Bug 975229: Remove NSS-based certificate verification, r=keeler
authorBrian Smith <brian@briansmith.org>
Mon, 16 Jun 2014 23:13:29 -0700
changeset 189913 b3ebf7675c7bd1d85ed1b7290e1d2c3ae28a0490
parent 189912 83977d2750a225aa095b018c841d4c2169118209
child 189914 feaac6c10dc6dd76e908bdc9185cc8849bbb8595
push id26999
push userryanvm@gmail.com
push dateMon, 23 Jun 2014 14:42:40 +0000
treeherderautoland@4a7f4ed3f08b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs975229
milestone33.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 975229: Remove NSS-based certificate verification, r=keeler
netwerk/base/public/security-prefs.js
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/certverifier/ExtendedValidation.cpp
security/certverifier/ExtendedValidation.h
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/ScopedNSSTypes.h
security/manager/ssl/src/SharedCertVerifier.h
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSCallbacks.h
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/tests/unit/test_cert_eku.js
security/manager/ssl/tests/unit/test_cert_eku/generate.py
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/test_cert_signatures.js
security/manager/ssl/tests/unit/test_cert_trust.js
security/manager/ssl/tests/unit/test_cert_version.js
security/manager/ssl/tests/unit/test_certificate_usages.js
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_getchain.js
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
security/manager/ssl/tests/unit/test_ocsp_required.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
security/manager/ssl/tests/unit/test_ocsp_timeout.js
security/manager/ssl/tests/unit/test_ocsp_url.js
toolkit/components/telemetry/Histograms.json
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -49,10 +49,8 @@ pref("security.ssl3.rsa_seed_sha", false
 pref("security.default_personal_cert",   "Ask Every Time");
 pref("security.remember_cert_checkbox_default_setting", true);
 pref("security.ask_for_password",        0);
 pref("security.password_lifetime",       30);
 
 pref("security.OCSP.enabled", 1);
 pref("security.OCSP.require", false);
 pref("security.OCSP.GET.enabled", false);
-
-pref("security.use_mozillapkix_verification", true);
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -8,17 +8,16 @@
 
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "NSSErrorsService.h"
 #include "PublicKeyPinningService.h"
 #include "cert.h"
-#include "ocsp.h"
 #include "pk11pub.h"
 #include "pkix/pkix.h"
 #include "prerror.h"
 #include "secerr.h"
 #include "sslerr.h"
 
 // ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
 // mozilla::ScopedXXX.
@@ -29,31 +28,21 @@ using namespace mozilla::psm;
 PRLogModuleInfo* gCertVerifierLog = nullptr;
 #endif
 
 namespace mozilla { namespace psm {
 
 const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
 const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
 
-CertVerifier::CertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
-                           missing_cert_download_config mcdc,
-                           crl_download_config cdc,
-#endif
-                           ocsp_download_config odc,
+CertVerifier::CertVerifier(ocsp_download_config odc,
                            ocsp_strict_config osc,
                            ocsp_get_config ogc,
                            pinning_enforcement_config pel)
-  : mImplementation(ic)
-#ifndef NSS_NO_LIBPKIX
-  , mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
-  , mCRLDownloadEnabled(cdc == crl_download_allowed)
-#endif
-  , mOCSPDownloadEnabled(odc == ocsp_on)
+  : mOCSPDownloadEnabled(odc == ocsp_on)
   , mOCSPStrict(osc == ocsp_strict)
   , mOCSPGETEnabled(ogc == ocsp_get_enabled)
   , mPinningEnforcementLevel(pel)
 {
 }
 
 CertVerifier::~CertVerifier()
 {
@@ -64,47 +53,16 @@ InitCertVerifierLog()
 {
 #ifdef PR_LOGGING
   if (!gCertVerifierLog) {
     gCertVerifierLog = PR_NewLogModule("certverifier");
   }
 #endif
 }
 
-// Once we migrate to mozilla::pkix or change the overridable error
-// logic this will become unnecesary.
-static SECStatus
-insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
-                         CERTVerifyLog* verifyLog){
-  CERTVerifyLogNode* node;
-  node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
-                                              sizeof(CERTVerifyLogNode));
-  if (!node) {
-    PR_SetError(PR_UNKNOWN_ERROR, 0);
-    return SECFailure;
-  }
-  node->cert = CERT_DupCertificate(cert);
-  node->error = err;
-  node->depth = 0;
-  node->arg = nullptr;
-  //and at to head!
-  node->prev = nullptr;
-  node->next = verifyLog->head;
-  if (verifyLog->head) {
-    verifyLog->head->prev = node;
-  }
-  verifyLog->head = node;
-  if (!verifyLog->tail) {
-    verifyLog->tail = node;
-  }
-  verifyLog->count++;
-
-  return SECSuccess;
-}
-
 SECStatus
 IsCertBuiltInRoot(CERTCertificate* cert, bool& result) {
   result = false;
   ScopedPtr<PK11SlotList, PK11_FreeSlotList> slots;
   slots = PK11_GetAllSlotsForCert(cert, nullptr);
   if (!slots) {
     if (PORT_GetError() == SEC_ERROR_NO_TOKEN) {
       // no list
@@ -194,118 +152,16 @@ SECStatus chainValidationCallback(void* 
   *chainOK = PublicKeyPinningService::
     ChainHasValidPins(certList, callbackState->hostname, callbackState->time,
                       enforceTestMode);
 
   return SECSuccess;
 }
 
 static SECStatus
-ClassicVerifyCert(CERTCertificate* cert,
-                  const SECCertificateUsage usage,
-                  const PRTime time,
-                  void* pinArg,
-                  ChainValidationCallbackState* callbackState,
-                  /*optional out*/ ScopedCERTCertList* validationChain,
-                  /*optional out*/ CERTVerifyLog* verifyLog)
-{
-  SECStatus rv;
-  SECCertUsage enumUsage;
-  switch (usage) {
-    case certificateUsageSSLClient:
-      enumUsage = certUsageSSLClient;
-      break;
-    case certificateUsageSSLServer:
-      enumUsage = certUsageSSLServer;
-      break;
-    case certificateUsageSSLCA:
-      enumUsage = certUsageSSLCA;
-      break;
-    case certificateUsageEmailSigner:
-      enumUsage = certUsageEmailSigner;
-      break;
-    case certificateUsageEmailRecipient:
-      enumUsage = certUsageEmailRecipient;
-      break;
-    case certificateUsageObjectSigner:
-      enumUsage = certUsageObjectSigner;
-      break;
-    case certificateUsageVerifyCA:
-      enumUsage = certUsageVerifyCA;
-      break;
-    case certificateUsageStatusResponder:
-      enumUsage = certUsageStatusResponder;
-      break;
-    default:
-      PR_NOT_REACHED("unexpected usage");
-      PORT_SetError(SEC_ERROR_INVALID_ARGS);
-      return SECFailure;
-  }
-  if (usage == certificateUsageSSLServer) {
-    // SSL server cert verification has always used CERT_VerifyCert, so we
-    // continue to use it for SSL cert verification to minimize the risk of
-    // there being any differnce in results between CERT_VerifyCert and
-    // CERT_VerifyCertificate.
-    rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), cert, true,
-                         certUsageSSLServer, time, pinArg, verifyLog);
-  } else {
-    rv = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), cert, true,
-                                usage, time, pinArg, verifyLog, nullptr);
-  }
-
-  if (rv == SECSuccess &&
-      (validationChain || usage == certificateUsageSSLServer)) {
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
-           ("VerifyCert: getting chain in 'classic' \n"));
-    ScopedCERTCertList certChain(CERT_GetCertChainFromCert(cert, time,
-                                                           enumUsage));
-    if (!certChain) {
-      return SECFailure;
-    }
-    if (usage == certificateUsageSSLServer) {
-      PRBool chainOK = PR_FALSE;
-      SECStatus srv = chainValidationCallback(callbackState, certChain.get(),
-                                              &chainOK);
-      if (srv != SECSuccess) {
-        return srv;
-      }
-      if (chainOK != PR_TRUE) {
-        if (verifyLog) {
-          insertErrorIntoVerifyLog(cert,
-                                   PSM_ERROR_KEY_PINNING_FAILURE,
-                                   verifyLog);
-        }
-        PR_SetError(PSM_ERROR_KEY_PINNING_FAILURE, 0);
-        return SECFailure;
-      }
-    }
-    if (rv == SECSuccess && validationChain) {
-      *validationChain = certChain.release();
-    }
-  }
-
-  return rv;
-}
-
-#ifndef NSS_NO_LIBPKIX
-static void
-destroyCertListThatShouldNotExist(CERTCertList** certChain)
-{
-  PR_ASSERT(certChain);
-  PR_ASSERT(!*certChain);
-  if (certChain && *certChain) {
-    // There SHOULD not be a validation chain on failure, asserion here for
-    // the debug builds AND a fallback for production builds
-    CERT_DestroyCertList(*certChain);
-    *certChain = nullptr;
-  }
-}
-#endif
-
-static SECStatus
 BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
                              PRTime time, KeyUsage ku1, KeyUsage ku2,
                              KeyUsage ku3, KeyPurposeId eku,
                              const CertPolicyId& requiredPolicy,
                              const SECItem* stapledOCSPResponse,
                              ScopedCERTCertList& builtChain)
 {
   SECStatus rv = BuildCertChain(trustDomain, cert, time,
@@ -326,28 +182,24 @@ BuildCertChainForOneKeyUsage(TrustDomain
         PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0);
       }
     }
   }
   return rv;
 }
 
 SECStatus
-CertVerifier::MozillaPKIXVerifyCert(
-                   CERTCertificate* cert,
-                   const SECCertificateUsage usage,
-                   const PRTime time,
-                   void* pinArg,
-                   const Flags flags,
-                   ChainValidationCallbackState* callbackState,
-      /*optional*/ const SECItem* stapledOCSPResponse,
-  /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
-  /*optional out*/ SECOidTag* evOidPolicy)
+CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
+                         PRTime time, void* pinArg, const char* hostname,
+                         const Flags flags,
+            /*optional*/ const SECItem* stapledOCSPResponse,
+        /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
+        /*optional out*/ SECOidTag* evOidPolicy)
 {
-  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
+  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of VerifyCert\n"));
 
   PR_ASSERT(cert);
   PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
 
   if (validationChain) {
     *validationChain = nullptr;
   }
   if (evOidPolicy) {
@@ -355,19 +207,22 @@ CertVerifier::MozillaPKIXVerifyCert(
   }
 
   if (!cert ||
       (usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV))) {
     PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
     return SECFailure;
   }
 
+  ChainValidationCallbackState callbackState = {
+    hostname, mPinningEnforcementLevel, usage, time
+  };
   CERTChainVerifyCallback callbackContainer;
   callbackContainer.isChainValid = chainValidationCallback;
-  callbackContainer.isChainValidArg = callbackState;
+  callbackContainer.isChainValidArg = &callbackState;
 
