Backed out 3 changesets (bug 1004149) for Windows build failures in CertVerifier.cpp
authorWes Kocher <wkocher@mozilla.com>
Fri, 18 Mar 2016 11:07:55 -0700
changeset 289444 905d35af02ec40d89e06be71faa05ac584b9ccdb
parent 289443 e14e69dd0ff619f21e8b3072bafc0545fc5c77c5
child 289445 0c6d4e1ef9cbb2c1579338c2395f1c085283adec
push id19656
push usergwagner@mozilla.com
push dateMon, 04 Apr 2016 13:43:23 +0000
treeherderb2g-inbound@e99061fde28a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1004149
milestone48.0a1
backs oute14e69dd0ff619f21e8b3072bafc0545fc5c77c5
7c6888880270b6108fa51dd63d4fa058a1df5741
f164ff25450e14362813120e1c21937d2f5b1012
Backed out 3 changesets (bug 1004149) for Windows build failures in CertVerifier.cpp Backed out changeset e14e69dd0ff6 (bug 1004149) Backed out changeset 7c6888880270 (bug 1004149) Backed out changeset f164ff25450e (bug 1004149) MozReview-Commit-ID: GIbe3devuSe
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/OCSPRequestor.cpp
security/certverifier/OCSPRequestor.h
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSCallbacks.h
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/tests/unit/test_ocsp_url.js
security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem
security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/moz.build
security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -544,25 +544,22 @@ NSSCertDBTrustDomain::CheckRevocation(En
       return rv;
     }
     SECItem ocspRequestItem = {
       siBuffer,
       ocspRequest,
       static_cast<unsigned int>(ocspRequestLength)
     };
     // Owned by arena
-    SECItem* responseSECItem = nullptr;
-    Result tempRV =
+    const SECItem* responseSECItem =
       DoOCSPRequest(arena.get(), url, &ocspRequestItem,
                     OCSPFetchingTypeToTimeoutTime(mOCSPFetching),
-                    mOCSPGetConfig == CertVerifier::ocspGetEnabled,
-                    responseSECItem);
-    MOZ_ASSERT((tempRV != Success) || responseSECItem);
-    if (tempRV != Success) {
-      rv = tempRV;
+                    mOCSPGetConfig == CertVerifier::ocspGetEnabled);
+    if (!responseSECItem) {
+      rv = MapPRErrorCodeToResult(PR_GetError());
     } else if (response.Init(responseSECItem->data, responseSECItem->len)
                  != Success) {
       rv = Result::ERROR_OCSP_MALFORMED_RESPONSE; // too big
     }
     attemptedRequest = true;
   } else {
     rv = cachedResponseResult;
     attemptedRequest = false;
--- a/security/certverifier/OCSPRequestor.cpp
+++ b/security/certverifier/OCSPRequestor.cpp
@@ -65,87 +65,95 @@ AppendEscapedBase64Item(const SECItem* e
   // http://tools.ietf.org/html/rfc5019#section-5
   base64Request.ReplaceSubstring("+", "%2B");
   base64Request.ReplaceSubstring("/", "%2F");
   base64Request.ReplaceSubstring("=", "%3D");
   path.Append(base64Request);
   return NS_OK;
 }
 
-Result
+SECItem*
 DoOCSPRequest(PLArenaPool* arena, const char* url,
               const SECItem* encodedRequest, PRIntervalTime timeout,
-              bool useGET,
-      /*out*/ SECItem*& encodedResponse)
+              bool useGET)
 {
   if (!arena || !url || !encodedRequest || !encodedRequest->data) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
+    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+    return nullptr;
   }
   uint32_t urlLen = PL_strlen(url);
   if (urlLen > static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
+    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+    return nullptr;
   }
 
   nsCOMPtr<nsIURLParser> urlParser = do_GetService(NS_STDURLPARSER_CONTRACTID);
   if (!urlParser) {
-    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+    return nullptr;
   }
 
   uint32_t schemePos;
   int32_t schemeLen;
   uint32_t authorityPos;
   int32_t authorityLen;
   uint32_t pathPos;
   int32_t pathLen;
-  nsresult nsrv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen),
-                                      &schemePos, &schemeLen,
-                                      &authorityPos, &authorityLen,
-                                      &pathPos, &pathLen);
-  if (NS_FAILED(nsrv)) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+  nsresult rv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen),
+                                    &schemePos, &schemeLen,
+                                    &authorityPos, &authorityLen,
+                                    &pathPos, &pathLen);
+  if (NS_FAILED(rv)) {
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   if (schemeLen < 0 || authorityLen < 0) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   nsAutoCString scheme(url + schemePos,
                        static_cast<nsAutoCString::size_type>(schemeLen));
   if (!scheme.LowerCaseEqualsLiteral("http")) {
-    // We don't support HTTPS to avoid loops. See Bug 92923.
-    // We also in general only support HTTP.
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    // We dont support https:// to avoid loops see Bug 92923
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
 
   uint32_t hostnamePos;
   int32_t hostnameLen;
   int32_t port;
-  // We ignore user:password sections: if one is present, we send an OCSP
-  // request to the URL as normal without sending the username or password.
-  nsrv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
-                                   nullptr, nullptr, nullptr, nullptr,
-                                   &hostnamePos, &hostnameLen, &port);
-  if (NS_FAILED(nsrv)) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+  // We do not support urls with user@pass sections in the URL,
+  // In cas we find them we will ignore and try to connect with
+  rv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
+                                 nullptr, nullptr, nullptr, nullptr,
+                                 &hostnamePos, &hostnameLen, &port);
+  if (NS_FAILED(rv)) {
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   if (hostnameLen < 0) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   if (port == -1) {
     port = 80;
   } else if (port < 0 || port > 0xffff) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   nsAutoCString
     hostname(url + authorityPos + hostnamePos,
              static_cast<nsACString_internal::size_type>(hostnameLen));
 
