}glKF@a`ToxXogkq+hL)9-g{Lq
zJ2uQ(DMV7?o<K70gF1aB3Ww8!C+)+JNWK_;v2+*t%PnF21OCBESxMtO*e;3E^rhTB
zdA=v~V?FoEs+`!kypRjBkK&fs^Mc0ZbF6)=HctPBEH*->(wj#m5g$oe6ns?xvbIHx
zoF{tcz~XNSz8AH*{?bQTFhycVz!nDL)c9~m+DR+y!57yj-f;segX!e&#j`*%6_+06
zb|a1=g>YWX$DIecWb&c4l*yR^s0h-VpZ*e7Hzw}sF6?GZ6uy)g<h5nIv+ic(_Oxe`
zdhrx(CQSo`yTFB()4K17oC+7F_N`mNEgDvV!A#HbPBd54XEh&0)uC6-5zMZ^TKfYt
zChi`QfZ6q*4?=TTBUJy9XN>y5Mo3#v=wprN>Qw$oq3I8{j#Fcs3<A+}NTH3WU`va^
z=W*25hv^^P7yNA;t4D|4*->)8o9yxlNe46CRSyNTW?gup$^O$YkUl&d@p+&_Ae=1W
z8??jd&~%Xwbspj5<tN~7`C;&a!K}jKFBT8{=65iZTqjs!YBja!4s|A5VE5q+VpEZm
zFoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?
zFdPO7Duzgg_YDCI0Ru1&1PDa?miZFSJ}LqN2ml0v1jw4VYv98|b_$Efi@wlXPYk?1
zT#Y7mstF(@OG#HY+`{CNLM<ZdN`9#HYhdIqq*d?}^>DGX5xXPrQ02uLYbY|g*M5bG
zDDUWd=8t$1Ml%DyIUf3eWxsQ;7uO{>sE{<d<KDAk=Te`@Cr9fm)O%>&XeUH|@((P$
zpvwlu-rb)icwL{5ZqKb@gf#0$-*b^x?@;-j>n#0?TJdm?0KDj@5tN73A|qzUZ?&$I
zmtME^bO@jI&CfIPK&ERTmaRVfPcMS&Sr|ySzG*0WIb0hkY~zJ)-HZ4Du3xM*b&Q;d
z{*d0?M+cS2<f>Dmzl=~v2eSg@DNruNpGpG?SrjMsyiaWHi}mo}eL^)&iEE>(FUa#X
zNe@$>LgYaKf)wJg;l(AzGZ31n4_HlRAqs!J4}pYVal}$ipAF@{22u7eR?97|LII=@
zSXo17Fr^$@co)`g);`2jpMwzpBi_rlS(=X)pu;nUlMi)VDu{bCGRjXt(A-_{4dU`|
zPj)|<CKTrKVaD0wy$M-^zkE<6x^B}S&Nl=7XR$wE6|U@EI-d{MNl&vABWg9SRWfPD
zg83kBt|m6q;6lqH)+D*vc!o>Ho^E}P6Y>sQ&E2x0I>qqZ;|NtO8=lZTvXvhJ>|&v6
z;o5khqECy{EPF!&zI{;Zoaj%GohS4lN-Afh(P#UCp9vPX@+3hoq!&|30&zo@9A|e#
zNCp~@pb7#ejNL8lTq5)EIUgF&!A5_0Oy4_7P9R$t_aOywFwXMIRles&C4)W#mw2%r
zv9b~37e#u(#cIn$1&LZXh~o-!2&r#m)Oxp72`cH%eFMUgkDk53*6Y4!3?_ffhTfXb
z8Vmajo5aA(gRNBL0!g&WoZ~h|aAC48m6C^6oH|UO#`rbscrOvKtp8W6lp*^w0x1)p
z;wqG5B)X?YT}k}ZaP0`Yd?`DEx7bf~#|~^(-uLNm%W}br362dpI!Qw7_^Y&n^Nseo
zz|HTH9{O=vbWlSQ(_uMk4)B=TYnWV3j&0I}i%`K=ToG+lT1_3HlSV>-8$Y$(xpGON
zP2#;v5CU~+R;EmXDJl|MQ9^g1OeO00M|Ip1g~?5&Ds8K7#?d|ZIYwrY(PF5V<)`=L
zBy|Y}+y&0fTP_miTPs`WzTz7j@QamT2ABqag#2s$&qJ$AX91oXy!i{PVPTY3{%=tY
z%!qOM$uNQvhr^!$CzrXIWOUXW5Vv;5u&|$<e*1(Lghrmc?jXTnI_lj&^O4_0$^n~b
zmaw1LU;*b%s8U&9uoC|vc0@ib2ehe%;8I6!M+AN~PObCi+w%Ih4MZQg^L>Wt>ijkz
zz;7xaSf?E@=MDe$g|f$RSW@uC={qw4KrafQr}byyDPzlfQ<{q4D$$MTmZqam4%=WN
z+Cq+Ll)2P!CG;d8Ee0pvn^;SOLHaBkkB(pszZTy2leJjZYIggd<z)e@%OW`{v+uxH
z`EMPhniz%nKBIYOUQQ-mHx-)RWb^h0@pVD$djc;+rec}2h`&H!o%?l1JTOez-7h6u
z)xP#oj4E_U&t5ju&Db|oxH`k5z1CcuGcF2eD@C%jYn_LonYm&&pE~f~u$@Gj9&fej
zugWkDA}-cAr$I3#Fe3&DDuzgg_YDCF6)_eB6d%d=AhBhxC({}h!d&kTLzfx<%rG%9
zAutIB1uG5%0vZJX1Qe$nl2c~WmdPIg#}p3IPlJ-D0R{vJ_-^)Zb$W4y0s;sCzd^rY

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-password.pfx b/src/test/ssl/ssl/nss/server-password.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..973ffd13c772f74dc2fcdbed87274f78fdbbbffe
GIT binary patch
literal 3197
zcmV-@41)78f(&^A0Ru3C3_k`5Duzgg_YDCD0ic2mFa&}OEHHu$C@_Ks-v$XPhDe6@
z4FLxRpn?X_FoFim0s#Opf(FF~2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=a+JOo
z1n(xW0s;sCfPw~?5aOjS^N0N2-jxo({)A77$adjUO<8A*ADp&j4a7ua`ThCN9w$fK
zp+Tg}y!4jFYbPC_agnCy=e~giX{r5v83T8qamYQPDlhA;<}|y*t^7wdCw4VYN(ve%
zwoP)|-8!spK99VQx;nL-gz)UU-e_4Q!48Bd*w@<$NLgA!EYnkg+WkpCFWd4w%o^~V
zVL~~QMla7a)@t42N0s3Up^pBqu%?U~9!LugmJ$VP1SA$&y-h@}ubXR$3vynt1ZdD4
z1Qjq8plsvefTd%m<Bu-g3<e%X2cC{p8dbZChwaaFY@$3ywbp;`M(SjV|9aMW_-<Lb
zl|&#N5m^at<753;+efK<JUE_yz{7SEA&REkxA<ufCaVURonytL9`PMgMHJw^sSuYu
z{re%$Gw||#$<6Kp%FA65NCwc!th#6qPGWLN`{Ps>KDIEUvTKgfda#n{8?sJR@7zp)
zzz6<$Ne**8e78K9?@i;{C`INg-hmozV5Pj{Gq!eWf<tFe%$JM+oZdzTZ>5Q4{qa!1
z>Dyx=U&;_@)Xl=?PbF^fE!F~fF6_B?m8T{-Mue<nV%Q0D?K(#$c7Jz2TkB0KT2^jy
zv$j9yG@?1yfYBP5XdJL-)kAL?CP?P_U3^3{Am@xu*Xh~dR}!U~5)P#?c?}15jPT48
z%X>(uPVaCDZkBt+?i4$X=$CFFBvUN{WkW5*&IkxzdSW=9THR0HZAMx@L?v{r5*+KV
zD??rNbd)%SH#lq1>w)g{OdVHzGWQaT6D~%&Rk8QA-qtR9AYs_B=XTaw%IUMO1r_E?
z)v+4aM#R5CEV>w5+1wDvs2g~*DV6_{iFA@xy$)r1)rQKxVp2jP=eHR^0^V~P@9`Yx
z!sej&l;pBNkXIyx!^Jn{k*cL;HLMT~Vl6&*g+~IHy>skpY~$-CjIA$#?LE-7y0W8E
zPC#JB(wKtuW>VvONqS1*d&h;F`PP&z6`&0;DxVX~ID=89r3@;jcX&4neBG-0kE&iC
z$hw6?<0Xi;*qpJLx7BW+Jp^*E1IHU|M|NoG+ZpX8-XE(;8p1ryb<GUG&ezH1NzZ{b
zK(!2NZ<^Na=j9ON?!W#QzBS`!3s)`#-tB!IbTpHp86KA02#omf>4YTBKS>5j*nHmQ
zDvC|0FeBC|H2LpzAbk&H8d&FgbbOboqQYBjv7T$m9ZPsUbJn{oUnV9GPLVbq8)h9$
zy~HZhRFMJsI4_tITcm82ASIeqj=a_?r3Ewv?2FK7BHIXV5Zc_sIBBrTS5Oa>hGHJ2
ztCUuXQoLE>oPrds?4UWG0Q%1on7a!iVq2+^5um&(!aCW*7Hogq2fymOC-r}dU6jXI
zY2l_z*VB%k4&Br-XE#!m3f^<ZjoP%uJ9!WOHli0|EPMe5#7B6$bF~r{U{b^bSo$;n
z{_*iex_30Pj!sM5ndnODX@331>EF7R`M1&L9Mnb+hevX@&dF;yAF`uBa`?KA+^Lm>
zv0rRnsjTeS1^{!OHGHW==wI!kDY?SO0R#W&ZL4Tb4PE6d^G2Q0aXK`QlUtiJ7DZb=
zfrJBh*(`%YQa{W(yOo8j@W{I5KUR9Hm|6gE%vz_}C+#3LJG?m9Y4{t52+}HZ3^0$t
z+`C}Q65sm+6$p=SvMBleU-!-A)Ho)XP1d+90x`sCe5cC3Q@&*0pSq_+sm&xsS(R?I
z?<yC%a`2!hYI?;j!T{G`#HYs|LUiE27O{%tIi?@gj5}n9V4$Pen73M&R$IA8TyZgX
zUf@#f7OR3{Mk;+^XhtYpT``yg>PF|pr72a}F836yus4K(kq59%YacdL)p!t2fQcCr
zl8yYK6f$nMxSylBA<l;kF+&CyUvnh}O<nAz=_BkzC$<h1e4JGGYmfLSaPQvPRrN>y
z`cD-#HRE4!CPIDjtDrrDk|BtY1CZG^?Ra_ZWJLXuy4ri5V?G;Cq`2icf+AxhSG1rV
zs0=>iHUpSS&YrqVJ&FUKZo?H5U{}N17Gy@zJC3G<T<G0EghIpk4s4GOgid^m1&@UP
zXPtqtpAgEQgG?@hCDdu!mAYjEaaj(}TtP!Oyc`TC?hIVQLJ)zPwdyh2BmnrvQ_zbP
zs$dI@8?PKzr;zuIwDs@FQ~AdZk5fJV;dPSc?uGtR6XmU`7xzW=IV_aihm$iQ>mUaM
zlYySY1Z!`kl9B<5OIN>Isl#4Zi%GJrkZZ$k`t*X9$um6nFoFd^1_>&LNQU<f0S5t~
zf(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&
z1PI3xNy-$>E7Sr42ml0v1jwSx-^rj~pfyQqdJ!{?Fhn{(Y1S)w&XeqXu8kTn5fM-N
z-eh`s3i;>~6oT(41w;O@K{z^pz97-4PVrX9nsktfK_{A8H0KT}pe%WMTdk;%V#!a%
z+Hc-5VCF&={7oi)oHE9bCAq5`$#lAW1v~!;7`eqT>=}_8BEI(Lx01%Mh$f1|PmpKv
zqm{!=_1&i#OEWX}TWQ6u>$>`A4&x4eeop92q~a!}vwN308>l=EV71$q7%rZ1TA&tC
zRChQ=|5*d5gObjEE0e1@Dfa(pu$!^NX?=@ABGv#M;aft;!tXg&`{=%el7Kzp{UX%V
zpD9Z2yg+ZpeuRgAA}ym{G~<QB{5P48DsBkD{S$nlkl_C@p14^PRXOIh2X_4JkqY7G
z_!NR#`*>Tka9E#qd21vtLVaBDI?&V^z1c=<J4IxK><A#b)qyb6d+pQ&4n`jOmkKrl
zv!nn&3h5l?iIwLX!CwMVuEjID<d9ERrr5Pzk<|irZRj}M9Kv7zy`j_tDCtwYS_<|m
zK6`rC+<|{}h1wLpeonie@;+lhgD(fdoP&d!cs+8xgC@3zvbb~f2X-9TwX6EijNC)e
zJVN=?2Kro5hM?f9s622IQ~5~tjniHdy&#pAGB?iU_6$Z(hpMP&R|UOs;f*TV;6W(=
z(`T#^tynU+ub(hL|E&<{vhO&=o|_w^F?ijD;m6@%bIuiU4P{qz4){aYVL>Wpr-hUx
zbRSoRd<AJ<zGK&hVl4wCTJYBK2RPUWbr$lVc})SSVtygo+o<Del(@uga_qfqf_0;(
zpE;yW<2lTG%pLJWO>4H}t0dA;<^8F>Lm|cV#Gi7>Pa4LgGL$xlhRGDhS8AImqY>o=
z^ifBC<i?GrJ;F=W)c$60XnqmRJW$9k2~1T28d&eBIsX<<X?9slH4siqs(2XUn9K%H
zAGmq|Guhj9eL$o(_=gdKBzRkHz2nxOOd}!`*n5m(*?_aQ+qYStsZ6N1g=4{SB++Zx
zmF7|(HQ(PX7($^aa^qAkaZH@^k|VWzcOHR#&s+jIpgaTK|5cu*-OgNX)-|M+%zbS)
zRP4;)h6$G>ywtzWPYh-rV7@DlIzj=oJW4X=jpN@<=a_sGP{;b4n)JDAHhOJ%<;s8{
zS3mZ|#>u;_l4=PDnd&9-J7&8k_1AM74_=8fFxyre%Q$&~#pOZpJzVP1jTcRZGQ|ek
z%KB4#B3g?RncpWs-XCO?cooLr!k(Gk++!)u9oT>vD1FMH=an>cGX(^r5~*pJ4Dbw%
zNdkJQp&uJ45gEyFK5@?nR<?^nPU}yr+Nk9qW`&aL`FYH;*T_?avy<j1tGIU=r`9ow
zTC|G%-Iv^B5(wm19=W%csZg`vkv|wNIjX};s2!5~C((?D6`*i&*cgbiDX=z$LNL1Z
zsh8OibaZ!E?_|~|F5BSD&fj>*uILE@KVC`48?tW<U1cVNlA&_Qw0ln$0Rq@`>hr+n
zgDf`-ag%zKXxkkz8oUjKsKfxo$e8YPE;_|8F2WFK6j8E51^6QmaVSlG3k)gM9iUEr
zHcSP7HZA)WFbv7`fMbM9+CZV1#d(HIxtRph3>t;ht*5{?2p*ayE(nBoaS1UcFe3&D
zDuzgg_YDCF6)_eB6nfR~gGo)z^le_ap`z}&-kgJ6@h~wkAutIB1uG5%0vZJX1Qd6q
jxT($2&avhR+GII*NQh75x19tC2(g<Elzsg10s;sC!b<QA

