Bug 923089, backed out for test failures.
authorKai Engert <kaie@kuix.de>
Thu, 19 May 2016 21:19:23 +0200
changeset 12165 c375f1fa727a990398b7f48a26a51dba4a79eb56
parent 12164 5835871a232c313278174dc32a40823fd7cdd599
child 12166 f0c8aefde8b4abc69f8a26852c865e803d93ee21
push id1217
push userkaie@kuix.de
push dateThu, 19 May 2016 19:19:31 +0000
bugs923089
Bug 923089, backed out for test failures.
external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc
lib/softoken/pkcs11c.c
lib/ssl/ssl3con.c
lib/ssl/ssl3ecc.c
lib/ssl/sslenum.c
lib/ssl/sslimpl.h
lib/ssl/sslinfo.c
lib/ssl/sslproto.h
lib/ssl/sslt.h
lib/ssl/tls13con.c
lib/ssl/tls13hkdf.c
tests/ssl/ssl.sh
tests/ssl/sslcov.txt
--- a/external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -100,28 +100,21 @@ INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V
                           TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                           // TLS_ECDH_RSA_WITH_RC4_128_SHA,
                           TLS_ECDHE_RSA_WITH_RC4_128_SHA);
 // TODO - Bug 1251136 move DHE_RSA suites to V12Plus
 INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V12,
                           TLS_RSA_WITH_AES_128_GCM_SHA256,
                           TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
-                          TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                           TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-                          TLS_RSA_WITH_AES_256_GCM_SHA384,
-                          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-                          TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-                          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
+                          TLS_DHE_RSA_WITH_AES_128_GCM_SHA256);
 INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12Plus,
                           TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-                          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                           TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                           TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
 INSTANTIATE_CIPHER_TEST_P(CBC12, All, V12,
                           TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                           TLS_RSA_WITH_AES_256_CBC_SHA256,
                           TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                           TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -6079,17 +6079,17 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h
     CK_MECHANISM_TYPE mechanism = pMechanism->mechanism;
     PRBool          isTLS = PR_FALSE;
     PRBool          isDH = PR_FALSE;
     HASH_HashType   tlsPrfHash = HASH_AlgNULL;
     SECStatus       rv;
     int             i;
     unsigned int    outLen;
     unsigned char   sha_out[SHA1_LENGTH];
-    unsigned char   key_block[NUM_MIXERS * SFTK_MAX_MAC_LENGTH];
+    unsigned char   key_block[NUM_MIXERS * MD5_LENGTH];
     unsigned char   key_block2[MD5_LENGTH];
     PRBool          isFIPS;		
     HASH_HashType   hashType;
     PRBool          extractValue = PR_TRUE;
 
     CHECK_FORK();
 
     if (!slot) {
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -102,40 +102,34 @@ static ssl3CipherSuiteCfg cipherSuites[s
  /* ECDHE-PSK from [draft-mattsson-tls-ecdhe-psk-aead]. Only enabled if
   * we are doing TLS 1.3 PSK-resumption.
   */
  { TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
     * bug 946147.
     */
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_DISABLE_ECC */
 
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
@@ -155,17 +149,16 @@ static ssl3CipherSuiteCfg cipherSuites[s
  { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_DISABLE_ECC */
 
  /* RSA */
  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
- { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
@@ -206,17 +199,16 @@ static const SSLSignatureAndHashAlg defa
     { ssl_hash_sha512, ssl_sign_rsa },
     { ssl_hash_sha1, ssl_sign_rsa },
 #ifndef NSS_DISABLE_ECC
     { ssl_hash_sha256, ssl_sign_ecdsa },
     { ssl_hash_sha384, ssl_sign_ecdsa },
     { ssl_hash_sha512, ssl_sign_ecdsa },
     { ssl_hash_sha1, ssl_sign_ecdsa },
 #endif
-    { ssl_hash_sha384, ssl_sign_dsa },
     { ssl_hash_sha256, ssl_sign_dsa },
     { ssl_hash_sha1, ssl_sign_dsa }
 };
 PR_STATIC_ASSERT(PR_ARRAY_SIZE(defaultSignatureAlgorithms) <=
                  MAX_SIGNATURE_ALGORITHMS);
 
 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
  */
@@ -305,17 +297,16 @@ static const ssl3BulkCipherDef bulk_ciph
     {cipher_des40,        calg_des,          8, 5, type_block,  8, 8, 0, 0, SEC_OID_DES_40_CBC},
     {cipher_idea,         calg_idea,        16,16, type_block,  8, 8, 0, 0, SEC_OID_IDEA_CBC},
     {cipher_aes_128,      calg_aes,         16,16, type_block, 16,16, 0, 0, SEC_OID_AES_128_CBC},
     {cipher_aes_256,      calg_aes,         32,32, type_block, 16,16, 0, 0, SEC_OID_AES_256_CBC},
     {cipher_camellia_128, calg_camellia,    16,16, type_block, 16,16, 0, 0, SEC_OID_CAMELLIA_128_CBC},
     {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0, SEC_OID_CAMELLIA_256_CBC},
     {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0, SEC_OID_SEED_CBC},
     {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8, SEC_OID_AES_128_GCM},
-    {cipher_aes_256_gcm,  calg_aes_gcm,     32,32, type_aead,   4, 0,16, 8, SEC_OID_AES_256_GCM},
     {cipher_chacha20,     calg_chacha20,    32,32, type_aead,  12, 0,16, 0, SEC_OID_CHACHA20_POLY1305},
     {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0, 0},
 };
 
 static const ssl3KEADef kea_defs[] =
 { /* indexed by SSL3KeyExchangeAlgorithm */
     /* kea            exchKeyType signKeyType authKeyType, is_limited limit tls_keygen ephemeral  oid */
     {kea_null,           ssl_kea_null, ssl_sign_null, ssl_auth_null, PR_FALSE,   0, PR_FALSE, PR_FALSE, 0},
@@ -342,164 +333,155 @@ static const ssl3KEADef kea_defs[] =
     {kea_ecdh_anon,      ssl_kea_ecdh, ssl_sign_null, ssl_auth_null, PR_FALSE,   0, PR_FALSE, PR_TRUE,  SEC_OID_TLS_ECDH_ANON},
     {kea_ecdhe_psk,      ssl_kea_ecdh_psk, ssl_sign_null, ssl_auth_psk, PR_FALSE, 0, PR_FALSE, PR_TRUE, SEC_OID_TLS_ECDHE_PSK}
 #endif /* NSS_DISABLE_ECC */
 };
 