   SEC_HTTP_SERVER_SESSION serverSessionPtr = nullptr;
-  Result rv = nsNSSHttpInterface::createSessionFcn(
-    hostname.BeginReading(), static_cast<uint16_t>(port), &serverSessionPtr);
-  if (rv != Success) {
-    return rv;
+  if (nsNSSHttpInterface::createSessionFcn(hostname.BeginReading(),
+                                           static_cast<uint16_t>(port),
+                                           &serverSessionPtr) != SECSuccess) {
+    PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+    return nullptr;
   }
   ScopedHTTPServerSession serverSession(
     reinterpret_cast<nsNSSHttpServerSession*>(serverSessionPtr));
 
   nsAutoCString path;
   if (pathLen > 0) {
     path.Assign(url + pathPos, static_cast<nsAutoCString::size_type>(pathLen));
   } else {
@@ -155,58 +163,64 @@ DoOCSPRequest(PLArenaPool* arena, const 
          ("Setting up OCSP request: pre all path =%s  pathlen=%d\n", path.get(),
           pathLen));
   nsAutoCString method("POST");
   if (useGET) {
     method.Assign("GET");
     if (!StringEndsWith(path, NS_LITERAL_CSTRING("/"))) {
       path.Append("/");
     }
-    nsresult nsrv = AppendEscapedBase64Item(encodedRequest, path);
-    if (NS_WARN_IF(NS_FAILED(nsrv))) {
-      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    nsresult rv = AppendEscapedBase64Item(encodedRequest, path);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return nullptr;
     }
   }
 
   SEC_HTTP_REQUEST_SESSION requestSessionPtr;
-  rv = nsNSSHttpInterface::createFcn(serverSession.get(), "http", path.get(),
-                                     method.get(), timeout, &requestSessionPtr);
-  if (rv != Success) {
-    return rv;
+  if (nsNSSHttpInterface::createFcn(serverSession.get(), "http",
+                                    path.get(), method.get(),
+                                    timeout, &requestSessionPtr)
+        != SECSuccess) {
+    PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+    return nullptr;
   }
 
   ScopedHTTPRequestSession requestSession(
     reinterpret_cast<nsNSSHttpRequestSession*>(requestSessionPtr));
 
   if (!useGET) {
-    rv = nsNSSHttpInterface::setPostDataFcn(
-      requestSession.get(), reinterpret_cast<char*>(encodedRequest->data),
-      encodedRequest->len, "application/ocsp-request");
-    if (rv != Success) {
-      return rv;
+    if (nsNSSHttpInterface::setPostDataFcn(requestSession.get(),
+          reinterpret_cast<char*>(encodedRequest->data), encodedRequest->len,
+          "application/ocsp-request") != SECSuccess) {
+      PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+      return nullptr;
     }
   }
 
   uint16_t httpResponseCode;
   const char* httpResponseData;
   uint32_t httpResponseDataLen = 0; // 0 means any response size is acceptable
-  rv = nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr,
-                                                &httpResponseCode, nullptr,
-                                                nullptr, &httpResponseData,
-                                                &httpResponseDataLen);
-  if (rv != Success) {
-    return rv;
+  if (nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr,
+                                               &httpResponseCode, nullptr,
+                                               nullptr, &httpResponseData,
+                                               &httpResponseDataLen)
+        != SECSuccess) {
+    PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0);
+    return nullptr;
   }
 
   if (httpResponseCode != 200) {
-    return Result::ERROR_OCSP_SERVER_ERROR;
+    PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0);
+    return nullptr;
   }
 
-  encodedResponse = SECITEM_AllocItem(arena, nullptr, httpResponseDataLen);
+  SECItem* encodedResponse = SECITEM_AllocItem(arena, nullptr,
+                                               httpResponseDataLen);
   if (!encodedResponse) {
-    return Result::FATAL_ERROR_NO_MEMORY;
+    PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+    return nullptr;
   }
 
   memcpy(encodedResponse->data, httpResponseData, httpResponseDataLen);
-  return Success;
+  return encodedResponse;
 }
 
 } } // namespace mozilla::psm
--- a/security/certverifier/OCSPRequestor.h
+++ b/security/certverifier/OCSPRequestor.h
@@ -7,17 +7,16 @@
 #ifndef mozilla_psm_OCSPRequestor_h
 #define mozilla_psm_OCSPRequestor_h
 
 #include "CertVerifier.h"
 #include "secmodt.h"
 
 namespace mozilla { namespace psm {
 
-// The memory returned via |encodedResponse| is owned by the given arena.
-Result DoOCSPRequest(PLArenaPool* arena, const char* url,
-                     const SECItem* encodedRequest, PRIntervalTime timeout,
-                     bool useGET,
-             /*out*/ SECItem*& encodedResponse);
+// The memory returned is owned by the given arena.
+SECItem* DoOCSPRequest(PLArenaPool* arena, const char* url,
+                       const SECItem* encodedRequest, PRIntervalTime timeout,
+                       bool useGET);
 
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm_OCSPRequestor_h
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -93,17 +93,18 @@ nsHTTPDownloadEvent::Run()
                    nsContentUtils::GetSystemPrincipal(),
                    nullptr, // aTriggeringPrincipal
                    nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
                    nsIContentPolicy::TYPE_OTHER,
                    getter_AddRefs(chan));
   NS_ENSURE_STATE(chan);
 
   // Security operations scheduled through normal HTTP channels are given
-  // high priority to accommodate real time OCSP transactions.
+  // high priority to accommodate real time OCSP transactions. Background CRL
+  // fetches happen through a different path (CRLDownloadEvent).
   nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(chan);
   if (priorityChannel)
     priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST);
 
   chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS |
                      nsIChannel::LOAD_BYPASS_SERVICE_WORKER);
 