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/cert9.db b/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..f396d2216eddb9e8080c5f2a5398a0ad30a330d0
GIT binary patch
literal 36864
zcmeI52Urx>+Q(<M!BTc;2}OhzQHqpVb{7`0P+X)b)ea&oD<Wm3*+p1I!~&vXLjqz4
z6au0sY6K&SMpO*gKuL@SX(Bc($eo#81daDg@<DFylY2&I_MKDybIxzhyw9F@W)^Qx
zw~!bibFL^VJRpY2hLj)}hHRNk2!iCXm5!~w3l%dcy*t<^+|T}ZraWYZj#fmvAe!6<
zNP&)Akgt@Fm$$`szyb&W0)PM@00;mAfB+x>2>izh*wSd~>bmfZkcc4RVnJv?NKiy{
zv`1`UScpKz!HaL_!)H2Ap1_~ZB=VT<lbIj$nT7!@)WT>Sl~9;MD1-$B3d25@pnal1
z<bAHdHkv@8sSnYG{fPR}v4Qi2f|!pA)K3(oxu0vWP?nJ$nWnDU+mDdw=vZOYM-j>=
zB9hF{HFzweBx_hkT~`-Qv5N@^3=@8={?Q;wb$smX-T3`Egak1?yqqW5dCg$D@@Fuo
zOm_C1!pD!`;6B;W&Dp_+X=m^5<zvDOK(UpDtrpnI#%&@2PhsInJbagj@A8OUya<nj
zZ@Boz65m+i8y>!~#y0`@CJ@_L6H=&TODLka1`CxO2UlUCxC{%$byz4a#6oc;7K%%;
zP+W_J;$kdRfN!PEleCXewvgC_vIU`RK`2`g$`*vO1)*#~D6@%LY@!yMsKq8~v58ui
zM6M-~Yf0o<61kR=Ttd^5(6k~-5`0($APb_W7ARiVg6OFQ(OM3QEfy?1S!&|CY@#%q
zD9t8HW0^z|NkO~}hakm4@ndrcQXGO5hd3&SI4XxYFI=K7mr&ypYFwhOK*(it*j!vv
zYT~+56YrSR#E&2~@h(bDyq{7N2PidhiV~B6A~pM}5qPAjebp>`t6BCn2Qzz{gPFa}
z!OY&~U}mo_X7)A*GkbM0v!5<LX7B@JsrbN=n)v9En)ncsnn8W0u+N<P(If_fq-<bc
za{}?^1aSk<pg@8+4?njkfgLZ)VOtX8*23C|MWU(mbzw;2L?Xkm8NGi%Y>bH5_y2eW
z`?EfpWX#pd;_eoo)WgU-+@woBa1$(m03ZMe00MvjAOHve0)PM@00;mAfB+!y&mka7
zmBTtiM+zaN3weq>MjDVGkt;|AauQ1d3m^ap00MvjAOHve0)PM@00;mAfB+x>2>eY1
zWXTkmswLb;Ck)M-EwWOhSw><c7ty4~w^WH?lthslYsiG5QSC>PAyep7jcQ+F{;yaH
zDV8E57!8bc#v}$+@eFbT3ICfq2o4Jf00MvjAOHve0)PM@00;mAfB+!y2>}Wjg6R_}
z2}&?(%NmD{p^>Lh$O>E^VRQ^LN+gP5I@sYabu&Fg(J{eMLT^turnk2nGfIf<L`R2+
zBA79F(dbz0S#jAx(vcY?9oiu2PzOneGDtdPXG($^jM}qo(Q%UVWksB?KX|HyQ457p
zOo1>eCYt1gDbWW*iJ1R0${^$@;*Y2>&LirKOGpq>j3t2u5C8-K0YCr{00aO5KmZT`
z1ONd*01)_ZARt3lf%ii*>3Aqac0f~WL0E_|B1ST`mciu)EdqgyQ3lku=zi0FGA>7Q
zqa<k4QAd^zs*Ohx<Q2Z^7v$-S>ag@tJxP>dh(Ht`E{ZUX2nZLNEeJM^jt;|%nc*AB
z^Z)B0WEXM_`2l+a;6Cy_l8<ag*8Mk}V$cRa01yBK00BS%5C8-K0YCr{00aO5K;WN7
zpf{W${ghQEkAx+G34cL=nII}gMw&xI$a*mTjE6LxDov;0H6-BzX%1PML((Mk=-8~^
zT#{=VC0r;96$as=lKKAv2ziKHKn^0w*xbJfS%9P<m;Y&eL4N=NKmZT`1ONd*01yBK
z00BS%5C8-Kf&Ux<4KfE-)7-pc>nQhK_a3!*j^e%Aou6VqN%9l}p6erGJ*-;t!{m_4
zw#vg)l4rfw*@cpa67XDFzMH#)o$*(#eA4-5*+bot8wAl*;wb|>w`@zdsPnqFKi5}X
zZNVkx-h)jmAjv}m>SPZ6OUG5jx=w|ukbIfkahix4hME6+%i197Qi>Xbp$Bd7fYcI{
zc>NG0C~^Ajec5DuIr)#JQZ<vm#Y$p-cClYf2NjcbP%(*?O(wx4lA4mNx<OaQ`F*vM
zTnu-4gpIjaJJ}mmq|uGnIIVfD2*dJJXyC5_p*re{*k2c6Sy-{y*k1tQ%v4w8SfU&j
zN4h%*M-an${hN&qHnJE-AXE&?k;E8*<IC$h*HLyxipQ8)ichts$g0*qa60~C@xsPn
zTBM?H!;WctVXcelAy!=#W!$`X6OJXnZqUkD@m!Qea$95*kSL^O+H}2__aAfkaLBNL
zxB5Rm)<`w1$oFV1vZ4=P>`C7;;aaOkq3B3#V)9#xyX~W_Bu8DF`4<uv$fBi*&A!{N
zcF*QrOWC;YLU(I%d9l_=XIf~7MNt0h@*SypPB%}AYj?ycj4FmlU(j_4g^N};CF$Ec
zu*c>2ncL4Ab!z(iQ<vvus-91})7aRt#M)5#X`S9qS}?57Hqh95`W!hw=Z$$zp}C6i
z>Zu(Q9pCIIU2dpdZXdL#UiQ_pK%3y%KgI4PkzokltAsL81?<tCp{f)rN`~Q{{>-pb
zjWL5ESJZ~It=)L#h)rfMnklXij-Pm-e<%3z!{DUg)1&4$Jqb^buj)u{$f?ONS)t-#
z%R2g6>+5LKR%-Wt^;d;+T*6b?(ORi-SDsI4nsYHhtM+UC!YQRm_aCNCEt!zF&n<5?
z&rWau=>>aTu3YGP8hh~7`q8^rXUJ>SH7!`<f1~jILd)-8vDa_WX`Odw%pr4%+==c}
z_jH#1TqSowBkZ=uC9$chS<%!biSOf!U&oqeO_Sxn-B~ch?e?1ECOxwit#eN5&VBcs
zo%W09bXwEyyEpWg_=@GHYsVJ^8V`Hjb<RY6WO>$}NfT42=9jK+Ofb0rhQ9cLq4#2R
z9~9fTNU41`HJ;pnUt9wpk^kn>8t^N1Uvks17@{o3-HZy}_5>y312_NJ^5>k48n)oN
z42}u@LDe)$s`hs9h9T^Uxk11N!!Rc2)qjO9%o9i6JGl9F8{>|7i|*z{kM_)Nbv&n^
z7JuRBf=1Vs8-}l;9A7(uOnBOn&;~Qy)AnbOp!S!0TB9`>3+&?gBub9?T1CtQy_EP`
z82;>P8#t}sb*zK%Mj+OK|J$|x?6OcZB6#fCO-GE|!i@ZdEk~;87mr4$q8;<N&HR|e
zNb1TLjT&a`%_9}H?|&GQG94+NUt?>Zw`k&tFoa&cyK}4I@S{WHcGVtwV_uz9GF@v1
zw<XBa+Onp5%!XTOp(PFcW1cNCCB?OlA9g+ISZ28^pjo-IefS;Gq_N~{kKA@XbLu$p
z>gnYV=bKYXX3Qh;-$AX1OzeeRQ`k;4ea4M$tL>&C{2zuKcAX}OPr0_OuIjMSTc>^J
z;_JLCw>n2Wb&C2XxhIoiPWkZ8`Gt{i8fWQwZl|^8fwQhk`$^|pmzwT1$(=KCA60(2
z!Gp>bc{LB=S>moKd$JoM5|a)cHK6$a3D-Kq*T`~fx098FQ)qp+kHf*KmyT*pT^U-u
z_UV*o!W&1FGYjWc<Q$i8y*`D%W74H2!<Y$Etxi3b8~()ihRk8Zo;&dld+&_DbmOFk
zzg+0!Gy3Cq2G1GKN&D7m1zVPqam(^_U2}Q<ugdP)0XwhkTb%Zy-RtSwZL`$(Y+N6?
zC2dG!Cg;i85dqJBU2}{-^7*}Why9s9>7DteaoDt{^M1K!X1(#QeRY<Vup+%OReMh3
zy)$#as!n|SWINZK|0eg$Eb`jed!Bkj{U0U@cjdK+<%T4Mx{FI`4TYz+tgedF{Q82r
z--9G^ft7Pe`a^{W>6hnf*;kCntWdggx_gfGNoZOu)v($VcNha7^(5>{8iaxUrLVNG
zm_+L5N!9v$5xnugvkc6WV!xi%=Sc^lgCv;tTVI;x?s7ZRY4V2A?LS>#u6L_md9(85
zKq%6maWRT@^A&C9)g?je*V@B`FXcfS6fj@<355jhzuK2#za55Q#(n7*?<-<oUf*Lr
z=@+bbpZn86VD`Hnb&#Hp{#~z{v#Pq&r}$x<QDet+>anYx*7CC!$*63t(A`iV&tF`l
zU8&;tLc8<H^Wd{vv_3evXD_;%b*5V5xQ^499L4IT3p)fRzdjoq$+ucvQMzHei^-*w
z#q00aU+XRycKP{P<9)ZQ_LxMDANQd+ICo}(@7>)ohF)4bIalJ$s><q8MI8$1Tf)2+
z-Y6RPz^?jxgUcPG7Zslu7CrJRElT{5n~{9|PHCfDw0q^qjfp**s4uD%=GZ?Tvj5!F
zf?EuGtL(B!+e1s!lIp){dobJqEqIWa-JRQY)TPMQ%5d|ec-5j!5lgJ=?l)!d+@7_d
zYK`)B+wyxZ)zRJ`n`-%$cO3F^|FiMsIYSAr`q>F4zMiVQJaF@Um-8yfAR{HMx^3y!
zvu%oJYL*Q3G>?c3I$g0$xqePsU|aT`^+T_3JtkVY=UVQ5r1X_CQ@>n2H7oh2VFjC;
zO0FA(+`7%HH<U@s5twGaj&;oSYAW1VHnE^>YUjw=&7!q$o#vctq^O0~ZS%c6fswLy
zw0mpN%hCDEeaOp1wT83rKGL2{ez~l5?vh-Yla{_KHjcR7Eu_8bxSo35c2RP5Mc3WZ
z!@e&2)q0kt8!ww?#};H5m${yuO&jI)I$Ykg>!x|lrQK!O3?pi2=gLbRLHftPdt2-_
z&PaQ=U;X-3Io-?U$yKzNxweo^4)fO{YgIFonW|fg4qGRzbItk@cR_>U{_yK(kOuRY
zrvETL|EI{bL5ya(z4UC%01F@h2mk_r03ZMe{IdwGLg{_erv6=1Q{g}i>>m~{!opK3
zs}-Qnrc^{${~CYR#(%RIt3x6JP<Ul54)w(^Bv@n#&%^%zuYb43LctIgGnDN+WuL~&
z{=g|1*i0Aub?LsD?tnw0*o}<e&U3rf{Sf2Xwz)koQ^+Q~(eEFo#*NjpC_FUuhxtQ;
zw(MIIC|tT??F5;>GiG?R83T<C%1@rf{VZlk`fLg`@aV~BGhFVcH)FUn|G#sK{;xX!
z?(DYgSDnt2igED;!)y1RLP9Dphktwfr{MKA!YmymUAS#s=cqv6s1~JRaV37Kvh|Mz
zraa?X;~8Nw=9_<<*i7HreyfRk!@%)TdAmVS_^Ne!g~t-_g^NCfBE0KbwKp^5zREYC
zfAhR#=GR3ZWWsXxzbqN+=JxVv&q06t3F>5rpRdk(OwEIoWrkJe`RdNEiQacj)$i$c
zl^Fk7HQUE8JUMRP(xuNlY<Tr>&n8OdFleHm2hVSgZAP(Y9%*~4(t?Qcg&8r!y6VPK
zd)#)XU5SbfF5fPkwX>l$uG~$>YW5qwfIRKo7LCp3S%NGbP2<qump&;0-yWbC*u{#=
z_*MoZ<h%bw%uuH|sdK^Gh7<SvIPNx~Pf7C(SCY-A2fKvdZ%@ul<?lCox3hfos?s0I
z>*M6DjcUk~)DI4aG)VR>`U2O>;cs``{v~5+&M&zu^A+=)6Ki;D6`QzQo^4d&WnXNQ
zoqXW?bo(VuGDg{|0XC3;r_WCkM--*qITYLIQKzb6KuRx(OW$pXisfqC69c|>ICRDJ
zT^y}s6G?A=fuqBl`7<}IDs}d_8Xd;<zk4u4kfiI<&RAh{YBXbA{&%FZ1I-hIkK8D@
z8F71}V62CRrScx1n(^zmWsBTux3!XAT~!UvjXE~`P0eCbplm_qh|c*Pd!Nm4>C!Q&
z@(`3Lo+}}rP&i|6k2|A*k9y2U4939z(k*mYtV-+eN&Da9{p&qxa?xOV(l6c*{;hL$
pHJlrAf7J<5relNGq7!M~S+s;`1{)kYFu$FZR(T}eaT-_M;a{1idFKEC

