Security update: use newer Mozilla Builtin-Trust store
to revoke DigiNotar.nl trust.
Security fix: the modssl ca-bundle.pl script did not process
"untrusted" marks on certificates. Drop it and write a new
script in its place that does that.
Synch up with security/nss port to 3.12.11.
Not asking for maintainer approval because of multiple
timeouts in response to related PRs vs. security/[ca_root_]nss.