   // Create a loadgroup for this new channel.  This way if the channel
@@ -125,17 +126,17 @@ nsHTTPDownloadEvent::Run()
     rv = uploadChannel->SetUploadStream(uploadStream, 
                                         mRequestSession->mPostContentType,
                                         -1);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
   // Do not use SPDY for internal security operations. It could result
   // in the silent upgrade to ssl, which in turn could require an SSL
-  // operation to fulfill something like an OCSP fetch, which is an
+  // operation to fufill something like a CRL fetch, which is an
   // endless loop.
   nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);
   if (internalChannel) {
     rv = internalChannel->SetAllowSpdy(false);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
   nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan);
@@ -179,59 +180,52 @@ struct nsCancelHTTPDownloadEvent : nsRun
 
   NS_IMETHOD Run() {
     mListener->FreeLoadGroup(true);
     mListener = nullptr;
     return NS_OK;
   }
 };
 
-Result
-nsNSSHttpServerSession::createSessionFcn(const char* host,
-                                         uint16_t portnum,
-                                         SEC_HTTP_SERVER_SESSION* pSession)
+SECStatus nsNSSHttpServerSession::createSessionFcn(const char *host,
+                                                   uint16_t portnum,
+                                                   SEC_HTTP_SERVER_SESSION *pSession)
 {
-  if (!host || !pSession) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
-  }
+  if (!host || !pSession)
+    return SECFailure;
 
-  nsNSSHttpServerSession* hss = new nsNSSHttpServerSession;
-  if (!hss) {
-    return Result::FATAL_ERROR_NO_MEMORY;
-  }
+  nsNSSHttpServerSession *hss = new nsNSSHttpServerSession;
+  if (!hss)
+    return SECFailure;
 
   hss->mHost = host;
   hss->mPort = portnum;
 
   *pSession = hss;
-  return Success;
+  return SECSuccess;
 }
 
-Result
-nsNSSHttpRequestSession::createFcn(SEC_HTTP_SERVER_SESSION session,
-                                   const char* http_protocol_variant,
-                                   const char* path_and_query_string,
-                                   const char* http_request_method,
-                                   const PRIntervalTime timeout,
-                                   SEC_HTTP_REQUEST_SESSION* pRequest)
+SECStatus nsNSSHttpRequestSession::createFcn(SEC_HTTP_SERVER_SESSION session,
+                                             const char *http_protocol_variant,
+                                             const char *path_and_query_string,
+                                             const char *http_request_method, 
+                                             const PRIntervalTime timeout, 
+                                             SEC_HTTP_REQUEST_SESSION *pRequest)
 {
-  if (!session || !http_protocol_variant || !path_and_query_string ||
-      !http_request_method || !pRequest) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
-  }
+  if (!session || !http_protocol_variant || !path_and_query_string || 
+      !http_request_method || !pRequest)
+    return SECFailure;
 
   nsNSSHttpServerSession* hss = static_cast<nsNSSHttpServerSession*>(session);
-  if (!hss) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
-  }
+  if (!hss)
+    return SECFailure;
 
-  nsNSSHttpRequestSession* rs = new nsNSSHttpRequestSession;
-  if (!rs) {
-    return Result::FATAL_ERROR_NO_MEMORY;
-  }
+  nsNSSHttpRequestSession *rs = new nsNSSHttpRequestSession;
+  if (!rs)
+    return SECFailure;
 
   rs->mTimeoutInterval = timeout;
 
   // Use a maximum timeout value of 10 seconds because of bug 404059.
   // FIXME: Use a better approach once 406120 is ready.
   uint32_t maxBug404059Timeout = PR_TicksPerSecond() * 10;
   if (timeout > maxBug404059Timeout) {
     rs->mTimeoutInterval = maxBug404059Timeout;
@@ -242,67 +236,84 @@ nsNSSHttpRequestSession::createFcn(SEC_H
   rs->mURL.Append(hss->mHost);
   rs->mURL.Append(':');
   rs->mURL.AppendInt(hss->mPort);
   rs->mURL.Append(path_and_query_string);
 
   rs->mRequestMethod = http_request_method;
 
   *pRequest = (void*)rs;
-  return Success;
+  return SECSuccess;
 }
 
-Result
-nsNSSHttpRequestSession::setPostDataFcn(const char* http_data,
-                                        const uint32_t http_data_len,
-                                        const char* http_content_type)
+SECStatus nsNSSHttpRequestSession::setPostDataFcn(const char *http_data, 
+                                                  const uint32_t http_data_len,
+                                                  const char *http_content_type)
 {
   mHasPostData = true;
   mPostData.Assign(http_data, http_data_len);
   mPostContentType.Assign(http_content_type);
 
-  return Success;
+  return SECSuccess;
 }
 
-Result
-nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc** pPollDesc,
-                                              uint16_t* http_response_code,
-                                              const char** http_response_content_type,
-                                              const char** http_response_headers,
-                                              const char** http_response_data,
-                                              uint32_t* http_response_data_len)
+SECStatus nsNSSHttpRequestSession::addHeaderFcn(const char *http_header_name, 
+                                                const char *http_header_value)
+{
+  return SECFailure; // not yet implemented
+
+  // All http code needs to be postponed to the UI thread.
+  // Once this gets implemented, we need to add a string list member to
+  // nsNSSHttpRequestSession and queue up the headers,
+  // so they can be added in HandleHTTPDownloadPLEvent.
+  //
+  // The header will need to be set using 
+  //   mHttpChannel->SetRequestHeader(nsDependentCString(http_header_name), 
+  //                                  nsDependentCString(http_header_value), 
+  //                                  false)));
+}
+
+SECStatus nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc **pPollDesc,
+                                                        uint16_t *http_response_code, 
+                                                        const char **http_response_content_type, 
+                                                        const char **http_response_headers, 
+                                                        const char **http_response_data, 
+                                                        uint32_t *http_response_data_len)
 {
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
          ("nsNSSHttpRequestSession::trySendAndReceiveFcn to %s\n", mURL.get()));
 
   bool onSTSThread;
   nsresult nrv;
   nsCOMPtr<nsIEventTarget> sts
     = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
   if (NS_FAILED(nrv)) {
     NS_ERROR("Could not get STS service");
-    return Result::FATAL_ERROR_INVALID_STATE;
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    return SECFailure;
   }
 
