diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 519b892686..fb05624855 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -42,7 +42,9 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages sqlite)
-  #:use-module (gnu packages time))
+  #:use-module (gnu packages time)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26))
 
 (define-public nspr
   (package
@@ -103,7 +105,7 @@ in the Mozilla clients.")
     ;; IMPORTANT: Also update and test the nss-certs package, which duplicates
     ;; version and source to avoid a top-level variable reference & module
     ;; cycle.
-    (version "3.99")
+    (version "3.101.4")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -114,11 +116,12 @@ in the Mozilla clients.")
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
+                "1sqvh49qi9vq55sbg42c5n0kz6w6ni383hgiyhaym6drsmbzb86a"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-3.56-pkgconfig.patch"
                                        "nss-getcwd-nonnull.patch"
-                                       "nss-increase-test-timeout.patch"))
+                                       "nss-increase-test-timeout.patch"
+                                       "nss-disable-broken-tests.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -177,7 +180,7 @@ in the Mozilla clients.")
           ;; around that, set the time to roughly the release date.
           (add-after 'unpack 'set-release-date
             (lambda _
-              (setenv "GUIX_NSS_RELEASE_DATE" "2024-01-23")))
+              (setenv "GUIX_NSS_RELEASE_DATE" "2025-02-05")))
           (replace 'configure
             (lambda _
               (setenv "CC" #$(cc-for-target))
@@ -257,13 +260,15 @@ in the Mozilla clients.")
     (properties '((timeout . 216000)))  ;60 hours
 
     (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
-    (synopsis "Network Security Services")
+    (synopsis "Network Security Services (ESR)")
     (description
      "Network Security Services (@dfn{NSS}) is a set of libraries designed to
 support cross-platform development of security-enabled client and server
 applications.  Applications built with NSS can support SSL v2 and v3, TLS,
 PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
-security standards.")
+security standards.
+
+This package tracks the Extended Support Release (ESR) channel.")
     (license license:mpl2.0)))
 
 ;; nss-rapid tracks the rapid release channel.  Unless your package requires a
@@ -288,7 +293,10 @@ security standards.")
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
-               "03qwl3ps3xgc9pkc07qrsa4vd2r57mjwicv3gb483gfk2ashdvxc"))))
+               "03qwl3ps3xgc9pkc07qrsa4vd2r57mjwicv3gb483gfk2ashdvxc"))
+             (patches
+              (remove (cut string-suffix? <> "nss-disable-broken-tests.patch")
+                      (origin-patches (package-source nss))))))
    (arguments
     (substitute-keyword-arguments (package-arguments nss)
       ((#:phases phases)
diff --git a/gnu/packages/patches/nss-disable-broken-tests.patch b/gnu/packages/patches/nss-disable-broken-tests.patch
new file mode 100644
index 0000000000..8d6e101471
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-broken-tests.patch
@@ -0,0 +1,33 @@
+These tests are broken in 3.101.3.
+
+See https://bugzilla.mozilla.org/show_bug.cgi?id=1964304
+
+--- nss-3.101.3/nss/tests/tools/tools.sh	1969-12-31 16:00:01.000000000 -0800
++++ nss-3.101.3/nss/tests/tools/tools.sh	2025-05-05 16:36:47.835447542 -0700
+@@ -540,26 +540,6 @@
+   ret=$?
+   html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file"
+   check_tmpfile
+-
+-  echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
+-  ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
+-  ret=$?
+-  html_msg $ret 19 "Fail to list private key with bad iterator"
+-  check_tmpfile
+-
+-  echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
+-  ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
+-  ret=$?
+-  echo "Fail to list private key with bad salt val=$ret"
+-  html_msg $ret 19 "Fail to import private key with bad salt"
+-  check_tmpfile
+-
+-  echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
+-  ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
+-  ret=$?
+-  echo "Fail to import private key with no length val=$ret"
+-  html_msg $ret 19 "Fail to import private key with no length"
+-  check_tmpfile
+ }
+ 
+ ############################## tools_p12 ###############################
\ No newline at end of file