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db b/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..a3c30ee146f36500198bc5b7401260affff556e5
GIT binary patch
literal 45056
zcmeI53pi9;|Ho&{#bw5f+({ZE<=zZ4W9Z@*DMBvQNy0G6{Vu66DpZt8N+?N%T#_i!
z<)DO8Iw4Bw9=cGHO7)+;ah%?IXXbg||MUFM|9#gsv-WTA-&)`OU7x*MX6^lC9GBYo
zgtJL&f<gm4!b$oF2?P>}Fd>l;2n25Y&0WC@mRq97V`zo^OZ?A597303Bu*Sbh=@5L
z@MvNk?h<YtjxIJR<{)<YpEUye0Rcb&5C8-K0YCr{00jO&5%3olmYX&W$<Ye;VEMBH
z*x?=vJi<LD)*|K(7N$-XBqvid8w=9JUXr?x7s=jX(GpXK-$>RLzmc467cF(RAlccH
z%<XI~Z5Ek3ksK`SZA{HAv`O60s{z!pm7d0I5v-i~G$g_&(2E@v7UIuMx_Lx|2f^EJ
z6Z&q{iAdB8i<Og8LAt;dJpDX;yaL0*>_dGbJ;K?-<K`CGF0fcZf|HPi$qFQO4=P1Z
z!vq6sEQdAxJy>l2$tu_%G~nb<8u}WRXsp~+6{Opk?Fg1H+cSJp1M`DM*jV}}6)J_Q
zVUEJeDNOXnCoC+29Xct4{y}Ce`;!Wjs*yMsDJ-X=g4}5ipR!4T$w+8iYV5R4?ib|5
znVQ)-IBAnSDBL&qym{zx-}+Dt?|}ADp<PU9lL>7y;Z3LtlLi%Zs9->a0aP%d!VoGv
zpn}CM3}GqCSP3gqAPp*I>^P7Ll>*67DUc480trzmkP?*wNl__~7L@{tQ7N8KIc{&v
zAFQl57Q@PVu(BSktOqOW!OD8DvL39g54X~XTj|5C^x;<ea4QC!Wx!bmoMpgS##k2C
zWWbsRa7~yG6$YdS_f(Gpwbg@rst3EJQMij971})>Lc02JZGE`5K3todgsY5IgzC^>
zQZx#5Y#L0829u(}N2S3>rNQTg4!5PlYIInQ4!8AW)AeckbVzbMgmlM4sAJ<HbcFE`
z>f(3^^>aLg0FH+c#jy~EG9FGggYk^-oovRKXvUbd!wo0waKi~Z+;GAUH=NMrh7)$U
z;e;+X{EIGh%|Hj{?u9O#@esOt#zW{58V|iDL-u62=Fbqm5XS1VChf2wJ6?1TiWdte
z&V<e_1;!55rRg)^>sHTDLth9hw@~Gu4S|#YR^6zRF^c;eMFje-BF=pyMPw1&7gzuR
zKmZT`1ONd*;J=!{E^j0UiIyf1nE!}DnxjM`Ah<sS0s=vhl-z<xNNz>MZ=CoUug^_G
zwf@D0D~dp16xsW@D-;qL7Un-Yj2#-u4%G=|M+W(^y>vZ8!y#>oB~_WCghe@{ad;W~
zps;Z7P`2Yz8&WtsESwY;!JQ0JXHdvc9)+Lk859r@6sQx(or~%Qd+Tsjp=!ENA+50I
zK$@1_!F$hMFV$iWXBF)<TY`iZ#4*H5?kjh5%R8s?Covj511m6RZoD(ZxvUeGOsk!q
zT#B=Zx~+6o(sfAbUGIDEi+dHnncL;8yK(qJi+rWB)!bb1mgvX<Pwf|j^Fk~Pw$z?W
zUa?sF+RmsQ5ANUmTB_3Y{-S2y-Nqx@A;$B+m3tSi<gDt-3Ribf%%C;L=r&fj?+O~g
z@7wF|5ZQWq{zKE2`dLi_M(fJ!*r%U4oIAbsTVdw5Tb<{6#KP>Z&P>_*Jry(5h<7)8
zKK0n;Wu+YiGlQJ!5R?4q-HG=Py?&@_PAPr3HRo&LNXg>UCI;$zp2bO>P7Pdd*#6*U
zCevoHpCa9ZYfmrweytrldS)3z#xaKY;n<+@@44LhHIfpKWKh(xIL!pBgpcA#JO+uP
zD4?a02Nla2Zpu|D9@{<rOMjWCPSbuZAtVwVj}*C*d_}DO(<SxC6b3<M*N9<5Cp-4x
z5?n6os6*UFsp)YxhwPQU&bZyZRLA9t_+nR+OW6m@+BEMz{iLg<6Z5rg)`s_vrGAgk
zh@B67e`UMG2Kkwvgd{^Z$9MI$sS33xO;eq{hCbyFvFEjEb=Vxq*w2v>!;xp6Z9=WD
zuap*=id@z5<xRQJmF(S-JJywH+9y3ZzDO!ZLgiwU>}89F3mL^|y7S^~wFXfo2@SJ8
z5+YaMUbQFc^SbU;pN^#Fe0A4D#j4JY*!t-Cz-pbT6%OCeRGzZH45|&=cn-XBTBfZ3
zaWPWS$5KL7&2H(n%(x)R)B|j_qWCx?EBwM<>`P(Gwa3<0A2B_fnri0KNa0lc0$g^c
zTZj4C!%h7kv=cV9w`I-~cGQQ!agsXUwGazhUY_IZ*yj?a-Ev*xQd7~eQnT}&13N6w
zt$x!wT{X)nzJDe$?}&JKhjh>PK=HjVG8Ub=-rJ8qE<Cl;4O?fCeYN)8ZN1DCwNPvE
zZ8g?cswz_w-?|KEsp(!=;J0u4hX^L#TZCfkT(gzof7Y2}L0nX3s;1z!BdWhgeV#9S
zFsEagh3c<;%QTxEJi$CQ|1QyP?Yi~7VoK)L!(+a^?QTvD*}Tjy_fV|W3suj~vkffu
zlWWg23o_OFL#p&eTjLqn<7aa99_-6gunNr=+Hm0Vj_lYEqJ4>rPqonk`(<&xUrfW_
zzA<sWFl~VuJ=69+AxzZZq^4<6_R@8<Idg4mOFB<mOB~VDcyqiwraQ9v`cU}yWV;AQ
zTnjd#clVkD?{TXAk2>;y?K{>lZH?H6*M=Pp%Wrv9R9f~HU|Pp~J9%jg?`V=xa<`sk
z6w%R;p!rFabtvi!V%k|kb^490)-<-ed9qQoh1+>$cCu0a!p^Eg4fmIJ&HrTNUh^bE
zL&ZX^3Z=<>cr7ly{=kM$Z=M{C#O$Fd<D_&x*OYdq#u$a}UA3!1b@LI2U@SIq!Fda+
z4^o?h@gOD`wdM;y@$GLcJLph!VdmXm`?eO6cPW{F`m*%}xm|}FuKz((QivJzEvk#I
zqEWTfoVPX)nC(bdlZ9nF*AH5LdGk?zBU>4*OJ6E&{a)E@dMb70swtOB&05+`UDq|n
z*l;M_Pe-Hg5U`tWJATgiD9o|$E`HWG5Kvu#?RyfQx~S7K$ha@LO=~15_*2rI{Ex*S
zE6-3>*&;#vD;|8UZ&aG)U&N_2wk&fi8g*UveTL7keLt!9$G_gcsbSl-+()C8qM^4G
z=ieUlE#dlMirvg7t4rK+>gzMLN0^Pp1sewU8<eH{p0M^W5B`4Oc7<P4(xdNAa`S^-
z2z@;-vhItmcQ8pgYkK^}S@+%QmrDp=%$+lL4g__$(n`JlNXhQnl~|uRf{WLVcO-_C
zs$Gh?su9(Fyf$8UUEUJ^E$70Mg~}2>1v($N>2ow~<HtV6ImRqyG3fa<^1pp#7lR;h
zpU-n&U;zXG0YCr{00aO5KmZT`1ONd*01yBK0D=E70>UV?D0GK?Z2murAddcrbr5t1
z5C8-K0YCr{00aO5KmZT`1ONd*01yBKU;-!<LUe5YUydM_11Nw1AOHve0)PM@00;mA
zfB+x>2mk_r03h%;B4C5&D2e`W{m-|t`TuhS@%i7VhrkLT00;mAfB+x>2mk_r03ZMe
z00MvjAOHyb3j`EUOwnKe6`is9|4Rh%<-Z^cng9ZT03ZMe00MvjAOHve0)PM@00;mA
zfWY61fE<b@`m4Wki{ZLN62CxRabv5$m2F@K5C8-K0YCr{00aO5KmZT`1ONd*01yBK
z{%rzc^3d~t6}&8hI7BoeP9;_nqlj(9{lwo09t1N&H{md0lyH#{C!QqkLqLmPC8&x&
z6F-43#ixpE;a`g{7RTdT@N~Q^J{0ftZ<_%EfB+x>2mk_r03ZMe00MvjAn<=eKpAC<
z4D<1J^JIsHyHV&=4+h<k;WqXK<a&B4Jku1?G?X#i+K;_{qA~r?#?yIaDa!vSZRn-X
zW^sMMU$t&Hjc1yv#4F9BPvw=SvlMxySu_P+X}X6zuQY=q_fwi_$kO|>W3oKcOc`Ej
z7G0WGn$D8qm1fZ-d8O$dQ+TBr6p5eGdWKAcKRZU`nPw7rrCD@wUTHcD&nwNM;drI#
z9%8)G42tMKrkUKU(Cg2RiSSG_g?Xh}bS$qlorU3*X3@~R(sU0LuQY=qghNde4fY5N
zTNf1SCC(jR<Pp~q#KVNo1ZVM6;yC;o-0wIgv2~)iMRi1ygr5k{$7W!LFm~udGzR4^
zR4pWn4B<BT8!jBOJjOI$67koO>xc2fgTjfUtip<pe}^rGK(V8kPHy5UG&D)frb{K3
zZHRHW?!LHMS~-r~=cu}gcE&4%)iC-tiEYjO4oe{<i6Vv-8B-Aw{cDUSi9f~Xkx$++
zrMCVd?R%lkkh<gPL5b{UlRYD(4@qqIUJhA~r%47y0F&v*qN-=Ui`V?**p)Mbwq9~a
zSH&^aIT!SA6wXx&6=l!iXOgBlxTLA^-sUp2N~qaz+{)j5wmX#UAw8<Uq1uHcweRDQ
zWq&sL!+<4#Ny(~Dhpx6tNd`)Jma}BtbP}E-Y-0*G#1-4N&dW+j+|SQs!qH``7FW-&
zdO*iDb~dCRIDoQwaq<b{;f!<DNU0=y28S%e+ayx}lWSN@nyj!|t~BF$m#d|TnmbSW
zD?Fg7CjNf8d-VXjypx|vmc-}E+QlsmMjF2#k5#8Ns}C{{uiLOVr9xMRRu~*s$stSg
zG|8e1V6v_t;@0i%$0IU(?l}8yuUR5-DN!m#tUjb~yG9MmD(4$NlLc3G)-0&*ejppV
zB$D3fn?^>&4nLc*u;AXemmfELY$@fCrFfd8vji}iS9jFvsfI?<-bBR8!@Fv{jg|av
zQIe-Ry{UPR4>!nu%FkrwviRRTbEeKar&(*x>>Wj(iOaAaI$SEFeCdp1!G{&m9I_-&
zlPsD5CXd)u?Q(AWgthET?ddmFGre`QS>_|j{gimqh;8isLpuCS26irvx}Q%Ak-)BK
zXNq?Bv=wf9HfvtRt<_&K$*BH?6b^X`Pm^>(h9H>^`|qyW-iLle-QR<Zr0CQwyb&9E
zsIc~n;%|yCTS}m>E#^4{>8_YF`!4l~iRI()4t4sxB^U#RJVe3jcQJvl)L(8-(&CUM
zc$ySw2%0}zX_JBQfo3e*J1`HSQmL3DE3<dlD4_0EN5q{yPhI$#3^D5(weO9svv*pW
z_XonTRi5=O#B#xl{lfU0QjSNXi#TNB&nAEPXd%Gq&RNtPla5Xs3|Px4E6(^hC7QhO
z^g*Y4sQUPBjln(FO8J@GXK^A&O~@j5<zSIPUkS3p-xim9?d-gZYZGpKZr*9NokJ$@
zHYvyult0gRKh?BoAWkx1#Lq=ubhfC*O4(OsbxHN%U+oWXujFTvzCO$Ks7rxbj2AT+
zzuL9Ws>WdM%-0E?sNTni7B3-v<dDUAniOaV3U--4W8;IK!|w*p)A9Y6gQXXo@+14_
zr$6tP%1gVOCdbd@(ZmQ!i8Eu{AJ>+nhX(?)eUNEH*R-ay1HPs~1;mQA95SA#Nr8qS
zO~z~CCV!=>%)o{PZ=AQ5t-qWjOinkyDPy99a5_a<!_Q>GZ+AKs^;%v9s|LiGlwWwb
z@a~j5y6&N00`8gbdzUg=!6D;#niOaVa@HJ8i%r{nf?VXdu~61fvF=^`hN8EH3q?va
z?m88-CHa}m#7S?l-Z5mm`h%AaI|CClH~q?u^ghFr@=_{Qc1+Ao4q1$+Nr8r-Q~j-u
zbAx-f3!N#AE>~GU_wwAD<+)O4OdfbGye&*hm*!_O__A#A%O+=2`L=--LoYhA3O$~F
zshr*Yg{~@+(78>1IfpFD)1*K{&^y01qHTs#f?ES)w4cg0=BaLci+p%&mZsFci)tB2
zGa5gW4}+>lT?!=?{MrjzUTreJZbgd`lHB)4{^CZvuWnhRwH&g@PbPny1PCw$9k3S}
zFx-^9v9?I{^AiO2L&fvtT_JDFYdxPyJNHBpO8A*P=Df6a_T#eoeT8b(r?)7*A3`Df
zoL0IebQIh_yrW0|Er%@3+oT{vP~fE)dRw47d+n5B|K+|}&#q{#$a9_NPPoys$zKw)
zZ5Kb2U&{jAUwV<cvGZ1MJ5i8O;3r3`Q*V5J%sO!8?U&>!og6Zjr%8c^pvUJtdLmA0
zm6$Z)#L^a&MCCW;ZyFG@7mqYtcJ0b_q!wS38r>t+l#n>`mAcQXoo-hg%t=7G6vkGs
zm0+55%~(d@kTE<>3N!?@q{yXiiHb-u9VvD)&O}Tzd6^rv%D8BYg<|p5tBv>i_?fiW
z{BXwE`MHnI4=M!Q_5a@0zMGYuG(4=ASVyhj*L1v|Lq_v7DbNsPkG`Wjv&J>S`oYl(
zli%BzZm}lGx0c;7k}ut}JX!T3nx9GOWEV}#tHmc;rl32DzbTGHJw7EFB(p2nN1^`(
zVymAxhm7KBQlKGdchN0vH$TjMs_FLf4D>7S=YGkV&G|tWNR3kuzpb+I<7aZ#krB1@
zYZ+Dpc_e(wi(_eY^VYZ5W!^18A8i&d`nH~XO$zZeDbNt~y7cYC^v^jv8|%x1164UD
zH23h+_j(PDk5dDNE9+}C_?c|!QPuZOnbPyEH>74cX3m`yLRGYQ)m;v|?N%%@NJGpG
ziJ3;@h)m4Z&(XB?buVdU-y}Y~655|RV*W`soHCc9j>U~nY4I2&ilTs)CO1rPm7wNf
zNA=<ogPZf(4ZH42aJ`@<#5M)ppEET2>ay1NoM^>?)6o21RE&-wx)3S}Q^fu84R}>t
ztXLO!7gzuRKmZT`1ONd*01yBK0D&<A9J0z!ADw@EL@dC>`1qZNC($qLFqhgKX35`9
zkdSOIR}@!~631Wg6*JD-#`k_P>B^jAE1rv(p&}1%?Vq{II68^(@zHepP<rn46bJ3<
zJ`S10+oT{5THbx>aiuFf*G^HiN|nVf+#j3UJVW`U`NGHMYm^$=NBGV;uX;vRuUcxH
zXj^l&Rt0z8;Hk`-4c`@nDDstIPT3n@Y~rX)#~6=4vijxYasfc@w#xQgLtB;her99I
zIi2vCqECjiYPL(}79Y=bKJOs9h2I=x`2zoSFJ0YMYOOGf^>D(M=O6QR*=&)WsvE6h
zXM5}QcaDlOPmh9dyz#QLYgDJt)X!`vzIk+8cfOr$cr;>p<1^H%CAPh(cKkeQC!aVf
z(zYUhOUL5}nl=06BDd{qnA75z5c=9ZtNljC4i0(RPbd3_M}LL_fNTtUz{ys;#?)<I
zwJh1aZHK&?oK!~Bk<|wg$5uOpTN?8-DLmwwzt7ZsZ*NuZYO^Wj8{bBEmGlp)_4n6Y
zFtapL{mdaN@ir;Qt(v^190Wq_&V@!)WNW3H@x2pCzB68JP|gXTakU`byX*=-lMQ!{
z%Mmu?RklQ5GJR8iV~8!GKJ@6Jf{I+#i(;K;hov~=sXR>zbgL$6r>#ai%`ag|Vsqr(
zJtBUW6+b5Tf8V_iuibOerulRcKa<Ck^8<#23id1Gbkx@>n)x!$yOFJIyWdLUOl+49
zCnj*niabpUbgRa+z<g24v(CI-b{*Qg_utIuO833^%spJ|?N(85*EhF+=Vy|}G<Pk(
z?-sUedZ{PAFj>PSa{%pQKi5NTKemUk(#4)bR^Vw;pj$O{!k?a0-6MV7z5lJFP=<cc
zc16S4x~YezACl9s+pe~quSu~zE_*&NZ(X#uIT{h5H7sE`R|Zu}v|uJG&eV;%qoeRY
Daqo==

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/pkcs11.txt
new file mode 100644
index 0000000000..c5e90c7000
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server-revoked.crt__server-revoked.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-revoked.crt__server-revoked.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-revoked.pfx b/src/test/ssl/ssl/nss/server-revoked.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..52fd4217213867aa1dcdd8d0bbe428dbc54c7b7f
GIT binary patch
literal 3181
zcmV-z43hIOf(&T_0Ru3C3@-)=Duzgg_YDCD0ic2mAOwO8958|m7%+kc&jtx9hDe6@
z4FLxRpn?X#FoFiW0s#Opf(Eq)2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I==0!}Y
zPkIjL0s;sCfPw~y#6V`4GYx})wEEZYnG>aUO58DsnYElF`vXnnUfsI%u-+c4Quy}L
z>0v;V1t(rZE*25VwQ~Nc5be)?@cG^^e$Nhh%1xjOMWyY5e58f3*`0^V9Wzv|J~)Ix
zYFU>FU)7*A)BzIeh|RFkHqF2M-Gzx{RqXABu#IR|{i%GD+)4a|^vY*LjHFBTCEy4t
zqGYyY%URR=-`?u)fx6*}JX0NiW$es4RqvJ(awzEpmFWs8NEm6V;ru7~TLEDWjIinS
za5YV;))HtI>#akPU3i6nn2fWfPcaku(U<$s4hdKyb?=wmjO}y%`_yHOX5rLLXq9X4
z-!)+bFj!SsdRatuFZW~2?`UX$bj6F-^xZf-m>>Xw*;%#{p{0b&9215slt)^QB_kO*
zL8Tz62*xrli%J4740^=dIw49Yu4edvnI|$SLebd!QGHfVlN8%qP>DuI<Q2g<*C?Bc
zpr&7%m9qjm9ZM^dNs<wc)KVt_2<%}om327jFMoWrK)%YOIL<{cz=t2BcDKJchX8W$
zmb`uPwqN$e;4jgIF&!NY9QbHI!&FXV?LQOo7U+kuPjG1<`qx%)?$Sap*>nN$)^t3|
zD}<4Wllcpd+tU5C&JOnFj1?Ail%1tcilF3|Eq)F??D%=5?~8UCg3R`d$~Z^@{#^+w
z@5Uu2LoZ>9fRNZv|K@wGotLIkmTy{_a|C~Y-V$-m@c+`r2~8ZmeHz(YFgnRauu)!X
z${pY2#1hSTU865Nkuf6Q+pzEmumL}t0+UKCsq@HBynvooUijr$chxcn4n^EoeV8R3
zvl;f(h_Z7>Q25o~sQU{X!xRPhG(t2lZ>G;ed5+Jb!gAQH;H8U~D{4ym{EUryAmP(t
z4qgd{R~3@Zs&SAWWL3TOc&L}WECg!S?9P+lXA)|&Tl5&uKidkS-pH3Kzv#T%?RDl0
z{G9A1qc~RouYqrswYrP>;7{Qv9V9@6dHF6Vt{*-Be+h_fwEh=d8VH+4DCWF2#Bw!x
zW!74aU3CSepw^(AM=x&u`g#Nfc*p3Hh{A1h-o`fIAU@Y<xnCukOfK_t))2~@)ylF~
zwrAvMOrWsvP-X$W=7(>S7Bqi%7BA!DWRCu=aTvqEQ%bSS(M)4|8V_nlt78|zAjCBh
zl2mP!XFuuXigvMs5Eq1=tzW#b`XMESBK0^`tZpvMMLJ!#FPm|(y4}iL{q0>C_mO@P
zA?Nr4lM1MDGCF|Wb2s5g``%#n{of+e+O1T3zVj0&0f{TKfDz_RX*=~}FAAdhS+r7v
z?!9tQGD4BFvFcyfsssf87`1y>X`t>uR2U&RX1gyQUw@FFkvO~4TzqexLMWg#+m7_)
zi2+%zk`2g=qqSRRL&2|D)$x~=x})HEHshZjZvXbxzjcs1N2^!kXBeh1B|>6i+D=p;
zj1+0E$7xp|ksFMvN|EnneyYAzFB<Qus^B30<P1vPT;BG~h{s8vHO3SmI04uMc3E5@
zwZy(9E{=Ja-qomOEV8HM2CdzHhRR|&Ke3ZWFZY=%NvdQpKbcRJ$O#$!v^v7%z}-=j
zenBx*ldLy95N$+w!}r!GPahwmN$Z;cPd)S(2N@bKLv$;eS(7z0sqh@f=|lMr|HWqN
zk7&@OG6^FeP6BqJ-=6^Eeo4CDo({%_v*$2RU{!Kmb9tZ8Y4^huO2+~&yuBJ?szdf%
z(Ema|N`rL)_hBoTvNl2udcF;9(rL-c)D7Lu3VagApl&8H;6K*gnz@{pG<nkt3^MIl
zoRaO`+OaImqx=~duak-8fvdLWnX^!zQVw23ofGK`fc*3M(G0W6Ft1&<J4uU>C?vNg
z0_=C0*Y{Iyb}gM<^nYyE$)l+koSp~FH49~ud9Ln)7YgkugBj6orfUtPtIS)QLtMu>
z!Oi`-7yDKtPZXet!?@fDd0}OXM?vfqHhptZGW$`4YOsdbrEiRv!*C@Z24JfR32J-C
zJ?yhn7Lnxn_<=Hqc$>I8nbtvm;5N|?v?9}78n(dUvcj~IGPXXH<Tma7IwQaoBo1js
zu~<yG(#-$-Gkk-?gb*7%En+-z^Sq|PAm|;^OWpkq*jr_Blg0Cp)PjC}k@%|IyaHZ|
zW+F0%scN676%K~c60c64PLJpmHk*HvC9sbO0dJXCOl98IdeD@?LufDp<xb@hI^MC_
z=)1QuxoTy27czSdwE1#5ANsIgFoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f9
z3o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PBzX^=u)D@1z0(2ml0v
z1jrv1jkxz38bI8UT>7b;_t!(<ws`TUEdo^}zw&e)RAxO%7Va>KvQ+Uj2^6bMwz#-C
zQmJMBttwq6@|Llj8R)C=chV<LRFj0-Ga4^tX#|tG^IdT=UQaFV(BH3QZ#*||(5Okv
z2S?D%7KUOY@af%6UEfm;_m#wRg9px`waJEvPto4qHSj#+OT2P1pM5E>5$i@iA9!w@
zMwHBiZin>?O&(z<F%$T4s?(q7Bg-LKzs!Tn#$<d6&D7f*%>TK4j2>W|WfClyV=_fC
z>_U`q^$YQl3xl=~xMMR@qP*P}$AT>@%{%cAnr+(RcMTzeP>*)%?}#~>DB|q4qv8>Q
zRpc+@^)aqliEE78>Q+*His~^I6X~Wyvu);$|0(ZI23ONhJ7qar^?+f6>rt7<(tYte
z<3U`93RaL!M@eKbDosuy^DFv%l<V+b(9lD-UCJbxKPUq=^|imm6NPebS+-jKLkUW^
zxX!ROHs?k(ifd*?*GXPAdAUV%z`>YJsSLlAn^S%r=t5i8l1gz3aSM>o&I+O!NfpQn
z1IzLNA2p!kmi?~})d7P$ppbGJJB0ldbsf_nrz^xqTcG8oV7ZsJ=-d=xYCt=(h`*zP
zLBAcXiIxmWGjUm%tX0~~%UEIR)Rlp#{^ckkyF>kA&O+Z&Q7nSsjiJQdNYszU<-1?5
zc1UtBC>CAg_c^+Fu<+#kJi7SM^QpV?kZ?7qCWvuX9BZUB?mH;2ldm!=Cp6?Y?9`^W
z!VoIzmje^f$8%Da0gcmgt=jN@{+16vl`~w8A<oyTO!BsU@MjlznJedv9&Odq^NX9R
zd41BMKYcUdUX{{FbAY2&(eE3b>Pf$Uc}`<)9)xaaV(dc1vlZAn+$n+MXtoOdgbC`p
z*A4{vFhie9M8QzA;;Rw+YjzQ4;zmR$+Fd9>6y@Z9A_C?=|2fb(Sf6`rU=W!Lz$~^x
zod6Q-TWe!^{um4JXqdyyZFGG$4iT{jXWjtH&3FHjPpm|#?8#@B@IG4x<r`Xz6X8*N
zCE%Y4_dSX^WuC*U9h+|Zo(EZ(#wnX3Qw?16`ve?D>yXVVh5PJ}Xp}Wzw)MI5SxOA=
zQG_Qrs5=fqdwoBpI4h>P8MCr`SeAo&<Whojw2TBUrbi^dQnz7OC5u&BVau{BR8xF>
z^(H5VmY{=Q#w(?6P~4FJpH5NMDM2f=-tdoLmISJ4P}2d*1n~=Y8{pAi4Gb5-!?qw6
zKxl1m#JC^^#&K&HyfZ%KwMhOjy+SlhI*DRg)_wC(^T=H2b(L=ZxnLSlrt!hRs(+@L
z`|Tj~P}{Ybl{IKIGX_AAViCSL35-Y|$CW^uG{`v1tYeszI@w)BtZ$Chxvexz?xx(1
zcjY3YrX$eadBJ)zGA-d%RP!J0p+U~dI_|8V9teksAUkus9hgLo<HNRTLi3^PA*I>{
zs(u1=VCa*dT<NR50gpc#9%ZJ6v|pPnunhW~?vq=dTO(QRk-mIPW$UP>P91KPC_;0%
z1C{)6GYpZQvRm)fwQo<hI(_iV7|5bV@+(Lz@2j3L#8KOr85}@ZG^IV!ZVpP7LHz7X
zR?6$5rk-JH90QYzTL`}et!tig%ZpO|Gb{v0d3Z4;Fe3&DDuzgg_YDCF6)_eB6rWE@
z*qumDj5_Y&(0n4-+!2xyPB1YrAutIB1uG5%0vZJX1QfA3mqYVW1hlRN2E;kY4{C0z
T0tf^MS6bnOG&(z40s;sCEb;V7