   nrv = sts->IsOnCurrentThread(&onSTSThread);
   if (NS_FAILED(nrv)) {
     NS_ERROR("IsOnCurrentThread failed");
-    return Result::FATAL_ERROR_INVALID_STATE;
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    return SECFailure;
   }
 
   if (onSTSThread) {
     NS_ERROR("nsNSSHttpRequestSession::trySendAndReceiveFcn called on socket "
              "thread; this will not work.");
-    return Result::FATAL_ERROR_INVALID_STATE;
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    return SECFailure;
   }
 
   const int max_retries = 2;
   int retry_count = 0;
   bool retryable_error = false;
-  Result rv = Result::ERROR_UNKNOWN_ERROR;
+  SECStatus result_sec_status = SECFailure;
 
   do
   {
     if (retry_count > 0)
     {
       if (retryable_error)
       {
         MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
@@ -311,17 +322,17 @@ nsNSSHttpRequestSession::trySendAndRecei
       }
 
       PR_Sleep( PR_MillisecondsToInterval(300) * retry_count );
     }
 
     ++retry_count;
     retryable_error = false;
 
-    rv =
+    result_sec_status =
       internal_send_receive_attempt(retryable_error, pPollDesc, http_response_code,
                                     http_response_content_type, http_response_headers,
                                     http_response_data, http_response_data_len);
   }
   while (retryable_error &&
          retry_count < max_retries);
 
   if (retry_count > 1)
@@ -330,17 +341,17 @@ nsNSSHttpRequestSession::trySendAndRecei
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
              ("nsNSSHttpRequestSession::trySendAndReceiveFcn - still failing, giving up...\n"));
     else
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
              ("nsNSSHttpRequestSession::trySendAndReceiveFcn - success at attempt %d\n",
               retry_count));
   }
 
-  return rv;
+  return result_sec_status;
 }
 
 void
 nsNSSHttpRequestSession::AddRef()
 {
   ++mRefCount;
 }
 
@@ -348,17 +359,17 @@ void
 nsNSSHttpRequestSession::Release()
 {
   int32_t newRefCount = --mRefCount;
   if (!newRefCount) {
     delete this;
   }
 }
 
-Result
+SECStatus
 nsNSSHttpRequestSession::internal_send_receive_attempt(bool &retryable_error,
                                                        PRPollDesc **pPollDesc,
                                                        uint16_t *http_response_code,
                                                        const char **http_response_content_type,
                                                        const char **http_response_headers,
                                                        const char **http_response_data,
                                                        uint32_t *http_response_data_len)
 {
@@ -370,39 +381,38 @@ nsNSSHttpRequestSession::internal_send_r
 
   uint32_t acceptableResultSize = 0;
 
   if (http_response_data_len)
   {
     acceptableResultSize = *http_response_data_len;
     *http_response_data_len = 0;
   }
-
-  if (!mListener) {
-    return Result::FATAL_ERROR_INVALID_STATE;
-  }
+  
+  if (!mListener)
+    return SECFailure;
 
   Mutex& waitLock = mListener->mLock;
   CondVar& waitCondition = mListener->mCondition;
   volatile bool &waitFlag = mListener->mWaitFlag;
   waitFlag = true;
 
   RefPtr<nsHTTPDownloadEvent> event(new nsHTTPDownloadEvent);
-  if (!event) {
-    return Result::FATAL_ERROR_NO_MEMORY;
-  }
+  if (!event)
+    return SECFailure;
 
   event->mListener = mListener;
   this->AddRef();
   event->mRequestSession = this;
 
   nsresult rv = NS_DispatchToMainThread(event);
-  if (NS_FAILED(rv)) {
+  if (NS_FAILED(rv))
+  {
     event->mResponsibleForDoneSignal = false;
-    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    return SECFailure;
   }
 
   bool request_canceled = false;
 
   {
     MutexAutoLock locker(waitLock);
 
     const PRIntervalTime start_time = PR_IntervalNow();
@@ -489,67 +499,102 @@ nsNSSHttpRequestSession::internal_send_r
         Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME,
         event->mStartTime, TimeStamp::Now());
     }
   }
   else {
     Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3);
   }
 
-  if (request_canceled) {
-    return Result::ERROR_OCSP_SERVER_ERROR;
-  }
+  if (request_canceled)
+    return SECFailure;
 
-  if (NS_FAILED(mListener->mResultCode)) {
-    if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED ||
-        mListener->mResultCode == NS_ERROR_NET_RESET) {
+  if (NS_FAILED(mListener->mResultCode))
+  {
+    if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED
+        ||
+        mListener->mResultCode == NS_ERROR_NET_RESET)
+    {
       retryable_error = true;
     }
-    return Result::ERROR_OCSP_SERVER_ERROR;
+    return SECFailure;
   }
 
   if (http_response_code)
     *http_response_code = mListener->mHttpResponseCode;
 
-  if (mListener->mHttpRequestSucceeded && http_response_data &&
-      http_response_data_len) {
-    *http_response_data_len = mListener->mResultLen;
+  if (mListener->mHttpRequestSucceeded && http_response_data && http_response_data_len) {
 
+    *http_response_data_len = mListener->mResultLen;
+  
     // acceptableResultSize == 0 means: any size is acceptable
-    if (acceptableResultSize != 0 &&
-        acceptableResultSize < mListener->mResultLen) {
-      return Result::ERROR_OCSP_SERVER_ERROR;
+    if (acceptableResultSize != 0
+        &&
+        acceptableResultSize < mListener->mResultLen)
+    {
+      return SECFailure;
     }
 
-    // Return data by reference, result data will be valid until "this" gets
-    // destroyed.
+    // return data by reference, result data will be valid 
+    // until "this" gets destroyed by NSS
     *http_response_data = (const char*)mListener->mResultData;
   }
 
   if (mListener->mHttpRequestSucceeded && http_response_content_type) {
     if (mListener->mHttpResponseContentType.Length()) {
       *http_response_content_type = mListener->mHttpResponseContentType.get();
     }
   }
 
