Bug 1386955 - land NSS 3e81bdac8449 UPGRADE_NSS_RELEASE, r=me
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Thu, 10 Aug 2017 09:22:53 +0200
changeset 373959 165a764bb2ed32ff8ee2f663141e28da775e8fdc
parent 373958 28226c771f1114d0fc219be3fa7c0e1413067e32
child 373960 973ca5df0887528178b758e0525937ba3e048555
push id32311
push userkwierso@gmail.com
push dateFri, 11 Aug 2017 01:14:57 +0000
treeherdermozilla-central@253a8560dc34 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme
bugs1386955
milestone57.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1386955 - land NSS 3e81bdac8449 UPGRADE_NSS_RELEASE, r=me
security/nss/TAG-INFO
security/nss/automation/taskcluster/graph/src/extend.js
security/nss/automation/taskcluster/graph/src/try_syntax.js
security/nss/automation/taskcluster/scripts/build_gyp.sh
security/nss/automation/taskcluster/scripts/gen_certs.sh
security/nss/automation/taskcluster/scripts/split.sh
security/nss/build.sh
security/nss/coreconf/coreconf.dep
security/nss/cpputil/manifest.mn
security/nss/fuzz/config/git-copy.sh
security/nss/gtests/manifest.mn
security/nss/help.txt
security/nss/lib/freebl/freebl.gyp
security/nss/readme.md
security/nss/tests/ssl/ssl.sh
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-a0a4e05dcdd5
+3e81bdac8449
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -19,16 +19,20 @@ const FUZZ_IMAGE = {
   name: "fuzz",
   path: "automation/taskcluster/docker-fuzz"
 };
 
 const WINDOWS_CHECKOUT_CMD =
   "bash -c \"hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
     "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " +
     "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)\"";
+const MAC_CHECKOUT_CMD = ["bash", "-c",
+            "hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
+            "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " +
+            "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)"];
 
 /*****************************************************************************/
 
 queue.filter(task => {
   if (task.group == "Builds") {
     // Remove extra builds on {A,UB}San and ARM.
     if (task.collection == "asan" || task.platform == "aarch64") {
       return false;
@@ -46,16 +50,25 @@ queue.filter(task => {
         task.platform == "windows2012-32") {
       return false;
     }
 
     // No ARM; TODO: enable
     if (task.platform == "aarch64") {
       return false;
     }
+
+    // No mac
+    if (task.platform == "mac") {
+      return false;
+    }
+  }
+
+  if (task.tests == "fips" && task.platform == "mac") {
+    return false;
   }
 
   // Only old make builds have -Ddisable_libpkix=0 and can run chain tests.
   if (task.tests == "chains" && task.collection != "make") {
     return false;
   }
 
   if (task.group == "Test") {
@@ -211,16 +224,81 @@ export default async function main() {
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --opt"
       ],
       collection: "opt",
     }, aarch64_base)
   );
+
+  await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
+  await scheduleMac("Mac (debug)", {collection: "debug"});
+}
+
+
+async function scheduleMac(name, base, args = "") {
+  let mac_base = merge(base, {
+    env: {
+      PATH: "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin",
+      NSS_TASKCLUSTER_MAC: "1",
+      DOMSUF: "localdomain",
+      HOST: "localhost",
+    },
+    provisioner: "localprovisioner",
+    workerType: "nss-macos-10-12",
+    platform: "mac",
+    tier: 3
+  });
+
+  // Build base definition.
+  let build_base = merge({
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/build_gyp.sh", args]
+    ],
+    provisioner: "localprovisioner",
+    workerType: "nss-macos-10-12",
+    platform: "mac",
+    maxRunTime: 7200,
+    artifacts: [{
+      expires: 24 * 7,
+      type: "directory",
+      path: "public"
+    }],
+    kind: "build",
+    symbol: "B"
+  }, mac_base);
+
+  // The task that builds NSPR+NSS.
+  let task_build = queue.scheduleTask(merge(build_base, {name}));
+
+  // The task that generates certificates.
+  let task_cert = queue.scheduleTask(merge(build_base, {
+    name: "Certificates",
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/gen_certs.sh"]
+    ],
+    parent: task_build,
+    symbol: "Certs"
+  }));
+
+  // Schedule tests.
+  scheduleTests(task_build, task_cert, merge(mac_base, {
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/run_tests.sh"]
+    ]
+  }));
+
+  return queue.submit();
 }
 
