Bug 1386955 - land NSS 3e81bdac8449 UPGRADE_NSS_RELEASE, r=me

2024-11-24 21:31:04 +00:00 · 2017-08-10 09:22:53 +02:00 · 2017-08-10 09:22:53 +02:00 · 11d57944d7
commit 11d57944d7
parent 3d364409fe
15 changed files with 153 additions and 93 deletions
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-a0a4e05dcdd5
+3e81bdac8449
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@ -24,6 +24,10 @@ const WINDOWS_CHECKOUT_CMD =
  "bash -c \"hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
    "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " +
    "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)\"";
+const MAC_CHECKOUT_CMD = ["bash", "-c",
+            "hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
+            "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " +
+            "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)"];

 /*****************************************************************************/

@ -51,6 +55,15 @@ queue.filter(task => {
    if (task.platform == "aarch64") {
      return false;
    }
+
+    // No mac
+    if (task.platform == "mac") {
+      return false;
+    }
+  }
+
+  if (task.tests == "fips" && task.platform == "mac") {
+    return false;
  }

  // Only old make builds have -Ddisable_libpkix=0 and can run chain tests.
@ -216,6 +229,71 @@ export default async function main() {
      collection: "opt",
    }, aarch64_base)
  );
+
+  await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
+  await scheduleMac("Mac (debug)", {collection: "debug"});
+}
+
+
+async function scheduleMac(name, base, args = "") {
+  let mac_base = merge(base, {
+    env: {
+      PATH: "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin",
+      NSS_TASKCLUSTER_MAC: "1",
+      DOMSUF: "localdomain",
+      HOST: "localhost",
+    },
+    provisioner: "localprovisioner",
+    workerType: "nss-macos-10-12",
+    platform: "mac",
+    tier: 3
+  });
+
+  // Build base definition.
+  let build_base = merge({
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/build_gyp.sh", args]
+    ],
+    provisioner: "localprovisioner",
+    workerType: "nss-macos-10-12",
+    platform: "mac",
+    maxRunTime: 7200,
+    artifacts: [{
+      expires: 24 * 7,
+      type: "directory",
+      path: "public"
+    }],
+    kind: "build",
+    symbol: "B"
+  }, mac_base);
+
+  // The task that builds NSPR+NSS.
+  let task_build = queue.scheduleTask(merge(build_base, {name}));
+
+  // The task that generates certificates.
+  let task_cert = queue.scheduleTask(merge(build_base, {
+    name: "Certificates",
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/gen_certs.sh"]
+    ],
+    parent: task_build,
+    symbol: "Certs"
+  }));
+
+  // Schedule tests.
+  scheduleTests(task_build, task_cert, merge(mac_base, {
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/run_tests.sh"]
+    ]
+  }));
+
+  return queue.submit();
 }

 /*****************************************************************************/
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@ -25,7 +25,7 @@ function parseOptions(opts) {
  let allPlatforms = ["linux", "linux64", "linux64-asan",
                      "win", "win64", "win-make", "win64-make",
                      "linux64-make", "linux-make", "linux-fuzz",
-                      "linux64-fuzz", "aarch64"];
+                      "linux64-fuzz", "aarch64", "mac"];
  let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);

  // If the given value is nonsense or "none" default to all platforms.
--- a/security/nss/automation/taskcluster/scripts/build_gyp.sh
+++ b/security/nss/automation/taskcluster/scripts/build_gyp.sh
@ -9,5 +9,10 @@ hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
 nss/build.sh -g -v "$@"

 # Package.
-mkdir artifacts
-tar cvfjh artifacts/dist.tar.bz2 dist
+if [[ $(uname) = "Darwin" ]]; then
+  mkdir -p public
+  tar cvfjh public/dist.tar.bz2 dist
+else
+  mkdir artifacts
+  tar cvfjh artifacts/dist.tar.bz2 dist
+fi
--- a/security/nss/automation/taskcluster/scripts/gen_certs.sh
+++ b/security/nss/automation/taskcluster/scripts/gen_certs.sh
@ -12,5 +12,10 @@ NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
 echo 1 > tests_results/security/localhost