   NSSCertDBTrustDomain::OCSPFetching ocspFetching
     = !mOCSPDownloadEnabled ||
       (flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP
     : !mOCSPStrict              ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
                                 : NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
 
   ocsp_get_config ocspGETConfig = mOCSPGETEnabled ? ocsp_get_enabled
@@ -554,378 +409,16 @@ CertVerifier::MozillaPKIXVerifyCert(
   if (validationChain && rv == SECSuccess) {
     *validationChain = builtChain.release();
   }
 
   return rv;
 }
 
 SECStatus
-CertVerifier::VerifyCert(CERTCertificate* cert,
-                         const SECCertificateUsage usage,
-                         const PRTime time,
-                         void* pinArg,
-                         const char* hostname,
-                         const Flags flags,
-                         /*optional in*/ const SECItem* stapledOCSPResponse,
-                         /*optional out*/ ScopedCERTCertList* validationChain,
-                         /*optional out*/ SECOidTag* evOidPolicy,
-                         /*optional out*/ CERTVerifyLog* verifyLog)
-{
-  ChainValidationCallbackState callbackState = { hostname,
-                                                 mPinningEnforcementLevel,
-                                                 usage,
-                                                 time };
-
-  if (mImplementation == mozillapkix) {
-    return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
-                                 &callbackState, stapledOCSPResponse,
-                                 validationChain, evOidPolicy);
-  }
-
-  if (!cert)
-  {
-    PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
-    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    return SECFailure;
-  }
-  if (validationChain) {
-    *validationChain = nullptr;
-  }
-  if (evOidPolicy) {
-    *evOidPolicy = SEC_OID_UNKNOWN;
-  }
-
-  switch(usage){
-    case certificateUsageSSLClient:
-    case certificateUsageSSLServer:
-    case certificateUsageSSLCA:
-    case certificateUsageEmailSigner:
-    case certificateUsageEmailRecipient:
-    case certificateUsageObjectSigner:
-    case certificateUsageVerifyCA:
-    case certificateUsageStatusResponder:
-      break;
-    default:
-      PORT_SetError(SEC_ERROR_INVALID_ARGS);
-      return SECFailure;
-  }
-
-  if ((flags & FLAG_MUST_BE_EV) && usage != certificateUsageSSLServer) {
-      PORT_SetError(SEC_ERROR_INVALID_ARGS);
-      return SECFailure;
-  }
-
-#ifndef NSS_NO_LIBPKIX
-  ScopedCERTCertList trustAnchors;
-  SECStatus rv;
-  SECOidTag evPolicy = SEC_OID_UNKNOWN;
-
-  // Do EV checking only for sslserver usage
-  if (usage == certificateUsageSSLServer) {
-    CertPolicyId unusedPolicyId;
-    SECStatus srv = GetFirstEVPolicy(cert, unusedPolicyId, evPolicy);
-    if (srv == SECSuccess) {
-      if (evPolicy != SEC_OID_UNKNOWN) {
-        trustAnchors = GetRootsForOid(evPolicy);
-      }
-      if (!trustAnchors) {
-        return SECFailure;
-      }
-      // pkix ignores an empty trustanchors list and
-      // decides then to use the whole set of trust in the DB
-      // so we set the evPolicy to unkown in this case
-      if (CERT_LIST_EMPTY(trustAnchors)) {
-        evPolicy = SEC_OID_UNKNOWN;
-      }
-    } else {
-      // No known EV policy found
-      if (flags & FLAG_MUST_BE_EV) {
-        PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-        return SECFailure;
-      }
-      // Do not setup EV verification params
-      evPolicy = SEC_OID_UNKNOWN;
-    }
-    if ((evPolicy == SEC_OID_UNKNOWN) && (flags & FLAG_MUST_BE_EV)) {
-      PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-      return SECFailure;
-    }
-  }
-
-  PR_ASSERT(evPolicy == SEC_OID_UNKNOWN || trustAnchors);
-
-  size_t i = 0;
-  size_t validationChainLocation = 0;
-  size_t validationTrustAnchorLocation = 0;
-  CERTValOutParam cvout[4];
-  if (verifyLog) {
-     cvout[i].type = cert_po_errorLog;
-     cvout[i].value.pointer.log = verifyLog;
-     ++i;
-  }
-  if (validationChain) {
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: setting up validation chain outparam.\n"));
-    validationChainLocation = i;
-    cvout[i].type = cert_po_certList;
-    cvout[i].value.pointer.chain = nullptr;
-    ++i;
-    validationTrustAnchorLocation = i;
-    cvout[i].type = cert_po_trustAnchor;
-    cvout[i].value.pointer.cert = nullptr;
-    ++i;
-  }
-  cvout[i].type = cert_po_end;
-
-  CERTRevocationFlags rev;
-
-  CERTRevocationMethodIndex revPreferredMethods[2];
-  rev.leafTests.preferred_methods =
-  rev.chainTests.preferred_methods = revPreferredMethods;
-
-  uint64_t revFlagsPerMethod[2];
-  rev.leafTests.cert_rev_flags_per_method =
-  rev.chainTests.cert_rev_flags_per_method = revFlagsPerMethod;
-  rev.leafTests.number_of_preferred_methods =
-  rev.chainTests.number_of_preferred_methods = 1;
-
-  rev.leafTests.number_of_defined_methods =
-  rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
-
-  const bool localOnly = flags & FLAG_LOCAL_ONLY;
-  CERTValInParam cvin[7];
-
-  // Parameters for both EV and DV validation
-  cvin[0].type = cert_pi_useAIACertFetch;
-  cvin[0].value.scalar.b = mMissingCertDownloadEnabled && !localOnly;
-  cvin[1].type = cert_pi_revocationFlags;
-  cvin[1].value.pointer.revocation = &rev;
-  cvin[2].type = cert_pi_date;
-  cvin[2].value.scalar.time = time;
-  i = 3;
-
-  CERTChainVerifyCallback callbackContainer;
-  if (usage == certificateUsageSSLServer) {
-    callbackContainer.isChainValid = chainValidationCallback;
-    callbackContainer.isChainValidArg = &callbackState;
-    cvin[i].type = cert_pi_chainVerifyCallback;
-    cvin[i].value.pointer.chainVerifyCallback = &callbackContainer;
-    ++i;
-  }
-
-  const size_t evParamLocation = i;
-
-  if (evPolicy != SEC_OID_UNKNOWN) {
-    // EV setup!
-    // XXX 859872 The current flags are not quite correct. (use
-    // of ocsp flags for crl preferences).
-    uint64_t ocspRevMethodFlags =
-      CERT_REV_M_TEST_USING_THIS_METHOD
-      | ((mOCSPDownloadEnabled && !localOnly) ?
-          CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
-      | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
-      | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
-      | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
-      | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
-      | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
-
-    rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
-    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl]
-      = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD;
-
-    rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
-    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
-      = ocspRevMethodFlags;
-
-    rev.leafTests.cert_rev_method_independent_flags =
-    rev.chainTests.cert_rev_method_independent_flags =
-      // avoiding the network is good, let's try local first
-      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
-      // is overall revocation requirement strict or relaxed?
-      |  CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
-      ;
-
-    rev.leafTests.preferred_methods[0] =
-    rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
-
-    cvin[i].type = cert_pi_policyOID;
-    cvin[i].value.arraySize = 1;
-    cvin[i].value.array.oids = &evPolicy;
-    ++i;
-    PR_ASSERT(trustAnchors);
-    cvin[i].type = cert_pi_trustAnchors;
-    cvin[i].value.pointer.chain = trustAnchors.get();
-    ++i;
-
-    cvin[i].type = cert_pi_end;
-
-    rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
-    if (rv == SECSuccess) {
-      if (evOidPolicy) {
-        *evOidPolicy = evPolicy;
-      }
-      PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
-             ("VerifyCert: successful CERT_PKIXVerifyCert(ev) \n"));
-      goto pkix_done;
-    }
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
-           ("VerifyCert: failed CERT_PKIXVerifyCert(ev)\n"));
-    if (flags & FLAG_MUST_BE_EV) {
-      return rv;
-    }
-    if (validationChain) {
-      destroyCertListThatShouldNotExist(
-        &cvout[validationChainLocation].value.pointer.chain);
-    }
-
-    if (verifyLog) {
-      // Cleanup the log so that it is ready the the next validation
-      CERTVerifyLogNode* i_node;
-      for (i_node = verifyLog->head; i_node; i_node = i_node->next) {
-         //destroy cert if any.
-         if (i_node->cert) {
-           CERT_DestroyCertificate(i_node->cert);
-         }
-         // No need to cleanup the actual nodes in the arena.
-      }
-      verifyLog->count = 0;
-      verifyLog->head = nullptr;
-      verifyLog->tail = nullptr;
-    }
-
-  }
-#endif
-
-  // If we're here, PKIX EV verification failed.
-  // If requested, don't do DV fallback.
-  if (flags & FLAG_MUST_BE_EV) {
-    PR_ASSERT(*evOidPolicy == SEC_OID_UNKNOWN);
-#ifdef NSS_NO_LIBPKIX
-    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
-#else
-    PR_SetError(PR_INVALID_STATE_ERROR, 0);
-#endif
-    return SECFailure;
-  }
-
-  if (mImplementation == classic) {
-    // XXX: we do not care about the localOnly flag (currently) as the
-    // caller that wants localOnly should disable and reenable the fetching.
-    return ClassicVerifyCert(cert, usage, time, pinArg, &callbackState,
-                             validationChain, verifyLog);
-  }
-
-#ifdef NSS_NO_LIBPKIX
-  PR_NOT_REACHED("libpkix implementation chosen but not even compiled in");
-  PR_SetError(PR_INVALID_STATE_ERROR, 0);
-  return SECFailure;
-#else
-  PR_ASSERT(mImplementation == libpkix);
-
-  // The current flags check the chain the same way as the leafs
-  rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
-  rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
-    // implicit default source - makes no sense for CRLs
-    CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
-
-    // let's not stop on fresh CRL. If OCSP is enabled, too, let's check it
-    | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
-
-    // no fresh CRL? well, let other flag decide whether to fail or not
-    | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
-
-    // testing using local CRLs is always allowed
-    | CERT_REV_M_TEST_USING_THIS_METHOD
-
-    // no local crl and don't know where to get it from? ignore
-    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
-
-    // crl download based on parameter
-    | ((mCRLDownloadEnabled && !localOnly) ?
-        CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
-    ;
-
-  rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
-  rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
-    // use OCSP
-      CERT_REV_M_TEST_USING_THIS_METHOD
-
-    // if app has a default OCSP responder configured, let's use it
-    | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
-
-    // of course OCSP doesn't work without a source. let's accept such certs
-    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
-
-    // if ocsp is required stop on lack of freshness
-    | (mOCSPStrict ?
-       CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
-
-    // ocsp success is sufficient
-    | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
-
-    // ocsp enabled controls network fetching, too
-    | ((mOCSPDownloadEnabled && !localOnly) ?
-        CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
-
-    | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
-    ;
-
-  rev.leafTests.preferred_methods[0] =
-  rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
-
-  rev.leafTests.cert_rev_method_independent_flags =
-  rev.chainTests.cert_rev_method_independent_flags =
-    // avoiding the network is good, let's try local first
-    CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
-
-  // Skip EV parameters
-  cvin[evParamLocation].type = cert_pi_end;
-
-  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: calling CERT_PKIXVerifyCert(dv) \n"));
-  rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
-
-pkix_done:
-  if (validationChain) {
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: validation chain requested\n"));
-    ScopedCERTCertificate trustAnchor(cvout[validationTrustAnchorLocation].value.pointer.cert);
-
-    if (rv == SECSuccess) {
-      if (! cvout[validationChainLocation].value.pointer.chain) {
-        PR_SetError(PR_UNKNOWN_ERROR, 0);
-        return SECFailure;
-      }
-      PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: I have a chain\n"));
-      *validationChain = cvout[validationChainLocation].value.pointer.chain;
-      if (trustAnchor) {
-        // we should only add the issuer to the chain if it is not already
-        // present. On CA cert checking, the issuer is the same cert, so in
-        // that case we do not add the cert to the chain.
-        if (!CERT_CompareCerts(trustAnchor.get(), cert)) {
-          PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert:  adding issuer to tail for display\n"));
-          // note: rv is reused to catch errors on cert creation!
-          ScopedCERTCertificate tempCert(CERT_DupCertificate(trustAnchor.get()));
-          rv = CERT_AddCertToListTail(validationChain->get(), tempCert.get());
-          if (rv == SECSuccess) {
-            tempCert.release(); // ownership traferred to validationChain
-          } else {
-            *validationChain = nullptr;
-          }
-        }
-      }
-    } else {
-      destroyCertListThatShouldNotExist(
-        &cvout[validationChainLocation].value.pointer.chain);
-    }
-  }
-
-  return rv;
-#endif
-}
-
-SECStatus
 CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
                      /*optional*/ const SECItem* stapledOCSPResponse,
                                   PRTime time,
                      /*optional*/ void* pinarg,
                                   const char* hostname,
                                   bool saveIntermediatesInPermanentDatabase,
                  /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
                  /*optional out*/ SECOidTag* evOidPolicy)
@@ -947,17 +440,17 @@ CertVerifier::VerifySSLServerCert(CERTCe
     return SECFailure;
   }
 
   // CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called
   // if VerifyCert succeeded.
   ScopedCERTCertList validationChain;
   SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
                             hostname, 0, stapledOCSPResponse, &validationChain,
-                            evOidPolicy, nullptr);
+                            evOidPolicy);
   if (rv != SECSuccess) {
     return rv;
   }
 
   rv = CERT_VerifyCertName(peerCert, hostname);
   if (rv != SECSuccess) {
     return rv;
   }
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -21,91 +21,62 @@ public:
   // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case
   static const Flags FLAG_LOCAL_ONLY;
   // Don't perform fallback DV validation on EV validation failure.
   static const Flags FLAG_MUST_BE_EV;
 
   // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
   // Only one usage per verification is supported.
   SECStatus VerifyCert(CERTCertificate* cert,
-                       const SECCertificateUsage usage,
-                       const PRTime time,
+                       SECCertificateUsage usage,
+                       PRTime time,
                        void* pinArg,
                        const char* hostname,
-                       const Flags flags = 0,
+                       Flags flags = 0,
        /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
       /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
-      /*optional out*/ SECOidTag* evOidPolicy = nullptr ,
-      /*optional out*/ CERTVerifyLog* verifyLog = nullptr);
+      /*optional out*/ SECOidTag* evOidPolicy = nullptr);
 
   SECStatus VerifySSLServerCert(
                     CERTCertificate* peerCert,
        /*optional*/ const SECItem* stapledOCSPResponse,
                     PRTime time,
        /*optional*/ void* pinarg,
                     const char* hostname,
                     bool saveIntermediatesInPermanentDatabase = false,
    /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr);
 
-
-  enum implementation_config {
-    classic = 0,
-#ifndef NSS_NO_LIBPKIX
-    libpkix = 1,
-#endif
-    mozillapkix = 2
-  };
-
   enum pinning_enforcement_config {
     pinningDisabled = 0,
     pinningAllowUserCAMITM = 1,
     pinningStrict = 2,
     pinningEnforceTestMode = 3
   };
 
   enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
   enum crl_download_config { crl_local_only = 0, crl_download_allowed };
   enum ocsp_download_config { ocsp_off = 0, ocsp_on };
   enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
   enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
 
   bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
 
-  CertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
-               missing_cert_download_config ac, crl_download_config cdc,
-#endif
-               ocsp_download_config odc, ocsp_strict_config osc,
+  CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
                ocsp_get_config ogc,
                pinning_enforcement_config pinningEnforcementLevel);
   ~CertVerifier();
 
   void ClearOCSPCache() { mOCSPCache.Clear(); }
 
-  const implementation_config mImplementation;
-#ifndef NSS_NO_LIBPKIX
-  const bool mMissingCertDownloadEnabled;
-  const bool mCRLDownloadEnabled;
-#endif
   const bool mOCSPDownloadEnabled;
   const bool mOCSPStrict;
   const bool mOCSPGETEnabled;
   const pinning_enforcement_config mPinningEnforcementLevel;
 
 private:
-  SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
-      const SECCertificateUsage usage,
-      const PRTime time,
-      void* pinArg,
-      const Flags flags,
-      ChainValidationCallbackState* callbackState,
-      /*optional*/ const SECItem* stapledOCSPResponse,
-      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
-      /*optional out*/ SECOidTag* evOidPolicy);
-
   OCSPCache mOCSPCache;
 };
 
 void InitCertVerifierLog();
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm__CertVerifier_h
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -881,65 +881,31 @@ register_oid(const SECItem* oid_item, co
   od.oid.data = oid_item->data;
   od.offset = SEC_OID_UNKNOWN;
   od.desc = oid_name;
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
-#ifndef NSS_NO_LIBPKIX
-static void
-addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
-  CERTCertTrust nssTrust;
-  if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
-    return;
-  }
-  unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
-
-  if (flags & CERTDB_TRUSTED_CA) {
-    CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
-  }
-}
-#endif
-
 static bool
 isEVPolicy(SECOidTag policyOIDTag)
 {
   for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
     nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
     if (policyOIDTag == entry.oid_tag) {
       return true;
     }
   }
 
   return false;
 }
 
 namespace mozilla { namespace psm {
 
-#ifndef NSS_NO_LIBPKIX
-CERTCertList*
-GetRootsForOid(SECOidTag oid_tag)
-{
-  CERTCertList* certList = CERT_NewCertList();
-  if (!certList)
-    return nullptr;
-
-  for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
-    nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
-    if (entry.oid_tag == oid_tag) {
-      addToCertListIfTrusted(certList, entry.cert);
-    }
-  }
-
-  return certList;
-}
-#endif
-
 bool
 CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
                                const mozilla::pkix::CertPolicyId& policy)
 {
   PR_ASSERT(cert);
   if (!cert) {
     return false;
   }
--- a/security/certverifier/ExtendedValidation.h
+++ b/security/certverifier/ExtendedValidation.h
@@ -21,15 +21,11 @@ SECStatus GetFirstEVPolicy(CERTCertifica
                            /*out*/ SECOidTag& policyOidTag);
 
 // CertIsAuthoritativeForEVPolicy does NOT evaluate whether the cert is trusted
 // or distrusted.
 bool CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
                                     const mozilla::pkix::CertPolicyId& policy);
 #endif
 
-#ifndef NSS_NO_LIBPKIX
-CERTCertList* GetRootsForOid(SECOidTag oid_tag);
-#endif
-
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm_ExtendedValidation_h
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -9,17 +9,16 @@
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "NSSErrorsService.h"
 #include "OCSPRequestor.h"
 #include "certdb.h"
 #include "mozilla/Telemetry.h"
 #include "nss.h"
-#include "ocsp.h"
 #include "pk11pub.h"
 #include "pkix/pkix.h"
 #include "prerror.h"
 #include "prmem.h"
 #include "prprf.h"
 #include "secerr.h"
 #include "secmod.h"
 
@@ -691,42 +690,16 @@ UnloadLoadableRoots(const char* modNameU
   PR_ASSERT(modNameUTF8);
   ScopedSECMODModule rootsModule(SECMOD_FindModule(modNameUTF8));
 
   if (rootsModule) {
     SECMOD_UnloadUserModule(rootsModule.get());
   }
 }
 
-void
-SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
-                       CertVerifier::ocsp_strict_config strict,
-                       CertVerifier::ocsp_get_config get)
-{
-  CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-  if (enabled == CertVerifier::ocsp_off) {
-    CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
-  } else {
-    CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-  }
-
-  SEC_OcspFailureMode failureMode = strict == CertVerifier::ocsp_strict
-                                  ? ocspMode_FailureIsVerificationFailure
-                                  : ocspMode_FailureIsNotAVerificationFailure;
-  (void) CERT_SetOCSPFailureMode(failureMode);
-
-  CERT_ForcePostMethodForOCSP(get != CertVerifier::ocsp_get_enabled);
-
-  uint32_t OCSPTimeoutSeconds = 3u;
-  if (strict == CertVerifier::ocsp_strict) {
-    OCSPTimeoutSeconds = 10u;
-  }
-  CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
-}
-
 char*
 DefaultServerNicknameForCert(CERTCertificate* cert)
 {
   char* nickname = nullptr;
   int count;
   bool conflict;
   char* servername = nullptr;
 
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -27,24 +27,16 @@ void PORT_Free_string(char* str);
 //
 // The modNameUTF8 parameter should usually be
 // BUILTIN_ROOTS_MODULE_DEFAULT_NAME.
 SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
                             const char* modNameUTF8);
 
 void UnloadLoadableRoots(const char* modNameUTF8);
 
-// Controls the OCSP fetching behavior of the classic verification mode. In the
-// classic mode, the OCSP fetching behavior is set globally instead of per
-// validation.
-void
-SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
-                       CertVerifier::ocsp_strict_config strict,
-                       CertVerifier::ocsp_get_config get);
-
 // Caller must free the result with PR_Free
 char* DefaultServerNicknameForCert(CERTCertificate* cert);
 
 void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
 
 class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
 {
 
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -100,17 +100,16 @@
 #include "CertVerifier.h"
 #include "CryptoTask.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsIBadCertListener2.h"
 #include "nsICertOverrideService.h"
 #include "nsISiteSecurityService.h"
 #include "nsNSSComponent.h"
-#include "nsNSSCleaner.h"
 #include "nsRecentBadCerts.h"
 #include "nsNSSIOLayer.h"
 #include "nsNSSShutDown.h"
 
 #include "mozilla/Assertions.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/unused.h"
@@ -122,29 +121,25 @@
 #include "PSMRunnable.h"
 #include "SharedSSLState.h"
 #include "nsContentUtils.h"
 
 #include "ssl.h"
 #include "secerr.h"
 #include "secport.h"
 #include "sslerr.h"
-#include "ocsp.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 namespace {
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
-
 // do not use a nsCOMPtr to avoid static initializer/destructor
 nsIThreadPool* gCertVerificationThreadPool = nullptr;
 
 // We avoid using a mutex for the success case to avoid lock-related
 // performance issues. However, we do use a lock in the error case to simplify
 // the code, since performance in the error case is not important.
 Mutex* gSSLVerificationTelemetryMutex = nullptr;
 
@@ -306,23 +301,22 @@ MapCertErrorToProbeValue(PRErrorCode err
     case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
   }
   NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
              "handle everything in PRErrorCodeToOverrideType?");
   return 0;
 }
 
 SECStatus
-MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
-                                       const char* hostName, PRTime now,
-                                       PRErrorCode defaultErrorCodeToReport,
-                                       /*out*/ uint32_t& collectedErrors,
-                                       /*out*/ PRErrorCode& errorCodeTrust,
-                                       /*out*/ PRErrorCode& errorCodeMismatch,
-                                       /*out*/ PRErrorCode& errorCodeExpired)
+DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
+                            PRTime now, PRErrorCode defaultErrorCodeToReport,
+                            /*out*/ uint32_t& collectedErrors,
+                            /*out*/ PRErrorCode& errorCodeTrust,
+                            /*out*/ PRErrorCode& errorCodeMismatch,
+                            /*out*/ PRErrorCode& errorCodeExpired)
 {
   MOZ_ASSERT(cert);
   MOZ_ASSERT(hostName);
   MOZ_ASSERT(collectedErrors == 0);
   MOZ_ASSERT(errorCodeTrust == 0);
   MOZ_ASSERT(errorCodeMismatch == 0);
   MOZ_ASSERT(errorCodeExpired == 0);
 
@@ -543,139 +537,16 @@ CertErrorRunnable::RunOnTargetThread()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
   mResult = CheckCertOverrides();
 