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db b/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..3105d1ccda3f613c65ac25c887fd054226aecbb7
GIT binary patch
literal 36864
zcmeI52S60py2p36!GbU}1(Co~lp<xeQ7sgyq5_J7f=F4H-isP3ZbVcJh%^-&f`Wob
zR1^`TXh5+BB1WSq5j6-1hz&&a&CD)>#(Pa3<R$mMGcdE?obsPDzd7@<=bN+ad}qgi
zXfAzuSY(KIG@V6|B0vzqoK7bY2;%5UL)W2&f*RzZ9rP6%VgD;roS=`GO2B;ts@OZi
zI2v3lUMHR;ZjSDN1rPuP00BS%5C8-K0YCr{_&+CLPNmArt3d7np?=&IzCqprexXrO
zPBA{g0lp$uF4h(ctm*c1XIZ<^@jUvxx%3bDbS-ZN!qlEY!4+I_g<x+VZt#Z^)Q=SK
zyiXNa+Ox=1`AI5}Ctg1)#wU>L8~s6n@{xit_fri9!qB!LQROENoku`aR17!rg9!N}
z5kcms8paIm6cb29UPT2;vxxTg3FdyN{=py$brx7yI$Dq95a365a<QLd;o?r8ZS78X
zoonyxYK<MiYTjHMM|-OUbPLOQE(>(&-Uzxf(3Od<EX>9euoMQCWQ^?^W4p%qE>^^t
zjcqvC#t_>WVH;y?V}fnGv5gP9F~Ow}!4_9UFbxJGI1Z-5Krk5wg6S|2Oo)MCN(=;(
zVj!3n1Hr@?h%dGkHc!w#T$w4bab+g1%*2(MxH1!0X5z|BT$zQ}V&Sz|cr6xQi-p%R
z#B&YtTtht95YIIf<l>r!xTX<a66eFf0WtA2Wg=KzCVr+&ytQluU6>3kS!iOqEW9)e
zFU`VBqnUUSK|!nx8z;p^uw%1vQf!<Q8$T)=KPnr)E*!ir2Up|ZY8<?-FPFn&vpATf
z(8P3wCU#;%6FY*?#7<FYV&^F|F@Qo7qbM+OC_;0%8jeSpI$X_gsG8w$b5L`rIjA|*
z9Ml|Y4r&hRqUKO@P;*EZHAm=TeFi%)nu>KCp^5b#p^0@Nq3Jhla)-_3A56R>2+H~l
zH^&ESjvvPx@$<on8)MfN!Legy*(^i6-!e_K8APhQwF*QKIFX28bVTpv9TOdf?|Xf?
zgS{9ZOcLs9MKO1a4eB9y05fTV7t90;AOHve0)PM@00;mAfB+x>2mk_r03ZMe{Pz$L
zrHG*?Lxal+a39<aKZcv(8}McL9DEW@0t+Aj2mk_r03ZMe00MvjAOHve0)PM@00{g|
z1Vl+>h$7S7L=zaX5u!pPTtr~#WK)Gk76mt?TUU^UMjT0C<l7KMNMssCI^P-}|4UR7
zBr4&_lFgFYl5->}5~tx4aLC_ug5a=#03ZMe00MvjAOHve0)PM@00;mA9}ysv2oTMd
zyhaK_%o#I~X;hLcnKX{GfEyJ}j|>ZordwHHAL^z%g+)d4BDwRO9qIGuJJKV$=uT8r
zKv*a}8Y>zVgU%Hf9U~o)G18%qkq%{ybjV|*L$W8Yk%JIRhB-1raJ`K1>-7gO6*n@L
z8%g)&Mn*>w?NBA!SSaD+f5`^~xCvedn@G09zrZsjyWvzc2`qpBAOHve0)PM@00;mA
zfB+x>2mk_rz<&?{5t0nFkFc1AMNC9TH3Ihy4&a7H3r64~nB15JDljqfsM;1aB050A
z<cO0=PBethP)3xnScCYu@gqV(!?7R1{C_?H-U64xKfw3kn{YK;2ycY>|3Q}+G!+m4
z1ONd*01yBK00BS%5C8-K0YCr{_{S3%icbh%MWsnoAVH+T%hy}qH!@m8m_vn0Y7jQJ
zLzqqxrjxN6g7LpFha}7)s*>zzQBlDLf?U0*fKXmASI;{*S})W)go}v_#{c02xD~F2
zi{K4t6d(<5gTvuV|9Ehqfq(!Y00;mAfB+x>2mk_r03ZMe00Mx(KbC+3i4A2am7fk8
zID0B>XO)?iN8!}u#Zr$2(-W}V1!0WV`juDa2Gl*RJ3t{i-*x#uRxsND%cYh&&a<-6
z8Q*D5Jl`%_JQ%UbH;RH!AHZ@?We$e*{y5)@;~_5>evw{K)D}+=%m$Drv1y+>t^`Vo
z0*xn#UlyyQCQ??TCRo<{QC5-VBqh}do16%8Yov@vAXy{D9<ld%Q}Xl4e=L<EqmzY}
zM8Ae{M63tllavuYk-CROgos2rDN%XNzP$5=O>-QywmSt+yU;XuJ|aP->8!I`_gVsi
z#3_W)e=G=5mX|=kZG^!zVzAI}1Ys|hmtY$rYzAAnI|fJKLuw<N4N(XrJ_HjGJ|sru
zqXdqxzS+Bxye)!1P2Z4T)tM$Ld-uNG@fRy%TX@t636JKjiwYpc3)uliedkVbN(N>f
z+wi(sF)#jk*lwa@oSAnrm%7ue@2$Akv;zkMRK4G5+<2^zu63@|sq=^tO?`zkEpyiO
zPKENYLovx4-jL^+KiZvQqhc0VyCz%|sZ4J7$hkVW)cAVZw;O8*JCD{JRh(i^4eDX~
zmA<aonqFe}(@B2Q)`W3Wk3y!kDh@%=k;JwX4NEK5jJ=))mP@8qxxKBr<iAt)e9G;X
zmY$U+TGHJ&)wWT2kOoUrA*=c<sdR6@!QOHM8Sd4pt+qD(TPs&<Db-l|<=+*3^|g-~
zZ|Scw1w;}=fC{7#Nn{*4iRUX>G6f+)(EE|h&`XUng9x(`Gh$AcPU7Uv`Y+nav+o~2
zabM#$?@}u-g;zZ_u<c1mc2a%MhUUGEdAjj3PUeiV*NPLO^g1bn`{ZAhFLMY<XGJNd
zCtQB++P3V%8pWmw8s)B)Dfe2_7go$FDReAZYiyymuR6TI;c{(XcTCZ%RMQ=6^TZWz
zwuP_rYAAmjYxu(}R%)hlr~m0`#Rg=t6N6QEl)rvZFIKA%d`saXUr$#5$ikJ$Z<CI`
zj?vq_NYwhxw!`j@x7HokeZN$~Wba9p<pa-I84ts%Gun3i(x9=@gD>u;lyulfNA-2z
zSzY-lHM{fY*rqQmtz6r(M)O`jZN+`9`74k@LQG4XRM%2U5~&%xxkle3|HZ8}>W|oc
z&TT_{0(k}IW@NCouaUxEF!PTsf6mFsp$n!f$=1bQDCmEMxi;TwK14vL#*G0s2!c>K
zmys)>)}J47r)bNqr;@h~I#jmAJ<4C&X>(R1BdNA5yk&OcCiQjX<LhUUa8Emhut^{D
zv?Cd;k^8GXt#oS~$^yN4K8l{BzE%SDKraQp7J@#x+eT08i;i^+J|T#nz`u8`4;*4A
zhVrI=zxj~P(_n2cZpWc|+J&-ES)|9G({3G|96?EZ(W0Qw+A>8#>E63ZX>Rb*z(#Y+
zk~rHF!7%OGj@~RS^|G%Lwl@{`8(d4Na8q>Wboe=&7&Z=0+w^lrP(`!#G3O4Eila?7
z@3ueb`Py*1ce`|Nm-_9nInznkA31J&X4iA#RrjTL=iAdN-2I8x1BA|ET}v)U53&ez
zb8i?l%GC?7zB1{+>_xswY1eaZ)*sM*V^?@K>E`^pEc?)IyU1M|-tQzEklzj1ztH9`
zVy`;S={1?S|NGfe`-tZ|SLqe#9$aQyND*JHdA}~cq_GuR!tZm<-_snLoKjq-N%r~^
zuGQT`+c0a;&dACx=<eVGtD=P$%M=$T1|41B?fQ({a7cP*x&OJn$HhB;bhX|(=VF^y
z^sI$ORgcBgpLjHg9MF1yJISix_RNb7Cl$QJf*zmNn7NI&Y$iM7JG*$6C^_$E!|I#u
zHKo5v&r|Z=cDZmx#)~eO?l(D0<nzBxjmXTH)UuQPWc_6CXTPmGW<BNkos9>)=)bC+
z-qoVIsN4VH9etB;f3du_+lYHEyDnX6S<9W%%g0|!e)A-kV_@BX@bnVW`j|V;YF~M^
zCUdu!bnwL{r3B66S5lkHt1{QtCrq4BEAM$fg@4${J|Mew-2LoJ%M~rpP2PD<>T>nq
zGLw^pMKKhuYtER%7=5oNqIc35bnMT)#fA7p;s{SFH`0q>jsL<jN>7?^Gweyn-~@>f
z>G!^Lz~J1)xWkz_I#(Z>KKMm3sj%TvR&b|DwZo#E$Ay;+g0}En#;s>UE3rQ(c7#nj
zs4xA9g418_O7pEz%9tztw~rf9-ztu}rsqQ6O8V5djsd?fde<+`iT<MRtlg-j$1PiL
zM!K@ANAD^tkw(>km=7k}ev6n)j9$CL_mS!9m_+#kzh6^tMBY!_y84RB7K>F+vch+q
zCkNHKQGJj0zp}pK8NWDVn!HoS-M0?1$M;?vD7s*v#gbnXotin%Y;{nk$G8*6Z|N(f
zhXe*>`=@vr)?dD&(%jT?MOUvj?k&$%C+)`~(knmBet7Y(^%ofZrakqi^K|+aKFp0%
zJhnL8#cBLYW~um@32)2n`iq|L&zs^fAgV>lk=)hN?J_>Ccd7aw{nX%m$wZ&ZOnvQc
zX9ge9_%3imd{=3ly1!iEl+e`g-nE#;8)SHhURKSWb>luSI9+mWu4~@4U5EEf75Gkl
zL>JM)-j+&})e%*`is0$8{)eZ_;XFOGGhkEA^|8$-ml}W5y5PCkYVF*{-kyCI{1xmc
zE?N4t{$`SXi@A4eX4%O}sm9r=7CB0roZ{jJ*tYIUG#VuRWc<r`9}C@wZ=-b{Jlgxj
zE$g~mL&q`GIT4hCi)F>TG6E$VIzx9SOTDbheVN_y?(mG-7eQKX)u}{y=39<RiMxu0
z<B=!R7H?l0+}L-3m&z_$Q+?=|<qw4~-PyA>7J0_gn<~$TS`afWqCAU=6n3{2%1pR%
zrjL4C|L0V_EY>CIPWH+Nu@;2VWmTLFey@Lir@7^9HBZ-L*G%zn{=5igaJihq1@~z#
zacUfw$Z$7<m`=I!maFVoGwCy%)5^yWoarg<TED5@^jrzO)U72Hb4+956j7h?<*ELk
z8~#Js_@6BDlpxtIRzTZ>8ejng00BS%5C8-Kf&VT7-ypQ%VbaJ`lapZ+B+(x<K7@v&
zWY&%&d@_W>vqskVvo`iWi_tnnJm7>?M&nMOeM5pqlCV7V_y7C5Y&7&sKx2fW!<X#i
z_}Cw~1fv_-%EU$tk8DRB0!1HO{C-?JDDMgDEHyv){$(0T*Vy!JYkI<THD-D7S62eR
z^2;n-=fhnUzkZg;-xwp5i48|Vqn+}jIk}(22#KEzZblz1`D7H!`S{@rXYv1b)G+ch
z%wHVmp88F>_oPHZ(qZ+cf+{$m?o!Biw|?cNnsIk4!`a-NjlENSJR&=!R1+#Z(?#z-
z_SG}iY0_~IjyBkG!?vB4)%9~5r9so?QB9YoU&uEb)yj`0-w6qO7X%yssMz#Vp4j+O
zP1>&K6^kbvc_$LQci+p3>5h&s%ib4xS<aFtSv|PA<T0g$AT6R=SK^@(*cerKUDmTZ
zS0>tPNn`HJ*po8~SFL*HWM+I9dcT>xQ<Y%r>16D=%slU?a|toGQz|^PCN?ixweRM1
z%6rEh8J8ntcs04)CEJ=i6KWiljh6PSd6y_1>`>TZu-kXH@<g2=-pd7P-rwyfYg)wc
zPgxsjP8J{h6EQ;Nqba@NZ<<fs@np|43+g8NYbBBl+;|Ql_qsOhOt;>rJ+Q6D^qa~n
zHFp!lO|%<HbL5NE2?|8Z4h`SgmqOlbz4b6})!v5(6H6sZ?2{Xf*Gsf<GM{}bW4!0W
zQ_;Emf5^66*(RdBN7mbn;A^a5ox%@2l5x8@rp4)|tc)fxyCNZbhZe#YYwAk&o?umc
zdG<g8wPG_-E%307Re#{(&EHhoJ6(+m=6L;5l;@kG;?N}-Z&qb0xv}&N@znlyTi&6D
z!#{=Ivh|(rq+lqWzo2nuYR;Z8$EKW4(yOboyn~U))cYG(5Pd`s*G=vX>?wHW?$D>K
zTkqssA#t{XbYk3TOH0fdjlS2TK4L67_U9g<Lws54NKZQQneJcjNp-Tv(vyDn`S0(Y
r>ujy%0r$Q+5w_E&*(L5o#u;Wuz(k&A@&3RrMn>JCB%4JXd8_{c?;K97

