diff --git a/pkgs/development/libraries/nss/85_security_load.patch b/pkgs/development/libraries/nss/85_security_load.patch
index 9e4be3bf282..7687ea9bedb 100644
--- a/pkgs/development/libraries/nss/85_security_load.patch
+++ b/pkgs/development/libraries/nss/85_security_load.patch
@@ -1,45 +1,45 @@
-diff -ru -x '*~' nss-3.27.1-orig/nss/cmd/shlibsign/shlibsign.c nss-3.27.1/nss/cmd/shlibsign/shlibsign.c
---- nss-3.27.1-orig/nss/cmd/shlibsign/shlibsign.c	2016-10-03 16:55:58.000000000 +0200
-+++ nss-3.27.1/nss/cmd/shlibsign/shlibsign.c	2016-11-15 16:28:07.308117900 +0100
-@@ -871,6 +871,8 @@
-     libname = PR_GetLibraryName(NULL, "softokn3");
-     assert(libname != NULL);
+diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/cmd/shlibsign/shlibsign.c nss/cmd/shlibsign/shlibsign.c
+--- nss/cmd/shlibsign/shlibsign.c	2017-01-04 15:24:24.000000000 +0100
++++ nss/cmd/shlibsign/shlibsign.c	2017-01-24 14:43:31.030420852 +0100
+@@ -875,6 +875,8 @@
+         goto cleanup;
+     }
      lib = PR_LoadLibrary(libname);
 +    if (!lib)
 +        lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so");
      assert(lib != NULL);
-     PR_FreeLibraryName(libname);
- 
-diff -ru -x '*~' nss-3.27.1-orig/nss/coreconf/config.mk nss-3.27.1/nss/coreconf/config.mk
---- nss-3.27.1-orig/nss/coreconf/config.mk	2016-10-03 16:55:58.000000000 +0200
-+++ nss-3.27.1/nss/coreconf/config.mk	2016-11-15 16:28:07.308117900 +0100
-@@ -217,3 +217,6 @@
- ifdef NSS_NO_PKCS11_BYPASS
- DEFINES += -DNO_PKCS11_BYPASS
- endif
+     if (!lib) {
+         PR_fprintf(PR_STDERR, "loading softokn3 failed");
+diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/coreconf/config.mk nss/coreconf/config.mk
+--- nss/coreconf/config.mk	2017-01-04 15:24:24.000000000 +0100
++++ nss/coreconf/config.mk	2017-01-24 14:43:47.989432372 +0100
+@@ -208,3 +208,6 @@
+ # exported symbols, which causes problem when NSS is built as part of Mozilla.
+ # So we add a NSS_SSL_ENABLE_ZLIB variable to allow Mozilla to turn this off.
+ NSS_SSL_ENABLE_ZLIB = 1
 +
 +# Nix specific stuff.
 +DEFINES += -DNIX_NSS_LIBDIR=\"$(out)/lib/\"
-diff -ru -x '*~' nss-3.27.1-orig/nss/lib/pk11wrap/pk11load.c nss-3.27.1/nss/lib/pk11wrap/pk11load.c
---- nss-3.27.1-orig/nss/lib/pk11wrap/pk11load.c	2016-10-03 16:55:58.000000000 +0200
-+++ nss-3.27.1/nss/lib/pk11wrap/pk11load.c	2016-11-15 16:28:07.308117900 +0100
-@@ -429,6 +429,13 @@
- 	 * unload the library if anything goes wrong from here on out...
- 	 */
- 	library = PR_LoadLibrary(mod->dllName);
-+	if ((library == NULL) &&
-+	    !rindex(mod->dllName, PR_GetDirectorySeparator())) {
+diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/lib/pk11wrap/pk11load.c nss/lib/pk11wrap/pk11load.c
+--- nss/lib/pk11wrap/pk11load.c	2017-01-04 15:24:24.000000000 +0100
++++ nss/lib/pk11wrap/pk11load.c	2017-01-24 14:45:06.883485652 +0100
+@@ -440,6 +440,13 @@
+          * unload the library if anything goes wrong from here on out...
+          */
+         library = PR_LoadLibrary(mod->dllName);
++        if ((library == NULL) &&
++            !rindex(mod->dllName, PR_GetDirectorySeparator())) {
 +            library = PORT_LoadLibraryFromOrigin(my_shlib_name,
-+                                      (PRFuncPtr) &softoken_LoadDSO,
-+                                      mod->dllName);
-+	}
++                (PRFuncPtr) &softoken_LoadDSO,
++                mod->dllName);
++        }
 +
- 	mod->library = (void *)library;
+         mod->library = (void *)library;
  
- 	if (library == NULL) {
-diff -ru -x '*~' nss-3.27.1-orig/nss/lib/util/secload.c nss-3.27.1/nss/lib/util/secload.c
---- nss-3.27.1-orig/nss/lib/util/secload.c	2016-10-03 16:55:58.000000000 +0200
-+++ nss-3.27.1/nss/lib/util/secload.c	2016-11-15 16:29:50.482259746 +0100
+         if (library == NULL) {
+diff -ru -x '*~' -x '*.orig' -x '*.rej' nss/lib/util/secload.c nss/lib/util/secload.c
+--- nss/lib/util/secload.c	2017-01-04 15:24:24.000000000 +0100
++++ nss/lib/util/secload.c	2017-01-24 14:43:31.030420852 +0100
 @@ -70,9 +70,14 @@
  