 /* must use ssl_LookupCipherSuiteDef to access */
 static const ssl3CipherSuiteDef cipher_suite_defs[] =
 {
-/*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg prf_hash_alg */
-/*  Note that the prf_hash_alg is the hash function used by the PRF, see sslimpl.h.  */
-
-    {TLS_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null, ssl_hash_none},
-    {TLS_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa, ssl_hash_none},
-    {TLS_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa, ssl_hash_none},
-    {TLS_RSA_WITH_NULL_SHA256,      cipher_null,   hmac_sha256, kea_rsa, ssl_hash_sha256},
-    {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export, ssl_hash_none},
-    {TLS_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa, ssl_hash_none},
-    {TLS_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa, ssl_hash_none},
+/*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
+
+    {TLS_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
+    {TLS_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
+    {TLS_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
+    {TLS_RSA_WITH_NULL_SHA256,      cipher_null,   hmac_sha256, kea_rsa},
+    {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
+    {TLS_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
+    {TLS_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
     {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-                                    cipher_rc2_40, mac_md5, kea_rsa_export, ssl_hash_none},
+                                    cipher_rc2_40, mac_md5, kea_rsa_export},
 #if 0 /* not implemented */
-    {TLS_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa, ssl_hash_none},
+    {TLS_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
     {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_rsa_export, ssl_hash_none},
+                                    cipher_des40,  mac_sha, kea_rsa_export},
 #endif
-    {TLS_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa, ssl_hash_none},
-    {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa, ssl_hash_none},
-    {TLS_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss, ssl_hash_none},
+    {TLS_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
+    {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
     {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-                                    cipher_3des,   mac_sha, kea_dhe_dss, ssl_hash_none},
-    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss, ssl_hash_none},
+                                    cipher_3des,   mac_sha, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
 #if 0 /* not implemented */
     {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_dss_export, ssl_hash_none},
-    {TLS_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss, ssl_hash_none},
-    {TLS_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss, ssl_hash_none},
+                                    cipher_des40,  mac_sha, kea_dh_dss_export},
+    {TLS_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
+    {TLS_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
     {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_rsa_export, ssl_hash_none},
-    {TLS_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa, ssl_hash_none},
-    {TLS_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa, ssl_hash_none},
+                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
+    {TLS_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
+    {TLS_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
     {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_dss_export, ssl_hash_none},
+                                    cipher_des40,  mac_sha, kea_dh_dss_export},
     {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_rsa_export, ssl_hash_none},
+                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
 #endif
-    {TLS_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa, ssl_hash_none},
+    {TLS_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
     {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-                                    cipher_3des,   mac_sha, kea_dhe_rsa, ssl_hash_none},
+                                    cipher_3des,   mac_sha, kea_dhe_rsa},
 #if 0
-    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export, ssl_hash_none},
+    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
     {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_anon_export, ssl_hash_none},
-    {TLS_DH_anon_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dh_anon, ssl_hash_none},
-    {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des,   mac_sha, kea_dh_anon, ssl_hash_none},
+                                    cipher_des40,  mac_sha, kea_dh_anon_export},
+    {TLS_DH_anon_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dh_anon},
+    {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des,   mac_sha, kea_dh_anon},
 #endif
 
 
 /* New TLS cipher suites */
-    {TLS_RSA_WITH_AES_128_CBC_SHA,      cipher_aes_128, mac_sha, kea_rsa, ssl_hash_none},
-    {TLS_RSA_WITH_AES_128_CBC_SHA256,   cipher_aes_128, hmac_sha256, kea_rsa, ssl_hash_sha256},
-    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_dhe_dss, ssl_hash_none},
-    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_dhe_rsa, ssl_hash_none},
-    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa, ssl_hash_sha256},
-    {TLS_RSA_WITH_AES_256_CBC_SHA,      cipher_aes_256, mac_sha, kea_rsa, ssl_hash_none},
-    {TLS_RSA_WITH_AES_256_CBC_SHA256,   cipher_aes_256, hmac_sha256, kea_rsa, ssl_hash_sha256},
-    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_dhe_dss, ssl_hash_none},
-    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_dhe_rsa, ssl_hash_none},
-    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa, ssl_hash_sha256},
-    {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, ssl_hash_sha384},
+    {TLS_RSA_WITH_AES_128_CBC_SHA,      cipher_aes_128, mac_sha, kea_rsa},
+    {TLS_RSA_WITH_AES_128_CBC_SHA256,   cipher_aes_128, hmac_sha256, kea_rsa},
+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_dhe_rsa},
+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_rsa},
+    {TLS_RSA_WITH_AES_256_CBC_SHA,      cipher_aes_256, mac_sha, kea_rsa},
+    {TLS_RSA_WITH_AES_256_CBC_SHA256,   cipher_aes_256, hmac_sha256, kea_rsa},
+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_dhe_rsa},
+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
 #if 0
-    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,   cipher_aes_128, mac_sha, kea_dh_dss, ssl_hash_none},
-    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,   cipher_aes_128, mac_sha, kea_dh_rsa, ssl_hash_none},
-    {TLS_DH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_dh_anon, ssl_hash_none},
-    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,   cipher_aes_256, mac_sha, kea_dh_dss, ssl_hash_none},
-    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,   cipher_aes_256, mac_sha, kea_dh_rsa, ssl_hash_none},
-    {TLS_DH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_dh_anon, ssl_hash_none},
+    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,   cipher_aes_128, mac_sha, kea_dh_dss},
+    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,   cipher_aes_128, mac_sha, kea_dh_rsa},
+    {TLS_DH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_dh_anon},
+    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,   cipher_aes_256, mac_sha, kea_dh_dss},
+    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,   cipher_aes_256, mac_sha, kea_dh_rsa},
+    {TLS_DH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_dh_anon},
 #endif
 
-    {TLS_RSA_WITH_SEED_CBC_SHA,     cipher_seed,   mac_sha, kea_rsa, ssl_hash_none},
-
-    {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa, ssl_hash_none},
+    {TLS_RSA_WITH_SEED_CBC_SHA,     cipher_seed,   mac_sha, kea_rsa},
+
+    {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
     {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
-     cipher_camellia_128, mac_sha, kea_dhe_dss, ssl_hash_none},
+     cipher_camellia_128, mac_sha, kea_dhe_dss},
     {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
-     cipher_camellia_128, mac_sha, kea_dhe_rsa, ssl_hash_none},
-    {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa, ssl_hash_none},
+     cipher_camellia_128, mac_sha, kea_dhe_rsa},
+    {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa},
     {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-     cipher_camellia_256, mac_sha, kea_dhe_dss, ssl_hash_none},
+     cipher_camellia_256, mac_sha, kea_dhe_dss},
     {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-     cipher_camellia_256, mac_sha, kea_dhe_rsa, ssl_hash_none},
+     cipher_camellia_256, mac_sha, kea_dhe_rsa},
 
     {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-                                    cipher_des,    mac_sha,kea_rsa_export_1024, ssl_hash_none},
+                                    cipher_des,    mac_sha,kea_rsa_export_1024},
     {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024, ssl_hash_none},
-
-    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, ssl_hash_none},
-    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips, ssl_hash_none},
-
-    {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, ssl_hash_sha256},
-    {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, ssl_hash_sha256},
+                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024},
+
+    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
+    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
+
+    {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
+    {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
+#ifndef NSS_DISABLE_ECC
+    {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
+#endif /* NSS_DISABLE_ECC */
+    {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss},
+
+    {TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_dhe_rsa},
 
 #ifndef NSS_DISABLE_ECC
-    {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, ssl_hash_sha256},
-    {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, ssl_hash_sha256},
-    {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, ssl_hash_sha384},
-    {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, ssl_hash_sha384},
-    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, ssl_hash_sha384},
-    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, ssl_hash_sha384},
-#endif /* NSS_DISABLE_ECC */
-    {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, ssl_hash_sha256},
-    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, ssl_hash_sha256},
-    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, ssl_hash_sha256},
-    {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, ssl_hash_sha384},
-    {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, ssl_hash_sha384},
-
-    {TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_dhe_rsa, ssl_hash_sha256},
-
-#ifndef NSS_DISABLE_ECC
-    {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_rsa, ssl_hash_sha256},
-    {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa, ssl_hash_sha256},
-
-    {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa, ssl_hash_none},
-    {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa, ssl_hash_none},
-    {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, ssl_hash_none},
-    {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, ssl_hash_none},
-    {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, ssl_hash_none},
-
-    {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none},
-    {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none},
-    {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none},
-    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none},
-    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa, ssl_hash_sha256},
-    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa, ssl_hash_none},
-
-    {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa, ssl_hash_none},
-    {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa, ssl_hash_none},
-    {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa, ssl_hash_none},
-    {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa, ssl_hash_none},
-    {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa, ssl_hash_none},
-
-    {TLS_ECDHE_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdhe_rsa, ssl_hash_none},
-    {TLS_ECDHE_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdhe_rsa, ssl_hash_none},
-    {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdhe_rsa, ssl_hash_none},
-    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdhe_rsa, ssl_hash_none},
-    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa, ssl_hash_sha256},
-    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdhe_rsa, ssl_hash_none},
+    {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
+    {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
+
+    {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
+
+    {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
+
+    {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa},
+
+    {TLS_ECDHE_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdhe_rsa},
 
