diff --git a/nss-3.101-fix-pkcs12-md5-decode.patch b/nss-3.101-fix-pkcs12-md5-decode.patch
new file mode 100644
index 0000000..a461852
--- /dev/null
+++ b/nss-3.101-fix-pkcs12-md5-decode.patch
@@ -0,0 +1,43 @@
+diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
+--- a/lib/util/nsshash.c
++++ b/lib/util/nsshash.c
+@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
+ SECOidTag
+ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
+ {
+ SECOidTag hashOid = SEC_OID_UNKNOWN;
+
+ switch (hmacOid) {
+ /* no oid exists for HMAC_MD2 */
+ /* NSS does not define a oid for HMAC_MD4 */
++ case SEC_OID_HMAC_MD5:
++ hashOid = SEC_OID_MD5;
++ break;
+ case SEC_OID_HMAC_SHA1:
+ hashOid = SEC_OID_SHA1;
+ break;
+ case SEC_OID_HMAC_SHA224:
+ hashOid = SEC_OID_SHA224;
+ break;
+ case SEC_OID_HMAC_SHA256:
+ hashOid = SEC_OID_SHA256;
+@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
+ SECOidTag
+ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
+ {
+ SECOidTag hmacOid = SEC_OID_UNKNOWN;
+
+ switch (hashOid) {
+ /* no oid exists for HMAC_MD2 */
+ /* NSS does not define a oid for HMAC_MD4 */
++ case SEC_OID_MD5:
++ hmacOid = SEC_OID_HMAC_MD5;
++ break;
+ case SEC_OID_SHA1:
+ hmacOid = SEC_OID_HMAC_SHA1;
+ break;
+ case SEC_OID_SHA224:
+ hmacOid = SEC_OID_HMAC_SHA224;
+ break;
+ case SEC_OID_SHA256:
+ hmacOid = SEC_OID_HMAC_SHA256;
diff --git a/nss-3.101-skip-ocsp-if-not-connected.patch b/nss-3.101-skip-ocsp-if-not-connected.patch
index ac68afe..a0101fc 100644
--- a/nss-3.101-skip-ocsp-if-not-connected.patch
+++ b/nss-3.101-skip-ocsp-if-not-connected.patch
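Review bot: In the new nss-3.101-fix-pkcs12-md5-decode.patch, the second inner hunk adds `case SEC_OID_MD5: hmacOid = SEC_OID_HMAC_MD5;` to HASH_GetHMACOidTagByHashOidTag, which is the hash-to-HMAC direction and goes beyond what the changelog's "decode" fix needs. Callers that derive an HMAC from a hash OID could now be handed HMAC-MD5 for newly produced output, depending on code not visible here. If only reading legacy PKCS #12 data is intended, consider keeping just the first hunk, or state the intent above both new cases with a comment such as `/* MD5 is mapped only so legacy PKCS #12 data can be read; algorithm policy still decides whether it is allowed */`. The patch file also carries no header naming the upstream bug or its status, which makes it harder to drop at the next rebase. Both switch statements continue outside the hunks.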
@@ -8,7 +8,7 @@ diff -up ./tests/ssl/ssl.sh.disable_ocsp_policy ./tests/ssl/ssl.sh
 + # if we are running on a build machine that can't tolerate external
 + # references don't run.
 + vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} > ${P_R_SERVERDIR}/vfy2.out 2>&1
-+ RET=$? ; cat ${P_R_SERVERDIR}/vfy2.out"
++ RET=$? ; cat "${P_R_SERVERDIR}/vfy2.out"
 + # 5961 reset by peer
 + grep 5961 ${P_R_SERVERDIR}/vfy2.out
 + GRET=$? ; echo "OCSP: RET=$RET GRET=$GRET"
diff --git a/nss.spec b/nss.spec
index 1ca04c1..f51c01c 100644
--- a/nss.spec
+++ b/nss.spec
@@ -182,6 +182,7 @@ Patch74: nss-3.90-dh-test-update.patch
 Patch75: nss-3.90-ppc_no_init.patch
 Patch76: nss-3.101-enable-kyber-policy.patch
 Patch77: nss-3.101-fix-rsa-policy-test.patch
+Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
 # RHEL-10 specific
 Patch90: nss-3.101-disable_dsa.patch
@@ -1168,6 +1169,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Thu Jul 18 2024 Bob Relyea - 3.101.0-4
+- Fix MD-5 decode issue in pkcs #12
+
 * Mon Jul 15 2024 Bob Relyea - 3.101.0-3
 - Add FIPS 140-3 defines to sec file
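Review bot: In the tests/ssl/ssl.sh hunk of nss-3.101-skip-ocsp-if-not-connected.patch, the corrected `cat` line now quotes its path, but the other three uses of `${P_R_SERVERDIR}` in the same block (the `vfyserv -d` argument, its redirect target and the `grep`) stay unquoted. A server directory containing whitespace would therefore still be split or make the redirect fail. Quoting them the same way keeps the block consistent, for example `grep 5961 "${P_R_SERVERDIR}/vfy2.out"`. The enclosing block starts and ends outside the hunk.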