-  return Success;
+  return SECSuccess;
+}
+
+SECStatus nsNSSHttpRequestSession::cancelFcn()
+{
+  // As of today, only the blocking variant of the http interface
+  // has been implemented. Implementing cancelFcn will be necessary
+  // as soon as we implement the nonblocking variant.
+  return SECSuccess;
+}
+
+SECStatus nsNSSHttpRequestSession::freeFcn()
+{
+  Release();
+  return SECSuccess;
 }
 
 nsNSSHttpRequestSession::nsNSSHttpRequestSession()
 : mRefCount(1),
   mHasPostData(false),
   mTimeoutInterval(0),
   mListener(new nsHTTPListener)
 {
 }
 
 nsNSSHttpRequestSession::~nsNSSHttpRequestSession()
 {
 }
 
+SEC_HttpClientFcn nsNSSHttpInterface::sNSSInterfaceTable;
+
+void nsNSSHttpInterface::initTable()
+{
+  sNSSInterfaceTable.version = 1;
+  SEC_HttpClientFcnV1 &v1 = sNSSInterfaceTable.fcnTable.ftable1;
+  v1.createSessionFcn = createSessionFcn;
+  v1.keepAliveSessionFcn = keepAliveFcn;
+  v1.freeSessionFcn = freeSessionFcn;
+  v1.createFcn = createFcn;
+  v1.setPostDataFcn = setPostDataFcn;
+  v1.addHeaderFcn = addHeaderFcn;
+  v1.trySendAndReceiveFcn = trySendAndReceiveFcn;
+  v1.cancelFcn = cancelFcn;
+  v1.freeFcn = freeFcn;
+}
+
 nsHTTPListener::nsHTTPListener()
 : mResultData(nullptr),
   mResultLen(0),
   mLock("nsHTTPListener.mLock"),
   mCondition(mLock, "nsHTTPListener.mCondition"),
   mWaitFlag(true),
   mResponsibleForDoneSignal(false),
   mLoadGroup(nullptr),
--- a/security/manager/ssl/nsNSSCallbacks.h
+++ b/security/manager/ssl/nsNSSCallbacks.h
@@ -1,41 +1,37 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef nsNSSCallbacks_h
-#define nsNSSCallbacks_h
+#ifndef _NSNSSCALLBACKS_H_
+#define _NSNSSCALLBACKS_H_
 
-#include "mozilla/Attributes.h"
-#include "mozilla/CondVar.h"
-#include "mozilla/Mutex.h"
 #include "nsAutoPtr.h"
 #include "nsCOMPtr.h"
+#include "pk11func.h"
+#include "nspr.h"
+#include "ocspt.h"
 #include "nsIStreamLoader.h"
-#include "nspr.h"
+#include "mozilla/CondVar.h"
+#include "mozilla/Mutex.h"
+#include "mozilla/Attributes.h"
 #include "nsString.h"
-#include "pk11func.h"
-#include "pkix/pkixtypes.h"
-
-#include "ocspt.h" // Must be included after pk11func.h.
 
 class nsILoadGroup;
 
 char*
 PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg);
 
 void HandshakeCallback(PRFileDesc *fd, void *client_data);
 SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data,
                                 PRBool *canFalseStart);
 
-typedef mozilla::pkix::Result Result;
-
 class nsHTTPListener final : public nsIStreamLoaderObserver
 {
 private:
   // For XPCOM implementations that are not a base class for some other
   // class, it is good practice to make the destructor non-virtual and
   // private.  Then the only way to delete the object is via Release.
 #ifdef _MSC_VER
   // C4265: Class has virtual members but destructor is not virtual
@@ -54,135 +50,176 @@ public:
   nsresult mResultCode;
 
   bool mHttpRequestSucceeded;
   uint16_t mHttpResponseCode;
   nsCString mHttpResponseContentType;
 
   const uint8_t* mResultData; // allocated in loader, but owned by listener
   uint32_t mResultLen;
-
+  
   mozilla::Mutex mLock;
   mozilla::CondVar mCondition;
   volatile bool mWaitFlag;
-
+  
   bool mResponsibleForDoneSignal;
   void send_done_signal();
 
   // no nsCOMPtr. When I use it, I get assertions about
   //   loadgroup not being thread safe.
   // So, let's use a raw pointer and ensure we only create and destroy
   // it on the network thread ourselves.
   nsILoadGroup *mLoadGroup;
   PRThread *mLoadGroupOwnerThread;
   void FreeLoadGroup(bool aCancelLoad);
 };
 
 class nsNSSHttpServerSession
 {
 public:
   nsCString mHost;
-  uint16_t mPort;
+  uint16_t mPort;  
 
-  static Result createSessionFcn(const char* host,
-                                 uint16_t portnum,
-                                 SEC_HTTP_SERVER_SESSION* pSession);
+  static SECStatus createSessionFcn(const char *host,
+                                    uint16_t portnum,
+                                    SEC_HTTP_SERVER_SESSION *pSession);
 };
 
 class nsNSSHttpRequestSession
 {
 protected:
   mozilla::ThreadSafeAutoRefCnt mRefCount;
 
 public:
-  static Result createFcn(SEC_HTTP_SERVER_SESSION session,
-                          const char* httpProtocolVariant,
-                          const char* pathAndQueryString,
-                          const char* httpRequestMethod,
-                          const PRIntervalTime timeout,
-                          SEC_HTTP_REQUEST_SESSION* pRequest);
+  static SECStatus createFcn(SEC_HTTP_SERVER_SESSION session,
+                             const char *http_protocol_variant,
+                             const char *path_and_query_string,
+                             const char *http_request_method, 
+                             const PRIntervalTime timeout, 
+                             SEC_HTTP_REQUEST_SESSION *pRequest);
+
+  SECStatus setPostDataFcn(const char *http_data, 
+                           const uint32_t http_data_len,
+                           const char *http_content_type);
 