 #if 0
-    {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon, ssl_hash_none},
-    {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon, ssl_hash_none},
-    {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon, ssl_hash_none},
-    {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon, ssl_hash_none},
-    {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon, ssl_hash_none},
+    {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon},
 #endif
-    {TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_psk, ssl_hash_sha256},
+    {TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_psk},
 #endif /* NSS_DISABLE_ECC */
 };
 /* clang-format on */
 
 static const CK_MECHANISM_TYPE auth_alg_defs[] = {
     CKM_INVALID_MECHANISM, /* ssl_auth_null */
     CKM_RSA_PKCS,          /* ssl_auth_rsa_decrypt */
     CKM_DSA, /* ? _SHA1 */ /* ssl_auth_dsa */
@@ -547,30 +529,28 @@ static const SSLCipher2Mech alg2Mech[] =
 };
 
 #define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L
 #define mmech_md5 CKM_SSL3_MD5_MAC
 #define mmech_sha CKM_SSL3_SHA1_MAC
 #define mmech_md5_hmac CKM_MD5_HMAC
 #define mmech_sha_hmac CKM_SHA_1_HMAC
 #define mmech_sha256_hmac CKM_SHA256_HMAC
-#define mmech_sha384_hmac CKM_SHA384_HMAC
 
 /* clang-format off */
 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
     /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
     /* mac      mmech       pad_size  mac_size                       */
     { mac_null, mmech_invalid,    0,  0         ,  0},
     { mac_md5,  mmech_md5,       48,  MD5_LENGTH,  SEC_OID_HMAC_MD5 },
     { mac_sha,  mmech_sha,       40,  SHA1_LENGTH, SEC_OID_HMAC_SHA1},
     {hmac_md5,  mmech_md5_hmac,   0,  MD5_LENGTH,  SEC_OID_HMAC_MD5},
     {hmac_sha,  mmech_sha_hmac,   0,  SHA1_LENGTH, SEC_OID_HMAC_SHA1},
     {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH, SEC_OID_HMAC_SHA256},
     { mac_aead, mmech_invalid,    0,  0, 0 },
-    {hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH, SEC_OID_HMAC_SHA384}
 };
 /* clang-format on */
 
 /* indexed by SSL3BulkCipher */
 const char *const ssl3_cipherName[] = {
     "NULL",
     "RC4",
     "RC4-40",
@@ -757,37 +737,30 @@ ssl3_CipherSuiteAllowedForVersionRange(
              *   TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:     never implemented
              *   TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:  never implemented
              */
             return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
 
         case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
         case TLS_RSA_WITH_AES_256_CBC_SHA256:
         case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
-        case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
         case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
         case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
         case TLS_RSA_WITH_AES_128_CBC_SHA256:
         case TLS_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_RSA_WITH_AES_256_GCM_SHA384:
         case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
         case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
         case TLS_RSA_WITH_NULL_SHA256:
         case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
         case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
         case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
-        case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
-        case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
             return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
 
         case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
-        case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
         case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
         case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
         case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
             return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
 
         /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
          * point formats.*/
         case TLS_ECDH_ECDSA_WITH_NULL_SHA:
         case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
@@ -2578,19 +2551,16 @@ ssl3_ComputeRecordMAC(
                 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
                 break;
             case ssl_hmac_sha: /* used with TLS */
                 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
                 break;
             case ssl_hmac_sha256: /* used with TLS */
                 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
                 break;
-            case ssl_hmac_sha384: /* used with TLS */
-                hashObj = HASH_GetRawHashObject(HASH_AlgSHA384);
-                break;
             default:
                 break;
         }
         if (!hashObj) {
             PORT_Assert(0);
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
@@ -3897,41 +3867,16 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
      */
     if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
         ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE /*freeSrvName*/);
     }
     ssl_ReleaseSpecWriteLock(ss); /*************************************/
     return SECSuccess;
 }
 
-static CK_MECHANISM_TYPE
-ssl3_GetTls12PrfHashMechanism(sslSocket *ss)
-{
-    switch (ss->ssl3.hs.suite_def->prf_hash) {
-        case ssl_hash_sha384:
-            return CKM_SHA384;
-        case ssl_hash_sha256:
-        case ssl_hash_none:
-            /* ssl_hash_none is for pre-1.2 suites, which use SHA-256. */
-            return CKM_SHA256;
-        default:
-            PORT_Assert(0);
-    }
-    return CKM_SHA256;
-}
-
-static SSLHashType
-ssl3_GetSuitePrfHash(sslSocket *ss) {
-    /* ssl_hash_none is for pre-1.2 suites, which use SHA-256. */
-    if (ss->ssl3.hs.suite_def->prf_hash == ssl_hash_none) {
-        return ssl_hash_sha256;
-    }
-    return ss->ssl3.hs.suite_def->prf_hash;
-}
-
 /* This method completes the derivation of the MS from the PMS.
 **
 ** 1. Derive the MS, if possible, else return an error.
 **
 ** 2. Check the version if |pms_version| is non-zero and if wrong,
 **    return an error.
 **
 ** 3. If |msp| is nonzero, return MS in |*msp|.
@@ -4045,17 +3990,17 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
     }
 
     master_params.pVersion = pms_version_ptr;
     master_params.RandomInfo.pClientRandom = cr;
     master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
     master_params.RandomInfo.pServerRandom = sr;
     master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
     if (isTLS12) {
-        master_params.prfHashMechanism = ssl3_GetTls12PrfHashMechanism(ss);
+        master_params.prfHashMechanism = CKM_SHA256;
         master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
     } else {
         /* prfHashMechanism is not relevant with this PRF */
         master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
     }
 
     params.data = (unsigned char *)&master_params;
     params.len = master_params_len;
@@ -4288,17 +4233,17 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke
         returnedKeys.pIVServer = NULL;
     }
 
     calg = cipher_def->calg;
     bulk_mechanism = ssl3_Alg2Mech(calg);
 
     if (isTLS12) {
         key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
-        key_material_params.prfHashMechanism = ssl3_GetTls12PrfHashMechanism(ss);
+        key_material_params.prfHashMechanism = CKM_SHA256;
         key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS);
     } else if (isTLS) {
         key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
         key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
     } else {
         key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
         key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
     }
@@ -4353,40 +4298,30 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocke
 loser:
     if (symKey)
         PK11_FreeSymKey(symKey);
     ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
     return SECFailure;
 }
 
 /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in
- * buffered messages in ss->ssl3.hs.messages. Called from
- * ssl3_NegotiateCipherSuite() and ssl3_HandleServerHello. */
+ * buffered messages in ss->ssl3.hs.messages. */
 static SECStatus
 ssl3_InitHandshakeHashes(sslSocket *ss)
 {
     SSL_TRC(30, ("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
 
     PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown);
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone);
         if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
-            const SECOidData *hashOid =
-                SECOID_FindOIDByMechanism(ssl3_GetTls12PrfHashMechanism(ss));
-
-            if (hashOid == NULL) {
-                PORT_Assert(hashOid == NULL);
-                ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-                return SECFailure;
-            }
-
-            ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(
-                HASH_GetHashTypeByOidTag(hashOid->offset));
-
+            /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+             * then this will need to be updated. */
+            ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
             if (!ss->ssl3.hs.sha_obj) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
                 return SECFailure;
             }
             ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
             ss->ssl3.hs.hashType = handshake_hash_single;
             ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
         } else {
@@ -4399,30 +4334,19 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
     {
         PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha);
         /*
          * note: We should probably lookup an SSL3 slot for these
          * handshake hashes in hopes that we wind up with the same slots
          * that the master secret will wind up in ...
          */
         if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
-            /* determine the hash from the prf */
-            const SECOidData *hash_oid =
-                SECOID_FindOIDByMechanism(ssl3_GetTls12PrfHashMechanism(ss));
-
-            /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_hash)
-             * Convert that to the OidTag. We can then use that OidTag to create our
-             * PK11Context */
-            PORT_Assert(hash_oid != NULL);
-            if (hash_oid == NULL) {
-                ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-                return SECFailure;
-            }
-
-            ss->ssl3.hs.sha = PK11_CreateDigestContext(hash_oid->offset);
+            /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+             * then this will need to be updated. */
+            ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
             if (ss->ssl3.hs.sha == NULL) {
                 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                 return SECFailure;
             }
             ss->ssl3.hs.hashType = handshake_hash_single;
 
             if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
@@ -4732,22 +4656,16 @@ ssl3_AppendHandshakeHeader(sslSocket *ss
 