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db b/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..ab1762634ccb5a0b9a25ed5606495032285f73e8
GIT binary patch
literal 45056
zcmeI5c|276|Ho$-!z^ZyeH|0Bn;A2crNxp6Wr;2#W*8#7kwh_~RLBx7N}IG1N=1@(
zX_cs?=xVviO=&N3e{&A5+qZjX=JEUMcfY^SG4na^bKalN>%2bCb9`n#a~{k>57%%m
zhZGtUAI0L5%n>pOBobjmA|Vh6-1w8ff)_NuM2*ML3i+4#pF$kMlwu`K{DP3edLr;B
z;ze9DE(yoL4q-j9=l-b?*bfK*0)PM@00;mAfB+!yZz2#WDXFBPf#ex+S?owo6o<>2
z!{V|g)>8JK4z^wnBrjV#R|nF>UXp%z2+7@Z-h5k6Uy_T1FUfnsJP&UNlG_53z1xDh
zuJi1@NS+SvuD13L#w7mx)hO!Nie_LYg;uiHKqA7ULpUoE;v)IUKvp6*2Hp;w&<~_e
zL>N0XT1iP8xfrexyo?nd5}lCX9v{A(#pOtjo13>_j)M;gPC^zYE0FYAR0_?&MgrFO
z1=fgUu{n{GRnR|Zz{#I9%njzE&`N6B$iOk%iR=hYFn3Zz;s=d{vGh+WR0`F=UL38Y
zGSQpxgoH#+{G<%(2br<#PbwBvgLN~Il1kdz$UJ-aluZguMq=YqW2bF$zbGfp*3Qk-
z%b3KX@Spti#-j0`=1>gpfc8+KT^7)$1+-}aZ$ecp=up9c3MN!chYAa*u!IU0RIvGl
zB`if5D`7<nq(P;O9S2gOQXm;B1=68XAR#IRQle5IDJlihqEa9+DkT^y$L)>zgOzDx
zF|163m1(dt4OXVX$~0J+1}mGxt<2$8=5Q->xRp8FiV0_#aFz*YnQ)dlmW4H$u;z5Q
zCd`Kl1ERq_rBR@^G`OcU*e#vHUuaZl_jm~Dn!~lt;o9bKZGIB2GFB0)Lx)MxDbTU$
zFey4riVh!@4j+{cpBDz)mI13VU^NEZHkiXOr<*e%$?*`<9S@<7jfc<?#zUx!;~~_~
z@el$y9zqnyLKw<;IN1!wGro7S8FQi;bJ7k!oUp?WC+zUU2|N67LYE&-*x`p0y8Q4j
zy3jQP9hkotx^Tur=;|2{p-X5y44Di$lVRweA$%c>)n!lGVMBI87%WN%8zyc6om&cw
z9jZ$=XTsMl&C<YJ46Wp-{ZB*S<nL-Abut#`zoJM%uPV~~CsK-u;6K0u2mk_r03ZMe
z00Mx300NsFk!dJ-0>SA&>&Uy)2?+iVfq*~|<m58(2)QgoM(V`Rcy)dns`bBI_@W4e
zgxs4B{z@E)Oh||{OW?#W=fs;Nghz)(a!go}T$5=2jMFqYo(mm=LZWI?)Y0PJC>&nF
zJtl!07SCDe;Y#9i61b#<ME;bqK)t4E+3>l>yq%}5?fuJ*vixLTAfW}ZAK}M;T;8B=
z!a164Eq<fyt;tREGz?k?N$XQ_%%xbWa5HxVKetLvOjFty^6SQq_};XwsW-F=ZCCbh
zj@@w)wd}GFI{5h4PYyQ%R{0goP;xJLG~ztv<lbAu2U^VZ&6R%PZY*-MPF+^yk3V(t
zfvNJQsEF|5rRxHjt=Dg8J??yR!`S3<(ny%MVP4w-@lPSsz7qX@ZEc}`wR+pyRBHHT
z(X%Z{s&#&`p6&`CX_dHU#gU^<Uk|*mDAjWwmeQ9fA(TCN<EfDMZpqZ$rW+&o5YpK7
zMWzOCJg6BIo!W@?s|G8RrY@B)*Nfg*JNm?Wm05wm)OGDGb2@s%A~z8-w|JM{Dy!aY
zghU`I8Av8YAB{6y>$LW>G!id?6sM@5<h#V8;{sb7mvm1zUX~PJ-v8iG7e)+;L}ehQ
zFk;?kf@^DRyH+r_^*(a3%Zx=oy{K1GK4{2E|2pu>zY+hmx?#_k#L5y!&%U;M)eoF#
z{h?*G>*$GAo5};C9-Il98ELQWk4!Gsli8ZP|GMvqnf>l>aF~PAcBd}i`BE=Y7)J13
zxBl`eQs+BQrDsR-?)RPi`mnI>L?b7<?YQEygmtfXRbD#2Z$m@thZlaEWU0SdZwSo0
z;&t5FYIeirUtT>k9F6n-u65e=SYgMDTh%#grAAb>t(r4O>5@M4W2YXLTVrrPD!Q;w
zbH4K}pTXDNy{Sc(%cIJRrL1^qrpu#rG(NYmift_iKga0QOrIk`DVN{Dm8|!?^XS@3
zPb@KS)s;Avq{<PWlN8>GzX8XzQ;GRleMEWM{hm+z=AS&{A=9k^f#YRU)z+7xf`bgX
z<mk+^WE;f*&v4JZt9yyvC$w!$bVKD2ZSOtNmVPEMr>X~w`L?$zldv<i?(lFbp;MWe
zHT7Oj-108v=6tJVI!?~BNm}Qp?o&JZ<&Oa0XO^^cD~cR4Jm`1x*Qi!&yU=%grMRaN
zb=*u}Eul75@-9e<zs4mly2Hs$TuR+WH~V|vr^*iZ$?~?iJFKj{^6T}CtrAuqE@Qsq
zOswpB<lD5H)flF#iumWHZ;{=vPfH@}v$~!upF(^uQ8$pwvp*cLH1zR?nWg6>O8d{`
z%M3r`4YnBO4x7IVIQNbh<I+V!%4&S_P4s?x((UWDXqwL>>9}Nc&T-Qj%5Di2wa>*C
z%)op=VGAzq(!e{!l&r6qRb4IaefEIF7spJGg~<k8ig|zU`^s-^N)~l~`S!oJUtefd
zxqhR;r*C7v_g3brYq-c5n&fspJ9bn5W|M;Nje8Ya^anVrYCIlCbvqFqU0?SVeAsZN
z@y%W7td3UeuGZ{G6=kiVZT7W_Z>`gRPs%C%vc*R8>Ig=`=GEap%yZ6F*$+$H;Z8YW
zL`b&p>(+Celd?`Tf*$0(TX`E*o3MAyv?Ghtr*978mA=ivUzGUt9Pw!Pp1=3qKh$iT
zvGUXF==|1IJ|07!PKg!yW4^NoTuDb>N-FAY@9fjkLJVX-xKa7GP?Gp0rBDsopf(sZ
zn4GPdz?2O*v36E~(cyzti^A;j!7H?_Ty#wiG^{a}+04y7apB0vRf-a54XHhS#dS$8
ziA&XER(S4x`u;$<gZavuL(eik<Irjyj)ODy-CUc1s#e(*y0fD~`gXAf<>|n-eT9DA
zs*C>KxAn_Rw?*5x$$iyb;QPs=#8^jfr{kFK2LB}ny3UqP<ObSD2CnH?FcQlmE68Wn
zRM}7Q?0DY5bj&a``ZZS1rHglL1a*4#P8)A^*WPI;is7|QY@2P1UT3>DRb77MyZ!T&
z=TFw&`9=Fuei&8(6>Jlr9qi{)6mGPa(W2D-C2EeJ%9W^)uXTDSo*o;hJG#azHLTOT
zRjL_Ty5q@QUyb+B{cGg^_mLe7LEzt?=Rd##2mk_r03ZMe00MvjAOHve0)PM@00;mA
z|78Ru#ZegOGxV|f{|JIO@?X|L&>cVk5C8-K0YCr{00aO5KmZT`1ONd*01$u)h>IgI
zWAp!q2;xHk1rPuP00BS%5C8-K0YCr{00aO5KmZT`1pa*lbj95<!vFGZZ2sSaAol$G
zdI%f?0)PM@00;mAfB+x>2mk_r03ZMe00MvjL_k~I2_yLb<BZM!Um}Pv0Wm-T5C8-K
z0YCr{00aO5KmZT`1ONd*01)`M6HpSTWB%^H+)D5}h9nL{-NTKo{_Q;l{s93%01yBK
z00BS%5C8-K0YCr{00aO5K;TCLSY_z`zcyYGLHt0pBB~Kj5?2sAiCc)i1Qx-L@R+cR
zFhV#>NSDr*4kw_buMnn6KbJm$ug2#~8{uC|J4@s7x9|+SB0e7P^`kP_0t5g7KmZT`
z1ONd*01yBK0D*rC0ZnmRWI}jYU@#}18%SYLX`IjyM&Q^Nkke?|0@D<dhWKo_^)gQK
zL}U7&jkN@2DVje?PiIc2@_oQxwQi{)Fm0hOD9vW52}(2As)EvNx{9DQgQYAe&7>&(
zl%}yP8Gm+6QDE9aK~S2_kQbC@u%`%0v*~hz(hQcYpfr;r^Pg!d$9%fQpB*C#Oj{5H
zrP&N=L1_jXFDT8X;{>G{EUch3lY;pv&7#toe|AhtVA?`bP@2s^3raKC5`xlfI!aKQ
z!4emgW>Um(;u@G(RzgBjOnitme@IeB+&~a_5xx<;rE8>d_)y$=oH{lM(~dEb%9ea8
zISai_;)8@6>M%+|JV>ljOc5E!Z}5L`;gOXkY%}B#Ka5;|9Y0tUUOL4ejT!$ATL}Wi
zjbb~wiKoy}q!oXZtf|PbDcq-MSzDARMZw*3`qqLw{bn>VfJa$v@tyx2mSRW}1&fv%
zQxU`bHAaz4PSq~?Htl}(vW2qeugy=g(O5KNxr3kC+?Tppi`)0zyTc<Z2{g&1h+y*4
zj*Dha8fRnLzSaGHb#;1rYGcxNb*z%AcY5v_YX*@g%;c`Ys3Fy(B@x-}TK(+yw%tRc
zoxFrQrHrRjkL4DZ%stK{EB<WqhXG3jli1bYBG=vt>Ed|pU30woo{!Oxn9>~mm!rj%
zJ`tH}HyVVQ9MF`V`=-KsFz{rTzP!ROckjsF2$wsmmv+I-eE*J6YfBzkL9j^+5lqT`
ze%2vQyH}F2@c5Lj`3$jd)!YpmHD|7x>JYuv$NB*Dm8AktH#f!Ia+n!(P*LUE7TG;+
zbdC16`zqUQD|{CX1<IgHnLM(*K$C2S2qp=$Pj>a$cl28f9l1Pf<*0{^v2l7#<(;?R
zS;NXX%SYA=Guf`yp@O_5r65-KeOgSvYQ*eFE%(I1O}ty9RasJ_z7KfhDFRJ0*dmy`
zHg8s^xw?06$J0QQ!fNqLy6URxmG4z7e*JvVidgDVC(LB-!Cl(6@l+q=w$$q#cL`kC
z#amXk6qtQ&C&yMzRsExzN0t+4l1&%EWU7Tx>1m_+J@QQn7m{QQ(!M(v6h-KecpuZ2
zBu7?7wh1$t6|G{W){E=Onop40-8k>}UHbWX3*Y8DknU9Oe!safh)0$cXp$ky5M(a#
zF|j&y&&m7L$_ptu1uI%UluUhke%RD%N!`*Og|0ARCU+;LrO%-xd->aF)p%}fd@{}K
zoAT9jzwa`fx#HQoOa~txSw^5qk%k~w-8)x`7dfqqZn}~?r7hkQT@oq(y6niIt)nV&
z$&EagFq4isOa*EB1zGP4dM_HoZyJ?Zuq2n>JcDU1j?mT#s@C9<i9ebA@vVgjr#r}T
zQ=GHzLTvX^WSUNd+k;Uj;wcu__;Kja#x3#>*koZQZ3_D2H!Z$-?Y!^$PCJ9`%fqA}
zJhb_$ZGT<Cx*p-BJd;Nz2sSCo5OlRDH0R)%h7XtP{uo>%R#3-O8r->T*7EC(YvxO*
zkL<P(W|A~xYd|!$j6!`irQPR#@!5rpI0IBLQ@Y-?Qz86!Tn~>dEzqP$Ly-Nc$jgU^
zcI~WSJs>Mq1Q#s2)K}kIoSsp)u3&M>qKJ3GOxEs0^f$E4$T@%Is_W7x+BL5W%Fb2l
zM^D|0NXn}B8(PjI;{}=&X$YEfIl|_;y4Q@`t9(DSVXo}Zwl0XY{Mg&~sYYuQ8EJSx
zn8|(foVpN;%kP{cY%Y^Pjs!K<x~3<s%9U!j%-32H{*u5W;{=)%X$ZQaQLA6z+-K*W
zdok&an&sTZO;w9a9o4wTN334eAX2@AnJlpOFR(@H$SGr+=!DpWM~R)>!$s4%W*cg~
zdB>a$O?hOjK$9X3L1^p(yOb!g6NGg;EH!&Jr)8%cSzMT~P_5>2okrcv4+vo<f4k<p
zFs0zPo)>nh(;v`^xu*kiNP$`Vo4YeZ=006xA<H9U1ez3S2$COiDvn)Zh0j8NA+Pof
zN;ZAyt>BOPUeBp24CFMI#S1gJX+NuZNenSymWpHcn|l@;TJx8!x|nCs-yz*Qd*x$;
zR32ICXOlln0z?>sHf(utt$cxWAtk85{k==^>ZeLarpmoR8{DpJ)jOoza!;7ay4}aU
zO$LG!jq3yNKQVLh+0NeDdf})AHu@CeruVSw2Oe2cut`ydAl$AlO|6vJSG|ql-lR^9
z{=gSP{nGo77V2OJX6d>%C<!x}X6{p{S#Hu@)&CLwGPLsHX4CtM)oWF`D!jb9O^ffZ
z=aJC@O^P%GN!~eUG+TUbr>yQ)1GD1H5fUk<KgBRz!Etu0>#o|ONMR<Qe<qeU=3NcN
z>T=nJ_Yaz>P-M=o7&^JF<uG+FLax1>N0tz1Qlufs{7r03j(l5d(oIxna^}{gmT+F4
z_$YRBSV-^rup>w9g_(R=7_jpJr}h~(snNglQEYP6(SZG>ZbJjkjugr43#oJ-870u9
zNJCI~wmrhX{}eK|W=cv@h-`Dd>tH=0Be<$y?}usOn032_nRMJCrZ;M&G&u0q#KB$p
z*7J{s-<tP?v$7Oriy6q5%iDQmae*d98iL~5X=TO_GZ(Mzbx2=&(6waAW{<f!OM~p4
z&NmHoDPxWbGwJoA=J?|i+2`F1Vs_p#m2$=(Vp$r@s{Pz@zQ?Gs>h?1pSxlfwk%l1B
z#eBUd;jMaw2M?RpZ0>z_&aNV5rJIY{9QOXS#BWY6!b}El-L+wRWp#U)+U}1RjkULJ
z)v+*~7O^(Uo@v2(eNXjbAW}ku&Xby$t=~SKO_cNeq*+}WQPJeP{6XvQ=>wD*6n!*q
zd`gR#K#EgTQ1UJ`O!*wU;ze7CiH6ZdmWt&(CFms@C9{ffD5Z7q){SoaQAyqDXUNd}
zAA@Beh>Hm)39{0W_!j(BTpIQve-~H)0YCr{00aO5KmZT`1OS0C0z9(zPj8)nyhSX+
z#P}FO_fwFsQB?Ag?_W=y*CR!i+e!NS>ZC<aQ{I19`oa-mZ=GLn``GUto0B>)@1l(L
zqwF>rlcQ5K7ddappMlYCCR|<1Ba;N16y-*X7_lsF80o(-;eAe>`)`lBJ<rX18NY+K
zdalkJs?70@Twx~b>~if2Y!x*Id+du*dT;mLlT_vEb*t96mGS5*^Ol|DX=_Q$9=~Pv
zx3|kh0O?$Y^0*t|W3X(!io|Hil_%-<jl~DE=gr)I=~CWmC!=e^Ji5qNVtt?G?5SVy
zt!JG|)5DF{SNDnyR%HL`;<R_xwAT_mZB2n5Md2u$;nH}GT2+*J+B*aHi%HIW<@!Q<
z4F`h4!_YR|@g{R&9vdWsqYUh>YtuNx_pZGEZrB|d9ABHZL`LlWep{Cpqy`>Y<L8t8
z*IR#<B7iK~Qc21EEOq8(pY_g+)b)LbpJd<uaLcdFt%)}j`?g_*Fq6b>d08!o3Pv~G
zt!sWBlZO4J#{I?ZDzD@lS;rHD!Up_!WOczNMfs?vrS$IOO*2D_7pys^wtv8^q~6&o
z6X&g@pw<}XA2TvPN0`YV%1wvLu=e}cVyCT-c{T4fNwe$WEcua{DymCRzgeM+cw{w!
zCPn(F#`N7#f$kq(m6vnc&-UCmZA`A1w)D`N7Yy&GgTn;d7@;>&XH{GeUtt|Ka^USJ
z!&|th&d^W&%(}Ce)VJ!3#oL&!kl~S41)3D;qnf}a1&zg*wlwwa+kYzbTU76}FV9O{
z(=OHeqDhySh<96sk!)_-*#6s#dok~)?JbGAz4xO!I^~e*BWJtnHn$5G>aU#OkyQkm
z6zQWHIVNNJiN<SIes_;VtmYwSZ-3mxTq;R@uJR%xeI+p~RG3M|xx?};ar;uAD#RT&
Zzq(1rW?-`iW_zVhN4x$u9TNuXe*hRnL686d