-  Result setPostDataFcn(const char* httpData,
-                        const uint32_t httpDataLen,
-                        const char* httpContentType);
+  SECStatus addHeaderFcn(const char *http_header_name, 
+                         const char *http_header_value);
 
-  Result trySendAndReceiveFcn(PRPollDesc** pPollDesc,
-                              uint16_t* httpResponseCode,
-                              const char** httpResponseContentType,
-                              const char** httpResponseHeaders,
-                              const char** httpResponseData,
-                              uint32_t* httpResponseDataLen);
+  SECStatus trySendAndReceiveFcn(PRPollDesc **pPollDesc,
+                                 uint16_t *http_response_code, 
+                                 const char **http_response_content_type, 
+                                 const char **http_response_headers, 
+                                 const char **http_response_data, 
+                                 uint32_t *http_response_data_len);
+
+  SECStatus cancelFcn();
+  SECStatus freeFcn();
 
   void AddRef();
   void Release();
 
   nsCString mURL;
   nsCString mRequestMethod;
-
+  
   bool mHasPostData;
   nsCString mPostData;
   nsCString mPostContentType;
-
+  
   PRIntervalTime mTimeoutInterval;
-
+  
   RefPtr<nsHTTPListener> mListener;
-
+  
 protected:
   nsNSSHttpRequestSession();
   ~nsNSSHttpRequestSession();
 
-  Result internal_send_receive_attempt(bool& retryableError,
-                                       PRPollDesc** pPollDesc,
-                                       uint16_t* httpResponseCode,
-                                       const char** httpResponseContentType,
-                                       const char** httpResponseHeaders,
-                                       const char** httpResponseData,
-                                       uint32_t* httpResponseDataLen);
+  SECStatus internal_send_receive_attempt(bool &retryable_error,
+                                          PRPollDesc **pPollDesc,
+                                          uint16_t *http_response_code,
+                                          const char **http_response_content_type,
+                                          const char **http_response_headers,
+                                          const char **http_response_data,
+                                          uint32_t *http_response_data_len);
 };
 
 class nsNSSHttpInterface
 {
 public:
-  static Result createSessionFcn(const char* host,
-                                 uint16_t portnum,
-                                 SEC_HTTP_SERVER_SESSION* pSession)
+  static SECStatus createSessionFcn(const char *host,
+                                    uint16_t portnum,
+                                    SEC_HTTP_SERVER_SESSION *pSession)
   {
     return nsNSSHttpServerSession::createSessionFcn(host, portnum, pSession);
   }
 
-  static Result createFcn(SEC_HTTP_SERVER_SESSION session,
-                          const char* httpProtocolVariant,
-                          const char* pathAndQueryString,
-                          const char* httpRequestMethod,
-                          const PRIntervalTime timeout,
-                          SEC_HTTP_REQUEST_SESSION* pRequest)
+  static SECStatus keepAliveFcn(SEC_HTTP_SERVER_SESSION session,
+                                PRPollDesc **pPollDesc)
   {
-    return nsNSSHttpRequestSession::createFcn(session, httpProtocolVariant,
-                                              pathAndQueryString,
-                                              httpRequestMethod, timeout,
-                                              pRequest);
+    // Not yet implemented, however, Necko does transparent keep-alive 
+    // anyway, when enabled in Necko's prefs.
+    return SECSuccess;
+  }
+
+  static SECStatus freeSessionFcn(SEC_HTTP_SERVER_SESSION session)
+  {
+    delete static_cast<nsNSSHttpServerSession*>(session);
+    return SECSuccess;
   }
 
-  static Result setPostDataFcn(SEC_HTTP_REQUEST_SESSION request,
-                               const char* httpData,
-                               const uint32_t httpDataLen,
-                               const char* httpContentType)
+  static SECStatus createFcn(SEC_HTTP_SERVER_SESSION session,
+                             const char *http_protocol_variant,
+                             const char *path_and_query_string,
+                             const char *http_request_method, 
+                             const PRIntervalTime timeout, 
+                             SEC_HTTP_REQUEST_SESSION *pRequest)
+  {
+    return nsNSSHttpRequestSession::createFcn(session, http_protocol_variant,
+                                     path_and_query_string, http_request_method, 
+                                     timeout, pRequest);
+  }
+
+  static SECStatus setPostDataFcn(SEC_HTTP_REQUEST_SESSION request, 
+                                  const char *http_data, 
+                                  const uint32_t http_data_len,
+                                  const char *http_content_type)
   {
     return static_cast<nsNSSHttpRequestSession*>(request)
-      ->setPostDataFcn(httpData, httpDataLen, httpContentType);
+            ->setPostDataFcn(http_data, http_data_len, http_content_type);
+  }
+
+  static SECStatus addHeaderFcn(SEC_HTTP_REQUEST_SESSION request,
+                                const char *http_header_name, 
+                                const char *http_header_value)
+  {
+    return static_cast<nsNSSHttpRequestSession*>(request)
+            ->addHeaderFcn(http_header_name, http_header_value);
   }
 
-  static Result trySendAndReceiveFcn(SEC_HTTP_REQUEST_SESSION request,
-                                     PRPollDesc** pPollDesc,
-                                     uint16_t* httpResponseCode,
-                                     const char** httpResponseContentType,
-                                     const char** httpResponseHeaders,
-                                     const char** httpResponseData,
-                                     uint32_t* httpResponseDataLen)
+  static SECStatus trySendAndReceiveFcn(SEC_HTTP_REQUEST_SESSION request, 
+                                        PRPollDesc **pPollDesc,
+                                        uint16_t *http_response_code, 
+                                        const char **http_response_content_type, 
+                                        const char **http_response_headers, 
+                                        const char **http_response_data, 
+                                        uint32_t *http_response_data_len)
   {
     return static_cast<nsNSSHttpRequestSession*>(request)
-      ->trySendAndReceiveFcn(pPollDesc, httpResponseCode,
-                             httpResponseContentType, httpResponseHeaders,
-                             httpResponseData, httpResponseDataLen);
+            ->trySendAndReceiveFcn(pPollDesc, http_response_code, http_response_content_type, 
+                     http_response_headers, http_response_data, http_response_data_len);
+  }
+
+  static SECStatus cancelFcn(SEC_HTTP_REQUEST_SESSION request)
+  {
+    return static_cast<nsNSSHttpRequestSession*>(request)
+            ->cancelFcn();
   }
+
+  static SECStatus freeFcn(SEC_HTTP_REQUEST_SESSION request)
+  {
+    return static_cast<nsNSSHttpRequestSession*>(request)
+            ->freeFcn();
+  }
+
+  static void initTable();
+  static SEC_HttpClientFcn sNSSInterfaceTable;
 };
 
