nss: 3.34.1 -> 3.35; cacert.certdata2pem: 20160104 -> 20170717

pkgs/data/misc/cacert/default.nix

@@ -9,8 +9,8 @@ let
 
   certdata2pem = fetchurl {
     name = "certdata2pem.py";
-    url = "https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20160104";
-    sha256 = "0bw11mgfrf19qziyvdnq22kirp0nn54lfsanrg5h6djs6ig1c2im";
+    url = "https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20170717";
+    sha256 = "1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy";
   };
 
 in

pkgs/development/libraries/nss/85_security_load.patch

@@ -13,10 +13,10 @@ diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/cmd/shlibsign/shlibsign.c nss/cmd/sh
 diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/coreconf/config.mk nss/coreconf/config.mk
 --- nss/coreconf/config.mk	2017-01-04 15:24:24.000000000 +0100
 +++ nss/coreconf/config.mk	2017-01-24 14:43:47.989432372 +0100
-@@ -208,3 +208,6 @@
- # exported symbols, which causes problem when NSS is built as part of Mozilla.
- # So we add a NSS_SSL_ENABLE_ZLIB variable to allow Mozilla to turn this off.
- NSS_SSL_ENABLE_ZLIB = 1
+@@ -202,3 +202,6 @@
+ 
+ # Hide old, deprecated, TLS cipher suite names when building NSS
+ DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
 +
 +# Nix specific stuff.
 +DEFINES += -DNIX_NSS_LIBDIR=\"$(out)/lib/\"

pkgs/development/libraries/nss/default.nix

@@ -9,11 +9,11 @@ let
 
 in stdenv.mkDerivation rec {
   name = "nss-${version}";
-  version = "3.34.1";
+  version = "3.35";
 
   src = fetchurl {
-    url = "mirror://mozilla/security/nss/releases/NSS_3_34_1_RTM/src/${name}.tar.gz";
-    sha256 = "186x33wsk4mzjz7dzbn8p0py9a0nzkgzpfkdv4rlyy5gghv5vhd3";
+    url = "mirror://mozilla/security/nss/releases/NSS_3_35_RTM/src/${name}.tar.gz";
+    sha256 = "1ypn68z9ncbbshi3184ywrhx5i846lyd72gps1grzqzdkgh7s4pl";
   };
 
   buildInputs = [ perl zlib sqlite ]