diff --git a/.gitignore b/.gitignore
index 859a2bb..21717ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,4 @@ TestUser51.cert
 /nss-3.58.tar.gz
 /nspr-4.29.tar.gz
 /nss-3.59.tar.gz
+/nss-3.60.1.tar.gz
diff --git a/nss-turn-off-expired-ocsp-cert.patch b/nss-turn-off-expired-ocsp-cert.patch
new file mode 100644
index 0000000..dfbbb50
--- /dev/null
+++ b/nss-turn-off-expired-ocsp-cert.patch
@@ -0,0 +1,19 @@
+diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
+--- a/tests/chains/scenarios/nameconstraints.cfg
++++ b/tests/chains/scenarios/nameconstraints.cfg
+@@ -159,12 +159,12 @@ verify NameConstraints.dcissblocked:x
+ verify NameConstraints.dcissallowed:x
+ result pass
+
+ # Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
+ #
+ # This tests that a non server certificate (i.e. id-kp-serverAuth
+ # not present in EKU) does *NOT* have CN treated as dnsName for
+ # purposes of Name Constraints validation
+-verify NameConstraints.ocsp1:x
+- usage 10
+- result pass
++#verify NameConstraints.ocsp1:x
++# usage 10
++# result pass
+
diff --git a/nss.spec b/nss.spec
index 3e27158..ac03dff 100644
--- a/nss.spec
+++ b/nss.spec
@@ -2,8 +2,8 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global nspr_release 9
-%global nss_version 3.59.0
+%global nspr_release 10
+%global nss_version 3.60.1
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -53,7 +53,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
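Review bot: In the new nss-turn-off-expired-ocsp-cert.patch the `NameConstraints.ocsp1` check is commented out with no explanation, either in the patch itself or next to `Patch13:` in nss.spec, so nothing records why it is off or when it can come back. The comment directly above the disabled lines says this case tests that a non-server certificate's CN is *not* treated as a dnsName for Name Constraints, so that behaviour goes unverified in the package build for as long as the patch is carried. I would add a header line to the patch and a spec comment above `Patch13:` such as `# ocsp1 test certificate has expired; drop once upstream refreshes it (<UPSTREAM-BUG-ID>)`, and list the patch in the new %changelog entry. That expiry is the reason is inferred from the patch file name only; the diff does not state it.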
@@ -64,6 +64,7 @@ Requires: nss-system-init
 Requires: p11-kit-trust
 Requires: /usr/bin/update-crypto-policies
 # for shlibsign
+BuildRequires: make
 BuildRequires: nss-softokn
 BuildRequires: sqlite-devel
 BuildRequires: zlib-devel
@@ -117,6 +118,7 @@ Patch2: nss-539183.patch
 # but it doesn't hurt to keep it.
 Patch4: iquote.patch
 Patch12: nss-signtool-format.patch
+Patch13: nss-turn-off-expired-ocsp-cert.patch
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
 Patch20: nss-gcm-param-default-pkcs11v2.patch
@@ -124,8 +126,6 @@ Patch20: nss-gcm-param-default-pkcs11v2.patch
 %endif
 # can drop this patch when the underlying btrfs/sqlite issue is solved
 Patch30: nss-fedora-btrf-sql-hack.patch
-# can drop this patch once crypto-policies has been updated
-Patch31: nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
 Patch100: nspr-config-pc.patch
 Patch101: nspr-gcc-atomics.patch
@@ -347,13 +347,13 @@ popd
 # This package fails its testsuite with LTO. Disable LTO for now
 %global _lto_cflags %{nil}
-export FREEBL_NO_DEPEND=1
+#export FREEBL_NO_DEPEND=1
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+# export FREEBL_LOWHASH=1
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
@@ -392,6 +392,8 @@ export NSS_USE_SYSTEM_SQLITE=1
 export NSS_ALLOW_SSLKEYLOGFILE=1
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
 %if %{with dbm}
 %else
 export NSS_DISABLE_DBM=1
@@ -1047,6 +1049,10 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Thu Jan 21 2021 Bob Relyea - 3.60.1-1
+- Update to NSS 3.60.1
+- Drop NODEPEND_FREEBL and LOWHASH
+
 * Fri Dec 11 2020 Bob Relyea - 3.59.0-2
 - Work around btrfs/sqlite bug
 - Disable new policy entries until crypto-polices has been updated
diff --git a/sources b/sources
index 62e2a42..d49f4c8 100644
--- a/sources
+++ b/sources
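Review bot: In the `@@ -347,13 +347,13 @@` hunk of nss.spec the two exports are commented out rather than removed, and the comment block above the second one still reads `Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets copied to dist`, which now contradicts the line it describes. Either delete both lines together with that stale block, or replace the block with the reason for the change, e.g. `# FREEBL_NO_DEPEND and FREEBL_LOWHASH are no longer set as of 3.60.1: <reason>`. If the install phase still expects nsslowhash.h in dist, confirm the header is still produced without the variable; that part of the spec lies outside the hunk.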
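Review bot: `export NSS_SEED_ONLY_DEV_URANDOM=1` in the `@@ -392,6 +392,8 @@` hunk of nss.spec changes how the built library seeds its random number generator, yet it carries no comment and is missing from the new %changelog entry. A build-time change to the entropy source should be traceable, so I would add a line above it such as `# seed the RNG from the kernel source only, not NSS's legacy system-info gathering` and a changelog bullet `- Build with NSS_SEED_ONLY_DEV_URANDOM`. As far as I know this flag also removes the fallback when the kernel source cannot be read, so it is worth confirming that seeding failure is handled acceptably in early boot and chroot environments, which this package appears to target given the dracut directory it defines.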
@@ -4,4 +4,4 @@ SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60b
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
 SHA512 (nspr-4.29.tar.gz) = ba5ac275fe0beb69d7a7674c9ee9e4429bd5761daed285edd975ccc829af30d062bf4a0f5e44361e3bd191f21b1905f96ab146d53b55324020f13ecb3c05609b
-SHA512 (nss-3.59.tar.gz) = 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
+SHA512 (nss-3.60.1.tar.gz) = ba398ddad6f90f3562a041b7fd5fc7b72eb20961cc5c1f4890c3b0d95d438404b26ae6feb54cb8c650707134479a915e1f522f0e9257bc2ede053dd0811156d5