-#endif // nsNSSCallbacks_h
+#endif // _NSNSSCALLBACKS_H_
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1098,16 +1098,18 @@ nsNSSComponent::InitializeNSS()
   nsCOMPtr<nsICertBlocklist> certList = do_GetService(NS_CERTBLOCKLIST_CONTRACTID);
   if (!certList) {
     return NS_ERROR_FAILURE;
   }
 
   // dynamic options from prefs
   setValidationOptions(true, lock);
 
+  mHttpForNSS.initTable();
+
 #ifndef MOZ_NO_SMART_CARDS
   LaunchSmartCardThreads();
 #endif
 
   mozilla::pkix::RegisterErrorTable();
 
   // Initialize the site security service
   nsCOMPtr<nsISiteSecurityService> sssService =
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -36,41 +36,30 @@ function run_test() {
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
-  // Note: We don't test the case of a well-formed HTTP URL with an empty port
-  //       because the OCSP code would then send a request to port 80, which we
-  //       can't use in tests.
-
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
-
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
@@ -118,20 +107,10 @@ function run_test() {
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
-  // Note: We currently don't have anything that ensures user:pass sections
-  //       weren't sent. The following test simply checks that such sections
-  //       don't cause failures.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["user-pass"], [""]);
-    check_cert_err("user-pass", PRErrorCodeSuccess);
-    ocspResponder.stop(run_next_test);
-  });
-
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC4jCCAcygAwIBAgIUCUgBNVFlUc2p60KMe3dO6FhMipkwCwYJKoZIhvcNAQEL
+MIIC4TCCAcugAwIBAgIUSVV8GuYeHmRKCpxw+z10gaAfdogwCwYJKoZIhvcNAQEL
 MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
 MDAwWjAVMRMwEQYDVQQDDApiYWQtc2NoZW1lMIIBIjANBgkqhkiG9w0BAQEFAAOC
 AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
 4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
 SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
 kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
 owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
-Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozEwLzAtBggrBgEFBQcB
-AQQhMB8wHQYIKwYBBQUHMAGGES93d3cuZXhhbXBsZS5jb20vMAsGCSqGSIb3DQEB
-CwOCAQEAieSkH2D4uXmxuA+Mxs1Pt7GkcWSzzsyx7mohi7B/VPFeo8O+xseELYiZ
-dVMg4sUls18B1hBQmv1LmcCJDeLUMhlFSKzg8+YMbeVtmB+SeKrBDY/jihVFxe7R
-JzRZmnxIv0fo8IEI5yiLl/k/rLsJxhqQ3xjhVWVFkq6I+7dP6pmyAuW4Gb98Kil+
-7WjiLTxcQH9beepODFGemjJYhId5TjjH9PWgAK79BXbRvOise54pP5mS6gOG6Pmk
-KAI0c59vta09h8wBXsfDh3dYEPB15m9JAlsfHEc3BbAD9G9d1lRq3m3sBy7MQ6Sl
-tnXePhkS4Zs2u7iGvma6sR267hYQQw==
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAsBggrBgEFBQcB
+AQQgMB4wHAYIKwYBBQUHMAGGEC93d3cuZXhhbXBsZS5jb20wCwYJKoZIhvcNAQEL
+A4IBAQCLMA8cA3de38Jrr3CeIeugTXhWp7iixVDjeskpXhcWBAB6r4saVgodouDd
+rGDd93XqsZ/91iInL5nS4+HrNgpa40SZ9u3nXZj1ji7bhnXGuKIkioeqVC85wZsZ
+k0MfNn26t/9GbgKi0EhlBYfLLh7n74Ipf2jW0rNWWX74JSB4vfIILlngHt/7/XLW
+HAKZriC+lTWk/Hg4sxd0hzR7YXS1BWf2XWQh8jZcUA826gFWvxOWoPw/fL37MzAJ
+JzAnanJ21+1BrFjUd/X3gyTaCrTtv6FFBExxaKCONGZ+fsQVz474RsOYQTkiWk4E
+6gHtp2Ms+ZQq8s4LpXHQLVdv5wtP
 -----END CERTIFICATE-----
\ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
@@ -1,3 +1,3 @@
 issuer:int
 subject:bad-scheme
-extension:authorityInformationAccess:/www.example.com/
+extension:authorityInformationAccess:/www.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdOgAwIBAgIUa9Unq2D6UuzOdGrYZUJK1Cu/tAEwCwYJKoZIhvcNAQEL
+MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
+MDAwWjAVMRMwEQYDVQQDDAplbXB0eS1wb3J0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozgwNjA0BggrBgEFBQcB
+AQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly93d3cuZXhhbXBsZS5jb206LzALBgkq
+hkiG9w0BAQsDggEBACT8keBaJ83r+547Vnhz0Oeb7S5vUFgGD1ppqdRY61HGuH03
+NUeR6x185lFdgJgRj1fS420X3FML51UuldvrnKvBTqJGpVgAIfOKFDTe6myENDr5
+oXYArBR9vMsbafZFRZjskiqokjUmjp0wad6SFhGm+I9YoYI/iGF6zCg24mOmxpWg
+EHwoBQ3tF/o3X0oVQx6EAA2YvMdIffu+X++PWVV00GTIi5o2ihilq0ZQAFcsc3ua
+VDln/jmCl1KLS9Og4SCMnHIQDANJmBCB2vLBH9ZJDXK8GgqPwjd97LQiYLFApXyu
+BJn9Y2XHuJXr00/4sSnmmyPEyNYiVN54oBnAfYI=