 # Package.
-mkdir artifacts
-tar cvfjh artifacts/dist.tar.bz2 dist tests_results
+if [[ $(uname) = "Darwin" ]]; then
+  mkdir -p public
+  tar cvfjh public/dist.tar.bz2 dist tests_results
+else
+  mkdir artifacts
+  tar cvfjh artifacts/dist.tar.bz2 dist tests_results
+fi
--- a/security/nss/automation/taskcluster/scripts/split.sh
+++ b/security/nss/automation/taskcluster/scripts/split.sh
@ -23,16 +23,10 @@ split_util() {
  # Copy everything.
  cp -R $nssdir $dstdir

-  # Skip gtests when building.
-  sed '/^DIRS = /s/ cpputil gtests$//' $nssdir/manifest.mn > $dstdir/manifest.mn-t && mv $dstdir/manifest.mn-t $dstdir/manifest.mn
-
  # Remove subdirectories that we don't want.
  rm -rf $dstdir/cmd
-  rm -rf $dstdir/tests
  rm -rf $dstdir/lib
  rm -rf $dstdir/automation
-  rm -rf $dstdir/gtests
-  rm -rf $dstdir/cpputil
  rm -rf $dstdir/doc

  # Start with an empty cmd lib directories to be filled selectively.
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@ -73,6 +73,8 @@ while [ $# -gt 0 ]; do
        -j) ninja_params+=(-j "$2"); shift ;;
        -v) ninja_params+=(-v); verbose=1 ;;
        --test) gyp_params+=(-Dtest_build=1) ;;
+        --clang) export CC=clang; export CCC=clang++; export CXX=clang++ ;;
+        --gcc) export CC=gcc; export CCC=g++; export CXX=g++ ;;
        --fuzz) fuzz=1 ;;
        --fuzz=oss) fuzz=1; fuzz_oss=1 ;;
        --fuzz=tls) fuzz=1; fuzz_tls=1 ;;
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,4 +10,3 @@
 */

 #error "Do not include this header file."
-
--- a/security/nss/cpputil/manifest.mn
+++ b/security/nss/cpputil/manifest.mn
@ -8,11 +8,16 @@ DEPTH      = ..
 MODULE = nss
 LIBRARY_NAME = cpputil

+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+CPPSRCS = \
+      $(NULL)
+else
 CPPSRCS = \
      dummy_io.cc \
      dummy_io_fwd.cc \
      tls_parser.cc \
      $(NULL)
+endif

 EXPORTS = \
      $(NULL)
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
@ -7,18 +7,18 @@ if [ $# -lt 3 ]; then
  exit 2
 fi

-REPO=$1
-COMMIT=$2
-DIR=$3
+REPO="$1"
+COMMIT="$2"
+DIR="$3"

 echo "Copy '$COMMIT' from '$REPO' to '$DIR'"
-if [ -f $DIR/.git-copy ]; then
-  CURRENT=$(cat $DIR/.git-copy)
-  if [ $(echo -n $COMMIT | wc -c) != "40" ]; then
+if [ -f "$DIR"/.git-copy ]; then
+  CURRENT=$(cat "$DIR"/.git-copy)
+  if [ $(echo -n "$COMMIT" | wc -c) != "40" ]; then
    # On the off chance that $COMMIT is a remote head.
-    ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -)
+    ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -)
  else
-    ACTUAL=$COMMIT
+    ACTUAL="$COMMIT"
  fi
  if [ "$CURRENT" = "$ACTUAL" ]; then
    echo "Up to date."
@ -26,8 +26,9 @@ if [ -f $DIR/.git-copy ]; then
  fi
 fi

