diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
index c0eb7da53802..65181152eed6 100644
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
@@ -1,55 +1,56 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} MAINTAINER= ports-secteam@FreeBSD.org COMMENT= Root certificate bundle from the Mozilla Project LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYING USES= perl5 ssl:build USE_PERL5= build NO_ARCH= yes WRKSRC_SUBDIR= nss OPTIONS_DEFINE= ETCSYMLINK OPTIONS_DEFAULT= ETCSYMLINK OPTIONS_SUB= yes ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* CERTDIR?= share/certs PLIST_SUB+= CERTDIR=${CERTDIR} VERSION_NSS= 3.69 CERTDATA_TXT_PATH= lib/ckfw/builtins/certdata.txt BUNDLE_PROCESSOR= MAca-bundle.pl SUB_FILES= MAca-bundle.pl pkg-message SUB_LIST= VERSION_NSS=${VERSION_NSS} do-build: @${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \ ${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \ < ${WRKSRC}/${CERTDATA_TXT_PATH} > \ ${WRKDIR}/ca-root-nss.crt do-install: ${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR} ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR} ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl ${LN} -sf ../../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample ${MKDIR} ${STAGEDIR}${PREFIX}/openssl ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample do-install-ETCSYMLINK-on: ${MKDIR} ${STAGEDIR}/etc/ssl ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem .include
diff --git a/security/ca_root_nss/files/MAca-bundle.pl.in b/security/ca_root_nss/files/MAca-bundle.pl.in
index 092c2b445031..b94ca54ba2d1 100644
--- a/security/ca_root_nss/files/MAca-bundle.pl.in
+++ b/security/ca_root_nss/files/MAca-bundle.pl.in
@@ -1,221 +1,250 @@ ## ## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt ## ## Rewritten in September 2011 by Matthias Andree to heed untrust ## ## Copyright (c) 2011, 2013 Matthias Andree ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions are ## met: ## ## * Redistributions of source code must retain the above copyright ## notice, this list of conditions and the following disclaimer. ## ## * Redistributions in binary form must reproduce the above copyright ## notice, this list of conditions and the following disclaimer in the ## documentation and/or other materials provided with the distribution. ## ## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, ## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, ## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER ## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ## POSSIBILITY OF SUCH DAMAGE. 
use strict; use Carp; use MIME::Base64; # configuration print < to a (binary) string and returns it sub graboct() { my $data; while (<>) { last if /^END/; my (undef,@oct) = split /\\/; my @bin = map(chr(oct), @oct); $data .= join('', @bin); } return $data; } - sub grabcert() { my $certdata; - my $cka_label; - my $serial; + my $cka_label = ''; + my $serial = 0; + my $distrust = 0; while (<>) { chomp; last if ($_ eq ''); if (/^CKA_LABEL UTF8 "([^"]+)"/) { $cka_label = $1; } if (/^CKA_VALUE MULTILINE_OCTAL/) { $certdata = graboct(); } if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { $serial = graboct(); } + + if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) + { + my $distrust_after = graboct(); + my $time_now = timenow(); + if ($time_now >= $distrust_after) { $distrust = 1; } + if ($debug) { + printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); + } + if ($distrust) { + return undef; + } + } } return ($serial, $cka_label, $certdata); } sub grabtrust() { my $cka_label; my $serial; my $maytrust = 0; my $distrust = 0; while (<>) { chomp; last if ($_ eq ''); if (/^CKA_LABEL UTF8 "([^"]+)"/) { $cka_label = $1; } if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { $serial = graboct(); } - if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) + if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) { - if ($2 eq 'CKT_NSS_NOT_TRUSTED') { + if ($1 eq 'CKT_NSS_NOT_TRUSTED') { $distrust = 1; - } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { $maytrust = 1; - } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') { confess "Unknown trust setting on line $.:\n" . "$_\n" . 
"Script must be updated:"; } } } if (!$maytrust && !$distrust && $debug) { print STDERR "line $.: no explicit trust/distrust found for $cka_label\n"; } my $trust = ($maytrust and not $distrust); return ($serial, $cka_label, $trust); } +my $untrusted = 0; + while (<>) { if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { my ($serial, $label, $certdata) = grabcert(); if (defined $certs{$label."\0".$serial}) { warn "Certificate $label duplicated!\n"; } - $certs{$label."\0".$serial} = $certdata; + if (defined $certdata) { + $certs{$label."\0".$serial} = $certdata; + } else { # $certdata undefined? distrust_after in effect + $untrusted ++; + } } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { my ($serial, $label, $trust) = grabtrust(); if (defined $trusts{$label."\0".$serial}) { warn "Trust for $label duplicated!\n"; } $trusts{$label."\0".$serial} = $trust; } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n"; } } sub printlabel(@) { my @res = @_; - map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res; + map { s/\0.*//; s/[^[:print:]]/_/g; "\"$_\""; } @res; return wantarray ? 
@res : $res[0]; } # weed out untrusted certificates -my $untrusted = 0; foreach my $it (keys %trusts) { if (!$trusts{$it}) { if (!exists($certs{$it})) { warn "Found trust for nonexistent certificate ".printlabel($it)."\n" if $debug; } else { delete $certs{$it}; warn "Skipping untrusted ".printlabel($it)."\n" if $debug; $untrusted++; } } } print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; my $certcount = 0; foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { if (!exists($trusts{$it})) { die "Found certificate without trust block,\naborting"; } printcert("", $certs{$it}); print "\n\n\n"; $certcount++; print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug; } if ($certcount < 25) { die "Certificate count of $certcount is implausibly low.\nAbort"; } print "## Number of certificates: $certcount\n"; print STDERR "## Number of certificates: $certcount\n"; print "## End of file.\n";
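Review bot: In grabcert, the new `return undef;` inside the CKA_NSS_SERVER_DISTRUST_AFTER branch is consumed by the caller's list assignment `my ($serial, $label, $certdata) = grabcert();`, so `$serial` and `$label` come back undef as well (the skipped root can no longer be named in a message) and the object's remaining attribute lines up to the blank line are left for the main loop to swallow. Keeping the loop running and ending the sub with `return ($serial, $cka_label, $distrust ? undef : $certdata);` preserves the label and consumes the whole object, and the caller's `defined $certdata` test already handles the undef case. The comparison `$time_now >= $distrust_after` is numeric on a byte string produced by graboct(); timenow() is not visible in this hunk, so confirm both sides use the same fixed-width date layout (a string `ge` on equal-length timestamps would not depend on numeric coercion of a trailing letter), and a comment such as `# Drop the whole root once the date has passed: a PEM bundle cannot express NSS's per-certificate issued-after rule, so this errs on the conservative side` would record the intentional divergence for the next maintainer. Separately, in printlabel the bare `"\"$_\""` at the end of the void-context `map` is discarded, so labels are now returned without the quotes the old `$_ = "\"$_\""` added; if that is unintended, `my @res = map { (my $l = $_) =~ s/\0.*//; $l =~ s/[^[:print:]]/_/g; "\"$l\"" } @_;` makes the intent explicit and avoids map-for-side-effects.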