 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
  * |sigAndHash| to the current handshake message. */
 SECStatus
 ssl3_AppendSignatureAndHashAlgorithm(
     sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash)
 {
     PRUint8 serialized[2];
-    SECOidTag hashAlg = ssl3_TLSHashAlgorithmToOID(sigAndHash->hashAlg);
-    if (hashAlg == SEC_OID_UNKNOWN) {
-        PORT_Assert(hashAlg != SEC_OID_UNKNOWN);
-        PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-        return SECFailure;
-    }
 
     serialized[0] = (PRUint8)sigAndHash->hashAlg;
     serialized[1] = (PRUint8)sigAndHash->sigAlg;
 
     return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
 }
 
 /**************************************************************************
@@ -4853,20 +4771,17 @@ ssl3_ConsumeHandshakeVariable(sslSocket 
         i->len = count;
         *b += count;
         *length -= count;
     }
     return SECSuccess;
 }
 
 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
- * SECOidTag used internally by NSS.
- *
- * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
- */
+ * SECOidTag used internally by NSS. */
 static const struct {
     SSLHashType tlsHash;
     SECOidTag oid;
 } tlsHashOIDMap[] = {
     { ssl_hash_sha1, SEC_OID_SHA1 },
     { ssl_hash_sha256, SEC_OID_SHA256 },
     { ssl_hash_sha384, SEC_OID_SHA384 },
     { ssl_hash_sha512, SEC_OID_SHA512 }
@@ -5079,21 +4994,21 @@ ssl3_ComputeHandshakeHashes(sslSocket *s
         ss->ssl3.hs.hashType == handshake_hash_single) {
         /* compute them without PKCS11 */
         PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
 
         ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
         ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
                                  sizeof(hashes->u.raw));
 
-        PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len));
+        PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
 
         /* If we ever support ciphersuites where the PRF hash isn't SHA-256
          * then this will need to be updated. */
-        hashes->hashAlg = ssl3_GetSuitePrfHash(ss);
+        hashes->hashAlg = ssl_hash_sha256;
         rv = SECSuccess;
     } else if (ss->opt.bypassPKCS11) {
         /* compute them without PKCS11 */
         PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
         PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
 
 #define md5cx ((MD5Context *)md5_cx)
 #define shacx ((SHA1Context *)sha_cx)
@@ -5191,18 +5106,19 @@ ssl3_ComputeHandshakeHashes(sslSocket *s
         }
         rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
                                sizeof(hashes->u.raw));
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             rv = SECFailure;
             goto tls12_loser;
         }
-
-        hashes->hashAlg = ssl3_GetSuitePrfHash(ss);
+        /* If we ever support ciphersuites where the PRF hash isn't SHA-256
+         * then this will need to be updated. */
+        hashes->hashAlg = ssl_hash_sha256;
         rv = SECSuccess;
 
     tls12_loser:
         if (stateBuf) {
             if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
                 rv = SECFailure;
             }
@@ -6848,30 +6764,16 @@ ssl3_SendCertificateVerify(sslSocket *ss
     }
 
 done:
     if (buf.data)
         PORT_Free(buf.data);
     return rv;
 }
 
-/* Once a cipher suite has been selected, make sure that the necessary secondary
- * information is properly set. */
-static SECStatus
-ssl3_SetCipherSuite(sslSocket *ss, ssl3CipherSuite chosenSuite)
-{
-    ss->ssl3.hs.cipher_suite = chosenSuite;
-    ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef(chosenSuite);
-    ss->ssl3.hs.kea_def = &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg];
-    ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
-
-    /* Now we've have a cipher suite, initialize the handshake hashes. */
-    return ssl3_InitHandshakeHashes(ss);
-}
-
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 ServerHello message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     PRInt32 temp; /* allow for consume number failure */
@@ -6939,16 +6841,23 @@ ssl3_HandleServerHello(sslSocket *ss, SS
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
                                                    : handshake_failure;
         errCode = SSL_ERROR_UNSUPPORTED_VERSION;
         goto alert_loser;
     }
     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
 
+    rv = ssl3_InitHandshakeHashes(ss);
+    if (rv != SECSuccess) {
+        desc = internal_error;
+        errCode = PORT_GetError();
+        goto alert_loser;
+    }
+
     rv = ssl3_ConsumeHandshake(
         ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
     if (rv != SECSuccess) {
         goto loser; /* alert has been sent */
     }
 
     /* Check the ServerHello.random per
      * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
@@ -7015,23 +6924,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS
             break; /* success */
         }
     }
     if (!suite_found) {
         desc = handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
-
-    rv = ssl3_SetCipherSuite(ss, (ssl3CipherSuite)temp);
-    if (rv != SECSuccess) {
-        desc = internal_error;
-        errCode = PORT_GetError();
-        goto alert_loser;
-    }
+    ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
+    ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
+    ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
+    PORT_Assert(ss->ssl3.hs.suite_def);
+    if (!ss->ssl3.hs.suite_def) {
+        errCode = SEC_ERROR_LIBRARY_FAILURE;
+        PORT_SetError(errCode);
+        goto loser; /* we don't send alerts for our screw-ups. */
+    }
+
+    ss->ssl3.hs.kea_def = &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg];
 
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         /* find selected compression method in our list. */
         temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
         if (temp < 0) {
             goto loser; /* alert has been sent */
         }
         suite_found = PR_FALSE;
@@ -7657,26 +7570,26 @@ done:
     if (pubk)
         SECKEY_DestroyPublicKey(pubk);
     return rv;
 }
 
 /* Destroys the backup handshake hash context if we don't need it. Note that
  * this function selects the hash algorithm for client authentication
  * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
- * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */
+ * to determine whether to use SHA-1 or SHA-256. */
 static void
 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
                                            const SECItem *algorithms)
 {
     SECStatus rv;
     SSLSignType sigAlg;
     PRBool preferSha1 = PR_FALSE;
     PRBool supportsSha1 = PR_FALSE;
-    PRBool supportsHandshakeHash = PR_FALSE;
+    PRBool supportsSha256 = PR_FALSE;
     PRBool needBackupHash = PR_FALSE;
     unsigned int i;
 
 #ifndef NO_PKCS11_BYPASS
     /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
     if (ss->opt.bypassPKCS11) {
         PORT_Assert(!ss->ssl3.hs.backupHash);
         return;
@@ -7690,25 +7603,25 @@ ssl3_DestroyBackupHandshakeHashIfNotNeed
         goto done;
     }
 