      /* Remove the trailing filename from referencePath and add the new one */
diff --git a/pkgs/development/libraries/nss/default.nix b/pkgs/development/libraries/nss/default.nix
index 72f57dff1ce..e1a8ca93f08 100644
--- a/pkgs/development/libraries/nss/default.nix
+++ b/pkgs/development/libraries/nss/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, nspr, perl, zlib, sqlite }:
+{ stdenv, fetchurl, fetchpatch, nspr, perl, zlib, sqlite }:
 
 let
 
@@ -9,11 +9,11 @@ let
 
 in stdenv.mkDerivation rec {
   name = "nss-${version}";
-  version = "3.27.2";
+  version = "3.28.1";
 
   src = fetchurl {
-    url = "mirror://mozilla/security/nss/releases/NSS_3_27_2_RTM/src/${name}.tar.gz";
-    sha256 = "dc8ac8524469d0230274fd13a53fdcd74efe4aa67205dde1a4a92be87dc28524";
+    url = "mirror://mozilla/security/nss/releases/NSS_3_28_1_RTM/src/${name}.tar.gz";
+    sha256 = "58cc0c05c0ed9523e6d820bea74f513538f48c87aac931876e3d3775de1a82ad";
   };
 
   buildInputs = [ nspr perl zlib sqlite ];
@@ -23,11 +23,17 @@ in stdenv.mkDerivation rec {
   '';
 
   patches =
-    [ ./nss-3.21-gentoo-fixups.patch
+    [ # FIXME: what is this patch for? Do we still need it?
+      (fetchpatch {
+        url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.28-gentoo-fixups.patch";
+        sha256 = "0z58axd1n7vq4kdp5mrb3dsg6di39a1g40s3shl6n2dzs14c1y2q";
+      })
       # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
       ./85_security_load.patch
     ];
 