   MOZ_ASSERT(mResult);
 }
 
-// Converts a PRErrorCode into one of
-//   nsICertOverrideService::ERROR_UNTRUSTED,
-//   nsICertOverrideService::ERROR_MISMATCH,
-//   nsICertOverrideService::ERROR_TIME
-// if the given error code is an overridable error.
-// If it is not, then 0 is returned.
-uint32_t
-PRErrorCodeToOverrideType(PRErrorCode errorCode)
-{
-  switch (errorCode)
-  {
-    case SEC_ERROR_UNKNOWN_ISSUER:
-    case SEC_ERROR_UNTRUSTED_ISSUER:
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-    case SEC_ERROR_UNTRUSTED_CERT:
-    case SEC_ERROR_INADEQUATE_KEY_USAGE:
-    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
-      // We group all these errors as "cert not trusted"
-      return nsICertOverrideService::ERROR_UNTRUSTED;
-    case SSL_ERROR_BAD_CERT_DOMAIN:
-      return nsICertOverrideService::ERROR_MISMATCH;
-    case SEC_ERROR_EXPIRED_CERTIFICATE:
-      return nsICertOverrideService::ERROR_TIME;
-    default:
-      return 0;
-  }
-}
-
-SECStatus
-NSSDetermineCertOverrideErrors(CertVerifier& certVerifier,
-                               CERTCertificate* cert,
-                               const SECItem* stapledOCSPResponse,
-                               TransportSecurityInfo* infoObject,
-                               PRTime now,
-                               PRErrorCode defaultErrorCodeToReport,
-                               /*out*/ uint32_t& collectedErrors,
-                               /*out*/ PRErrorCode& errorCodeTrust,
-                               /*out*/ PRErrorCode& errorCodeMismatch,
-                               /*out*/ PRErrorCode& errorCodeExpired)
-{
-  MOZ_ASSERT(cert);
-  MOZ_ASSERT(infoObject);
-  MOZ_ASSERT(defaultErrorCodeToReport != 0);
-  MOZ_ASSERT(collectedErrors == 0);
-  MOZ_ASSERT(errorCodeTrust == 0);
-  MOZ_ASSERT(errorCodeMismatch == 0);
-  MOZ_ASSERT(errorCodeExpired == 0);
-
-  if (defaultErrorCodeToReport == 0) {
-    NS_ERROR("No error code set during certificate validation failure.");
-    PR_SetError(PR_INVALID_STATE_ERROR, 0);
-    return SECFailure;
-  }
-
-  // We only allow overrides for certain errors. Return early if the error
-  // is not one of them. This is to avoid doing revocation fetching in the
-  // case of OCSP stapling and probably for other reasons.
-  if (PRErrorCodeToOverrideType(defaultErrorCodeToReport) == 0) {
-    PR_SetError(defaultErrorCodeToReport, 0);
-    return SECFailure;
-  }
-
-  PLArenaPool* log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena);
-  if (!log_arena) {
-    NS_ERROR("PORT_NewArena failed");
-    return SECFailure; // PORT_NewArena set error code
-  }
-
-  CERTVerifyLog* verify_log = PORT_ArenaZNew(log_arena, CERTVerifyLog);
-  if (!verify_log) {
-    NS_ERROR("PORT_ArenaZNew failed");
-    return SECFailure; // PORT_ArenaZNew set error code
-  }
-  CERTVerifyLogContentsCleaner verify_log_cleaner(verify_log);
-  verify_log->arena = log_arena;
-
-  // We ignore the result code of the cert verification (i.e. VerifyCert's rv)
-  // Either it is a failure, which is expected, and we'll process the
-  //                         verify log below.
-  // Or it is a success, then a domain mismatch is the only
-  //                     possible failure.
-  // XXX TODO: convert to VerifySSLServerCert
-  // XXX TODO: get rid of error log
-  certVerifier.VerifyCert(cert, certificateUsageSSLServer,
-                          now, infoObject, infoObject->GetHostNameRaw(),
-                          0, stapledOCSPResponse, nullptr, nullptr, verify_log);
-
-  // Check the name field against the desired hostname.
-  if (CERT_VerifyCertName(cert, infoObject->GetHostNameRaw()) != SECSuccess) {
-    collectedErrors |= nsICertOverrideService::ERROR_MISMATCH;
-    errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN;
-  }
-
-  CERTVerifyLogNode* i_node;
-  for (i_node = verify_log->head; i_node; i_node = i_node->next) {
-    uint32_t overrideType = PRErrorCodeToOverrideType(i_node->error);
-    // If this isn't an overridable error, set the error and return.
-    if (overrideType == 0) {
-      PR_SetError(i_node->error, 0);
-      return SECFailure;
-    }
-    collectedErrors |= overrideType;
-    if (overrideType == nsICertOverrideService::ERROR_UNTRUSTED) {
-      if (errorCodeTrust == 0) {
-        errorCodeTrust = i_node->error;
-      }
-    } else if (overrideType == nsICertOverrideService::ERROR_MISMATCH) {
-      if (errorCodeMismatch == 0) {
-        errorCodeMismatch = i_node->error;
-      }
-    } else if (overrideType == nsICertOverrideService::ERROR_TIME) {
-      if (errorCodeExpired == 0) {
-        errorCodeExpired = i_node->error;
-      }
-    } else {
-      MOZ_CRASH("unexpected return value from PRErrorCodeToOverrideType");
-    }
-  }
-
-  return SECSuccess;
-}
-
 // Returns null with the error code (PR_GetError()) set if it does not create
 // the CertErrorRunnable.
 CertErrorRunnable*
 CreateCertErrorRunnable(CertVerifier& certVerifier,
                         PRErrorCode defaultErrorCodeToReport,
                         TransportSecurityInfo* infoObject,
                         CERTCertificate* cert,
                         const SECItem* stapledOCSPResponse,
@@ -685,47 +556,20 @@ CreateCertErrorRunnable(CertVerifier& ce
 {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
 
   uint32_t collected_errors = 0;
   PRErrorCode errorCodeTrust = 0;
   PRErrorCode errorCodeMismatch = 0;
   PRErrorCode errorCodeExpired = 0;
-
-  SECStatus rv;
-  switch (certVerifier.mImplementation) {
-    case CertVerifier::classic:
-#ifndef NSS_NO_LIBPKIX
-    case CertVerifier::libpkix:
-#endif
-      rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
-                                          infoObject, now,
-                                          defaultErrorCodeToReport,
-                                          collected_errors, errorCodeTrust,
-                                          errorCodeMismatch, errorCodeExpired);
-      break;
-
-    case CertVerifier::mozillapkix:
-      rv = MozillaPKIXDetermineCertOverrideErrors(cert,
-                                                  infoObject->GetHostNameRaw(),
-                                                  now, defaultErrorCodeToReport,
-                                                  collected_errors,
-                                                  errorCodeTrust,
-                                                  errorCodeMismatch,
-                                                  errorCodeExpired);
-      break;
-
-    default:
-      MOZ_CRASH("unexpected CertVerifier implementation");
-      PR_SetError(defaultErrorCodeToReport, 0);
-      return nullptr;
-
-  }
-  if (rv != SECSuccess) {
+  if (DetermineCertOverrideErrors(cert, infoObject->GetHostNameRaw(), now,
+                                  defaultErrorCodeToReport, collected_errors,
+                                  errorCodeTrust, errorCodeMismatch,
+                                  errorCodeExpired) != SECSuccess) {
     return nullptr;
   }
 
   RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert));
   if (!nssCert) {
     NS_ERROR("nsNSSCertificate::Create failed");
     PR_SetError(SEC_ERROR_NO_MEMORY, 0);
     return nullptr;
@@ -901,67 +745,16 @@ AuthCertificate(CertVerifier& certVerifi
                 CERTCertificate* cert, SECItem* stapledOCSPResponse,
                 uint32_t providerFlags, PRTime time)
 {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
 
   SECStatus rv;
 
-  // TODO: Remove this after we switch to mozilla::pkix as the
-  // only option
-  if (certVerifier.mImplementation == CertVerifier::classic) {
-    if (stapledOCSPResponse) {
-      CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
-      rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
-                                                 stapledOCSPResponse,
-                                                 infoObject);
-      if (rv != SECSuccess) {
-        // Due to buggy servers that will staple expired OCSP responses
-        // (see for example http://trac.nginx.org/nginx/ticket/425),
-        // don't terminate the connection if the stapled response is expired.
-        // We will fall back to fetching revocation information.
-        PRErrorCode ocspErrorCode = PR_GetError();
-        if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
-          // stapled OCSP response present but invalid for some reason
-          Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
-          return rv;
-        } else {
-          // stapled OCSP response present but expired
-          Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
-        }
-      } else {
-        // stapled OCSP response present and good
-        Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
-      }
-    } else {
-      // no stapled OCSP response
-      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
-
-      uint32_t reasonsForNotFetching = 0;
-
-      char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
-      if (!ocspURI) {
-        reasonsForNotFetching |= 1; // invalid/missing OCSP URI
-      } else {
-        if (std::strncmp(ocspURI, "http://", 7)) { // approximation
-          reasonsForNotFetching |= 1; // invalid/missing OCSP URI
-        }
-        PORT_Free(ocspURI);
-      }
-
-      if (!certVerifier.mOCSPDownloadEnabled) {
-        reasonsForNotFetching |= 2;
-      }
-
-      Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH,
-                            reasonsForNotFetching);
-    }
-  }
-
   // We want to avoid storing any intermediate cert information when browsing
   // in private, transient contexts.
   bool saveIntermediates =
     !(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
 
   mozilla::pkix::ScopedCERTCertList certList;
   SECOidTag evOidPolicy;
   rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
@@ -1073,44 +866,21 @@ SSLServerCertVerificationJob::Run()
           ("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get()));
 
   PRErrorCode error;
 
   nsNSSShutDownPreventionLock nssShutdownPrevention;
   if (mInfoObject->isAlreadyShutDown()) {
     error = SEC_ERROR_USER_CANCELLED;
   } else {
-    Telemetry::ID successTelemetry;
-    Telemetry::ID failureTelemetry;
-    switch (mCertVerifier->mImplementation) {
-      case CertVerifier::classic:
-        successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
-        failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
-        break;
-      case CertVerifier::mozillapkix:
-        successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
-        failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
-        break;
-#ifndef NSS_NO_LIBPKIX
-      case CertVerifier::libpkix:
-        successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
-        failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
-        break;
-#endif
-      default:
-        MOZ_CRASH("Unknown CertVerifier mode");
-    }
+    Telemetry::ID successTelemetry
+      = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
+    Telemetry::ID failureTelemetry
+      = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
 
-    // XXX
     // Reset the error code here so we can detect if AuthCertificate fails to
     // set the error code if/when it fails.
     PR_SetError(0, 0);
     SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert.get(),
                                    mStapledOCSPResponse, mProviderFlags,
                                    mTime);
     if (rv == SECSuccess) {
       uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
--- a/security/manager/ssl/src/ScopedNSSTypes.h
+++ b/security/manager/ssl/src/ScopedNSSTypes.h
@@ -17,17 +17,16 @@
 #include "cert.h"
 #include "cms.h"
 #include "keyhi.h"
 #include "cryptohi.h"
 #include "pk11pub.h"
 #include "sechash.h"
 #include "secpkcs7.h"
 #include "prerror.h"
-#include "ocsp.h"
 
 namespace mozilla {
 
 // It is very common to cast between char* and uint8_t* when doing crypto stuff.
 // Here, we provide more type-safe wrappers around reinterpret_cast so you don't
 // shoot yourself in the foot by reinterpret_casting completely unrelated types.
 
 inline char *
@@ -78,19 +77,16 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLAT
                                           CERTCertList,
                                           CERT_DestroyCertList)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTName,
                                           CERTName,
                                           CERT_DestroyName)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames,
                                           CERTCertNicknames,
                                           CERT_FreeNicknames)
-MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTOCSPCertID,
-                                          CERTOCSPCertID,
-                                          CERT_DestroyOCSPCertID)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo,
                                           CERTSubjectPublicKeyInfo,
                                           SECKEY_DestroySubjectPublicKeyInfo)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTValidity,
                                           CERTValidity,
                                           CERT_DestroyValidity)
 
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedNSSCMSMessage,
--- a/security/manager/ssl/src/SharedCertVerifier.h
+++ b/security/manager/ssl/src/SharedCertVerifier.h
@@ -14,28 +14,19 @@ namespace mozilla { namespace psm {
 class SharedCertVerifier : public mozilla::psm::CertVerifier
 {
 protected:
   ~SharedCertVerifier();
 
 public:
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
 
-  SharedCertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
-                     missing_cert_download_config ac, crl_download_config cdc,
-#endif
-                     ocsp_download_config odc, ocsp_strict_config osc,
+  SharedCertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
                      ocsp_get_config ogc,
                      pinning_enforcement_config pinningEnforcementLevel)
-    : mozilla::psm::CertVerifier(ic,
-#ifndef NSS_NO_LIBPKIX
-                                 ac, cdc,
-#endif
-                                 odc, osc, ogc,
-                                 pinningEnforcementLevel)
+    : mozilla::psm::CertVerifier(odc, osc, ogc, pinningEnforcementLevel)
   {
   }
 };
 
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm__SharedCertVerifier_h
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -581,26 +581,16 @@ void nsNSSHttpInterface::initTable()
   v1.createFcn = createFcn;
   v1.setPostDataFcn = setPostDataFcn;
   v1.addHeaderFcn = addHeaderFcn;
   v1.trySendAndReceiveFcn = trySendAndReceiveFcn;
   v1.cancelFcn = cancelFcn;
   v1.freeFcn = freeFcn;
 }
 
-void nsNSSHttpInterface::registerHttpClient()
-{
-  SEC_RegisterDefaultHttpClient(&sNSSInterfaceTable);
-}
-
-void nsNSSHttpInterface::unregisterHttpClient()
-{
-  SEC_RegisterDefaultHttpClient(nullptr);
-}
-
 nsHTTPListener::nsHTTPListener()
 : mResultData(nullptr),
   mResultLen(0),
   mLock("nsHTTPListener.mLock"),
   mCondition(mLock, "nsHTTPListener.mCondition"),
   mWaitFlag(true),
   mResponsibleForDoneSignal(false),
   mLoadGroup(nullptr),
--- a/security/manager/ssl/src/nsNSSCallbacks.h
+++ b/security/manager/ssl/src/nsNSSCallbacks.h
@@ -215,14 +215,11 @@ public:
   static SECStatus freeFcn(SEC_HTTP_REQUEST_SESSION request)
   {
     return static_cast<nsNSSHttpRequestSession*>(request)
             ->freeFcn();
   }
 
   static void initTable();
   static SEC_HttpClientFcn sNSSInterfaceTable;
-
-  void registerHttpClient();
-  void unregisterHttpClient();
 };
 