     /* Determine the server's hash support for that signature algorithm. */
     for (i = 0; i < algorithms->len; i += 2) {
         if (algorithms->data[i + 1] == sigAlg) {
             if (algorithms->data[i] == ssl_hash_sha1) {
                 supportsSha1 = PR_TRUE;
-            } else if (algorithms->data[i] == ss->ssl3.hs.suite_def->prf_hash) {
-                supportsHandshakeHash = PR_TRUE;
-            }
-        }
-    }
-
-    /* If either the server does not support the handshake hash or the client key prefers
+            } else if (algorithms->data[i] == ssl_hash_sha256) {
+                supportsSha256 = PR_TRUE;
+            }
+        }
+    }
+
+    /* If either the server does not support SHA-256 or the client key prefers
      * SHA-1, leave the backup hash. */
-    if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) {
+    if (supportsSha1 && (preferSha1 || !supportsSha256)) {
         needBackupHash = PR_TRUE;
     }
 
 done:
     if (!needBackupHash) {
         PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
         ss->ssl3.hs.backupHash = NULL;
     }
@@ -8447,29 +8360,37 @@ ssl3_KEASupportsTickets(const ssl3KEADef
 ** and a TLS 1.1 client should definitely not be offering *only* export
 ** cipher suites. Therefore, we refuse to negotiate export cipher suites
 ** with any client that indicates support for TLS 1.1 or higher when we
 ** (the server) have TLS 1.1 support enabled.
 */
 SECStatus
 ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites)
 {
+    ssl3CipherSuiteCfg *chosenSuite = NULL;
     int j;
     int i;
 
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
         SSLVersionRange vrange = { ss->version, ss->version };
         if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
             continue;
         }
         for (i = 0; i + 1 < suites->len; i += 2) {
             PRUint16 suite_i = (suites->data[i] << 8) | suites->data[i + 1];
             if (suite_i == suite->cipher_suite) {
-                return ssl3_SetCipherSuite(ss, suite_i);
+                chosenSuite = suite;
+                ss->ssl3.hs.cipher_suite = chosenSuite->cipher_suite;
+                ss->ssl3.hs.suite_def =
+                    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+                ss->ssl3.hs.kea_def =
+                    &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg];
+                ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
+                return SECSuccess;
             }
         }
     }
     return SECFailure;
 }
 
 /*
  * Call the SNI config hook.
@@ -8754,16 +8675,23 @@ ssl3_HandleClientHello(sslSocket *ss, SS
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
                                                    : handshake_failure;
         errCode = SSL_ERROR_UNSUPPORTED_VERSION;
         goto alert_loser;
     }
     isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;
     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
 
+    rv = ssl3_InitHandshakeHashes(ss);
+    if (rv != SECSuccess) {
+        desc = internal_error;
+        errCode = PORT_GetError();
+        goto alert_loser;
+    }
+
     /* Generate the Server Random now so it is available
      * when we process the ClientKeyShare in TLS 1.3 */
     rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
     if (rv != SECSuccess) {
         errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE;
         goto loser;
     }
 
@@ -9107,27 +9035,27 @@ ssl3_HandleClientHelloPart2(sslSocket *s
              * Implemented ("isPresent") shouldn't change for servers.
              */
             if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss))
                 break;
 #else
             if (!suite->enabled)
                 break;
 #endif
-            /* Double check that the cached cipher suite is in the client's
-             * list.  If it isn't, fall through and start a new session. */
+            /* Double check that the cached cipher suite is in the client's list */
             for (i = 0; i + 1 < suites->len; i += 2) {
                 PRUint16 suite_i = (suites->data[i] << 8) | suites->data[i + 1];
                 if (suite_i == suite->cipher_suite) {
-                    rv = ssl3_SetCipherSuite(ss, suite_i);
-                    if (rv != SECSuccess) {
-                        desc = internal_error;
-                        errCode = PORT_GetError();
-                        goto alert_loser;
-                    }
+                    ss->ssl3.hs.cipher_suite =
+                        suite->cipher_suite;
+                    ss->ssl3.hs.suite_def =
+                        ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+                    ss->ssl3.hs.kea_def =
+                        &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg];
+                    ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
 
                     /* Use the cached compression method. */
                     ss->ssl3.hs.compression =
                         sid->u.ssl3.compression;
                     goto compression_found;
                 }
             }
         } while (0);
@@ -9537,16 +9465,23 @@ ssl3_HandleV2ClientHello(sslSocket *ss, 
         /* send back which ever alert client will understand. */
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
                                                    : handshake_failure;
         errCode = SSL_ERROR_UNSUPPORTED_VERSION;
         goto alert_loser;
     }
     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
 
+    rv = ssl3_InitHandshakeHashes(ss);
+    if (rv != SECSuccess) {
+        desc = internal_error;
+        errCode = PORT_GetError();
+        goto alert_loser;
+    }
+
     /* if we get a non-zero SID, just ignore it. */
     if (length != total) {
         SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
                  SSL_GETPID(), ss->fd, length, total));
         desc = illegal_parameter;
         errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
         goto alert_loser;
     }
@@ -9591,36 +9526,36 @@ ssl3_HandleV2ClientHello(sslSocket *ss, 
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
         SSLVersionRange vrange = { ss->version, ss->version };
         if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
             continue;
         }
         for (i = 0; i + 2 < suite_length; i += 3) {
             PRUint32 suite_i = (suites[i] << 16) | (suites[i + 1] << 8) | suites[i + 2];
             if (suite_i == suite->cipher_suite) {
-                rv = ssl3_SetCipherSuite(ss, suite_i);
-                if (rv != SECSuccess) {
-                    desc = internal_error;
-                    errCode = PORT_GetError();
-                    goto alert_loser;
-                }
+                ss->ssl3.hs.cipher_suite = suite->cipher_suite;
+                ss->ssl3.hs.suite_def =
+                    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+                ss->ssl3.hs.kea_def =
+                    &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg];
+                ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
                 goto suite_found;
             }
         }
     }
     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
     goto alert_loser;
 
 suite_found:
 
     /* If the ClientHello version is less than our maximum version, check for a
      * TLS_FALLBACK_SCSV and reject the connection if found. */
     if (ss->vrange.max > ss->clientHelloVersion) {
         for (i = 0; i + 2 < suite_length; i += 3) {
-            PRUint16 suite_i = (suites[i] << 16) | (suites[i + 1] << 8) | suites[i + 2];
+            PRUint16 suite_i = (suites[i + 1] << 8) | suites[i + 2];
             if (suite_i == TLS_FALLBACK_SCSV) {
                 desc = inappropriate_fallback;
                 errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
                 goto alert_loser;
             }
         }
     }
 
@@ -10130,32 +10065,30 @@ loser:
     return SECFailure;
 }
 
 SECStatus
 ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf,
                                      unsigned maxLen, PRUint32 *len)
 {
     unsigned int i;
-    /* We only track a single hash, the one that is the basis for the PRF. */
-    SSLHashType suiteHashAlg = ssl3_GetSuitePrfHash(ss);
 
     PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2);
     if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 
     *len = 0;
     for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
         const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i];
         /* Note that we don't support a handshake hash with anything other than
-         * the PRF hash, so asking for a signature from clients for something
-         * else would be inviting disaster. */
-        if (alg->hashAlg == suiteHashAlg) {
+         * SHA-256, so asking for a signature from clients for something else
+         * would be inviting disaster. */
+        if (alg->hashAlg == ssl_hash_sha256) {
             buf[(*len)++] = (PRUint8)alg->hashAlg;
             buf[(*len)++] = (PRUint8)alg->sigAlg;
         }
     }
 
     if (*len == 0) {
         PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
         return SECFailure;
@@ -11659,17 +11592,17 @@ ssl3_AuthCertificateComplete(sslSocket *
 done:
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_ReleaseRecvBufLock(ss);
 
     return rv;
 }
 
 static SECStatus
-ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec,
+ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
                         PRBool isServer,
                         const SSL3Hashes *hashes,
                         TLSFinished *tlsFinished)
 {
     SECStatus rv;
     CK_TLS_MAC_PARAMS tls_mac_params;
     SECItem param = { siBuffer, NULL, 0 };
     PK11Context *prf_context;
@@ -11682,17 +11615,17 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s
         return ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
                                            hashes->len, tlsFinished->verify_data,
                                            sizeof tlsFinished->verify_data);
     }
 