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/pkcs11.txt b/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/pkcs11.txt
new file mode 100644
index 0000000000..82255d3f4e
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server-single-alt-name.crt__server-single-alt-name.key.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/ssl/nss/server-single-alt-name.pfx b/src/test/ssl/ssl/nss/server-single-alt-name.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..3d0fee97935a0513dbaa0979b6754b885a6a7c71
GIT binary patch
literal 3213
zcmY+FcQhM}zs7}#8AR<>v$Y$0)s~9Aw^~8%mLi0pF<!NW*n3m7HCtQlP1USbtvySN
znz!#c_uk*Ve|*pPoX>O4^XKz{V#r_P0|=lPay<|Ue-u3G91I`=6ky1efEe<}f3Y+a
z13LOo1S-IQ*8ZX;d;s3xH}jta0A&G@{&xd800gA~60a*{1T<<5QQ+ef<Aq^B6?^x4
zCuVD83XGygq`&i#Ij?yP<PJ3RnikFy@Mw}F<=UzjsNierGCzF>9N*Y!NS_#GS<t2S
z%&#-Dv21qg%e6;))(emvIt!KzbaeRvrP!~vh1iCgWMgL<>$g;4x(al;nZ*5}XSC6a
zcgfS(Yl&)0^*9ezUV<PqetUAwjRNQVo#oOMN#;O;US?TrQvYD%&iqiOL!z9nC|IqQ
zO?4?NN}ig0mZqXcZSs<F-;FOxo(OZR-};dE)iTl>;HYbu)i9V@2-`cYv)Qm#=pXW3
z!`Dfy_5Gth$kFIJ`n;p>dAt@jevqQGq_HA;%h-!RWXh&j>?JR(+V1{%t5F;F-mrFS
z``T20(|DVhb?3CiAO8SFS<QB(=O-82&>l~)`MF!gtB2_C#|dOHIVkFI<g<fK7kis+
zq9NVL4&L@#Lk4mC-EDLV?`!q%wb<YQ)6z#2GJS@f#GF27J0ao^^}Zize^5zkr&4(g
zSmdX&B@cZDYSIym^Bn3fbF@~nrP}e`dY|DkT#zwH+LqRZD(lHTPDDGjq4CKkV?~tA
z#8~4wnx*;R!F7TeJmE#h{XCZ+Wu6F9NpY>URoEoUt<%xjif5@x^;l%+tSZT$*OeG(
zq0;JgRzPy}hiA#5ji<SWbvweHwRJ{ae%%SUqg78g;@!q7`_t7d%G6KdHtR1?6%+=C
zV%x4mXQ9P3T&cDXj(>N-#h*run>;g5R$b+!*e+q#hRf4zofDUR<%tvQfAE|mFQ77Z
zEN#R~-DGzgh-+gMVj)?~Hq5!osB3olCGgHlMLo;7*&$kPGt&?(##x^>cE;dx)=`aV
z{Q~X8b|Q2a@ca<scZS%R1{2lww$9b{CqL5F31g|;)i!^swv0BwW~&VEEX_Vs=g(@+
zG-*c<d#BE>f)Y^3{M$)B#632lcSAuC;YuBihqrAD<*P!$3BOL7O3Q&R)*MggRr?`M
zQ;2J(vI1f}+>xY$`9iOq@T~smf@foK{Y?hC=h+w$8;^F!OOGA;-@3cuEoh3|GDM4P
zkrFyS+LI`ps;$4XSxh+4yLJK{9BI0kX`>RJGR)|n_&h7jjZV4}ro6eyGXqP(7@ujs
zb7N{#@o?+igqR+LjLXVb&wQNf*F9J^D)F-Raeh<ssEE8)>h>2O<BQ(?G-{NsUqP9%
z@GE~W;=o8~R%>#r5$o9~ZV}`uJq{oUQyHNE)N_5W;fbgvf8e)ASCNnC)CVT;h&{H;
zq0W!243Nv_<i8JdMK$WnR@bD6#Grp%X`Vv#=SWddRp~&^`m9Xx%bAnYWKxROe9f1x
zzzwfa0I}Bv401buuQ<mxSIa}TveXx7k*8lTuU=N?jj|=-wR~%$C-D=hRfN$_fWLtF
z9Pbp0iURTb9bVYWvz>KkBy8c$(m!$R7eV(8Yrg8dtWLWw50e+D$61Q?nfL%_HTqo*
z44ek^wuV@8s8FMuqS$6L87Y{xyfhEdsTL$l$WjO`6OLmuyOC8X2!Skumv#fsk4yHH
zZhqg-p|=72<FQl+rXPvorfeKwkCZO%Vq(y~iGZEYQabq|9vU?BXv1@`E^b9_wSHrh
zi{2%fvP?2@4dZe-x&1**&esd_oZad#+bc7^S$XA5)W02^`!*u>b=Ws{SVrvx8=_>V
zlQB=(Ys<9^xB_|iwZ~qo^n#uKNn$7ZX?1I9=G_F(b!HeqlNT&2ui-gJxpbKG-n{tI
z`G+*t=fL1(P>S5|3yR&6M1B7N*elOzq|eOsF0!s;0~^d9C&GB4BIQJ=@$^#%!mu)V
zk15d8tJJw_{$cs80TE)nle^yr70VOU4U!+-^uA~(gsl>I$fW#pX8ZcX`8ltKyA7&&
zXU5T1fvF+CLxHo4Yl8rcf=A#F$CO90G}xR21mmR`f2Kt7tp#%N7CyM+mK-B|CZe?U
zrJD>?zUDm0;cF*R75+hy>4}tucuUBLN;$)o?Kd7?kV{1Tl(q6s`Jf*+GZSCMNmvdo
zDodi|5z|O7Y;t;-5O2?U!i|6V^O2qkj`6!MZb&jHdFkqQXRQ*6vd}r6bc5sZkeK@u
zyj!L2iqJeLS+U{I+gPB9SNK-uEt)z{D~Ky#^!FA#or|8Fw|V4EfYu6n>3tRvNR+rB
z9^_ut^ceTCTQoLJXNH5{MTyN)F+Mjs`6|jE4xZE0?66ZGoVa##nvMacv@Ov~@FUz!
z-k`OQl5Twb8jzAF_>JJ1o~a+{?E{m}SDXT`L9j2iN#0Nlq4NI`TLFep6o?@d{)_ql
z-UATX|7eaBfM0+C9zrp|-T!Alf`9F&CvV@~U8w!xU;6<uz`;5}rC%I(O=DAG4h{Iu
zfyYF0VBPDD#LN{1BR)&u*LmY`?(mXVFUYEwkQTypC*d{mr%1P1U&fCHUMxR5Dw|cK
zu_@4J?as$u*4uwxHeh^s=?TZ0;IsR<smEYC56A68aKxRRme20{aF1G6tx<!)c3(;U
zSuPe?f*X77OscTibpC$l2w48`D9LU6v^vKxr@(zOt4yQbKV4Hav9O1psiiLN30x!M
zY)6iW&>RvkY&-y(js$%gatovISn!E^b;;{w+qY@o$-*+NaP8@6qWnAEoO&{}7jXdp
z2$9v^FFUQoA|^v=xLvatwj`Dz0={p*k$Iv0d1t8{MSctEsYr)bx(t&YL}kwfm~V7o
zo>q0UE?;~iF?-QS9hAlDmv{E<2)vRq<7kkgAZudPCvIh4dE;_0x^}?u=QJe@NMg1A
zPK1L-XJn*$r&Lbw{R-~hYn(l@V@bU{@#GE14uXSu(}zlJ$zq8XQxL*z*xp}^juPL0
zE$5Ifw4wq^8Um?8KrZ|2bt4~DYr80l4bR&e-MvllHY)R)RIC*R-85RTtO@H#9mDl`
z8|vMWpy2R|{wSuZRWCftU!qn&MDR;IW+?D)#+3IW9<-_|UKR5<I6YuF_q?&p8N5i!
zp=XxqwuzB)o5s7RhuDqCM(urBzZ3W0st;hHiIIyk2+o5<zOlcdXymM#iKSIc7gqoC
z*#&g&m>pds#^888r{C!!@MsUKONqW;*aa&(YGG(iW^)udSB4m$ji${BdU1B)4wlu@
zWyVS9;#m&;ARaXeHXHY8JdmkP)sf|%fPv2?w9qZ~a?`EdD2IRu?a%&00wFm)Xo8m8
z9zWwrCXA0yb#|%&2FFt0%Jr246ce2v=|*cxN?q@M$ceOh(n&f};94T~+1>T29m5-*
zCI9hv^wYL%x~pw*cn27j=gw7JVgO6h?O~Ndvj~zm^KT=}$+IPkE>p@RhU<ZI8~*J}
zhl{@+v&!Q}$S!(+9cGGbzS2>^#vvptoheges9D8sR-`G<g1Jmvyq1=qd#&Pev5_s<
z!l&U@suDe=d1R7RoRmsPB-vpl4*wSR5ARmjk=U7pqKFxza0VYjmDd;|+K#AR9*9Y(
znG7z85MYzbJk<!4(VexDn#avEesv$*|2BDfdF*?AL*3@c1h3Jy2=mlEej>VD4Gt1R
zuwEG7hu<T_>=h4$5XhYf(8Du?@Wlx(;RzPYPXs#R2;Xa2jY5$v4G(6CdWL;}TGAwR
z&IpuAB|$2#0gNZyl!eq90WZn8%6Lqci1+f=sfnzf6builT~COll(_O9p|~BHvx|t4
z3MNZuc}W|_6CdZ=T*9@G6<wi}HJ-+b?{@EL_}Q<;3F?bjT<SEbPSma^er0d{{BvfJ
zlX*Sv!?;nolq5SHOCpJ+sKdntw#YvlmRGDc5%;Nf>6%B(<i;rBc73>J$_RZlD4Zi7
zEck}L)HBFfFG52{|GjBO29Ydu7y;QYee1QY<mlkuv%Ca=2r0_aY_5Gh5dK&XZgHb;
z2Lq*h8t?QDWg*h%AwKK+$`$ehPy5<yNH!}M%m~3G0LQ!Vr};g!vfRQ^?@=3t2V{Fm
zQy!R4eW8=bI7Lw!5gsVl|E?nmtq2{E=IYU>LFC(%H2$$4vg?aXVI@<;sZbFp2b2Uv
vC_q7g&qRm^q$y2a!92ruQc@VGrKdep#<Map)c_JZeamH-gB0EWcP0M|mqhSk

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server.crl b/src/test/ssl/ssl/nss/server.crl
new file mode 100644
index 0000000000000000000000000000000000000000..769196dda6dfffeb4141ec007d6e276d3afb5e84
GIT binary patch
literal 418
zcmXqLVw`8t*lxhf#;Mij(e|B}k&&B~!NAGT!N87<Ih2K&$2=spxJ1F(Q6VkANFgA<
zxFo$OH8{{mAvoAap(qu|DK5^;&r>J?sVYt_DoZU=NKP#(DHi87v@kR@GB-3fF)%fa
z66ZBBGcYkUfpQH*41|~%+0YcBIfJ>0k&z)cx-<6WM&pI2r!*dm3egYCR+DZEcFbs=
zJLCSW&CW;U#5aBOwXHll$=p%k!bPiXhut}MT~u<8-g_X&?EdN?ab}a1JABr;+ig`=
z<67*aH7|L#+SOR4x3|MWJEoZ4vY)6nxx9MOgT+t(bDezlrzuZUzqqQ}z2kL-Q>O0U
zHbE<wjSIh&+P2+I(flFf&)N8NZ@bU8AI59GGNp869L-9#II(HANW;al9|>u9KQFgj
zG1J5K+BS|et`!}!yF)I0+pZ_l{^ZHDOBr?gx7Y$1Zp_zSS614#>}BGLu8NhBoGu3M
o9tXbUKYKSkd*T+M_r-Y*A{D<U7Q|28yuIn;%#d&L*G&^z0V1ELsQ>@~

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db b/src/test/ssl/ssl/nss/server_ca.crt.db/cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..0c8a303d1121dc443d26281cf1c9d688ff3613ea
GIT binary patch
literal 28672
zcmeI43vd%f7{~8&NlIGU6s<-m*b@{R2FhOUlC%y&9|T${l)iup7}E5hv9+;DDh!I0
zj8IfS%S%B~5fl)q$Ws&;gaJXFD$IytMXFVK6fIO#1Y6wQT+)_N2M5MM{cdJA|9$=U
z+uv<6-6TzJcBacG^Ap{k2OK_LWTF|CWs-TGVHgglFr0#y1`BntfFId*`p+cCB%r$@
z_2(IFcq`Lcr{5c~FQPIc85iIJ0zd!=00AHX1b_e#00RFwfn=@LV2EQ2TxCV_6laOU
zRaEBnj;tswbveV*a%?GiHa=s-VA~j;w((gb_)t3^?+}p5I8Z|!@~K0qqfjml_0V>3
zplz2sh{nNctsyp!9Z$!5D+=$IoxYHRrh|jhdbx*y1Y-)PHFOQG!{zl>$exgix`Roe
z@p6wu!B~~Vh8g1G*m)^FM`5WP8XgiV#V0Q%HPhCfgR6)inUgU*C8vNNW-H+HM`UE@
z+sF)QStEvIW~AluDXCdGd3|{Y!b!l%gp)`#tspf5sY)cpL{dzoMbafvBAJ<F7Lr*>
zmPoQBk~v6Lh_fVWg#tNsM8rctfq96FfQXHNh>w7Xk${MkfQXfVh?jtfnSh)mSHcU#
zN1aUpO`T2D*+iX9)Y(LxP1M;$okcoIq@zSSN~EJiI?6&@Ewt4_TP?KJ5@@BK7V2rG
zJt-f70y5E+nh+UlqANAgXeER%lR&B!Nqj}xTco{3+8a00E`g4uk3>mHh|DcfQW7O4
z(OD%rt3>aMnT|D6H#2oJ)3Hw3EJ~u8SSphEDv~Trkz@u%k|ipVtW%K$pdtyyfTU0q
z**1*gQEJ<US%SkXZQ)=U3<t|#I9LY5!7}KJWiT8pgT7d{^Cf$ROpI&E#!)2MJ&Gh-
zNRdTtQf`wILy~TUK;Oc)a0*E{MP>&oDx|~{$-PAsJLxNl7P@auNk&1XHQ3@<Ch#Is
zUW!ljc1MNJP0RMsGuSSKBstr6A}_a*IH|(7FcI5u1{V+j0zd!=00AHX1b_e#xGo9!
z8PybZOjOhjB)S>V^x?__jk@x#xMvK$$bcxRFL}^tnt!X!P0MAOSD1TIvM>-0&~o`|
zuCqB$_WF2_+wJ4iQpg8t{7ARgH_0RCW@qxbxtY92#s#m}<u2oWq^q|A|DCR4Sr*&n
zv`@_5Vt;wvs`;ONA9bXEW8D17-!8xJ^pIV*S6A+>d9Z%i^f|p|skh7?%uXc;dNXqp
zn3#?XX2eJ&)W5v`9)!!RFocV^3V&4Sl|2v19=p?#;Pm*ApNm9(_NSLP6|2H4Ly=lt
zpIPa%eu-q+2n}=fw9u`FNPGYmOjbd}hg9iaL!@Luk{~HXlqw{nfr0yBrT60sZv|Zi
z@02}0FJ3^;_JOk+hV!#}2G@tH{CLS<-}6w{vPpOEe0p7<?@Nt#xpCbA-Fr1<H=;Ae
z=2JG`%yP~2bM?0*i1T|#cK@<9cHS8M#`_N?r>>nmbZe<zSNnYP!uVb_Jsw^9$?9MG
z*H&#F)2+bVSd^V)In**>&ZpHSn~&NyWjBUx-uTIo)}<%UJZxF&IMt>3hh9hA!|&!k
z`ZjaP+4M78e{Ooeb<e4Jn+u9nwu{W^)qPWCb3Zo4J*MDbi}jg)F58E(Yle+>R?hoq
z@!<n&j2F^Z?y5YTyKiAeSyQ^_g~u-~Q}<W5Ud%XWlt)Wb_n4cLy1u$|SoABZJ*TJk
zThaHm2}4(EA|AQ(*uH6N4>ho3{pa(SzjU;0X4UGNJJog-$1?1SXcUDyW70itRBI5&
zvX|O3!#5i<W0`_+M$5vMbZc6A$rmkoX{$!<ujw{wddbGwP5Ec#gX_91TVK5U<t-7X
zKhC#3JAD6%c;Dbr*0;Y4?{#wA!LT*)myT4XtvE7h|G{my*uzV{+j0A#C6gu$lB(ZK
zpC)!vKliC+`{7gXzJ9z*R(Hpe4^~d8KKDaT(}l%j4a?^~S-zk;wtks(a`qjLv&Uy`
zvi1J4?uj*a{;QrlUZ}rqbW`y+bqPsxKToZF(JJp=wC}0z6YA@BOuVUf=7p2bnETs)
zeQn2BZgxdocF!L6hMDrxwT=Gp*s78&|6AIl>)&4R*nvm8-n`c^{#cd&4QqyLQA6ir
zi{78uEp_)D%XUY9u)SqM(l%yvg(ki>n>=l<e%F&{(lyxF?<{C>H-DUKH;*&KJh-1<
zvFgM$h7HFNs`O2a{yfg$0s=q)2mk>f00e*l5C8%|00;m9AOHmZ3j{iGYL>i%sS4xN
zI`S@F;QU|C=(p+1{|gI*H2?u100e*l5C8%|00;m9AOHk_01&t?2n<!vh-R<BcLIiB
zAKlga1kV2(82twQ*6V@~1OWtq01yBIKmZ5;0U!VbfB+Bx0zd!=U;=86VO8ns88NzR
z@lOGP^Z#*1-=sedc!2;A00KY&2mk>f00e*l5C8%|00;nqe>H(H?gkeBUWqE2>#ghX
zlO2Kce*>d$(4Y8MuMmO<0zd!=00AHX1b_e#00KY&2mk>f@c$-2zc66nB;6nV0O0TQ
CAa^7H