 #endif // _NSNSSCALLBACKS_H_
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -44,17 +44,16 @@
 
 #include "nspr.h"
 #include "certdb.h"
 #include "secerr.h"
 #include "nssb64.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "ssl.h"
-#include "ocsp.h"
 #include "plbase64.h"
 
 using namespace mozilla;
 using namespace mozilla::psm;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -42,17 +42,16 @@
 
 #include "nspr.h"
 #include "certdb.h"
 #include "secerr.h"
 #include "nssb64.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "ssl.h"
-#include "ocsp.h"
 #include "plbase64.h"
 
 using namespace mozilla;
 using namespace mozilla::psm;
 using mozilla::psm::SharedSSLState;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
@@ -1811,19 +1810,11 @@ nsNSSCertificateDB::ClearOCSPCache()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
-  if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
-    certVerifier->ClearOCSPCache();
-  } else {
-    SECStatus srv = CERT_ClearOCSPCache();
-    if (srv != SECSuccess) {
-      return MapSECStatus(srv);
-    }
-  }
-
+  certVerifier->ClearOCSPCache();
   return NS_OK;
 }
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -53,17 +53,16 @@
 #include "SharedSSLState.h"
 #include "NSSErrorsService.h"
 
 #include "nss.h"
 #include "ssl.h"
 #include "sslproto.h"
 #include "secmod.h"
 #include "secmime.h"
-#include "ocsp.h"
 #include "secerr.h"
 #include "sslerr.h"
 
 #include "nsXULAppAPI.h"
 
 #ifdef XP_WIN
 #include "nsILocalFileWin.h"
 #endif
@@ -238,20 +237,20 @@ bool EnsureNSSInitialized(EnsureNSSOpera
 
   default:
     NS_ASSERTION(false, "Bad operator to EnsureNSSInitialized");
     return false;
   }
 }
 
 static void
-SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
-                                /*out*/ CertVerifier::ocsp_strict_config* osc,
-                                /*out*/ CertVerifier::ocsp_get_config* ogc,
-                                const MutexAutoLock& /*proofOfLock*/)
+GetOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
+                         /*out*/ CertVerifier::ocsp_strict_config* osc,
+                         /*out*/ CertVerifier::ocsp_get_config* ogc,
+                         const MutexAutoLock& /*proofOfLock*/)
 {
   MOZ_ASSERT(NS_IsMainThread());
   MOZ_ASSERT(odc);
   MOZ_ASSERT(osc);
   MOZ_ASSERT(ogc);
 
   // 0 = disabled, otherwise enabled
   *odc = Preferences::GetInt("security.OCSP.enabled", 1)
@@ -262,18 +261,16 @@ SetClassicOCSPBehaviorFromPrefs(/*out*/ 
        ? CertVerifier::ocsp_strict
        : CertVerifier::ocsp_relaxed;
 
   // XXX: Always use POST for OCSP; see bug 871954 for undoing this.
   *ogc = Preferences::GetBool("security.OCSP.GET.enabled", false)
        ? CertVerifier::ocsp_get_enabled
        : CertVerifier::ocsp_get_disabled;
 
-  SetClassicOCSPBehavior(*odc, *osc, *ogc);
-
   SSL_ClearSessionCache();
 }
 
 nsNSSComponent::nsNSSComponent()
   :mutex("nsNSSComponent.mutex"),
    mNSSInitialized(false),
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
    mThreadList(nullptr),
@@ -986,92 +983,38 @@ void nsNSSComponent::setValidationOption
 
   // We measure the setting of the pref at startup only to minimize noise by
   // addons that may muck with the settings, though it probably doesn't matter.
   if (isInitialSetting) {
     Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled);
     Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
   }
 
-#ifndef NSS_NO_LIBPKIX
-  bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
-                                             false);
-  bool aiaDownloadEnabled =
-    Preferences::GetBool("security.missing_cert_download.enabled", false);
-
-#endif
   bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
                                                   true);
   PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
   PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
 
-  CertVerifier::implementation_config certVerifierImplementation
-    = CertVerifier::classic;
-
-  // The mozilla::pkix pref overrides the libpkix pref
-  if (Preferences::GetBool("security.use_mozillapkix_verification", true)) {
-    certVerifierImplementation = CertVerifier::mozillapkix;
-  } else {
-#ifndef NSS_NO_LIBPKIX
-  if (Preferences::GetBool("security.use_libpkix_verification", false)) {
-    certVerifierImplementation = CertVerifier::libpkix;
-  }
-#endif
-  }
-
-  if (isInitialSetting) {
-    if (certVerifierImplementation == CertVerifier::classic) {
-      Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 1);
-#ifndef NSS_NO_LIBPKIX
-    } else if (certVerifierImplementation == CertVerifier::libpkix) {
-      Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 2);
-#endif
-    } else if (certVerifierImplementation == CertVerifier::mozillapkix) {
-      Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 3);
-    }
-  }
-
   // Default pinning enforcement level is disabled.
   CertVerifier::pinning_enforcement_config
     pinningEnforcementLevel =
       static_cast<CertVerifier::pinning_enforcement_config>
         (Preferences::GetInt("security.cert_pinning.enforcement_level",
                              CertVerifier::pinningDisabled));
   if (pinningEnforcementLevel > CertVerifier::pinningEnforceTestMode) {
     pinningEnforcementLevel = CertVerifier::pinningDisabled;
   }
 
   CertVerifier::ocsp_download_config odc;
   CertVerifier::ocsp_strict_config osc;
   CertVerifier::ocsp_get_config ogc;
 
-  SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
-  mDefaultCertVerifier = new SharedCertVerifier(
-      certVerifierImplementation,
-#ifndef NSS_NO_LIBPKIX
-      aiaDownloadEnabled ?
-        CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
-      crlDownloading ?
-        CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
-#endif
-      odc, osc, ogc, pinningEnforcementLevel);
-
-  // mozilla::pkix has its own OCSP cache, so disable the NSS cache
-  // if appropriate.
-  if (certVerifierImplementation == CertVerifier::mozillapkix) {
-    // Using -1 disables the cache. The other arguments are the default
-    // values and aren't exposed by the API.
-    CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
-  } else {
-    // Using 1000 enables the cache with the default size of 1000. Again,
-    // these values are not exposed by the API.
-    CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
-  }
-
-  CERT_ClearOCSPCache();
+  GetOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
+  mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
+                                                pinningEnforcementLevel);
 }
 
 // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
 // version) and TLS 1.2 (max version) when the prefs aren't set or set to
 // invalid values.
 nsresult
 nsNSSComponent::setEnabledTLSVersions()
 {
@@ -1270,17 +1213,16 @@ nsNSSComponent::InitializeNSS()
     PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to initialize cipher suite settings\n"));
     return NS_ERROR_FAILURE;
   }
 
   // dynamic options from prefs
   setValidationOptions(true, lock);
 
   mHttpForNSS.initTable();
-  mHttpForNSS.registerHttpClient();
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   LaunchSmartCardThreads();
 #endif
 
   RegisterPSMErrorTable();
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
@@ -1296,17 +1238,16 @@ nsNSSComponent::ShutdownNSS()
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ShutdownNSS\n"));
 
   MutexAutoLock lock(mutex);
 
   if (mNSSInitialized) {
     mNSSInitialized = false;
 
     PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
-    mHttpForNSS.unregisterHttpClient();
 
     Preferences::RemoveObserver(this, "security.");
     if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) {
       PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("nsNSSComponent::ShutdownNSS cannot stop observing cipher suite change\n"));
     }
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
     ShutdownSmartCardThreads();
@@ -1665,24 +1606,19 @@ nsNSSComponent::Observe(nsISupports* aSu
       SSL_OptionSetDefault(SSL_ENABLE_NPN,
                            Preferences::GetBool("security.ssl.enable_npn",
                                                 NPN_ENABLED_DEFAULT));
     } else if (prefName.EqualsLiteral("security.ssl.enable_alpn")) {
       SSL_OptionSetDefault(SSL_ENABLE_ALPN,
                            Preferences::GetBool("security.ssl.enable_alpn",
                                                 ALPN_ENABLED_DEFAULT));
     } else if (prefName.EqualsLiteral("security.OCSP.enabled") ||
-               prefName.EqualsLiteral("security.CRL_download.enabled") ||
-               prefName.EqualsLiteral("security.fresh_revocation_info.require") ||
-               prefName.EqualsLiteral("security.missing_cert_download.enabled") ||
                prefName.EqualsLiteral("security.OCSP.require") ||
                prefName.EqualsLiteral("security.OCSP.GET.enabled") ||
                prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
-               prefName.EqualsLiteral("security.use_mozillapkix_verification") ||
-               prefName.EqualsLiteral("security.use_libpkix_verification") ||
                prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) {
       MutexAutoLock lock(mutex);
       setValidationOptions(false, lock);
     } else if (prefName.EqualsLiteral("network.ntlm.send-lm-response")) {
       bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
                                          SEND_LM_DEFAULT);
       nsNTLMAuthModule::SetSendLM(sendLM);
       clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -8,16 +8,17 @@
 
 #include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Casting.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/Telemetry.h"
 
 #include "prlog.h"
+#include "prmem.h"
 #include "prnetdb.h"
 #include "nsIPrefService.h"
 #include "nsIClientAuthDialogs.h"
 #include "nsClientAuthRemember.h"
 #include "nsISSLErrorListener.h"
 
 #include "nsNetUtil.h"
 #include "nsPrintfCString.h"
--- a/security/manager/ssl/tests/unit/test_cert_eku.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -18,17 +18,16 @@ function cert_from_file(filename) {
 function load_cert(cert_name, trust_string) {
   var cert_filename = cert_name + ".der";
   addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
   return cert_from_file(cert_filename);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), 0, certificateUsageSSLClient);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
--- a/security/manager/ssl/tests/unit/test_cert_eku/generate.py
+++ b/security/manager/ssl/tests/unit/test_cert_eku/generate.py
@@ -64,17 +64,16 @@ function cert_from_file(filename) {
 function load_cert(cert_name, trust_string) {
   var cert_filename = cert_name + ".der";
   addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
   return cert_from_file(cert_filename);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
 """
 
 js_file_footer = """}
 """
 
 def gen_int_js_output(int_string):
     expectedResult = "SEC_ERROR_INADEQUATE_CERT_TYPE"
     # For a certificate to verify successfully as a SSL CA, it must either
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -47,214 +47,150 @@ function add_non_overridable_test(aHost,
 }
 
 function check_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
                     .snapshot();
   do_check_eq(histogram.counts[ 0], 0);
-  do_check_eq(histogram.counts[ 2], 8 + 1); // SEC_ERROR_UNKNOWN_ISSUER
-  do_check_eq(histogram.counts[ 3], 0);     // SEC_ERROR_CA_CERT_INVALID
-  do_check_eq(histogram.counts[ 4], 0 + 5); // SEC_ERROR_UNTRUSTED_ISSUER
-  do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
-  do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
-  do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
-  do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
-  do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
-  do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
+  do_check_eq(histogram.counts[ 2], 8); // SEC_ERROR_UNKNOWN_ISSUER
+  do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
+  do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
+  do_check_eq(histogram.counts[ 5], 0); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
+  do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
+  do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
+  do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN
+  do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
   run_next_test();
 }
 
 function run_test() {
   add_tls_server_setup("BadCertServer");
 
   let fakeOCSPResponder = new HttpServer();
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
   });
   fakeOCSPResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_simple_tests();
+  add_combo_tests();
+  add_distrust_tests();
 
   add_test(function () {
     fakeOCSPResponder.stop(check_telemetry);
   });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
-  add_simple_tests(useMozillaPKIX);
-  add_combo_tests(useMozillaPKIX);
-  add_distrust_tests(useMozillaPKIX);
-
-  add_test(function () {
-    certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
-    run_next_test();
-  });
-}
-
-function add_simple_tests(useMozillaPKIX) {
+function add_simple_tests() {
   add_cert_override_test("expired.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
-  if (useMozillaPKIX) {
-    add_cert_override_test("selfsigned.example.com",
-                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                           getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
-  } else {
-    add_non_overridable_test("selfsigned.example.com",
-                             SEC_ERROR_CA_CERT_INVALID);
-  }
+  add_cert_override_test("selfsigned.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("unknownissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("expiredissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("md5signature.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
   add_cert_override_test("mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
 