     if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
         tls_mac_params.prfMechanism = CKM_TLS_PRF;
     } else {
-        tls_mac_params.prfMechanism = ssl3_GetTls12PrfHashMechanism(ss);
+        tls_mac_params.prfMechanism = CKM_SHA256;
     }
     tls_mac_params.ulMacLength = 12;
     tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
     param.data = (unsigned char *)&tls_mac_params;
     param.len = sizeof(tls_mac_params);
     prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN,
                                              spec->master_secret, &param);
     if (!prf_context)
@@ -11887,17 +11820,17 @@ ssl3_SendFinished(sslSocket *ss, PRInt32
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ssl_GetSpecReadLock(ss);
     cwSpec = ss->ssl3.cwSpec;
     isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
     rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
     if (isTLS && rv == SECSuccess) {
-        rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished);
+        rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
     }
     ssl_ReleaseSpecReadLock(ss);
     if (rv != SECSuccess) {
         goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */
     }
 
     if (isTLS) {
         if (isServer)
@@ -12058,17 +11991,17 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
     if (isTLS) {
         TLSFinished tlsFinished;
 
         if (length != sizeof tlsFinished) {
             (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
             return SECFailure;
         }
-        rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer,
+        rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
                                      hashes, &tlsFinished);
         if (!isServer)
             ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
         else
             ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
         ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
         if (rv != SECSuccess ||
             0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
@@ -1044,58 +1044,50 @@ static const ssl3CipherSuite ecdh_rsa_su
     0 /* end of list marker */
 };
 
 static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     0 /* end of list marker */
 };
 
 static const ssl3CipherSuite ecdhe_rsa_suites[] = {
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     0 /* end of list marker */
 };
 
 /* List of all ECC cipher suites */
 static const ssl3CipherSuite ecSuites[] = {
     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_NULL_SHA,
     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
--- a/lib/ssl/sslenum.c
+++ b/lib/ssl/sslenum.c
@@ -17,31 +17,24 @@
  * in ssl3ecc.c.
  *
  * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
  *
  * The ordering is as follows:
  *    * No-encryption cipher suites last
  *    * Export/weak/obsolete cipher suites before no-encryption cipher suites
  *    * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA.
- *    * Within key agreement sections, prefer AEAD over non-AEAD cipher suites.
- *    * Within AEAD sections, order by symmetric encryption algorithm which
- *      integrates message authentication algorithm: AES-128-GCM, then
- *      ChaCha20-Poly1305, then AES-256-GCM,
- *    * Within non-AEAD sections, order by symmetric encryption algorithm:
+ *    * Within key agreement sections, order by symmetric encryption algorithm:
  *      AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED,
  *      then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a
  *      strong cipher internationally, and is often hardware-accelerated.
  *      Camellia also has wide international support across standards
  *      organizations. SEED is only recommended by the Korean government. 3DES
  *      only provides 112 bits of security. RC4 is now deprecated or forbidden
  *      by many standards organizations.
- *    * Within non-AEAD symmetric algorithm sections, order by message
- *      authentication algorithm: HMAC-SHA256, then HMAC-SHA384, then HMAC-SHA1,
- *      then HMAC-MD5.
  *    * Within symmetric algorithm sections, order by message authentication
  *      algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5.
  *    * Within message authentication algorithm sections, order by asymmetric
  *      signature algorithm: ECDSA, then RSA, then DSS.
  *    * As a special case, the PSK ciphers, which are only enabled when
  *      TLS 1.3 PSK-resumption is in use, come first.
  *
  * Exception: Because some servers ignore the high-order byte of the cipher
@@ -59,40 +52,34 @@ const PRUint16 SSL_ImplementedCiphers[] 
 #ifndef NSS_DISABLE_ECC
     /* ECDHE-PSK from [draft-mattsson-tls-ecdhe-psk-aead]. */
     TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
 
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
     /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
      * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
      */
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
 #endif /* NSS_DISABLE_ECC */
 
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
-    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
     TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
     TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
@@ -111,17 +98,16 @@ const PRUint16 SSL_ImplementedCiphers[] 
     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDH_RSA_WITH_RC4_128_SHA,
 #endif /* NSS_DISABLE_ECC */
 
     TLS_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_RSA_WITH_AES_256_GCM_SHA384,
     TLS_RSA_WITH_AES_128_CBC_SHA,
     TLS_RSA_WITH_AES_128_CBC_SHA256,
     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
     TLS_RSA_WITH_AES_256_CBC_SHA,
     TLS_RSA_WITH_AES_256_CBC_SHA256,
     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
     TLS_RSA_WITH_SEED_CBC_SHA,
     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -52,17 +52,16 @@ typedef SSLMACAlgorithm SSL3MACAlgorithm
 #define calg_chacha20 ssl_calg_chacha20
 
 #define mac_null ssl_mac_null
 #define mac_md5 ssl_mac_md5
 #define mac_sha ssl_mac_sha
 #define hmac_md5 ssl_hmac_md5
 #define hmac_sha ssl_hmac_sha
 #define hmac_sha256 ssl_hmac_sha256
-#define hmac_sha384 ssl_hmac_sha384
 #define mac_aead ssl_mac_aead
 
 #define SET_ERROR_CODE    /* reminder */
 #define SEND_ALERT        /* reminder */
 #define TEST_FOR_FAILURE  /* reminder */
 #define DEAL_WITH_FAILURE /* reminder */
 
 #if defined(DEBUG) || defined(TRACE)
@@ -310,19 +309,19 @@ typedef struct {
     ssl3CipherSuite cipher_suite;
     PRUint8 policy;
     unsigned char enabled : 1;
     unsigned char isPresent : 1;
 #endif
 } ssl3CipherSuiteCfg;
 
 #ifndef NSS_DISABLE_ECC
-#define ssl_V3_SUITES_IMPLEMENTED 75
+#define ssl_V3_SUITES_IMPLEMENTED 68
 #else
-#define ssl_V3_SUITES_IMPLEMENTED 42
+#define ssl_V3_SUITES_IMPLEMENTED 39
 #endif /* NSS_DISABLE_ECC */
 
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
 
 /* MAX_SIGNATURE_ALGORITHMS allows for a large number of combinations of
  * SSLSignType and SSLHashType, but not all combinations (specifically, this
  * doesn't allow space for combinations with MD5). */
 #define MAX_SIGNATURE_ALGORITHMS 15
@@ -464,17 +463,16 @@ typedef enum {
     cipher_des40,
     cipher_idea,
     cipher_aes_128,
     cipher_aes_256,
     cipher_camellia_128,
     cipher_camellia_256,
     cipher_seed,
     cipher_aes_128_gcm,
-    cipher_aes_256_gcm,
     cipher_chacha20,
     cipher_missing /* reserved for no such supported cipher */
     /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
 } SSL3BulkCipher;
 
 typedef enum { type_stream,
                type_block,
                type_aead } CipherType;
@@ -715,17 +713,16 @@ struct sslSessionIDStr {
     } u;
 };
 
 typedef struct ssl3CipherSuiteDefStr {
     ssl3CipherSuite cipher_suite;
     SSL3BulkCipher bulk_cipher_alg;
     SSL3MACAlgorithm mac_alg;
     SSL3KeyExchangeAlgorithm key_exchange_alg;
-    SSLHashType prf_hash;
 } ssl3CipherSuiteDef;
 
 /*
 ** There are tables of these, all const.
 */
 typedef struct {
     /* An identifier for this struct. */
     SSL3KeyExchangeAlgorithm kea;
--- a/lib/ssl/sslinfo.c
+++ b/lib/ssl/sslinfo.c
@@ -184,17 +184,16 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc
 #define B_SJ 96, 80, 80
 #define B_DES 64, 56, 56
 #define B_56 128, 56, 56
 #define B_40 128, 40, 40
 #define B_0 0, 0, 0
 