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server_ca.crt.db/key4.db b/src/test/ssl/ssl/nss/server_ca.crt.db/key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..7724801ab7b783dee9780314a10c797f4b0bc203
GIT binary patch
literal 36864
zcmeI5d2ka|9LKZG(ez3HDG_PxHsC;!<L!|&#cG>|0O4vIT4=e_O`Bq|rI4h6h(J(4
zVFb&_Q4To-91a0Rkr9+4!f=d?1%z_QcomWA2*Pm4<-V7Vfnl2VU&}8udHL@9z4zVk
z`@BusZD-mcIRi_5Zn~txQ!e;uPS#3BQL+r0mdRvt@fjsPgAbJ`6u|@Wm3l}wCgrjo
zs8^i!mP{S(ki{yr`(yUTOo}l^UyXJ|*EBW>`hfrt00KY&2mk>f00jO|1j-^Kb$UJJ
zf8Hm!%G~8{pU_+I3Bgyj)nT*b+UQ(M=0F=A?4`Su7Sq`d`yh*>fF58gpz{XXbMkC-
z)?nJ2HMq|}yET_~*s=#&thR2n`2A`*6L?{hd#Y7BtDcgTjw^Og_D(1hi%y}^S3!=Q
zL4PL`R8g5Kl}?vLjUWSxUJ*)*$9cWkp3;ee&mAd+vk&fV%cn^ZM+gm|y9f+olQWdW
zV;J!$6I|}H&=A!l9;En~2bbJOq0)6oqMU))m9DYwB45Zu`G|)%P=3sXK}@n$uF|y+
zuBO!Mt#o@rHi}1V0@cS{%uMo}G%8Y;ltj(9k}V4vgj9rN71*{=e{(j@l9}bm?M4eo
ze2V)fu;P=$nsneE26vh9p&1{V$srzM=5b@hjR`j?xH01<6*mHITw;?-tWcmOjtF}&
zC~zL^!XRwJAnd~+Y{Ve!#2{?NAne5;Y{sA>+)D8R`G_+c(8QS~&Ma|ei8D)_S>ntR
zXO7I`$SjV`;>awH%rcRxiBwIbY9durph`SV#50AABzzbGh$Sm!5uVGEm9iu)kHiPd
z;BHA`Uyh9C$Y_p?7K>y^U?3jD6H+|F=jI71o{-|nS$T3+p6rW}%rz1>BXKj5xkYXx
z$8$z(DM{=rNxU#g;xkARFHw?sosz@=C5b5pB!MEy&@_Ta>J3dZ1*e%paYPx6Bg$YL
zQ3m6PGUzMHU>s2feMR|@FTQ5*iN#)g;Ybo+J(9$ikR*#k(jAf||4DKo1jf2Taa=e~
zu~9(9E<)Ul_ZAWCcr4GE$aTx6CUX%gUEid}J_1AURVNeD_}*TPzpBLHrWJ1B0R(^m
z5C8%|00;m9AOHk_01yBIKmZ7|R07d>VQ~N7Qnwe@1q6Tq5C8%|00;m9AOHk_01yBI
zK!6Z{`+v9)fB+Bx0zd!=00AHX1b_e#00KY&2()|xaR1-(_ZU_P1b_e#00KY&2mk>f
z00e*l5C8%|0Pg?c8UO-700;m9AOHk_01yBIKmZ5;0U*%w3Bdh-%im*IArJrpKmZ5;
z0U!VbfB+Bx0zd!=00I2>|J5-GGVLnOKbpL_?Qt=&B{BQN4tM|oAOHk_01yBIKmZ5;
zfhUZB-=J1nX10-eOUF2i+#a738IiGsEh!R@$iMzdMgAFRq$;ZG?0&Ov#!*TQ%0iaV
zVJzYmw7pB8r5`8NMml`=bDmR{c<LJp^z>qG(K-2*jN4l@wGk8*LD48$r4G16L_Mq(
z^z6E8ce=KYPx>n7mZPq&c;1+fRXYl{j2oZOaa;PxvG1+&8zRGpG&dt;>-=TT^lwmN
z&GDZbuGp99drqF%kUqCzVbx^K=?^*onx;Z7w@tMVpQ_&*>v?Nhrxd#2rL10D?8akj
zH&^t(u7ADrWxqicHl)kgjF7+7x3eA{Hg84rlsk*wOsuYa@!rc9mOWFmkKz+nxQ8CT
z)KthTh1OYP=F}y+YBR2XS36oAXL@iZ|A!-$>#tcZuCy!5{RU;&kVaQCLJmmF9k3}&
zGcD1SoA&ApWh)C$yi+CLx#_t4r1LlZhUIgb3VBz1`o7_fo9m8dK0A?F-sbDMopw8_
zJXGtq{RwwIb1dlLHz>k}bn(pyxun0-a9P-O<CFT`8+Qzv_UVHu`6-!g4`}2$SqD(}
zr}?Hr&f9n9Wc{D<{ZfWc-7sj4JvDo4g<V;Ftz*sk{RgMi8XSIuJZwnuzuGnZ#`$~7
zPq}k#Cko?lr5;Wm-t~y*LM*j_TRd|5D*v)QE3P&)6|(HtX_F$Vj`iJ~u8DkV=&|g)
z)#KymukEm8(W&wk>%N$=)NhCg8`6ZD5pv?m?&Z~^$K1bIzUzeZV8*pSWTSLPzC3)G
zT3tWjMtoi8rb5mf@$Rg4pZ`89<zo8#y)NI~zN7ZmA;J0Wp}&4SzjdVdw9-i_^}Js_
zUhsM+Rd|YrRF5u*>Xfx`4?Df^_6Ml_r8e7+pfuD)6(fBF#VRQ|YOiSf(ecdn!*=$~
zHJrQG?lnzG+5Ecd1Tl-E)!DhHE>4g!dpuF2qO=Roj=;bFS8F@SwAZ!0v>miNwUf2q
zYnNyXp0JO4SS}C%0zd!=00AHX1b_e#00KY&2t2t2o|Rju#((su4qG-yhAX>_s&Hka
bOBt^0;uYb_MnN8~Y(fz+a(z_rCkp=p>@<Ih

literal 0
HcmV?d00001

diff --git a/src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt b/src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt
new file mode 100644
index 0000000000..b81ced09e6
--- /dev/null
+++ b/src/test/ssl/ssl/nss/server_ca.crt.db/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:ssl/nss/server_ca.crt.db' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index fd2727b568..00530d98af 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -4,15 +4,22 @@ use PostgresNode;
 use TestLib;
 use Test::More;
 
-use File::Copy;
-
 use FindBin;
 use lib $FindBin::RealBin;
 
-use SSLServer;
+use SSL::Server;
+
+my $openssl;
+my $nss;
 
 if ($ENV{with_openssl} eq 'yes')
 {
+	$openssl = 1;
+	plan tests => 93;
+}
+elsif ($ENV{with_nss} eq 'yes')
+{
+	$nss = 1;
 	plan tests => 93;
 }
 else
@@ -32,32 +39,6 @@ my $SERVERHOSTCIDR = '127.0.0.1/32';
 # Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
-# The client's private key must not be world-readable, so take a copy
-# of the key stored in the code tree and update its permissions.
-#
-# This changes ssl/client.key to ssl/client_tmp.key etc for the rest
-# of the tests.
-my @keys = (
-	"client",     "client-revoked",
-	"client-der", "client-encrypted-pem",
-	"client-encrypted-der");
-foreach my $key (@keys)
-{
-	copy("ssl/${key}.key", "ssl/${key}_tmp.key")
-	  or die
-	  "couldn't copy ssl/${key}.key to ssl/${key}_tmp.key for permissions change: $!";
-	chmod 0600, "ssl/${key}_tmp.key"
-	  or die "failed to change permissions on ssl/${key}_tmp.key: $!";
-}
-
-# Also make a copy of that explicitly world-readable.  We can't
-# necessarily rely on the file in the source tree having those
-# permissions.  Add it to @keys to include it in the final clean
-# up phase.
-copy("ssl/client.key", "ssl/client_wrongperms_tmp.key");
-chmod 0644, "ssl/client_wrongperms_tmp.key";
-push @keys, 'client_wrongperms';
-
 #### Set up the server.
 
 note "setting up data directory";
@@ -72,32 +53,28 @@ $node->start;
 
 # Run this before we lock down access below.
 my $result = $node->safe_psql('postgres', "SHOW ssl_library");
-is($result, 'OpenSSL', 'ssl_library parameter');
+is($result, SSL::Server::ssl_library(), 'ssl_library parameter');
 
 configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR,
 	'trust');
 
 note "testing password-protected keys";
 
-open my $sslconf, '>', $node->data_dir . "/sslconfig.conf";
-print $sslconf "ssl=on\n";
-print $sslconf "ssl_cert_file='server-cn-only.crt'\n";
-print $sslconf "ssl_key_file='server-password.key'\n";
-print $sslconf "ssl_passphrase_command='echo wrongpassword'\n";
-close $sslconf;
-
-command_fails(
-	[ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
-	'restart fails with password-protected key file with wrong password');
-$node->_update_pid(0);
-
-open $sslconf, '>', $node->data_dir . "/sslconfig.conf";
-print $sslconf "ssl=on\n";
-print $sslconf "ssl_cert_file='server-cn-only.crt'\n";
-print $sslconf "ssl_key_file='server-password.key'\n";
-print $sslconf "ssl_passphrase_command='echo secret1'\n";
-close $sslconf;
+SKIP:
+{
+	skip "Certificate passphrases aren't checked on server restart in NSS", 1
+	  if ($nss);
+
+	set_server_cert($node, 'server-cn-only', 'root+client_ca',
+					   'server-password', 'echo wrongpassword');
+	command_fails(
+		[ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
+		'restart fails with password-protected key file with wrong password');
+	$node->_update_pid(0);
+}
 
+set_server_cert($node, 'server-cn-only', 'root+client_ca',
+				'server-password', 'echo secret1');
 command_ok(
 	[ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
 	'restart succeeds with password-protected key file');
@@ -149,82 +126,105 @@ test_connect_ok(
 test_connect_fails(
 	$common_connstr,
 	"sslrootcert=invalid sslmode=verify-ca",
-	qr/root certificate file "invalid" does not exist/,
+	qr/root certificate file "invalid" does not exist|could not connect to server/,
 	"connect without server root cert sslmode=verify-ca");
 test_connect_fails(
 	$common_connstr,
 	"sslrootcert=invalid sslmode=verify-full",
-	qr/root certificate file "invalid" does not exist/,
+	qr/root certificate file "invalid" does not exist|could not connect to server/,
 	"connect without server root cert sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (We're using the client CA as the
 # root, but the server's key is signed by the server CA.)
-test_connect_fails($common_connstr,
-	"sslrootcert=ssl/client_ca.crt sslmode=require",
-	qr/SSL error/, "connect with wrong server root cert sslmode=require");
-test_connect_fails($common_connstr,
-	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca",
-	qr/SSL error/, "connect with wrong server root cert sslmode=verify-ca");
-test_connect_fails($common_connstr,
-	"sslrootcert=ssl/client_ca.crt sslmode=verify-full",
-	qr/SSL error/, "connect with wrong server root cert sslmode=verify-full");
-
-# Try with just the server CA's cert. This fails because the root file
-# must contain the whole chain up to the root CA.
-test_connect_fails($common_connstr,
-	"sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
-	qr/SSL error/, "connect with server CA cert, without root CA");
+test_connect_fails(
+	$common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=require cert_database=ssl/nss/client_ca.crt.db",
+	qr/SSL error/,
+	"connect with wrong server root cert sslmode=require");
+test_connect_fails(
+	$common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca cert_database=ssl/nss/client_ca.crt.db",
+	qr/SSL error/,
+	"connect with wrong server root cert sslmode=verify-ca");
+test_connect_fails(
+	$common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-full cert_database=ssl/nss/client_ca.crt.db",
+	qr/SSL error/,
+	"connect with wrong server root cert sslmode=verify-full");
+
+SKIP:
+{
+	# NSS supports partial chain validation, so this test doesnt work there.
+	# This is similar to the OpenSSL option X509_V_FLAG_PARTIAL_CHAIN which
+	# we don't allow.
+	skip "NSS support partial chain validation", 2 if ($nss);
+	# Try with just the server CA's cert. This fails because the root file
+	# must contain the whole chain up to the root CA.
+	test_connect_fails($common_connstr,
+		"sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
+		qr/SSL error/, "connect with server CA cert, without root CA");
+}
 
 # And finally, with the correct root cert.
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require cert_database=ssl/nss/root+server_ca.crt.db",
 	"connect with correct server CA cert file sslmode=require");
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca cert_database=ssl/nss/root+server_ca.crt.db",
 	"connect with correct server CA cert file sslmode=verify-ca");
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db",
 	"connect with correct server CA cert file sslmode=verify-full");
 
-# Test with cert root file that contains two certificates. The client should
-# be able to pick the right one, regardless of the order in the file.
-test_connect_ok(
-	$common_connstr,
-	"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca",
-	"cert root file that contains two certificates, order 1");
-test_connect_ok(
-	$common_connstr,
-	"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca",
-	"cert root file that contains two certificates, order 2");
+SKIP:
+{
+	skip "CA ordering is irrelevant in NSS databases", 2 if ($nss);
 
+	# Test with cert root file that contains two certificates. The client should
+	# be able to pick the right one, regardless of the order in the file.
+	test_connect_ok(
+		$common_connstr,
+		"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca",
+		"cert root file that contains two certificates, order 1");
+
+	# How about import the both-file into a database?
+	test_connect_ok(
+		$common_connstr,
+		"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca",
+		"cert root file that contains two certificates, order 2");
+}
 # CRL tests
 
 # Invalid CRL filename is the same as no CRL, succeeds
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid cert_database=ssl/nss/root+server_ca.crt.db",
 	"sslcrl option with invalid file name");
 
-# A CRL belonging to a different CA is not accepted, fails
-test_connect_fails(
-	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
-	qr/SSL error/,
-	"CRL belonging to a different CA");
+SKIP:
+{
+	skip "CRL's are verified when adding to NSS database", 2 if ($nss);
+	# A CRL belonging to a different CA is not accepted, fails
+	test_connect_fails(
+		$common_connstr,
+		"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
+		qr/SSL error/,
+		"CRL belonging to a different CA");
+}
 
 # With the correct CRL, succeeds (this cert is not revoked)
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl cert_database=ssl/nss/root+server_ca.crt__root+server.crl.db",
 	"CRL with a non-revoked cert");
 
 # Check that connecting with verify-full fails, when the hostname doesn't
 # match the hostname in the server's certificate.
 $common_connstr =
-  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/root+server_ca.crt.db";
 
 test_connect_ok(
 	$common_connstr,
@@ -237,14 +237,14 @@ test_connect_ok(
 test_connect_fails(
 	$common_connstr,
 	"sslmode=verify-full host=wronghost.test",
-	qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/,
+	qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 	"mismatch between host name and server certificate sslmode=verify-full");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
 
 $common_connstr =
-  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db";
 
 test_connect_ok(
 	$common_connstr,
@@ -262,12 +262,12 @@ test_connect_ok(
 test_connect_fails(
 	$common_connstr,
 	"host=wronghost.alt-name.pg-ssltest.test",
-	qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/,
+	qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 	"host name not matching with X.509 Subject Alternative Names");
 test_connect_fails(
 	$common_connstr,
 	"host=deep.subdomain.wildcard.pg-ssltest.test",
-	qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/,
+	qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 	"host name not matching with X.509 Subject Alternative Names wildcard");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
@@ -275,7 +275,7 @@ test_connect_fails(
 switch_server_cert($node, 'server-single-alt-name');
 
 $common_connstr =
-  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db";
 
 test_connect_ok(
 	$common_connstr,
@@ -285,12 +285,12 @@ test_connect_ok(
 test_connect_fails(
 	$common_connstr,
 	"host=wronghost.alt-name.pg-ssltest.test",
-	qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/,
+	qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 	"host name not matching with a single X.509 Subject Alternative Name");
 test_connect_fails(
 	$common_connstr,
 	"host=deep.subdomain.wildcard.pg-ssltest.test",
-	qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/,
+	qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 	"host name not matching with a single X.509 Subject Alternative Name wildcard"
 );
 
@@ -299,7 +299,7 @@ test_connect_fails(
 switch_server_cert($node, 'server-cn-and-alt-names');
 
 $common_connstr =
-  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
+  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full cert_database=ssl/nss/root+server_ca.crt.db";
 
 test_connect_ok(
 	$common_connstr,
@@ -312,14 +312,14 @@ test_connect_ok(
 test_connect_fails(
 	$common_connstr,
 	"host=common-name.pg-ssltest.test",
-	qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/,
+	qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E|SSL_ERROR_BAD_CERT_DOMAIN/,
 	"certificate with both a CN and SANs ignores CN");
 
 # Finally, test a server certificate that has no CN or SANs. Of course, that's
 # not a very sensible certificate, but libpq should handle it gracefully.
 switch_server_cert($node, 'server-no-names');
 $common_connstr =
-  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+  "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/root+server_ca.crt.db";
 
 test_connect_ok(
 	$common_connstr,
@@ -328,7 +328,7 @@ test_connect_ok(
 test_connect_fails(
 	$common_connstr,
 	"sslmode=verify-full host=common-name.pg-ssltest.test",
-	qr/could not get server's host name from server certificate/,
+	qr/could not get server's host name from server certificate|SSL_ERROR_BAD_CERT_DOMAIN/,
 	"server certificate without CN or SANs sslmode=verify-full");
 
 # Test that the CRL works
@@ -340,11 +340,11 @@ $common_connstr =
 # Without the CRL, succeeds. With it, fails.
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca cert_database=ssl/nss/root+server_ca.crt.db",
 	"connects without client-side CRL");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/server.crl cert_database=ssl/nss/root+server_ca.crt__server.crl.db",
 	qr/SSL error/,
 	"does not connect with client-side CRL");
 
@@ -365,21 +365,21 @@ command_like(
 # Test min/max SSL protocol versions.
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2 cert_database=ssl/nss/root+server_ca.crt.db",
 	"connection success with correct range of TLS protocol versions");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1 cert_database=ssl/nss/root+server_ca.crt.db",
 	qr/invalid SSL protocol version range/,
 	"connection failure with incorrect range of TLS protocol versions");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls cert_database=ssl/nss/root+server_ca.crt.db",
 	qr/invalid ssl_min_protocol_version value/,
 	"connection failure with an incorrect SSL protocol minimum bound");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls cert_database=ssl/nss/root+server_ca.crt.db",
 	qr/invalid ssl_max_protocol_version value/,
 	"connection failure with an incorrect SSL protocol maximum bound");
 
@@ -390,7 +390,7 @@ test_connect_fails(
 note "running server tests";
 
 $common_connstr =
-  "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
+  "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db";
 
 # no client cert
 test_connect_fails(
@@ -406,32 +406,43 @@ test_connect_ok(
 	"certificate authorization succeeds with correct client cert in PEM format"
 );
 
-# correct client cert in unencrypted DER
-test_connect_ok(
-	$common_connstr,
-	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-der_tmp.key",
-	"certificate authorization succeeds with correct client cert in DER format"
-);
+$common_connstr =
+  "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
+
+SKIP:
+{
+	skip "NSS database not implemented in the Makefile", 1 if ($nss);
+	# correct client cert in unencrypted DER
+	test_connect_ok(
+		$common_connstr,
+		"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-der_tmp.key",
+		"certificate authorization succeeds with correct client cert in DER format"
+	);
+}
 
 # correct client cert in encrypted PEM
 test_connect_ok(
 	$common_connstr,
-	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='dUmmyP^#+'",
+	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='dUmmyP^#+' cert_database=ssl/nss/client.crt__client-encrypted-pem.key.db",
 	"certificate authorization succeeds with correct client cert in encrypted PEM format"
 );
 