 /*****************************************************************************/
 
 async function scheduleLinux(name, base, args = "") {
   // Build base definition.
   let build_base = merge({
     command: [
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -20,17 +20,17 @@ function parseOptions(opts) {
   if (builds.length == 0) {
     builds = ["d", "o"];
   }
 
   // Parse platforms.
   let allPlatforms = ["linux", "linux64", "linux64-asan",
                       "win", "win64", "win-make", "win64-make",
                       "linux64-make", "linux-make", "linux-fuzz",
-                      "linux64-fuzz", "aarch64"];
+                      "linux64-fuzz", "aarch64", "mac"];
   let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
 
   // If the given value is nonsense or "none" default to all platforms.
   if (platforms.length == 0 && opts.platform != "none") {
     platforms = allPlatforms;
   }
 
   // Parse unit tests.
--- a/security/nss/automation/taskcluster/scripts/build_gyp.sh
+++ b/security/nss/automation/taskcluster/scripts/build_gyp.sh
@@ -4,10 +4,15 @@ source $(dirname "$0")/tools.sh
 
 # Clone NSPR if needed.
 hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
 
 # Build.
 nss/build.sh -g -v "$@"
 
 # Package.
-mkdir artifacts
-tar cvfjh artifacts/dist.tar.bz2 dist
+if [[ $(uname) = "Darwin" ]]; then
+  mkdir -p public
+  tar cvfjh public/dist.tar.bz2 dist
+else
+  mkdir artifacts
+  tar cvfjh artifacts/dist.tar.bz2 dist
+fi
--- a/security/nss/automation/taskcluster/scripts/gen_certs.sh
+++ b/security/nss/automation/taskcluster/scripts/gen_certs.sh
@@ -7,10 +7,15 @@ fetch_dist
 
 # Generate certificates.
 NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
 
 # Reset test counter so that test runs pick up our certificates.
 echo 1 > tests_results/security/localhost
 
 # Package.
-mkdir artifacts
-tar cvfjh artifacts/dist.tar.bz2 dist tests_results
+if [[ $(uname) = "Darwin" ]]; then
+  mkdir -p public
+  tar cvfjh public/dist.tar.bz2 dist tests_results
+else
+  mkdir artifacts
+  tar cvfjh artifacts/dist.tar.bz2 dist tests_results
+fi
--- a/security/nss/automation/taskcluster/scripts/split.sh
+++ b/security/nss/automation/taskcluster/scripts/split.sh
@@ -18,26 +18,20 @@ split_util() {
   #   nss/coreconf                full directory
   #   nss                         top files only
   #   nss/lib                     top files only
   #   nss/lib/util                full directory
 
   # Copy everything.
   cp -R $nssdir $dstdir
 
-  # Skip gtests when building.
-  sed '/^DIRS = /s/ cpputil gtests$//' $nssdir/manifest.mn > $dstdir/manifest.mn-t && mv $dstdir/manifest.mn-t $dstdir/manifest.mn
-
   # Remove subdirectories that we don't want.
   rm -rf $dstdir/cmd
-  rm -rf $dstdir/tests
   rm -rf $dstdir/lib
   rm -rf $dstdir/automation
-  rm -rf $dstdir/gtests
-  rm -rf $dstdir/cpputil
   rm -rf $dstdir/doc
 