 /* "mac algorithm" and size */
 #define M_AEAD_128 "AEAD", ssl_mac_aead, 128
-#define M_SHA384 "SHA384", ssl_hmac_sha384, 384
 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256
 #define M_SHA "SHA1", ssl_mac_sha, 160
 #define M_MD5 "MD5", ssl_mac_md5, 128
 #define M_NULL "NULL", ssl_mac_null, 0
 
 /* flags */
 #define F_FIPS_STD 1, 0, 0, 0
 #define F_FIPS_NSTD 1, 0, 1, 0
@@ -279,25 +278,17 @@ static const SSLCipherSuiteInfo suiteInf
 
     { 0, CS(ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, F_NFIPS_STD, A_RSAS },
     { 0, CS(ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, F_NFIPS_STD, A_RSAS },
     { 0, CS(ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDHE, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_RSAS },
     { 0, CS(ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_SHA, F_FIPS_STD, A_RSAS },
     { 0, CS(ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, F_FIPS_STD, A_RSAS },
     { 0, CS(ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, F_FIPS_STD, A_RSAS },
     { 0, CS(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, F_NFIPS_STD, A_RSAS },
-    { 0, CS(ECDHE_RSA_WITH_AES_256_CBC_SHA384),  S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_RSAS },
-    { 0, CS(ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_ECDSA },
-    { 0, CS(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_ECDSA },
-    { 0, CS(ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAS },
 #endif /* NSS_DISABLE_ECC */
-
-    { 0, CS(DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_DSA },
-    { 0, CS(DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAS },
-    { 0, CS(RSA_WITH_AES_256_GCM_SHA384),     S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAD }
 };
 
 #define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0]))
 
 SECStatus
 SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
                        SSLCipherSuiteInfo *info, PRUintn len)
 {
--- a/lib/ssl/sslproto.h
+++ b/lib/ssl/sslproto.h
@@ -159,21 +159,18 @@
 #define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA    0x0086
 #define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA   0x0087
 #define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA   0x0088
 #define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA   0x0089
 
 #define TLS_RSA_WITH_SEED_CBC_SHA               0x0096
 
 #define TLS_RSA_WITH_AES_128_GCM_SHA256         0x009C
-#define TLS_RSA_WITH_AES_256_GCM_SHA384         0x009D
 #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     0x009E
-#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     0x009F
 #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     0x00A2
-#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     0x00A3
 
 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
  * Must NEVER be chosen by server.  SSL 3.0 server acknowledges by sending
  * back an empty Renegotiation Info (RI) server hello extension.
  */
 #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV       0x00FF
 
 /* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a
@@ -210,25 +207,21 @@
 
 #define TLS_ECDH_anon_WITH_NULL_SHA             0xC015
 #define TLS_ECDH_anon_WITH_RC4_128_SHA          0xC016
 #define TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     0xC017
 #define TLS_ECDH_anon_WITH_AES_128_CBC_SHA      0xC018
 #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA      0xC019
 
 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
-#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   0xC027
-#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   0xC028
 
 #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
-#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
 #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256  0xC02D
 #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC02F
-#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   0xC030
 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256    0xC031
 
 #define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xCCA8
 #define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
 #define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCCAA
 
 /* Experimental PSK support for [draft-mattsson-tls-ecdhe-psk-aead] */
 #define TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256   0xD001
--- a/lib/ssl/sslt.h
+++ b/lib/ssl/sslt.h
@@ -125,18 +125,17 @@ typedef enum {
 
 typedef enum {
     ssl_mac_null = 0,
     ssl_mac_md5 = 1,
     ssl_mac_sha = 2,
     ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
     ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
     ssl_hmac_sha256 = 5,
-    ssl_mac_aead = 6,
-    ssl_hmac_sha384 = 7
+    ssl_mac_aead = 6
 } SSLMACAlgorithm;
 
 typedef enum {
     ssl_compression_null = 0,
     ssl_compression_deflate = 1 /* RFC 3749 */
 } SSLCompressionMethod;
 
 typedef struct SSLExtraServerCertDataStr {
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -232,62 +232,31 @@ tls13_CheckHsState(sslSocket *ss, int er
                 func, file, line));
     tls13_FatalError(ss, err, unexpected_message);
     return SECFailure;
 }
 
 SSLHashType
 tls13_GetHash(sslSocket *ss)
 {
-    /* All TLS 1.3 cipher suites must have an explict PRF hash. */
-    PORT_Assert(ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none);
-    return ss->ssl3.hs.suite_def->prf_hash;
-}
-
-unsigned int
-tls13_GetHashSize(sslSocket *ss)
-{
-    switch (tls13_GetHash(ss)) {
-        case ssl_hash_sha256:
-            return 32;
-        case ssl_hash_sha384:
-            return 48;
-        default:
-            PORT_Assert(0);
-            return ssl_hash_sha256;
-    }
+    /* TODO(ekr@rtfm.com): This needs to actually be looked up. */
     return ssl_hash_sha256;
 }
 
 CK_MECHANISM_TYPE
 tls13_GetHkdfMechanism(sslSocket *ss)
 {
-    switch (tls13_GetHash(ss)) {
-        case ssl_hash_sha256:
-            return CKM_NSS_HKDF_SHA256;
-        case ssl_hash_sha384:
-            return CKM_NSS_HKDF_SHA384;
-        default:
-            /*PORT_Assert(0);*/
-            return CKM_NSS_HKDF_SHA256;
-    }
+    /* TODO(ekr@rtfm.com): This needs to actually be looked up. */
     return CKM_NSS_HKDF_SHA256;
 }
 
 static CK_MECHANISM_TYPE
 tls13_GetHmacMechanism(sslSocket *ss)
 {
-    switch (tls13_GetHash(ss)) {
-        case ssl_hash_sha256:
-            return CKM_SHA256_HMAC;
-        case ssl_hash_sha384:
-            return CKM_SHA384_HMAC;
-        default:
-            PORT_Assert(0);
-    }
+    /* TODO(ekr@rtfm.com): This needs to actually be looked up. */
     return CKM_SHA256_HMAC;
 }
 
 /*
  * Called from ssl3_SendClientHello
  */
 SECStatus
 tls13_SetupClientHello(sslSocket *ss)
@@ -376,19 +345,17 @@ tls13_HandlePostHelloHandshakeMessage(ss
 }
 
 static SECStatus
 tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid)
 {
     PK11SymKey *wrapKey; /* wrapping key */
     PK11SymKey *SS = NULL;
     SECItem wrappedMS = { siBuffer, NULL, 0 };
-    SSLHashType hashType;
     SECStatus rv;
-
     SSL_TRC(3, ("%d: TLS13[%d]: recovering static secret (%s)",
                 SSL_GETPID(), ss->fd,
                 ss->sec.isServer ? "server" : "client"));
     if (!sid->u.ssl3.keys.msIsWrapped) {
         PORT_Assert(0); /* I think this can't happen. */
         return SECFailure;
     }
 
@@ -418,22 +385,21 @@ tls13_RecoverWrappedSharedSecret(sslSock
     if (!wrapKey) {
         return SECFailure;
     }
 
     wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
     wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
 
     /* unwrap the "master secret" which becomes SS. */
-    hashType = tls13_GetHash(ss);
-    PORT_Assert(hashType == ssl_hash_sha256 || hashType == ssl_hash_sha384);
+    PORT_Assert(tls13_GetHash(ss) == ssl_hash_sha256);
     SS = PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
                                     NULL, &wrappedMS,
                                     CKM_SSL3_MASTER_KEY_DERIVE,
-                                    CKA_DERIVE, hashType,
+                                    CKA_DERIVE, 32,
                                     CKF_SIGN | CKF_VERIFY);
     PK11_FreeSymKey(wrapKey);
     if (!SS) {
         return SECFailure;
     }
     PRINT_KEY(50, (ss, "Recovered static secret", SS));
     rv = tls13_HkdfExtractSharedKey(ss, SS, StaticSharedSecret);
     PK11_FreeSymKey(SS);
@@ -480,22 +446,19 @@ tls13_AllowPskCipher(const sslSocket *ss
             sid->u.ssl3.cipherSuite);
         PORT_Assert(cached_cipher_def);
 
