diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6a73e8caa6..0327bfb3f7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -52,7 +52,6 @@
 #   HAVE_RAND_EGD: `RAND_egd` present in OpenSSL
 #   HAVE_AWSLC: OpenSSL is AWS-LC
 #   HAVE_BORINGSSL: OpenSSL is BoringSSL
-#   HAVE_PK11_CREATEMANAGEDGENERICOBJECTL: `PK11_CreateManagedGenericObject` present in NSS
 #   HAVE_SSL_CTX_SET_QUIC_METHOD: `SSL_CTX_set_quic_method` present in OpenSSL/wolfSSL
 #   HAVE_QUICHE_CONN_SET_QLOG_FD: `quiche_conn_set_qlog_fd` present in QUICHE
 #   HAVE_ZSTD_CREATEDSTREAM: `ZSTD_createDStream` present in Zstd
diff --git a/Makefile.am b/Makefile.am
index f25e4e2f0e..fa20363bdf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -43,7 +43,6 @@ CMAKE_DIST =                                    \
  CMake/FindNGHTTP2.cmake                        \
  CMake/FindNGHTTP3.cmake                        \
  CMake/FindNGTCP2.cmake                         \
- CMake/FindNSS.cmake                            \
  CMake/FindQUICHE.cmake                         \
  CMake/FindWolfSSL.cmake                        \
  CMake/FindZstd.cmake                           \
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md
index 6029378e1c..4b4560a60e 100644
--- a/docs/CIPHERS.md
+++ b/docs/CIPHERS.md
@@ -165,118 +165,6 @@ When specifying multiple cipher names, separate them with colon (`:`).
 `TLS_AES_128_CCM_8_SHA256`
 `TLS_AES_128_CCM_SHA256`
 
-## NSS
-
-### Totally insecure
-
-`rc4`
-`rc4-md5`
-`rc4export`
-`rc2`
-`rc2export`
-`des`
-`desede3`
-
-### SSL3/TLS cipher suites
-
-`rsa_rc4_128_md5`
-`rsa_rc4_128_sha`
-`rsa_3des_sha`
-`rsa_des_sha`
-`rsa_rc4_40_md5`
-`rsa_rc2_40_md5`
-`rsa_null_md5`
-`rsa_null_sha`
-`fips_3des_sha`
-`fips_des_sha`
-`fortezza`
-`fortezza_rc4_128_sha`
-`fortezza_null`
-
-### TLS 1.0 Exportable 56-bit Cipher Suites
-
-`rsa_des_56_sha`
-`rsa_rc4_56_sha`
-
-### AES ciphers
-
-`dhe_dss_aes_128_cbc_sha`
-`dhe_dss_aes_256_cbc_sha`
-`dhe_rsa_aes_128_cbc_sha`
-`dhe_rsa_aes_256_cbc_sha`
-`rsa_aes_128_sha`
-`rsa_aes_256_sha`
-
-### ECC ciphers
-
-`ecdh_ecdsa_null_sha`
-`ecdh_ecdsa_rc4_128_sha`
-`ecdh_ecdsa_3des_sha`
-`ecdh_ecdsa_aes_128_sha`
-`ecdh_ecdsa_aes_256_sha`
-`ecdhe_ecdsa_null_sha`
-`ecdhe_ecdsa_rc4_128_sha`
-`ecdhe_ecdsa_3des_sha`
-`ecdhe_ecdsa_aes_128_sha`
-`ecdhe_ecdsa_aes_256_sha`
-`ecdh_rsa_null_sha`
-`ecdh_rsa_128_sha`
-`ecdh_rsa_3des_sha`
-`ecdh_rsa_aes_128_sha`
-`ecdh_rsa_aes_256_sha`
-`ecdhe_rsa_null`
-`ecdhe_rsa_rc4_128_sha`
-`ecdhe_rsa_3des_sha`
-`ecdhe_rsa_aes_128_sha`
-`ecdhe_rsa_aes_256_sha`
-`ecdh_anon_null_sha`
-`ecdh_anon_rc4_128sha`
-`ecdh_anon_3des_sha`
-`ecdh_anon_aes_128_sha`
-`ecdh_anon_aes_256_sha`
-
-### HMAC-SHA256 cipher suites
-
-`rsa_null_sha_256`
-`rsa_aes_128_cbc_sha_256`
-`rsa_aes_256_cbc_sha_256`
-`dhe_rsa_aes_128_cbc_sha_256`
-`dhe_rsa_aes_256_cbc_sha_256`
-`ecdhe_ecdsa_aes_128_cbc_sha_256`
-`ecdhe_rsa_aes_128_cbc_sha_256`
-
-### AES GCM cipher suites in RFC 5288 and RFC 5289
-
-`rsa_aes_128_gcm_sha_256`
-`dhe_rsa_aes_128_gcm_sha_256`
-`dhe_dss_aes_128_gcm_sha_256`
-`ecdhe_ecdsa_aes_128_gcm_sha_256`
-`ecdh_ecdsa_aes_128_gcm_sha_256`
-`ecdhe_rsa_aes_128_gcm_sha_256`
-`ecdh_rsa_aes_128_gcm_sha_256`
-
-### cipher suites using SHA384
-
-`rsa_aes_256_gcm_sha_384`
-`dhe_rsa_aes_256_gcm_sha_384`
-`dhe_dss_aes_256_gcm_sha_384`
-`ecdhe_ecdsa_aes_256_sha_384`
-`ecdhe_rsa_aes_256_sha_384`
-`ecdhe_ecdsa_aes_256_gcm_sha_384`
-`ecdhe_rsa_aes_256_gcm_sha_384`
-
-### chacha20-poly1305 cipher suites
-
-`ecdhe_rsa_chacha20_poly1305_sha_256`
-`ecdhe_ecdsa_chacha20_poly1305_sha_256`
-`dhe_rsa_chacha20_poly1305_sha_256`
-
-### TLS 1.3 cipher suites
-
-`aes_128_gcm_sha_256`
-`aes_256_gcm_sha_384`
-`chacha20_poly1305_sha_256`
-
 ## GSKit
 
 Ciphers are internally defined as [numeric
diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
index 0ef75ba82f..73443dcf59 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
@@ -84,9 +84,6 @@ a TLS extension that sends the hostname to the server. The server may use that
 information to do such things as sending back a specific certificate for the
 hostname, or forwarding the request to a specific origin server. Some hostnames
 may be inaccessible if SNI is not sent.
-
-NSS: If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero,
-\fICURLOPT_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be overridden.
 .SH DEFAULT
 2
 .SH PROTOCOLS
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
index 82028bd41a..1374e42b00 100644
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -688,9 +688,6 @@ ${SIZEOF_TIME_T_CODE}
 /* If you want to build curl with the built-in manual */
 #cmakedefine USE_MANUAL 1
 
-/* if you have the PK11_CreateManagedGenericObject function */
-#cmakedefine HAVE_PK11_CREATEMANAGEDGENERICOBJECT 1
-
 /* if you want to use OpenLDAP code instead of legacy ldap implementation */
 #cmakedefine USE_OPENLDAP 1
 
diff --git a/tests/data/test1470 b/tests/data/test1470
index c9dd8f4675..30f539d4bc 100644
--- a/tests/data/test1470
+++ b/tests/data/test1470
@@ -35,7 +35,6 @@ Funny-head: yesyes
 <features>
 proxy
 unix-sockets
-!NSS
 </features>
 <server>
 https