-git init -q $DIR
-git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp
-git -C $DIR reset --hard git-copy-tmp
-git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy
-rm -rf $DIR/.git
+rm -rf "$DIR"
+git init -q "$DIR"
+git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
+git -C "$DIR" reset --hard git-copy-tmp
+git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
+rm -rf "$DIR"/.git
--- a/security/nss/gtests/manifest.mn
+++ b/security/nss/gtests/manifest.mn
@ -13,7 +13,6 @@ LIB_SRCDIRS = \
 ifneq ($(NSS_BUILD_WITHOUT_UTIL),1)
 UTIL_SRCDIRS = \
 	util_gtest \
-	der_gtest \
 	$(NULL)
 endif

@ -22,6 +21,7 @@ ifneq ($(NSS_BUILD_UTIL_ONLY),1)
 NSS_SRCDIRS = \
 	certdb_gtest \
 	certhigh_gtest \
+	der_gtest \
 	pk11_gtest \
 	softoken_gtest \
 	ssl_gtest \
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@ -19,6 +19,8 @@ NSS build tool options:
    --gyp|-g         force a rerun of gyp
    --opt|-o         do an opt build
    -m32             do a 32-bit build on a 64-bit system
+    --clang          build with clang and clang++
+    --gcc            build with gcc and g++
    --test           ignore map files and export everything we have
    --fuzz           build fuzzing targets (this always enables test builds)
                     --fuzz=tls to enable TLS fuzzing mode
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@ -158,6 +158,14 @@
          '-mpclmul',
          '-maes',
        ],
+        'conditions': [
+          [ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', {
+            'cflags': [
+              '-mpclmul',
+              '-maes',
+            ],
+          }],
+        ],
      }],
      [ 'OS=="mac"', {
        'xcode_settings': {
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@ -41,49 +41,8 @@ directory `lib`, and tools in directory `bin`. In order to run the tools, set
 your system environment to use the libraries of your build from the "lib"
 directory, e.g., using the `LD_LIBRARY_PATH` or `DYLD_LIBRARY_PATH`.

-    Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
-                    [--test] [--pprof] [--scan-build[=output]] [--ct-verif]
-                    [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
-                    [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
-                    [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
-
-    This script builds NSS with gyp and ninja.
-
-    This build system is still under development.  It does not yet support all
-    the features or platforms that NSS supports.
-
-    NSS build tool options:
-
-        -h               display this help and exit
-        -c               clean before build
-        -v               verbose build
-        -j <n>           run at most <n> concurrent jobs
-        --nspr           force a rebuild of NSPR
-        --gyp|-g         force a rerun of gyp
-        --opt|-o         do an opt build
-        -m32             do a 32-bit build on a 64-bit system
-        --test           ignore map files and export everything we have
-        --fuzz           build fuzzing targets (this always enables test builds)
-                         --fuzz=tls to enable TLS fuzzing mode
-                         --fuzz=oss to build for OSS-Fuzz
-        --pprof          build with gperftool support
-        --ct-verif       build with valgrind for ct-verif
-        --scan-build     run the build with scan-build (scan-build has to be in the path)
-                         --scan-build=/out/path sets the output path for scan-build
-        --asan           do an asan build
-        --ubsan          do an ubsan build
-                         --ubsan=bool,shift,... sets specific UB sanitizers
-        --msan           do an msan build
-        --sancov         do sanitize coverage builds
-                         --sancov=func sets coverage to function level for example
-        --disable-tests  don't build tests and corresponding cmdline utils
-        --system-sqlite  use system sqlite
-        --no-zdefs       don't set -Wl,-z,defs
-        --with-nspr      don't build NSPR but use the one at the given location, e.g.
-                         --with-nspr=/path/to/nspr/include:/path/to/nspr/lib
-        --system-nspr    use system nspr. This requires an installation of NSPR and
-                         might not work on all systems.
-        --enable-libpkix make libpkix part of the build.
+See [help.txt](https://hg.mozilla.org/projects/nss/raw-file/tip/help.txt) for
+more information on using build.sh.