         /* Only offer a PSK cipher with the same symmetric parameters
          * as we negotiated before. */
         if (cached_cipher_def->bulk_cipher_alg !=
             cipher_def->bulk_cipher_alg)
             return PR_FALSE;
-
-        /* PSK cipher must have the same PSK hash as was negotiated before. */
-        if (cipher_def->prf_hash != cached_cipher_def->prf_hash) {
-            return PR_FALSE;
-        }
     }
+    /* TODO(ekr@rtfm.com): Check the KDF code whenever we have
+     * adjustable KDFs. */
     SSL_TRC(3, ("%d: TLS 1.3[%d]: Enabling cipher suite suite 0x%04x",
                 SSL_GETPID(), ss->fd,
                 cipher_def->cipher_suite));
 
     return PR_TRUE;
 }
 
 /* Check whether resumption-PSK is allowed. */
@@ -1368,18 +1331,23 @@ tls13_AddContextToHashes(sslSocket *ss, 
         0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
     };
     const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify";
     const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify";
     const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_verify_string
                                                               : server_cert_verify_string;
     unsigned int hashlength;
 
-    /* Double check that we are doing the same hash.*/
-    PORT_Assert(hashes->len == tls13_GetHashSize(ss));
+    /* Double check that we are doing SHA-256 for the handshake hash.*/
+    PORT_Assert(hashes->hashAlg == ssl_hash_sha256);
+    if (hashes->hashAlg != ssl_hash_sha256) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    PORT_Assert(hashes->len == 32);
 
     ctx = PK11_CreateDigestContext(ssl3_TLSHashAlgorithmToOID(algorithm));
     if (!ctx) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         goto loser;
     }
 
     PORT_Assert(SECFailure);
@@ -1622,37 +1590,40 @@ tls13_ComputeHandshakeHashes(sslSocket *
                              SSL3Hashes *hashes)
 {
     SECStatus rv;
     PK11Context *ctx = NULL;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     /* TODO(ekr@rtfm.com): This first clause is futureproofing for
      * 0-RTT. */
-    PORT_Assert(ss->ssl3.hs.hashType != handshake_hash_unknown);
-    ctx = PK11_CloneContext(ss->ssl3.hs.sha);
-    if (!ctx) {
-        ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-        return SECFailure;
+    if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
+        PORT_Assert(0);
+    } else {
+        ctx = PK11_CloneContext(ss->ssl3.hs.sha);
+        if (!ctx) {
+            ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+            return SECFailure;
+        }
     }
 
     rv = PK11_DigestFinal(ctx, hashes->u.raw, &hashes->len,
                           sizeof(hashes->u.raw));
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
         goto loser;
     }
 
     PRINT_BUF(10, (NULL, "Handshake hash computed ",
                    hashes->u.raw, hashes->len));
 
     /* If we ever support ciphersuites where the PRF hash isn't SHA-256
      * then this will need to be updated. */
-    PORT_Assert(hashes->len == tls13_GetHashSize(ss));
-    hashes->hashAlg = tls13_GetHash(ss);
+    PORT_Assert(hashes->len == 32);
+    hashes->hashAlg = ssl_hash_sha256;
 
     PK11_DestroyContext(ctx, PR_TRUE);
     return SECSuccess;
 
 loser:
     PK11_DestroyContext(ctx, PR_TRUE);
     return SECFailure;
 }
--- a/lib/ssl/tls13hkdf.c
+++ b/lib/ssl/tls13hkdf.c
@@ -92,20 +92,17 @@ SECStatus
 tls13_HkdfExpandLabel(PK11SymKey *prk, SSLHashType baseHash,
                       const PRUint8 *handshakeHash, unsigned int handshakeHashLen,
                       const char *label, unsigned int labelLen,
                       CK_MECHANISM_TYPE algorithm, unsigned int keySize,
                       PK11SymKey **keyp)
 {
     CK_NSS_HKDFParams params;
     SECItem paramsi = { siBuffer, NULL, 0 };
-    /* Size of info array needs to be big enough to hold the maximum Prefix,
-     * Label, plus HandshakeHash. If it's ever to small, the code will abort.
-     */
-    PRUint8 info[110];
+    PRUint8 info[100];
     PRUint8 *ptr = info;
     unsigned int infoLen;
     PK11SymKey *derived;
     const char *kLabelPrefix = "TLS 1.3, ";
     const unsigned int kLabelPrefixLen = strlen(kLabelPrefix);
 
     if (handshakeHash) {
         PORT_Assert(handshakeHashLen == kTlsHkdfInfo[baseHash].hashSize);
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -78,31 +78,24 @@ ssl_init()
 
   fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
   #fileout=1
   #verbose="-v" #FIXME - see where this is usefull
 
   USER_NICKNAME=TestUser
   NORM_EXT=""
 
-  EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D"
-  EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027"
-  EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA"
-
-  NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
-  NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdefgijklmnvyz"
-
   if [ -z "$NSS_DISABLE_ECC" ] ; then
       ECC_STRING=" - with ECC"
       # List of cipher suites to test, including ECC cipher suites.
-      CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
+      CIPHER_SUITES="-c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
   else
       ECC_STRING=""
       # List of cipher suites to test, excluding ECC cipher suites.
-      CIPHER_SUITES="-c ${NON_EC_SUITES}"
+      CIPHER_SUITES="-c :0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2:CCAAcdefgijklmnvyz"
   fi
 
   if [ "${OS_ARCH}" != "WINNT" ]; then
       ulimit -n 1000 # make sure we have enough file descriptors
   fi
 
   cd ${CLIENTDIR}
 }
--- a/tests/ssl/sslcov.txt
+++ b/tests/ssl/sslcov.txt
@@ -16,19 +16,16 @@
   noECC  SSL3   j    SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
   noECC  SSL3   k    SSL3_RSA_FIPS_WITH_DES_CBC_SHA
   noECC  SSL3   l    SSL3_RSA_EXPORT_WITH_DES_CBC_SHA   (new)
   noECC  SSL3   m    SSL3_RSA_EXPORT_WITH_RC4_56_SHA    (new)
   noECC  SSL3   n    SSL3_RSA_WITH_RC4_128_SHA
   noECC  SSL3   v    SSL3_RSA_WITH_AES_128_CBC_SHA
   noECC  SSL3   y    SSL3_RSA_WITH_AES_256_CBC_SHA
   noECC  SSL3   z    SSL3_RSA_WITH_NULL_SHA
-  noECC  TLS12 :009F  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-  noECC  TLS12 :00A3  TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
-  noECC  TLS12 :009D  TLS_RSA_WITH_AES_256_GCM_SHA384
 #  noECC  SSL3  :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
 #  noECC  SSL3  :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 #
   noECC  TLS10   c    TLS_RSA_WITH_RC4_128_MD5
   noECC  TLS10   d    TLS_RSA_WITH_3DES_EDE_CBC_SHA
   noECC  TLS10   e    TLS_RSA_WITH_DES_CBC_SHA
   noECC  TLS10   f    TLS_RSA_EXPORT_WITH_RC4_40_MD5
   noECC  TLS10   g    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
@@ -152,17 +149,13 @@
    ECC   TLS12  :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
    ECC   TLS12  :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
    ECC   TLS12  :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
    ECC   TLS12  :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
    ECC   TLS12  :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    ECC   TLS12  :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
    ECC   TLS12  :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ECC   TLS12  :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-   ECC   TLS12  :C024 TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    ECC   TLS12  :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-   ECC   TLS12  :C028 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    ECC   TLS12  :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-   ECC   TLS12  :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-   ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256