   # Start with an empty cmd lib directories to be filled selectively.
   mkdir $dstdir/cmd
   cp $nssdir/cmd/Makefile $dstdir/cmd
   cp $nssdir/cmd/manifest.mn $dstdir/cmd
   cp $nssdir/cmd/platlibs.mk $dstdir/cmd
   cp $nssdir/cmd/platrules.mk $dstdir/cmd
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@@ -68,16 +68,18 @@ fi
 while [ $# -gt 0 ]; do
     case $1 in
         -c) clean=1 ;;
         --gyp|-g) rebuild_gyp=1 ;;
         --nspr) nspr_clean; rebuild_nspr=1 ;;
         -j) ninja_params+=(-j "$2"); shift ;;
         -v) ninja_params+=(-v); verbose=1 ;;
         --test) gyp_params+=(-Dtest_build=1) ;;
+        --clang) export CC=clang; export CCC=clang++; export CXX=clang++ ;;
+        --gcc) export CC=gcc; export CCC=g++; export CXX=g++ ;;
         --fuzz) fuzz=1 ;;
         --fuzz=oss) fuzz=1; fuzz_oss=1 ;;
         --fuzz=tls) fuzz=1; fuzz_tls=1 ;;
         --scan-build) enable_scanbuild  ;;
         --scan-build=?*) enable_scanbuild "${1#*=}" ;;
         --opt|-o) opt_build=1 ;;
         -m32|--m32) build_64=0 ;;
         --asan) enable_sanitizer asan ;;
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/cpputil/manifest.mn
+++ b/security/nss/cpputil/manifest.mn
@@ -3,16 +3,21 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ..
 DEPTH      = ..
 
 MODULE = nss
 LIBRARY_NAME = cpputil
 
+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+CPPSRCS = \
+      $(NULL)
+else
 CPPSRCS = \
       dummy_io.cc \
       dummy_io_fwd.cc \
       tls_parser.cc \
       $(NULL)
+endif
 
 EXPORTS = \
       $(NULL)
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
@@ -2,32 +2,33 @@
 
 set -e
 
 if [ $# -lt 3 ]; then
   echo "Usage: $0 <repo> <branch> <directory>" 1>&2
   exit 2
 fi
 
-REPO=$1
-COMMIT=$2
-DIR=$3
+REPO="$1"
+COMMIT="$2"
+DIR="$3"
 
 echo "Copy '$COMMIT' from '$REPO' to '$DIR'"
-if [ -f $DIR/.git-copy ]; then
-  CURRENT=$(cat $DIR/.git-copy)
-  if [ $(echo -n $COMMIT | wc -c) != "40" ]; then
+if [ -f "$DIR"/.git-copy ]; then
+  CURRENT=$(cat "$DIR"/.git-copy)
+  if [ $(echo -n "$COMMIT" | wc -c) != "40" ]; then
     # On the off chance that $COMMIT is a remote head.
-    ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -)
+    ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -)
   else
-    ACTUAL=$COMMIT
+    ACTUAL="$COMMIT"
   fi
   if [ "$CURRENT" = "$ACTUAL" ]; then
     echo "Up to date."
     exit
   fi
 fi
 
-git init -q $DIR
-git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp
-git -C $DIR reset --hard git-copy-tmp
-git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy
-rm -rf $DIR/.git
+rm -rf "$DIR"
+git init -q "$DIR"
+git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
+git -C "$DIR" reset --hard git-copy-tmp
+git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
+rm -rf "$DIR"/.git
--- a/security/nss/gtests/manifest.mn
+++ b/security/nss/gtests/manifest.mn
@@ -8,25 +8,25 @@ DEPTH      = ..
 LIB_SRCDIRS = \
 	google_test \
 	common \
 	$(NULL)
 
 ifneq ($(NSS_BUILD_WITHOUT_UTIL),1)
 UTIL_SRCDIRS = \
 	util_gtest \
-	der_gtest \
 	$(NULL)
 endif
 
 ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
 ifneq ($(NSS_BUILD_UTIL_ONLY),1)
 NSS_SRCDIRS = \
 	certdb_gtest \
 	certhigh_gtest \
+	der_gtest \
 	pk11_gtest \
 	softoken_gtest \
 	ssl_gtest \
 	nss_bogo_shim \
 	$(NULL)
 endif
 endif
 
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@@ -14,16 +14,18 @@ NSS build tool options:
     -h               display this help and exit
     -c               clean before build
     -v               verbose build
     -j <n>           run at most <n> concurrent jobs
     --nspr           force a rebuild of NSPR
     --gyp|-g         force a rerun of gyp
     --opt|-o         do an opt build
     -m32             do a 32-bit build on a 64-bit system
+    --clang          build with clang and clang++
+    --gcc            build with gcc and g++
     --test           ignore map files and export everything we have
     --fuzz           build fuzzing targets (this always enables test builds)
                      --fuzz=tls to enable TLS fuzzing mode
                      --fuzz=oss to build for OSS-Fuzz
     --pprof          build with gperftool support
     --ct-verif       build with valgrind for ct-verif
     --scan-build     run the build with scan-build (scan-build has to be in the path)
                      --scan-build=/out/path sets the output path for scan-build
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -153,16 +153,24 @@
       'MP_API_COMPATIBLE'
     ],
     'conditions': [
       [ 'target_arch=="ia32" or target_arch=="x64"', {
         'cflags_mozilla': [
           '-mpclmul',
           '-maes',
         ],
+        'conditions': [
+          [ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', {
+            'cflags': [
+              '-mpclmul',
+              '-maes',
+            ],
+          }],
+        ],
       }],
       [ 'OS=="mac"', {
         'xcode_settings': {
           # I'm not sure since when this is supported.
           # But I hope that doesn't matter. We also assume this is x86/x64.
           'OTHER_CFLAGS': [
             '-mpclmul',
             '-maes',
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@@ -36,59 +36,18 @@ After changing into the NSS directory a 
 
 Once the build is done the build output is found in the directory
 `../dist/Debug` for debug builds and `../dist/Release` for opt builds.
 Exported header files can be found in the `include` directory, library files in
 directory `lib`, and tools in directory `bin`. In order to run the tools, set
 your system environment to use the libraries of your build from the "lib"
 directory, e.g., using the `LD_LIBRARY_PATH` or `DYLD_LIBRARY_PATH`.
 
-    Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
-                    [--test] [--pprof] [--scan-build[=output]] [--ct-verif]
-                    [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
-                    [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
-                    [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
-
-    This script builds NSS with gyp and ninja.
-
-    This build system is still under development.  It does not yet support all
-    the features or platforms that NSS supports.
-
-    NSS build tool options:
-
-        -h               display this help and exit
-        -c               clean before build
-        -v               verbose build
-        -j <n>           run at most <n> concurrent jobs
-        --nspr           force a rebuild of NSPR
-        --gyp|-g         force a rerun of gyp
-        --opt|-o         do an opt build
-        -m32             do a 32-bit build on a 64-bit system
-        --test           ignore map files and export everything we have
-        --fuzz           build fuzzing targets (this always enables test builds)
-                         --fuzz=tls to enable TLS fuzzing mode
-                         --fuzz=oss to build for OSS-Fuzz
-        --pprof          build with gperftool support
-        --ct-verif       build with valgrind for ct-verif
-        --scan-build     run the build with scan-build (scan-build has to be in the path)
-                         --scan-build=/out/path sets the output path for scan-build
-        --asan           do an asan build
-        --ubsan          do an ubsan build
-                         --ubsan=bool,shift,... sets specific UB sanitizers
-        --msan           do an msan build
-        --sancov         do sanitize coverage builds
-                         --sancov=func sets coverage to function level for example
-        --disable-tests  don't build tests and corresponding cmdline utils
-        --system-sqlite  use system sqlite
-        --no-zdefs       don't set -Wl,-z,defs
-        --with-nspr      don't build NSPR but use the one at the given location, e.g.
-                         --with-nspr=/path/to/nspr/include:/path/to/nspr/lib
-        --system-nspr    use system nspr. This requires an installation of NSPR and
-                         might not work on all systems.
-        --enable-libpkix make libpkix part of the build.
+See [help.txt](https://hg.mozilla.org/projects/nss/raw-file/tip/help.txt) for
+more information on using build.sh.
 