 ## Building NSS (legacy build system)

@ -122,10 +81,6 @@ set or export:
 Note that you might have to add `nss.local` to `/etc/hosts` if it's not
 there. The entry should look something like `127.0.0.1 nss.local nss`.

-If you get name resolution errors, try to ensure that you are using an IPv4
-address; IPv6 is the default on many systems for the loopback device which
-doesn't work.
-
 ### Running tests

 **Runnning all tests will take a while!**
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@ -57,6 +57,12 @@ ssl_init()
  fi

  PORT=${PORT-8443}
+  # Avoid port conflicts when multiple tests are running on the same machine.
+  if [ -n "$NSS_TASKCLUSTER_MAC" ]; then
+    cwd=$(cd $(dirname $0); pwd -P)
+    padd=$(echo $cwd | cut -d "/" -f4 | sed 's/[^0-9]//g')
+    PORT=$(($PORT + $padd))
+  fi
  NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
  nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
  NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
@ -141,16 +147,16 @@ wait_for_selfserv()
 {
  #verbose="-v"
  echo "trying to connect to selfserv at `date`"
-  echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
  echo "        -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
-  ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+  ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
          -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
  if [ $? -ne 0 ]; then
      sleep 5
      echo "retrying to connect to selfserv at `date`"
      echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
      echo "        -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
-      ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+      ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
              -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
      if [ $? -ne 0 ]; then
          html_failed "Waiting for Server"
@ -295,11 +301,11 @@ ssl_cov()
              VMAX="tls1.2"
          fi

-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
          echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"

          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
                  -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
                  >${TMP}/$HOST.tmp.$$  2>&1
          ret=$?
@ -343,10 +349,10 @@ ssl_auth()
          fi
          start_selfserv

-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
          echo "        ${cparam}  < ${REQUEST_FILE}"
          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
                  -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
                  >${TMP}/$HOST.tmp.$$  2>&1
          ret=$?
@ -395,10 +401,10 @@ ssl_stapling_sub()

    start_selfserv

-    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
    echo "        -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-    ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+    ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
 	    -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
 	    >${TMP}/$HOST.tmp.$$  2>&1
    ret=$?
@ -514,10 +520,10 @@ ssl_signed_cert_timestamps()

    # Since we don't have server-side support, this test only covers advertising the
    # extension in the client hello.
-    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
    echo "        -U -V tls1.0:tls1.2 < ${REQUEST_FILE}"
    rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-    ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+    ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
            -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 < ${REQUEST_FILE} \
            >${TMP}/$HOST.tmp.$$  2>&1
    ret=$?
@ -642,10 +648,10 @@ ssl_crl_ssl()
 	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 	  start_selfserv

-	  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+	  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
 	  echo "        ${cparam}  < ${REQUEST_FILE}"
 	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-	  ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+	  ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 	      -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
 	      >${TMP}/$HOST.tmp.$$  2>&1
 	  ret=$?
@ -733,11 +739,11 @@ NSS=trustOrder=100
 	  cat ${P_R_CLIENTDIR}/pkcs11.txt
          echo "******************************"

-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
          echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"

          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
                  -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
                  >${TMP}/$HOST.tmp.$$  2>&1
          ret=$?
@ -826,7 +832,7 @@ load_group_crl() {
        fi
        echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="

-        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+        echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
        echo "          -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
        echo "Request:"
        echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
@ -839,7 +845,7 @@ GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}

 _EOF_REQUEST_

-        ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \
+        ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f  \
            -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
            >${OUTFILE_TMP}  2>&1 < ${REQF}

@ -930,10 +936,10 @@ ssl_crl_cache()
            cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `

            echo "Server Args: $SERV_ARG"
-            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+            echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
            echo "        ${cparam}  < ${REQUEST_FILE}"
            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+            ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 	        -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
                >${TMP}/$HOST.tmp.$$  2>&1
            ret=$?