+  patchFlags = "-p0";
+
   postPatch = ''
     # Fix up the patch from Gentoo.
     sed -i \
diff --git a/pkgs/development/libraries/nss/nss-3.21-gentoo-fixups.patch b/pkgs/development/libraries/nss/nss-3.21-gentoo-fixups.patch
deleted file mode 100644
index 33819821c19..00000000000
--- a/pkgs/development/libraries/nss/nss-3.21-gentoo-fixups.patch
+++ /dev/null
@@ -1,243 +0,0 @@
-diff -urN a/nss/config/Makefile b/nss/config/Makefile
---- a/nss/config/Makefile	1969-12-31 18:00:00.000000000 -0600
-+++ b/nss/config/Makefile	2015-11-15 10:42:46.249578304 -0600
-@@ -0,0 +1,40 @@
-+CORE_DEPTH = ..
-+DEPTH      = ..
-+
-+include $(CORE_DEPTH)/coreconf/config.mk
-+
-+NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
-+PREFIX = /usr
-+
-+all: export libs
-+
-+export:
-+	# Create the nss.pc file
-+	mkdir -p $(DIST)/lib/pkgconfig
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@exec_prefix@,\$${prefix}," \
-+	    -e "s,@libdir@,\$${prefix}/lib64," \
-+	    -e "s,@includedir@,\$${prefix}/include/nss," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss.pc.in > nss.pc
-+	chmod 0644 nss.pc
-+	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
-+
-+	# Create the nss-config script
-+	mkdir -p $(DIST)/bin
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss-config.in > nss-config
-+	chmod 0755 nss-config
-+	ln -sf ../../../config/nss-config $(DIST)/bin
-+
-+libs:
-+
-+dummy: all export libs
-+
-diff -urN a/nss/config/nss-config.in b/nss/config/nss-config.in
---- a/nss/config/nss-config.in	1969-12-31 18:00:00.000000000 -0600
-+++ b/nss/config/nss-config.in	2015-11-15 10:42:46.250578304 -0600
-@@ -0,0 +1,145 @@
-+#!/bin/sh
-+
-+prefix=@prefix@
-+
-+major_version=@NSS_MAJOR_VERSION@
-+minor_version=@NSS_MINOR_VERSION@
-+patch_version=@NSS_PATCH_VERSION@
-+
-+usage()
-+{
-+	cat <<EOF
-+Usage: nss-config [OPTIONS] [LIBRARIES]
-+Options:
-+	[--prefix[=DIR]]
-+	[--exec-prefix[=DIR]]
-+	[--includedir[=DIR]]
-+	[--libdir[=DIR]]
-+	[--version]
-+	[--libs]
-+	[--cflags]
-+Dynamic Libraries:
-+	nss
-+	ssl
-+	smime
-+	nssutil
-+EOF
-+	exit $1
-+}
-+
-+if test $# -eq 0; then
-+	usage 1 1>&2
-+fi
-+
-+lib_ssl=yes
-+lib_smime=yes
-+lib_nss=yes
-+lib_nssutil=yes
-+
-+while test $# -gt 0; do
-+  case "$1" in
-+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-+  *) optarg= ;;
-+  esac
-+
-+  case $1 in
-+    --prefix=*)
-+      prefix=$optarg
-+      ;;
-+    --prefix)
-+      echo_prefix=yes
-+      ;;
-+    --exec-prefix=*)
-+      exec_prefix=$optarg
-+      ;;
-+    --exec-prefix)
-+      echo_exec_prefix=yes
-+      ;;
-+    --includedir=*)
-+      includedir=$optarg
-+      ;;
-+    --includedir)
-+      echo_includedir=yes
-+      ;;
-+    --libdir=*)
-+      libdir=$optarg
-+      ;;
-+    --libdir)
-+      echo_libdir=yes
-+      ;;
-+    --version)
-+      echo ${major_version}.${minor_version}.${patch_version}
-+      ;;
-+    --cflags)
-+      echo_cflags=yes
-+      ;;
-+    --libs)
-+      echo_libs=yes
-+      ;;
-+    ssl)
-+      lib_ssl=yes
-+      ;;
-+    smime)
-+      lib_smime=yes
-+      ;;
-+    nss)
-+      lib_nss=yes
-+      ;;
-+    nssutil)                                                      
-+      lib_nssutil=yes                                             
-+      ;;
-+    *)
-+      usage 1 1>&2
-+      ;;
-+  esac
-+  shift
-+done
-+
-+# Set variables that may be dependent upon other variables
-+if test -z "$exec_prefix"; then
-+    exec_prefix=`pkg-config --variable=exec_prefix nss`
-+fi
-+if test -z "$includedir"; then
-+    includedir=`pkg-config --variable=includedir nss`
-+fi
-+if test -z "$libdir"; then
-+    libdir=`pkg-config --variable=libdir nss`
-+fi
-+
-+if test "$echo_prefix" = "yes"; then
-+    echo $prefix
-+fi
-+
-+if test "$echo_exec_prefix" = "yes"; then
-+    echo $exec_prefix
-+fi
-+
-+if test "$echo_includedir" = "yes"; then
-+    echo $includedir
-+fi
-+
-+if test "$echo_libdir" = "yes"; then
-+    echo $libdir
-+fi
-+
-+if test "$echo_cflags" = "yes"; then
-+    echo -I$includedir
-+fi
-+
-+if test "$echo_libs" = "yes"; then
-+      libdirs=""
-+      if test -n "$lib_ssl"; then
-+	libdirs="$libdirs -lssl${major_version}"
-+      fi
-+      if test -n "$lib_smime"; then
-+	libdirs="$libdirs -lsmime${major_version}"
-+      fi
-+      if test -n "$lib_nss"; then
-+	libdirs="$libdirs -lnss${major_version}"
-+      fi
-+      if test -n "$lib_nssutil"; then
-+       libdirs="$libdirs -lnssutil${major_version}"
-+      fi
-+      echo $libdirs
-+fi      
-+
-diff -urN a/nss/config/nss.pc.in b/nss/config/nss.pc.in
---- a/nss/config/nss.pc.in	1969-12-31 18:00:00.000000000 -0600
-+++ b/nss/config/nss.pc.in	2015-11-15 10:42:46.251578304 -0600
-@@ -0,0 +1,12 @@
-+prefix=@prefix@
-+exec_prefix=@exec_prefix@
-+libdir=@libdir@
-+includedir=@includedir@
-+
-+Name: NSS
-+Description: Network Security Services
-+Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
-+Requires: nspr >= 4.8
-+Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
-+Cflags: -I${includedir}
-+
-diff -urN a/nss/Makefile b/nss/Makefile
---- a/nss/Makefile	2015-11-15 09:25:06.410786060 -0600
-+++ b/nss/Makefile	2015-11-15 10:42:46.252578304 -0600
-@@ -46,7 +46,7 @@
- # (7) Execute "local" rules. (OPTIONAL).                              #
- #######################################################################
- 
--nss_build_all: build_nspr all
-+nss_build_all: all
- 
- nss_clean_all: clobber_nspr clobber
- 
-@@ -115,12 +115,6 @@
- 	--with-dist-prefix='$(NSPR_PREFIX)' \
- 	--with-dist-includedir='$(NSPR_PREFIX)/include'
- 
--build_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
--
--clobber_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
--
- build_docs:
- 	$(MAKE) -C $(CORE_DEPTH)/doc
- 
-diff -urN a/nss/manifest.mn b/nss/manifest.mn
---- a/nss/manifest.mn	2015-11-15 09:25:06.411786060 -0600
-+++ b/nss/manifest.mn	2015-11-15 10:43:15.633576994 -0600
-@@ -10,4 +10,4 @@
- 
- RELEASE = nss
- 
--DIRS = coreconf lib cmd external_tests
-+DIRS = coreconf lib cmd config