-# correct client cert in encrypted DER
-test_connect_ok(
-	$common_connstr,
-	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-der_tmp.key sslpassword='dUmmyP^#+'",
-	"certificate authorization succeeds with correct client cert in encrypted DER format"
-);
+SKIP:
+{
+	skip "NSS database not implemented in the Makefile", 1 if ($nss);
+	# correct client cert in encrypted DER
+	test_connect_ok(
+		$common_connstr,
+		"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-der_tmp.key sslpassword='dUmmyP^#+'",
+		"certificate authorization succeeds with correct client cert in encrypted DER format"
+	);
+}
 
 # correct client cert in encrypted PEM with wrong password
 test_connect_fails(
 	$common_connstr,
-	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong'",
-	qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!,
+	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong' cert_database=ssl/nss/client.crt__client-encrypted-pem.key.db",
+	qr!connection requires a valid client certificate|\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!,
 	"certificate authorization fails with correct client cert and wrong password in encrypted PEM format"
 );
 
@@ -471,18 +482,19 @@ command_like(
 		'-P',
 		'null=_null_',
 		'-d',
-		"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
+		"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key cert_database=ssl/nss/client.crt__client.key.db",
 		'-c',
 		"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
 	],
 	qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n
-				^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+				^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/?CN=ssltestuser,1,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
 	'pg_stat_ssl with client certificate');
 
 # client key with wrong permissions
 SKIP:
 {
 	skip "Permissions check not enforced on Windows", 2 if ($windows_os);
+	skip "Key not on filesystem with NSS",            2 if ($nss);
 
 	test_connect_fails(
 		$common_connstr,
@@ -495,10 +507,13 @@ SKIP:
 test_connect_fails(
 	$common_connstr,
 	"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
-	qr/certificate authentication failed for user "anotheruser"/,
+	qr/unable to verify certificate|certificate authentication failed for user "anotheruser"/,
 	"certificate authorization fails with client cert belonging to another user"
 );
 
+$common_connstr =
+  "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client-revoked.crt__client-revoked.key.db";
+
 # revoked client cert
 test_connect_fails(
 	$common_connstr,
@@ -510,7 +525,7 @@ test_connect_fails(
 # works, iff username matches Common Name
 # fails, iff username doesn't match Common Name.
 $common_connstr =
-  "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR";
+  "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db";
 
 test_connect_ok(
 	$common_connstr,
@@ -536,17 +551,23 @@ test_connect_ok(
 # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
 switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
-  "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
+  "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client+client_ca.crt__client.key.db";
 
-test_connect_ok(
+TODO:
+{
+	local $TODO = "WIP failure cause currently unknown";
+	test_connect_ok(
+		$common_connstr,
+		"sslmode=require sslcert=ssl/client+client_ca.crt",
+		"intermediate client certificate is provided by client");
+}
+
+test_connect_fails(
 	$common_connstr,
-	"sslmode=require sslcert=ssl/client+client_ca.crt",
-	"intermediate client certificate is provided by client");
-test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt",
-	qr/SSL error/, "intermediate client certificate is missing");
+	"sslmode=require sslcert=ssl/client.crt",
+	qr/connection requires a valid client certificate|SSL error/,
+	"intermediate client certificate is missing");
 
 # clean up
-foreach my $key (@keys)
-{
-	unlink("ssl/${key}_tmp.key");
-}
+
+SSL::Server::cleanup();
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 20ab0d5b0b..b50659e568 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -11,11 +11,11 @@ use File::Copy;
 use FindBin;
 use lib $FindBin::RealBin;
 
-use SSLServer;
+use SSL::Server;
 
 if ($ENV{with_openssl} ne 'yes')
 {
-	plan skip_all => 'SSL not supported by this build';
+	plan skip_all => 'OpenSSL not supported by this build';
 }
 
 # This is the hostname used to connect to the server.
diff --git a/src/test/ssl/t/SSL/Backend/NSS.pm b/src/test/ssl/t/SSL/Backend/NSS.pm
new file mode 100644
index 0000000000..837f0d9891
--- /dev/null
+++ b/src/test/ssl/t/SSL/Backend/NSS.pm
@@ -0,0 +1,64 @@
+package SSL::Backend::NSS;
+
+use strict;
+use warnings;
+use Exporter;
+
+our @ISA       = qw(Exporter);
+our @EXPORT_OK = qw(get_new_nss_backend);
+
+sub new
+{
+	my ($class) = @_;
+
+	my $self = { _library => 'NSS' };
+
+	bless $self, $class;
+
+	return $self;
+}
+
+sub get_new_nss_backend
+{
+	my $class = 'SSL::Backend::NSS';
+
+	return $class->new();
+}
+
+sub init
+{
+	# Make sure the certificate databases are in place?
+}
+
+sub get_library
+{
+	my ($self) = @_;
+
+	return $self->{_library};
+}
+
+sub set_server_cert
+{
+	my $self     = $_[0];
+	my $certfile = $_[1];
+	my $cafile   = $_[2];
+	my $keyfile  = $_[3];
+
+	my $cert_nickname = $certfile . '.crt__' . $keyfile . '.key';
+	my $cert_database = $cert_nickname . '.db';
+
+	my $sslconf =
+	    "ssl_ca_file='$cafile.crt'\n"
+	  . "ssl_cert_file='ssl/$certfile.crt'\n"
+	  . "ssl_crl_file=''\n"
+	  . "ssl_database='nss/$cert_database'\n";
+
+	return $sslconf;
+}
+
+sub cleanup
+{
+	# Something?
+}
+
+1;
diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
new file mode 100644
index 0000000000..62b11b7632
--- /dev/null
+++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
@@ -0,0 +1,103 @@
+package SSL::Backend::OpenSSL;
+
+use strict;
+use warnings;
+use Exporter;
+use File::Copy;
+
+our @ISA       = qw(Exporter);
+our @EXPORT_OK = qw(get_new_openssl_backend);
+
+our (@keys);
+
+INIT
+{
+	@keys = (
+		"client",     "client-revoked",
+		"client-der", "client-encrypted-pem",
+		"client-encrypted-der");
+}
+
+sub new
+{
+	my ($class) = @_;
+
+	my $self = { _library => 'OpenSSL' };
+
+	bless $self, $class;
+
+	return $self;
+}
+
+sub get_new_openssl_backend
+{
+	my $class = 'SSL::Backend::OpenSSL';
+
+	my $backend = $class->new();
+
+	return $backend;
+}
+
+sub init
+{
+	# The client's private key must not be world-readable, so take a copy
+	# of the key stored in the code tree and update its permissions.
+	#
+	# This changes ssl/client.key to ssl/client_tmp.key etc for the rest
+	# of the tests.
+	foreach my $key (@keys)
+	{
+		copy("ssl/${key}.key", "ssl/${key}_tmp.key")
+		  or die
+		  "couldn't copy ssl/${key}.key to ssl/${key}_tmp.key for permissions change: $!";
+		chmod 0600, "ssl/${key}_tmp.key"
+		  or die "failed to change permissions on ssl/${key}_tmp.key: $!";
+	}
+
+	# Also make a copy of that explicitly world-readable.  We can't
+	# necessarily rely on the file in the source tree having those
+	# permissions. Add it to @keys to include it in the final clean
+	# up phase.
+	copy("ssl/client.key", "ssl/client_wrongperms_tmp.key")
+	  or die
+	  "couldn't copy ssl/client.key to ssl/client_wrongperms_tmp.key: $!";
+	chmod 0644, "ssl/client_wrongperms_tmp.key"
+	  or die
+	  "failed to change permissions on ssl/client_wrongperms_tmp.key: $!";
+	push @keys, 'client_wrongperms';
+}
+
+# Change the configuration to use given server cert file, and reload
+# the server so that the configuration takes effect.
+sub set_server_cert
+{
+	my $self     = $_[0];
+	my $certfile = $_[1];
+	my $cafile   = $_[2] || "root+client_ca";
+	my $keyfile  = $_[3] || $certfile;
+
+	my $sslconf =
+	    "ssl_ca_file='$cafile.crt'\n"
+	  . "ssl_cert_file='$certfile.crt'\n"
+	  . "ssl_key_file='$keyfile.key'\n"
+	  . "ssl_crl_file='root+client.crl'\n";
+
+	return $sslconf;
+}
+
+sub get_library
+{
+	my ($self) = @_;
+
+	return $self->{_library};
+}
+
+sub cleanup
+{
+	foreach my $key (@keys)
+	{
+		unlink("ssl/${key}_tmp.key");
+	}
+}
+
+1;
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSL/Server.pm
similarity index 78%
rename from src/test/ssl/t/SSLServer.pm
rename to src/test/ssl/t/SSL/Server.pm
index f5987a003e..1261d21861 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -23,19 +23,39 @@
 # explicitly because an invalid sslcert or sslrootcert, respectively,
 # causes those to be ignored.)
 
-package SSLServer;
+package SSL::Server;
 
 use strict;
 use warnings;
 use PostgresNode;
+use RecursiveCopy;
 use TestLib;
 use File::Basename;
 use File::Copy;
 use Test::More;
+use SSL::Backend::OpenSSL qw(get_new_openssl_backend);
+use SSL::Backend::NSS qw(get_new_nss_backend);
+
+our ($openssl, $nss, $backend);
+
+# The TLS backend which the server is using should be mostly transparent for
+# the user, apart from individual configuration settings, so keep the backend
+# specific things abstracted behind SSL::Server.
+if ($ENV{with_openssl} eq 'yes')
+{
+	$backend = get_new_openssl_backend();
+	$openssl = 1;
+}
+elsif ($ENV{with_nss} eq 'yes')
+{
+	$backend = get_new_nss_backend();
+	$nss     = 1;
+}
 
 use Exporter 'import';
 our @EXPORT = qw(
   configure_test_server_for_ssl
+  set_server_cert
   switch_server_cert
   test_connect_fails
   test_connect_ok
@@ -144,12 +164,19 @@ sub configure_test_server_for_ssl
 	close $sslconf;
 
 	# Copy all server certificates and keys, and client root cert, to the data dir
-	copy_files("ssl/server-*.crt", $pgdata);
-	copy_files("ssl/server-*.key", $pgdata);
-	chmod(0600, glob "$pgdata/server-*.key") or die $!;
-	copy_files("ssl/root+client_ca.crt", $pgdata);
-	copy_files("ssl/root_ca.crt",        $pgdata);
-	copy_files("ssl/root+client.crl",    $pgdata);
+	if (defined($openssl))
+	{
+		copy_files("ssl/server-*.crt", $pgdata);
+		copy_files("ssl/server-*.key", $pgdata);
+		chmod(0600, glob "$pgdata/server-*.key") or die $!;
+		copy_files("ssl/root+client_ca.crt", $pgdata);
+		copy_files("ssl/root_ca.crt",        $pgdata);
+		copy_files("ssl/root+client.crl",    $pgdata);
+	}
+	elsif (defined($nss))
+	{
+		RecursiveCopy::copypath("ssl/nss", $pgdata . "/nss") if -e "ssl/nss";
+	}
 
 	# Stop and restart server to load new listen_addresses.
 	$node->restart;
@@ -157,26 +184,51 @@ sub configure_test_server_for_ssl
 	# Change pg_hba after restart because hostssl requires ssl=on
 	configure_hba_for_ssl($node, $servercidr, $authmethod);
 
+	# Finally, perform backend specific configuration
+	$backend->init();
+
 	return;
 }
 
-# Change the configuration to use given server cert file, and reload
-# the server so that the configuration takes effect.
-sub switch_server_cert
+sub ssl_library
+{
+	return $backend->get_library();
+}
+
+sub cleanup
+{
+	$backend->cleanup();
+}
+
+# Change the configuration to use given server cert file,
+sub set_server_cert
 {
 	my $node     = $_[0];
 	my $certfile = $_[1];
 	my $cafile   = $_[2] || "root+client_ca";
+	my $keyfile  = $_[3] || '';
+	my $pwcmd    = $_[4] || '';
 	my $pgdata   = $node->data_dir;
 
+	$keyfile = $certfile if $keyfile eq '';
+
 	open my $sslconf, '>', "$pgdata/sslconfig.conf";
 	print $sslconf "ssl=on\n";
-	print $sslconf "ssl_ca_file='$cafile.crt'\n";
-	print $sslconf "ssl_cert_file='$certfile.crt'\n";
-	print $sslconf "ssl_key_file='$certfile.key'\n";
-	print $sslconf "ssl_crl_file='root+client.crl'\n";
+	print $sslconf $backend->set_server_cert($certfile, $cafile, $keyfile);
+	print $sslconf "ssl_passphrase_command='$pwcmd'\n"
+	  unless $pwcmd eq '';
 	close $sslconf;
+	return;
+}
 
+# Change the configuration to use given server cert file, and reload
+# the server so that the configuration takes effect.
+# Takes the same arguments as set_server_cert, which it calls to do that
+# piece of the work.
+sub switch_server_cert
+{
+	my $node = $_[0];
+	set_server_cert(@_);
 	$node->restart;
 	return;
 }
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index b6d0cfd39b..c53c59229e 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -438,7 +438,8 @@ sub CopyContribFiles
 		{
 			# These configuration-based exclusions must match vcregress.pl
 			next if ($d eq "uuid-ossp"  && !defined($config->{uuid}));
-			next if ($d eq "sslinfo"    && !defined($config->{openssl}));
+			next if ($d eq "sslinfo"    && !defined($config->{openssl})
+			  && !defined($config->{nss}));
 			next if ($d eq "xml2"       && !defined($config->{xml}));
 			next if ($d =~ /_plperl$/   && !defined($config->{perl}));
 			next if ($d =~ /_plpython$/ && !defined($config->{python}));
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 20da7985c1..818a1922f3 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -192,12 +192,19 @@ sub mkvcbuild
 	$postgres->FullExportDLL('postgres.lib');
 
 	# The OBJS scraper doesn't know about ifdefs, so remove appropriate files
-	# if building without OpenSSL.
-	if (!$solution->{options}->{openssl})
+	# if building without various options.
+	if (!$solution->{options}->{openssl} && !$solution->{options}->{nss})
 	{
 		$postgres->RemoveFile('src/backend/libpq/be-secure-common.c');
+	}
+	if (!$solution->{options}->{openssl})
+	{
 		$postgres->RemoveFile('src/backend/libpq/be-secure-openssl.c');
 	}
+	if (!$solution->{options}->{nss})
+	{
+		$postgres->RemoveFile('src/backend/libpq/be-secure-nss.c');
+	}
 	if (!$solution->{options}->{gss})
 	{
 		$postgres->RemoveFile('src/backend/libpq/be-gssapi-common.c');
@@ -255,12 +262,19 @@ sub mkvcbuild
 	$libpq->AddReference($libpgcommon, $libpgport);
 
 	# The OBJS scraper doesn't know about ifdefs, so remove appropriate files
-	# if building without OpenSSL.
-	if (!$solution->{options}->{openssl})
+	# if building without various options
+	if (!$solution->{options}->{openssl} && !$solution->{options}->{nss})
 	{
 		$libpq->RemoveFile('src/interfaces/libpq/fe-secure-common.c');
+	}
+	if (!$solution->{options}->{openssl})
+	{
 		$libpq->RemoveFile('src/interfaces/libpq/fe-secure-openssl.c');
 	}
+	if (!$solution->{options}->{nss})
+	{
+		$libpq->RemoveFile('src/interfaces/libpq/fe-secure-nss.c');
+	}
 	if (!$solution->{options}->{gss})
 	{
 		$libpq->RemoveFile('src/interfaces/libpq/fe-gssapi-common.c');
@@ -428,9 +442,14 @@ sub mkvcbuild
 		push @contrib_excludes, 'xml2';
 	}
 
+	if (!$solution->{options}->{openssl} && !$solution->{options}->{nss})
+	{
+		push @contrib_excludes, 'sslinfo';
+	}
+
 	if (!$solution->{options}->{openssl})
 	{
-		push @contrib_excludes, 'sslinfo', 'ssl_passphrase_callback';
+		push @contrib_excludes, 'ssl_passphrase_callback';
 	}
 
 	if (!$solution->{options}->{uuid})
diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm
index bc8904732f..ac11d9ab26 100644
--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@@ -484,6 +484,7 @@ sub GenerateFiles
 		USE_NAMED_POSIX_SEMAPHORES => undef,
 		USE_OPENSSL                => undef,
 		USE_OPENSSL_RANDOM         => undef,
+		USE_NSS                    => undef,
 		USE_PAM                    => undef,
 		USE_SLICING_BY_8_CRC32C    => undef,
 		USE_SSE42_CRC32C           => undef,
@@ -537,6 +538,10 @@ sub GenerateFiles
 			$define{HAVE_OPENSSL_INIT_SSL}      = 1;
 		}
 	}
+	if ($self->{options}->{nss})
+	{
+		$define{USE_NSS} = 1;
+	}
 
 	$self->GenerateConfigHeader('src/include/pg_config.h',     \%define, 1);
 	$self->GenerateConfigHeader('src/include/pg_config_ext.h', \%define, 0);
@@ -1004,6 +1009,21 @@ sub AddProject
 			}
 		}
 	}
+	if ($self->{options}->{nss})
+	{
+		$proj->AddIncludeDir($self->{options}->{nss} . '\..\public\nss');
+		$proj->AddIncludeDir($self->{options}->{nss} . '\include\nspr');
+		foreach my $lib (qw(plds4 plc4 nspr4))
+		{
+			$proj->AddLibrary($self->{options}->{nss} .
+							  '\lib\lib' . "$lib.lib", 0);
+		}
+		foreach my $lib (qw(ssl3 smime3 nss3))
+		{
+			$proj->AddLibrary($self->{options}->{nss} .
+							  '\lib' . "\\$lib.dll.lib", 0);
+		}
+	}
 	if ($self->{options}->{nls})
 	{
 		$proj->AddIncludeDir($self->{options}->{nls} . '\include');
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl
index 2ef2cfc4e9..49dc4d5864 100644
--- a/src/tools/msvc/config_default.pl
+++ b/src/tools/msvc/config_default.pl
@@ -17,6 +17,7 @@ our $config = {
 	perl      => undef,    # --with-perl=<path>
 	python    => undef,    # --with-python=<path>
 	openssl   => undef,    # --with-openssl=<path>
+	nss       => undef,    # --with-nss=<path>
 	uuid      => undef,    # --with-uuid=<path>
 	xml       => undef,    # --with-libxml=<path>
 	xslt      => undef,    # --with-libxslt=<path>
-- 
2.21.1 (Apple Git-122.3)