   // A Microsoft IIS utility generates self-signed certificates with
   // properties similar to the one this "host" will present (see
   // tlsserver/generate_certs.sh).
-  // One of the errors classic verification collects is that this
-  // certificate has an inadequate key usage to sign a certificate
-  // (i.e. itself). As a result, to be able to override this,
-  // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
-  // confusingly, this isn't the main error reported).
-  // mozilla::pkix just says this certificate's issuer is unknown.
-  if (useMozillaPKIX) {
-    add_cert_override_test("selfsigned-inadequateEKU.example.com",
-                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                           getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
-  } else {
-    add_non_overridable_test("selfsigned-inadequateEKU.example.com",
-                             SEC_ERROR_CA_CERT_INVALID);
-  }
+  add_cert_override_test("selfsigned-inadequateEKU.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
 
-  // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
-  // classic verification, but not for mozilla::pkix verification.
-  if (useMozillaPKIX) {
-    add_non_overridable_test("inadequatekeyusage.example.com",
-                             SEC_ERROR_INADEQUATE_KEY_USAGE);
-  } else {
-    add_cert_override_test("inadequatekeyusage.example.com",
-                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                           getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
-  }
+  add_non_overridable_test("inadequatekeyusage.example.com",
+                           SEC_ERROR_INADEQUATE_KEY_USAGE);
 
   // Bug 990603: Apache documentation has recommended generating a self-signed
   // test certificate with basic constraints: CA:true. For compatibility, this
   // is a scenario in which an override is allowed.
   add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
 }
 
-function add_combo_tests(useMozillaPKIX) {
-  // Note that "untrusted" here really is "unknown issuer" in the
-  // mozilla::pkix case.
-
+function add_combo_tests() {
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
   add_cert_override_test("mismatch-untrusted.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("mismatch-untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
 
   add_cert_override_test("md5signature-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
 }
 
-function add_distrust_tests(useMozillaPKIX) {
+function add_distrust_tests() {
   // Before we specifically distrust this certificate, it should be trusted.
   add_connection_test("untrusted.example.com", Cr.NS_OK);
 
-  // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
-  // verification is used.
   add_distrust_override_test("tlsserver/default-ee.der",
                              "untrusted.example.com",
-                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
-                             useMozillaPKIX
-                                ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
-                                : Cr.NS_OK);
+                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT));
 
-  // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
-  // verification is used.
   add_distrust_override_test("tlsserver/other-test-ca.der",
                              "untrustedissuer.example.com",
-                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
-                             useMozillaPKIX
-                                ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
-                                : Cr.NS_OK);
+                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
 }
 
-function add_distrust_override_test(certFileName, hostName,
-                                    expectedResultBefore, expectedResultAfter) {
+function add_distrust_override_test(certFileName, hostName, expectedResult) {
   let certToDistrust = constructCertFromFile(certFileName);
 
   add_test(function () {
     // Add an entry to the NSS certDB that says to distrust the cert
     setCertTrust(certToDistrust, "pu,,");
     clearSessionCache();
     run_next_test();
   });
-  add_connection_test(hostName, expectedResultBefore, null,
+  add_connection_test(hostName, expectedResult, null,
                       function (securityInfo) {
                         securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
                         // XXX(Bug 754369): SSLStatus isn't available for
                         // non-overridable errors.
                         if (securityInfo.SSLStatus) {
                           certOverrideService.rememberValidityOverride(
                               hostName, 8443, securityInfo.SSLStatus.serverCert,
                               Ci.nsICertOverrideService.ERROR_UNTRUSTED, true);
                         } else {
                           // A missing SSLStatus probably means (due to bug
                           // 754369) that the error was non-overridable, which
                           // is what we're trying to test, though we'd rather
                           // not test it this way.
-                          do_check_neq(expectedResultAfter, Cr.NS_OK);
+                          do_check_neq(expectedResult, Cr.NS_OK);
                         }
                         clearSessionCache();
                       });
-  add_connection_test(hostName, expectedResultAfter, null,
+  add_connection_test(hostName, expectedResult, null,
                       function () {
                         setCertTrust(certToDistrust, "u,,");
                       });
 }
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -40,39 +40,29 @@ function check_ca(ca_name) {
 }
 
 function run_test() {
   // Load the ca into mem
   load_ca("ca-rsa");
   load_ca("ca-p384");
   load_ca("ca-dsa");
 
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
-
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
   check_ca("ca-rsa");
   check_ca("ca-p384");
   check_ca("ca-dsa");
 
   // mozilla::pkix does not allow CA certs to be validated for end-entity
   // usages.
-  let int_usage = useMozillaPKIX
-                ? 'SSL CA'
-                : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+  const int_usage = 'SSL CA';
 
   // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
-  const ee_usage = useMozillaPKIX
-                 ? 'Client,Server,Sign,Encrypt,Object Signer'
-                 : 'Client,Server,Sign,Encrypt';
+  const ee_usage = 'Client,Server,Sign,Encrypt,Object Signer';
 
   let cert2usage = {
     // certs without the "int" prefix are end entity certs.
     'int-rsa-valid': int_usage,
     'rsa-valid': ee_usage,
     'int-p384-valid': int_usage,
     'p384-valid': ee_usage,
     'int-dsa-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -34,223 +34,166 @@ function check_cert_err_generic(cert, ex
   do_print("cert issuer cn=" + cert.issuerCommonName);
   let hasEVPolicy = {};
   let verifiedChain = {};
   let error = certdb.verifyCertNow(cert, usage,
                                    NO_FLAGS, verifiedChain, hasEVPolicy);
   do_check_eq(error,  expected_error);
 };
 
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
   // On reset most usages are successful
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);  // expected no bc
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, 0,
                          certificateUsageObjectSigner); // expected
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   // mozilla::pkix enforces that certificase must have a basic constraints
   // extension with cA:true to be a CA certificate,  whereas classic does not
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder); //expected
 
 
   // Test of active distrust. No usage should pass.
   setCertTrust(cert_to_modify_trust, 'p,p,p');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   // In mozilla::pkix (but not classic verification), certificate chain
   // properties are checked before the end-entity. Thus, if we're using
   // mozilla::pkix and the root certificate has been distrusted, the error
   // will be "untrusted issuer" and not "inadequate cert type".
-  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
-                                    ? SEC_ERROR_UNTRUSTED_ISSUER
-                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert,
+                         !isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
+                                   : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
-
   // Trust set to T  -  trusted CA to issue client certs, where client cert is
   // usageSSLClient.
   setCertTrust(cert_to_modify_trust, 'T,T,T');
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLServer);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
-                                                            : 0
-                                           : 0,
+  // XXX(Bug 982340)
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE
-                                           : useMozillaPKIX ? 0
-                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   // Now tests on the SSL trust bit
   setCertTrust(cert_to_modify_trust, 'p,C,C');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0  //XXX Bug 982340
-                                                 : SEC_ERROR_UNTRUSTED_ISSUER,
-                         certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+
+  //XXX(Bug 982340)
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
-  // In mozilla::pkix (but not classic verification), certificate chain
-  // properties are checked before the end-entity. Thus, if we're using
-  // mozilla::pkix and the root certificate has been distrusted, the error
-  // will be "untrusted issuer" and not "inadequate cert type".
-  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
-                                    ? SEC_ERROR_UNTRUSTED_ISSUER
-                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert,
+                         isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
+                                  : SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageStatusResponder);
 
   // Inherited trust SSL
   setCertTrust(cert_to_modify_trust, ',C,C');
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0  // XXX Bug 982340
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
-                         certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  // XXX(Bug 982340)
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
   // Now tests on the EMAIL trust bit
   setCertTrust(cert_to_modify_trust, 'C,p,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
-                                           : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
-                                                            : 0, // mozilla::pkix is OK, NSS bug
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   //inherited EMAIL Trust
   setCertTrust(cert_to_modify_trust, 'C,,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 }
 
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
+  for (let i = 0 ; i < certList.length; i++) {
+    load_cert(certList[i], ',,');
+  }
 
   let ca_cert = certdb.findCertByNickname(null, 'ca');
   do_check_false(!ca_cert)
   let int_cert = certdb.findCertByNickname(null, 'int');
   do_check_false(!int_cert)
   let ee_cert = certdb.findCertByNickname(null, 'ee');
   do_check_false(!ee_cert);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
+  test_ca_distrust(ee_cert, ca_cert, true);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
+  test_ca_distrust(ee_cert, int_cert, false);
 }
-
-function run_test() {
-  for (let i = 0 ; i < certList.length; i++) {
-    load_cert(certList[i], ',,');
-  }
-
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_cert_version.js
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -39,31 +39,30 @@ function check_ca_err(cert, expected_err
 function check_ok(x) {
   return check_cert_err(x, 0);
 }
 
 function check_ok_ca(x) {
   return check_cert_err_generic(x, 0, certificateUsageSSLCA);
 }
 
-function run_tests_in_mode(useMozillaPKIX)
-{
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                             useMozillaPKIX);
+function run_test() {
+  load_cert("v1_ca", "CTu,CTu,CTu");
+  load_cert("v1_ca_bc", "CTu,CTu,CTu");
+  load_cert("v2_ca", "CTu,CTu,CTu");
+  load_cert("v2_ca_bc", "CTu,CTu,CTu");
+  load_cert("v3_ca", "CTu,CTu,CTu");
+  load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
 
   check_ok_ca(cert_from_file('v1_ca.der'));
-  check_ca_err(cert_from_file('v1_ca_bc.der'),
-               useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
-  check_ca_err(cert_from_file('v2_ca.der'),
-               useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
-  check_ca_err(cert_from_file('v2_ca_bc.der'),
-               useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
+  check_ca_err(cert_from_file('v1_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
+  check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID);
+  check_ca_err(cert_from_file('v2_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
   check_ok_ca(cert_from_file('v3_ca.der'));
-  check_ca_err(cert_from_file('v3_ca_missing_bc.der'),
-               useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
+  check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
 
   // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
   // intermediates when they have a v3 basic constraints extenstion (which
   // makes them invalid certs). Insanity only allows v1 certs to be CA in
   // anchor position (even if they have invalid encodings), v2 certs are not
   // considered CAs in any position.
   // Note that currently there are no change of behavior based on the
   // version of the end entity.
@@ -71,714 +70,476 @@ function run_tests_in_mode(useMozillaPKI
   let ee_error = 0;
   let ca_error = 0;
 
   //////////////
   // v1 CA supersection
   //////////////////
 
   // v1 intermediate with v1 trust anchor
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
 
   // v1 intermediate with v3 extensions. CA is invalid.
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
 
   // A v2 intermediate with a v1 CA
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
 
   // A v2 intermediate with basic constraints (not allowed in insanity)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
 
   // Section is OK. A x509 v3 CA MUST have bc
   // http://tools.ietf.org/html/rfc5280#section-4.2.1.9
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
- check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
+  check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
 
   // It is valid for a v1 ca to sign a v3 intemediate.
   check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
   check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
   check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
   check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
   check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
 
   // The next groups change the v1 ca for a v1 ca with base constraints
   // (invalid trust anchor). The error pattern is the same as the groups
   // above
 
   // Using A v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
 
   // Using a v1 intermediate with v3 extenstions (invalid).
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
 
   // Using v2 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
 
   // Using a v2 intermediate with basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
 
   // Using a v3 intermediate that is missing basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
 
   // these should pass assuming we are OK with v1 ca signing v3 intermediates
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
 
 
   //////////////
   // v2 CA supersection
   //////////////////
 
   // v2 ca, v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
 
   // v2 ca, v1 intermediate with basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
 
   // v2 ca, v2 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
 
   // v2 ca, v2 intermediate with basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
 
   // v2 ca, v3 intermediate missing basic constraints
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
 
