diff --git a/nss-3.71-camellia-pkcs12-doc.patch b/nss-3.71-camellia-pkcs12-doc.patch
new file mode 100644
index 0000000..f14b5a9
--- /dev/null
+++ b/nss-3.71-camellia-pkcs12-doc.patch
@@ -0,0 +1,20 @@
+diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
+--- ./doc/pk12util.xml.camellia	2022-01-26 09:46:39.794919455 -0800
++++ ./doc/pk12util.xml	2022-01-26 09:54:58.277019760 -0800
+@@ -317,7 +317,7 @@ Certificate    Friendly Name: Thawte Fre
+ 
+   <refsection id="encryption">
+     <title>Password Encryption</title>
+-    <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
++    <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
+     <para>The private key is always protected with strong encryption by default.</para>
+     <para>Several types of ciphers are supported.</para>
+     <variablelist>
+@@ -327,6 +327,7 @@ Certificate    Friendly Name: Thawte Fre
+         <listitem>
+ 	  <itemizedlist>
+ 	    <listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
++	    <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
+ 	  </itemizedlist>
+         </listitem>
+       </varlistentry>
diff --git a/nss-3.71-fix-lto-gtests.patch b/nss-3.71-fix-lto-gtests.patch
new file mode 100644
index 0000000..462e8ad
--- /dev/null
+++ b/nss-3.71-fix-lto-gtests.patch
@@ -0,0 +1,36 @@
+diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
++++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+@@ -8,23 +8,32 @@
+ 
+ #include "prtime.h"
+ #include "secerr.h"
+ #include "ssl.h"
+ 
+ #include "gtest_utils.h"
+ #include "tls_agent.h"
+ #include "tls_connect.h"
++#define LTO
+ 
+ namespace nss_test {
+ 
++#ifndef LTO
++// sigh this construction breaks LTO
+ const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
+ const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
+ const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
+ const std::string kDCId = TlsAgent::kServerEcdsa256;
++#else
++#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
++#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
++#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
++#define kDCId  TlsAgent::kServerEcdsa256
++#endif
+ const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
+ const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
+ 
+ static void CheckPreliminaryPeerDelegCred(
+     const std::shared_ptr<TlsAgent>& client, bool expected,
+     PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) {
+   EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth));
+   EXPECT_EQ(expected, client->pre_info().peerDelegCred);
diff --git a/nss.spec b/nss.spec
index 6da4d8c..3d83be6 100644
--- a/nss.spec
+++ b/nss.spec
@@ -4,7 +4,7 @@
 # - increment %%{nspr_version}, when updating the NSS part only
 # - put the nss_release number here next to nspr, as they both
 #   need to be updated on a given release
-%global nss_release 5
+%global nss_release 6
 %global nspr_release %[ %nss_release+2]
 %global nss_version 3.71.0
 # only need to update this as we added new
@@ -146,6 +146,10 @@ Patch50:          nss-3.71-fips-module-name.patch
 # upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470
 Patch60:          nss-3.67-cve-2021-43527.patch
 Patch70:          nss-3.67-cve-2021-43527-test.patch
+# not upstreamable patch...
+Patch80:          nss-3.71-fix-lto-gtests.patch
+# camellia pkcs12 docs.
+patch85:          nss-3.71-camellia-pkcs12-doc.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -368,7 +372,7 @@ popd
 # Build NSS
 #
 # This package fails its testsuite with LTO.  Disable LTO for now
-%global _lto_cflags %{nil}
+#%%global _lto_cflags %%{nil}
 
 #export FREEBL_NO_DEPEND=1
 
@@ -1101,6 +1105,10 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Wed Jan 26 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-6
+- update pkcs12 documentation to include camellia
+- turn on lto
+
 * Wed Jan 12 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-5
 - remove old dbm files from the build