 ## Building NSS (legacy build system)
 
 After changing into the NSS directory a typical build of 32-bit NSS is done as
 follows:
 
     make nss_build_all
 
@@ -117,20 +76,16 @@ calling `ping $HOST.$DOMSUF`. If this is
 set or export:
 
     HOST=nss
     DOMSUF=local
 
 Note that you might have to add `nss.local` to `/etc/hosts` if it's not
 there. The entry should look something like `127.0.0.1 nss.local nss`.
 
-If you get name resolution errors, try to ensure that you are using an IPv4
-address; IPv6 is the default on many systems for the loopback device which
-doesn't work.
-
 ### Running tests
 
 **Runnning all tests will take a while!**
 
     cd tests
     ./all.sh
 
 Make sure that all environment variables set for the build are set while running
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -52,16 +52,22 @@ ssl_init()
   if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
       grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
           html_head "SSL Test failure"
           Exit 8 "Fatal - SSL of cert.sh needs to pass first"
       }
   fi
 
   PORT=${PORT-8443}
+  # Avoid port conflicts when multiple tests are running on the same machine.
+  if [ -n "$NSS_TASKCLUSTER_MAC" ]; then
+    cwd=$(cd $(dirname $0); pwd -P)
+    padd=$(echo $cwd | cut -d "/" -f4 | sed 's/[^0-9]//g')
+    PORT=$(($PORT + $padd))
+  fi
   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
   nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
 
   # Test case files
   SSLCOV=${QADIR}/ssl/sslcov.txt
   SSLAUTH=${QADIR}/ssl/sslauth.txt
   SSLSTRESS=${QADIR}/ssl/sslstress.txt
@@ -136,26 +142,26 @@ is_selfserv_alive()
 
 ########################### wait_for_selfserv ##########################
 # local shell function to wait until selfserver is running and initialized
 ########################################################################
 wait_for_selfserv()
 {
   #verbose="-v"
   echo "trying to connect to selfserv at `date`"
-  echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
   echo "        -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
-  ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+  ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
           -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
   if [ $? -ne 0 ]; then
       sleep 5
       echo "retrying to connect to selfserv at `date`"
       echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
       echo "        -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
-      ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+      ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
               -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
       if [ $? -ne 0 ]; then
           html_failed "Waiting for Server"
       fi
   fi
   is_selfserv_alive
 }
 
@@ -290,21 +296,21 @@ ssl_cov()
           fi
           if [ "$testmax" = "TLS11" ]; then
               VMAX="tls1.1"
           fi
           if [ "$testmax" = "TLS12" ]; then
               VMAX="tls1.2"
           fi
 
-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
           echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
 
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
                   -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
                   >${TMP}/$HOST.tmp.$$  2>&1
           ret=$?
           cat ${TMP}/$HOST.tmp.$$
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
           html_msg $ret 0 "${testname}" \
                    "produced a returncode of $ret, expected is 0"
       fi
@@ -338,20 +344,20 @@ ssl_auth()
       elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
           if [ "$ectype" = "SNI" ]; then
               cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
           fi
           start_selfserv
 
-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
           echo "        ${cparam}  < ${REQUEST_FILE}"
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
                   -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
                   >${TMP}/$HOST.tmp.$$  2>&1
           ret=$?
           cat ${TMP}/$HOST.tmp.$$
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 
           #workaround for bug #402058
           [ $ret -ne 0 ] && ret=1
@@ -390,20 +396,20 @@ ssl_stapling_sub()
 
     SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
     P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
 
     echo "${testname}"
 
     start_selfserv
 
-    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
     echo "        -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-    ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+    ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
 	    -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
 	    >${TMP}/$HOST.tmp.$$  2>&1
     ret=$?
     cat ${TMP}/$HOST.tmp.$$
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 
     # hopefully no workaround for bug #402058 needed here?
     # (see commands in ssl_auth
@@ -509,20 +515,20 @@ ssl_signed_cert_timestamps()
     fi
 
     echo "${testname}"
 
     start_selfserv
 
     # Since we don't have server-side support, this test only covers advertising the
     # extension in the client hello.
-    echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+    echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
     echo "        -U -V tls1.0:tls1.2 < ${REQUEST_FILE}"
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-    ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+    ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
             -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 < ${REQUEST_FILE} \
             >${TMP}/$HOST.tmp.$$  2>&1
     ret=$?
     cat ${TMP}/$HOST.tmp.$$
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 
     html_msg $ret $value "${testname}" \
             "produced a returncode of $ret, expected is $value"
@@ -637,20 +643,20 @@ ssl_crl_ssl()
 	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
 	  do
 	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
 	  TEMP_NUM=`expr $TEMP_NUM + 1`
 	  USER_NICKNAME="TestUser${CURR_SER_NUM}"
 	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 	  start_selfserv
 
-	  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+	  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
 	  echo "        ${cparam}  < ${REQUEST_FILE}"
 	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-	  ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+	  ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 	      -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
 	      >${TMP}/$HOST.tmp.$$  2>&1
 	  ret=$?
 	  cat ${TMP}/$HOST.tmp.$$
 	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
 	      modvalue=$rev_modvalue
               testAddMsg="revoked"
@@ -728,21 +734,21 @@ NSS=Flags=internal,critical trustOrder=7
 name=RootCerts
 NSS=trustOrder=100
 ++EOF++
 
           echo "******************************Testing with: "
 	  cat ${P_R_CLIENTDIR}/pkcs11.txt
           echo "******************************"
 
-          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
           echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
 
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
                   -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
                   >${TMP}/$HOST.tmp.$$  2>&1
           ret=$?
           cat ${TMP}/$HOST.tmp.$$
           rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
 
           #workaround for bug #402058
           [ $ret -ne 0 ] && ret=1
@@ -821,30 +827,30 @@ load_group_crl() {
         if [ $group -eq 1 ]; then
             echo "==================== Resetting to group 1 crl ==================="
             kill_selfserv
             start_selfserv
             is_selfserv_alive
         fi
         echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
 
-        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+        echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
         echo "          -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
         echo "Request:"
         echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
         echo ""
         echo "RELOAD time $i"
 
         REQF=${R_CLIENTDIR}.crlreq
         cat > ${REQF} <<_EOF_REQUEST_
 GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
 
 _EOF_REQUEST_
 
-        ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \
+        ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f  \
             -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
             >${OUTFILE_TMP}  2>&1 < ${REQF}
 
         cat ${OUTFILE_TMP}
         grep "CRL ReCache Error" ${OUTFILE_TMP}
         if [ $? -eq 0 ]; then
             ret=1
             return 1
@@ -925,20 +931,20 @@ ssl_crl_cache()
           while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
             do
             CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
             TEMP_NUM=`expr $TEMP_NUM + 1`
             USER_NICKNAME="TestUser${CURR_SER_NUM}"
             cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 
             echo "Server Args: $SERV_ARG"
-            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+            echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
             echo "        ${cparam}  < ${REQUEST_FILE}"
             rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+            ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
 	        -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
                 >${TMP}/$HOST.tmp.$$  2>&1
             ret=$?
             cat ${TMP}/$HOST.tmp.$$
             rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
             is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
             isRevoked=$?
             if [ $isRevoked -eq 0 ]; then