   // v2 ca, v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
 
   // v2 ca, v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
 
   // v2 ca, v1 intermediate with bc (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
 
   // v2 ca, v2 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
 
   // v2 ca, v2 intermediate with bc (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
 
   // v2 ca, invalid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
 
   // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
 
   //////////////
   // v3 CA supersection
   //////////////////
 
   // v3 ca, v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
 
   // A v1 intermediate with v3 extensions
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
 
   // reject a v2 cert as intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
 
   // v2 intermediate with bc (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
 
   // invalid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
 
   // I dont think that v3 intermediates should be allowed to sign v1 or v2
   // certs, but other thanthat this  is what we usually get in the wild.
   check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
   check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
   check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
   check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
   check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
 
   // v3 CA, invalid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
 
   // Int v1 with BC that is just invalid (classic fail insanity OK)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
 
   // Good section (all fail)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
 
   // v2 intermediate (even with basic constraints) is invalid
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
 
   // v3 intermediate missing basic constraints is invalid
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
 
   // With a v3 root missing bc and valid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
 }
-
-function run_test() {
-  load_cert("v1_ca", "CTu,CTu,CTu");
-  load_cert("v1_ca_bc", "CTu,CTu,CTu");
-  load_cert("v2_ca", "CTu,CTu,CTu");
-  load_cert("v2_ca_bc", "CTu,CTu,CTu");
-  load_cert("v3_ca", "CTu,CTu,CTu");
-  load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
-
-  run_tests_in_mode(false);
-  run_tests_in_mode(true);
-}
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@@ -26,96 +26,74 @@ function run_test() {
   for (var i = 0; i < gNumCAs; i++) {
     var ca_name = "ca-" + (i + 1);
     var ca_filename = ca_name + ".der";
     addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu");
     do_print("ca_name=" + ca_name);
     var cert = certdb.findCertByNickname(null, ca_name);
   }
 
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
-
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
-  clearOCSPCache();
-  clearSessionCache();
-
-  // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
-  var allCAUsages = useMozillaPKIX
-                  ? 'SSL CA'
-                  : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
-
   // mozilla::pkix doesn't allow CA certificates to have the Status Responder
   // EKU.
-  var ca_usages = [allCAUsages,
+  var ca_usages = ['SSL CA',
                    'SSL CA',
-                   allCAUsages,
-                   useMozillaPKIX ? ''
-                                  : 'Client,Server,Sign,Encrypt,Status Responder'];
+                   'SSL CA',
+                   ''];
 
   // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
-  var basicEndEntityUsages = useMozillaPKIX
-                           ? 'Client,Server,Sign,Encrypt,Object Signer'
-                           : 'Client,Server,Sign,Encrypt';
+  var basicEndEntityUsages = 'Client,Server,Sign,Encrypt,Object Signer';
   var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
 
-  // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
+  // mozilla::pkix won't let a certificate with the 'Status Responder' EKU get
   // validated for any other usage.
-  var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
-  var statusResponderUsagesFull
-      = useMozillaPKIX ? statusResponderUsages
-                       : basicEndEntityUsages + ',Object Signer,Status Responder';
-
   var ee_usages = [
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
-      statusResponderUsagesFull,
+      'Status Responder',
       'Client,Server',
       'Sign,Encrypt,Object Signer',
-      statusResponderUsages
+      'Status Responder'
     ],
 
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
-      statusResponderUsagesFull,
+      'Status Responder',
       'Client,Server',
       'Sign,Encrypt,Object Signer',
-      statusResponderUsages
+      'Status Responder'
     ],
 
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
-      statusResponderUsagesFull,
+      'Status Responder',
       'Client,Server',
       'Sign,Encrypt,Object Signer',
-      statusResponderUsages
+      'Status Responder'
     ],
 
     // The CA has isCA=true without keyCertSign.
     //
     // The 'classic' NSS mode uses the 'union' of the
     // capabilites so the cert is considered a CA.
     // mozilla::pkix and libpkix use the intersection of
     // capabilites, so the cert is NOT considered a CA.
-    [ useMozillaPKIX ? '' : basicEndEntityUsages,
-      useMozillaPKIX ? '' : basicEndEntityUsages,
-      useMozillaPKIX ? '' : basicEndEntityUsages,
+    [ '',
+      '',
+      '',
       '',
-      useMozillaPKIX ? '' : statusResponderUsagesFull,
-      useMozillaPKIX ? '' : 'Client,Server',
-      useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
-      useMozillaPKIX ? '' : 'Server,Status Responder'
+      '',
+      '',
+      '',
+      ''
      ]
   ];
 
   do_check_eq(gNumCAs, ca_usages.length);
 
   for (var i = 0; i < gNumCAs; i++) {
     var ca_name = "ca-" + (i + 1);
     var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -75,28 +75,16 @@ function run_test() {
     addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
   }
   load_ca("evroot");
   load_ca("non-evroot-ca");
 
   // setup and start ocsp responder
   Services.prefs.setCharPref("network.dns.localDomains",
                              'www.example.com, crl.example.com');
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
 
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
     check_ee_for_ev("ev-valid", isDebugBuild);
     ocspResponder.stop(run_next_test);
@@ -133,19 +121,17 @@ function add_tests_in_mode(useMozillaPKI
   // bug 917380: Chcek that an untrusted EV root is untrusted.
   const nsIX509Cert = Ci.nsIX509Cert;
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
 
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("ev-valid",
-                   useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                  : SEC_ERROR_UNTRUSTED_ISSUER);
+    check_cert_err("ev-valid",SEC_ERROR_UNKNOWN_ISSUER);
     ocspResponder.stop(run_next_test);
   });
 
   // bug 917380: Chcek that a trusted EV root is trusted after disabling and
   // re-enabling trust.
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
@@ -157,34 +143,25 @@ function add_tests_in_mode(useMozillaPKI
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
     check_ee_for_ev("ev-valid", isDebugBuild);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function () {
-    check_no_ocsp_requests("ev-valid",
-      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
+    check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
   add_test(function () {
-    check_no_ocsp_requests("non-ev-root",
-      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                     : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
-                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
+    check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
   add_test(function () {
-    check_no_ocsp_requests("no-ocsp-url-cert",
-      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
+    check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
 
   // Test the EV continues to work with flags after successful EV verification
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
@@ -198,19 +175,17 @@ function add_tests_in_mode(useMozillaPKI
       let verifiedChain = {};
       let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
                   Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
 
       let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
                                        flags, verifiedChain, hasEVPolicy);
       do_check_eq(hasEVPolicy.value, isDebugBuild);
       do_check_eq(error,
-                  isDebugBuild ? 0
-                               : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                                                 : SEC_ERROR_EXTENSION_NOT_FOUND));
+                  isDebugBuild ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED);
       failingOcspResponder.stop(run_next_test);
     });
   });
 
   // Bug 991815 old but valid intermediates are OK
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
@@ -230,50 +205,44 @@ function add_tests_in_mode(useMozillaPKI
   add_test(function () {
     clearOCSPCache();
     // Since Mozilla::pkix does not consider the old amost invalid OCSP
     // response valid, it does not cache the old response and thus
     // makes a separate request for DV
     let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
     let debugResponseArray = ["good", "longvalidityalmostold",
                               "longvalidityalmostold"];
-    if (!useMozillaPKIX) {
-      debugCertNickArray = ["int-ev-valid", "ev-valid"];
-      debugResponseArray = ["good", "longvalidityalmostold"];
-    }
     let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
                           "test_ev_certs",
                           isDebugBuild ? debugCertNickArray : ["ev-valid"],
                           [], [],
                           isDebugBuild ? debugResponseArray
                                        : ["longvalidityalmostold"]);
-    check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
+    check_ee_for_ev("ev-valid", false);
     ocspResponder.stop(run_next_test);
   });
 
   // Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
   // EV (still OK for soft fail DV)
   add_test(function () {
     clearOCSPCache();
     let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
     let debugResponseArray = ["good", "ancientstillvalid",
                               "ancientstillvalid"];
-    if (!useMozillaPKIX) {
-      debugCertNickArray = ["int-ev-valid", "ev-valid"];
-      debugResponseArray = ["good", "ancientstillvalid"];
-    }
     let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
                           "test_ev_certs",
                           isDebugBuild ? debugCertNickArray : ["ev-valid"],
                           [], [],
                           isDebugBuild ? debugResponseArray
                                        : ["ancientstillvalid"]);
-    check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
+    check_ee_for_ev("ev-valid", false);
     ocspResponder.stop(run_next_test);
   });
+
+  run_next_test();
 }
 
 // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
 // to prevent spurious OCSP requests that race with OCSP stapling.
 // This has the side-effect of saying an EV certificate is not EV if
 // it hasn't already been verified (e.g. on the verification thread when
 // connecting to a site).
 // This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -65,31 +65,25 @@ function check_getchain(ee_cert, ssl_ca,
   certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
   check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
   certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
   // Do a final test on the case of no trust. The results must
   // be cosistent (the actual value is non-deterministic).
   check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
 }
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
   clearOCSPCache();
   clearSessionCache();
 
   for (let i = 0 ; i < certList.length; i++) {
     load_cert(certList[i], ',,');
   }
 
   let ee_cert = certdb.findCertByNickname(null, 'ee');
   do_check_false(!ee_cert);
 
   let ca = get_ca_array();
 
   check_getchain(ee_cert, ca[1], ca[2]);
   // Swap ca certs to deal alternate trust settings.
   check_getchain(ee_cert, ca[2], ca[1]);
 }
-
-function run_test() {
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -33,30 +33,24 @@ function test_cert_for_usages(certChainN
   let cert = certs[0];
   let verified = {};
   let usages = {};
   cert.getUsagesString(true, verified, usages);
   do_print("usages.value = " + usages.value);
   do_check_eq(expected_usages_string, usages.value);
 }
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
-
+function run_test() {
   // mozilla::pkix doesn't support the obsolete Netscape object signing
   // extension, but NSS does.
-  let ee_usage1 = useMozillaPKIX
-                ? 'Client,Server,Sign,Encrypt,Object Signer'
-                : 'Client,Server,Sign,Encrypt'
+  let ee_usage1 = 'Client,Server,Sign,Encrypt,Object Signer';
 
   // mozilla::pkix doesn't validate CA certificates for non-CA uses, but
   // NSS does.
-  let ca_usage1 = useMozillaPKIX
-                ? "SSL CA"
-                : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+  let ca_usage1 = "SSL CA";
 
   // Load the ca into mem
   let ca_name = "ca";
   load_cert(ca_name, "CTu,CTu,CTu");
   do_print("ca_name = " + ca_name);
   test_cert_for_usages([ca_name], ca_usage1);
 
   // A certificate with no basicConstraints extension is considered an EE.
@@ -82,36 +76,32 @@ function run_test_in_mode(useMozillaPKIX
 
   // ca
   //   int-limited-depth (cA==true, pathLenConstraint==0)
   //      int-limited-depth-invalid (cA==true)
   //
   // XXX: It seems the NSS code does not consider the path length of the
   // certificate we're validating, but mozilla::pkix does. mozilla::pkix's
   // behavior is correct.
-  test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
-                       useMozillaPKIX ? "" : ca_usage1);
+  test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], "");
   test_cert_for_usages(["ee-int-limited-depth-invalid",
                         "int-limited-depth-invalid",
                         "int-limited-depth"],
                        "");
 
   // int-valid-ku-no-eku has keyCertSign
   test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
   test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
                        ee_usage1);
 
   // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
   // but the KU extension is missing keyCertSign. Note that mozilla::pkix
   // doesn't validate certificates with basicConstraints.Ca==true for non-CA
   // uses, but NSS does.
-  test_cert_for_usages(["int-bad-ku-no-eku"],
-                       useMozillaPKIX
-                          ? ""
-                          : 'Client,Server,Sign,Encrypt,Status Responder');
+  test_cert_for_usages(["int-bad-ku-no-eku"], "");
   test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
 
   // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
   // We treat a missing KU as "any key usage is OK".
   test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
   test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
 
   // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
@@ -127,13 +117,8 @@ function run_test_in_mode(useMozillaPKIX
                        "");
 
   // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
   // EKU=={id-kp-serverAuth,id-kp-clientAuth}.
   test_cert_for_usages(["int-no-ku-server-eku"], "SSL CA");
   test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
                        "Client,Server");
 }
-
-function run_test() {
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -45,18 +45,19 @@ function check_ok_ca (x) {
 function check_fail(x) {
   return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
 }
 
 function check_fail_ca(x) {
   return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
 }
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
+  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
+  load_cert("ca-nc", "CTu,CTu,CTu");
 
   // Note that CN is only looked at when there is NO subjectAltName!
 
   // Testing with a unconstrained root, and intermediate constrained to PERMIT
   // foo.com. All failures on this section are doe to the cert DNS names
   // not being under foo.com.
   check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
   // no dirName
@@ -264,16 +265,8 @@ function run_test_in_mode(useMozillaPKIX
   // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
   // NSS get it right.
   {
     let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
     check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
     check_cert_err_generic(cert, 0, certificateUsageSSLClient);
   }
 }
-
-function run_test() {
-  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
-  load_cert("ca-nc", "CTu,CTu,CTu");
-
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -35,30 +35,23 @@ function run_test() {
 
     do_print("returning 200 OK");
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(gGoodOCSPResponse);
   });
   ocspResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_tests();
 
   add_test(function() { ocspResponder.stop(run_next_test); });
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
+function add_tests() {
   // This test assumes that OCSPStaplingServer uses the same cert for
   // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
 
   // Get an Unknown response for the *.exmaple.com cert and put it in the
   // OCSP cache.
   add_connection_test("ocsp-stapling-unknown.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                       clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
@@ -33,29 +33,16 @@ function run_test() {
   addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function() {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
   add_test(function() {
     clearOCSPCache();
     Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
     let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
     check_cert_err("a", 0);
     ocspResponder.stop(run_next_test);
   });
 
@@ -67,18 +54,16 @@ function add_tests_in_mode(useMozillaPKI
     ocspResponder.stop(run_next_test);
   });
 
   // GET does fallback on bad entry
   add_test(function() {
     clearOCSPCache();
     Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
     // Bug 1016681 mozilla::pkix does not support fallback yet.
-    if (!useMozillaPKIX) {
-      let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
-      check_cert_err("a", 0);
-      ocspResponder.stop(run_next_test);
-    } else {
-      run_next_test();
-    }
+    // let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
+    // check_cert_err("a", 0);
+    // ocspResponder.stop(run_next_test);
+    run_next_test();
   });
 
+  run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -23,40 +23,29 @@ function run_test() {
   let ocspResponder = new HttpServer();
   ocspResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(goodOCSPResponse);
   });
   ocspResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  // ocsp-stapling-none.example.com does not staple an OCSP response in the
+  // handshake, so the revocation checking code will attempt to fetch one.
+  // Since the domain of the certificate's OCSP AIA URI is an HSTS host
+  // (as added in the setup of this test, below), a buggy implementation would
+  // upgrade the OCSP request to HTTPS. We specifically prevent this. This
+  // test demonstrates that our implementation is correct in this regard.
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
+  add_test(function () { run_next_test(); });
 
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   let uri = Services.io.newURI("http://localhost", null, null);
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                           "max-age=10000", 0);
   do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                                        "localhost", 0));
 
   run_next_test();
 }
-
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
-  // ocsp-stapling-none.example.com does not staple an OCSP response in the
-  // handshake, so the revocation checking code will attempt to fetch one.
-  // Since the domain of the certificate's OCSP AIA URI is an HSTS host
-  // (as added in the setup of this test), a buggy implementation would
-  // upgrade the OCSP request to HTTPS. We specifically prevent this. This
-  // test demonstrates that our implementation is correct in this regard.
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
-  add_test(function () { run_next_test(); });
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -27,32 +27,25 @@ function run_test() {
   ocspResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(ocspResponseBadSignature);
     gOCSPRequestCount++;
   });
   ocspResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_tests();
 
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX)
+function add_tests()
 {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_test(function () {
     do_check_eq(gOCSPRequestCount, 1);
     gOCSPRequestCount = 0;
     run_next_test();
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -16,23 +16,17 @@ function add_ocsp_test(aHost, aExpectedR
       gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
-function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
+function add_tests(certDB, otherTestCA) {
   // In the absence of OCSP stapling, these should actually all work.
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false);
@@ -110,26 +104,21 @@ function add_tests_in_mode(useMozillaPKI
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
     }
   );
   add_ocsp_test("ocsp-stapling-empty.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
 
-  // TODO(bug 979070): NSS can't handle this yet.
-  if (useMozillaPKIX) {
-    add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
-  }
+  add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
 
   add_ocsp_test("ocsp-stapling-critical-extension.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
-                  : Cr.NS_OK, // TODO(bug 987426): NSS doesn't handle unknown critical extensions
+                getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
                 true);
   add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
   // TODO(bug 997994): Disallow empty Extensions in responses
   add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true);
 
   add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true);
   add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true);
   add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
@@ -150,21 +139,21 @@ function add_tests_in_mode(useMozillaPKI
   // test_ocsp_stapling_expired.js
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 5 + 6); // 5 or 6 connections with a good response (bug 987426)
-  do_check_eq(histogram.counts[2], 2 * 18); // 18 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
-  do_check_eq(histogram.counts[4], 19 + 17); // 19 or 17 connections with bad responses (bug 979070, bug 987426)
+  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
+  do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
+  do_check_eq(histogram.counts[4], 19); // 19 connections with bad responses
   run_next_test();
 }
 
 function run_test() {
   do_get_profile();
 
   let certDB = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
@@ -176,17 +165,16 @@ function run_test() {
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     do_check_true(gExpectOCSPRequest);
   });
   fakeOCSPResponder.start(8080);
 
   add_tls_server_setup("OCSPStaplingServer");
 
-  add_tests_in_mode(true, certDB, otherTestCA);
-  add_tests_in_mode(false, certDB, otherTestCA);
+  add_tests(certDB, otherTestCA);
 
   add_test(function () {
     fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
   });
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -55,139 +55,112 @@ function run_test() {
     } else {
       response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
       response.write("Internal Server Error");
     }
     gOCSPRequestCount++;
   });
   ocspResponder.start(8080);
   add_tls_server_setup("OCSPStaplingServer");
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  add_test(function () { ocspResponder.stop(run_next_test); });
-  add_test(check_ocsp_stapling_telemetry);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
 
   // In these tests, the OCSP stapling server gives us a stapled
   // response based on the host name ("ocsp-stapling-expired" or
   // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
   // properly falling back to fetching revocation information.
   // For ocsp-stapling-expired.example.com, the OCSP stapling server
   // staples an expired OCSP response. The certificate has not expired.
   // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
   // server staples an OCSP response with a recent signature but with an
   // out-of-date validity period. The certificate has not expired.
   add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
                 ocspResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
                 ocspResponseGood);
-  // With mozilla::pkix, if we can't fetch a more recent response when
+  // if we can't fetch a more recent response when
   // given an expired stapled response, we terminate the connection.
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 null);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 null);
   // Of course, if the newer response indicates Revoked or Unknown,
   // that status must be returned.
   add_ocsp_test("ocsp-stapling-expired.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
 
-  if (useMozillaPKIX) {
-    // If the response is expired but indicates Revoked or Unknown and a
-    // newer status can't be fetched, the Revoked or Unknown status will
-    // be returned.
-    add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
-                  null);
-    add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                  null);
-    // If the response is expired but indicates Revoked or Unknown and
-    // a newer status can be fetched and successfully verified, this
-    // should result in a successful certificate verification.
-    add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
-                  ocspResponseGood);
-    add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
-                  ocspResponseGood);
-    // If a newer status can be fetched but it fails to verify, the
-    // Revoked or Unknown status of the expired stapled response
-    // should be returned.
-    add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
-                  expiredOCSPResponseGood);
-    add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                  expiredOCSPResponseGood);
-  }
+  // If the response is expired but indicates Revoked or Unknown and a
+  // newer status can't be fetched, the Revoked or Unknown status will
+  // be returned.
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                null);
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                null);
+  // If the response is expired but indicates Revoked or Unknown and
+  // a newer status can be fetched and successfully verified, this
+  // should result in a successful certificate verification.
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  // If a newer status can be fetched but it fails to verify, the
+  // Revoked or Unknown status of the expired stapled response
+  // should be returned.
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                expiredOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                expiredOCSPResponseGood);
 
-  if (useMozillaPKIX) {
-    // These tests are verifying that an valid but very old response
-    // is rejected as a valid stapled response, requiring a fetch
-    // from the ocsp responder.
-    add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
-                  ocspResponseGood);
-    add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
-                  ocspResponseRevoked);
-    add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                  ocspResponseUnknown);
-  }
+  // These tests are verifying that an valid but very old response
+  // is rejected as a valid stapled response, requiring a fetch
+  // from the ocsp responder.
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                ocspResponseRevoked);
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                ocspResponseUnknown);
+
+  add_test(function () { ocspResponder.stop(run_next_test); });
+  add_test(check_ocsp_stapling_telemetry);
+  run_next_test();
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
-  do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 2 * 12 + 9); // 12 connections with an expired response
-                                                // +9 more mozilla::pkix-only expired responses
-  do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
+  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
+  do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 21); // 21 connections with an expired response
+  do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -28,28 +28,17 @@ function run_test() {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     let body = "Refusing to return a response";
     response.bodyOutputStream.write(body, body.length);
   });
   ocspResponder.start(8080);
 
   add_tls_server_setup("OCSPStaplingServer");
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
 
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(function() {
     do_check_eq(gOCSPRequestCount, 0);
     run_next_test();
   });
   run_next_test();
 }
-
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
-  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -33,30 +33,26 @@ function run_test() {
 
   add_tls_server_setup("OCSPStaplingServer");
 
   let socket = Cc["@mozilla.org/network/server-socket;1"]
                  .createInstance(Ci.nsIServerSocket);
   socket.init(8080, true, -1);
   socket.asyncListen(gSocketListener);
 
-  add_tests_in_mode(true, true);
-  add_tests_in_mode(false, true);
-  add_tests_in_mode(true, false);
-  add_tests_in_mode(false, false);
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
 
   add_test(function() { socket.close(); run_next_test(); });
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX, useHardFail) {
+function add_tests_in_mode(useHardFail) {
   let startTime;
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
     Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
     startTime = new Date();
     run_next_test();
   });
 
   add_connection_test("ocsp-stapling-none.example.com", useHardFail
                       ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR)
                       : Cr.NS_OK, clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -35,69 +35,48 @@ function run_test() {
   addCertFromFile(certdb, "test_ocsp_url/int.der", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function() {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("bad-scheme",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("bad-scheme",SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("empty-scheme-url",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("https-url",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
     check_cert_err("hTTp-url", 0);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("negative-port",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     // XXX Bug 1013615 parser accepts ":8888" as hostname
     check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
@@ -109,33 +88,28 @@ function add_tests_in_mode(useMozillaPKI
     let ocspResponder = start_ocsp_responder(["no-path-url"], ['']);
     check_cert_err("no-path-url", 0);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("no-scheme-host-port",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("no-scheme-url",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("unknown-scheme",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
+  run_next_test();
 }
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -1242,22 +1242,16 @@
   "CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 200,
     "extended_statistics_ok": true,
     "description": "ms elapsed time of OCSP etc.. that failed"
   },
-  "CERT_VALIDATION_LIBRARY": {
-    "expires_in_version": "never",
-    "kind": "enumerated",
-    "n_values": 4,
-    "description": "Which certificate validation library is in use? (1=classic, 2=libpkix, 3=mozilla::pkix)"
-  },
   "SSL_KEY_EXCHANGE_ALGORITHM_FULL": {
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 16,
     "description": "SSL Handshake Key Exchange Algorithm for full handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
   },
   "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED": {
     "expires_in_version": "never",
@@ -4493,56 +4487,24 @@
   "TELEMETRY_MEMORY_REPORTER_MS": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "5000",
     "n_buckets": 10,
     "extended_statistics_ok": true,
     "description": "Time (ms) it takes to run memory reporters when sending a telemetry ping"
   },
-  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX": {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on a successful cert verification in libpix mode (ms)"
-  },
-  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on a successful cert  verification in classic mode (ms)"
-  },
   "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
   },
-  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on an initially failed cert verification in libpix mode (ms)"
-  },
-  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on an initially failed cert  verification in classic mode (ms)"
-  },
   "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)"
   },