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:empty-port
+extension:authorityInformationAccess:http://www.example.com:/
--- a/security/manager/ssl/tests/unit/test_ocsp_url/moz.build
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/moz.build
@@ -3,28 +3,28 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 # Temporarily disabled. See bug 1256495.
 #test_certificates = (
 #    'bad-scheme.pem',
 #    'ca.pem',
+#    'empty-port.pem',
 #    'empty-scheme-url.pem',
 #    'ftp-url.pem',
 #    'hTTp-url.pem',
 #    'https-url.pem',
 #    'int.pem',
 #    'negative-port.pem',
 #    'no-host-url.pem',
 #    'no-path-url.pem',
 #    'no-scheme-host-port.pem',
 #    'no-scheme-url.pem',
 #    'unknown-scheme.pem',
-#    'user-pass.pem',
 #)
 #
 #for test_certificate in test_certificates:
 #    GeneratedTestCertificate(test_certificate)
 #
 #test_keys = (
 #    'int.key',
 #)
--- a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC7jCCAdigAwIBAgIUaRXYhHMxVLXv0jEa7DzCo4XP3kEwCwYJKoZIhvcNAQEL
+MIIC7TCCAdegAwIBAgIUKxb1IEwl2xxr9eYRaSRuSOPVR80wCwYJKoZIhvcNAQEL
 MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
 MDAwWjAYMRYwFAYDVQQDDA1uZWdhdGl2ZS1wb3J0MIIBIjANBgkqhkiG9w0BAQEF
 AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
 xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
 qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
 kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
 wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
-BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozowODA2BggrBgEF
-BQcBAQQqMCgwJgYIKwYBBQUHMAGGGmh0dHA6Ly93d3cuZXhhbXBsZS5jb206LTEv
-MAsGCSqGSIb3DQEBCwOCAQEASHTpE/+ZfMfU7A9B+PidfrUaHb1wIb1d56nLzZbw
-ZkaCWtos3W/foUS6fqh9N6IB/HnfrH5IYDKemYHX3bdVAKXEvdMIGFWbYq8DCh8G
-L6KmHMX96GRHUt6APgj5HnKDGK/gTPCgL7S60Udgt802FCHoprFEOrDP4l3KNOA6
-RkLJVqyTenMr8CNAw6TKOV4mezm1FRRybqSlQesCy6UDQCTyTnp+36tzMS6/znGz
-Eg049InNUTKTKV53BJiad14SAG0xcYSDBJ3JOCGprdMSyXViyEgEKY4yXXOEX7T+
-Dx92b/Y6wxgZmrE5vUOxotSwoZl1HvegwtM+yv3oJlPghQ==
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozkwNzA1BggrBgEF
+BQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly93d3cuZXhhbXBsZS5jb206LTEw
+CwYJKoZIhvcNAQELA4IBAQAw5TQzcQUOXkt6B7sPtCEbSZhYPTXT7S+tDmCOUbuu
+59pDHrqcicN6GHs2yjA0VQSppdHM4vJPBv73n3i/v0DtJeDAU0vDKXhL3XYoaiFc
+neLFP+igJVKVq+1YGFm6IJzQmAnWO3WaoVRal3i2Fsy9yzD9JfFPozhIDQSnQgOo
+jxB5zXAWfPCC6vZs6D2+ERDuGQ8U23iLGt93QRjA/1+jyEX+wVweHhQA0+ThEnQG
+P3dvmpxGJmEaN3VwQJJLX/Aa+HP8yIDgPfLWDlVD1GMIN+OzA/34uKUQCanBeKkk
+P+NSbiJAGbqck2GkhB1dJvAN4Rocxd1Zz2HwZOQqNEKw
 -----END CERTIFICATE-----
\ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
@@ -1,3 +1,3 @@
 issuer:int
 subject:negative-port
-extension:authorityInformationAccess:http://www.example.com:-1/
+extension:authorityInformationAccess:http://www.example.com:-1
--- a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC6zCCAdWgAwIBAgIUI5Tv1e1YLCHEMZT5XJ1qU6KnNgAwCwYJKoZIhvcNAQEL
+MIIC7jCCAdigAwIBAgIUc3XxC3XHk7zit5PqvQJY/KINaQowCwYJKoZIhvcNAQEL
 MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
-MDAwWjAZMRcwFQYDVQQDDA51bmtub3duLXNjaGVtZTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
-wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
-k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
-eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
-EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
-JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM2MDQwMgYIKwYB
-BQUHAQEEJjAkMCIGCCsGAQUFBzABhhZ0dHA6Ly93d3cuZXhhbXBsZS5jb20vMAsG
-CSqGSIb3DQEBCwOCAQEAtcV1bIruR8rwWC+rA+336IIjHD7za6wzDVJzUMnrfZ7u
-7e1amMhToNnFHulMKjpVRQaKoYIdtnd32cvvTebwKsIe3fnCcT9JA4w5Lf3T62YF
-bPzeoDO+602npGl9br7OmImNqhOLXVO/ISahmfLIyW9kiPrDx/L0jdyulamLCzAh
-jsLfawEZdN9n9gWUwVQglboS/SmmNHNhfvutBv9ZnFT/zvrVoV8aBKjkXQOL0G2g
-sToq4N+L2O2ow4MTdp0OM7RufMgdJyfBqFHC4/07/xednWUhQ+MeG4gRIidx9lR/
-x/fYCLkAZ/NDyt3Md8lLAPimBkOFt5ce+VGFriZSCw==
+MDAwWjAdMRswGQYDVQQDDBJ1bmtub3duLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEG
+CCsGAQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVdHRwOi8vd3d3LmV4YW1wbGUuY29t
+MAsGCSqGSIb3DQEBCwOCAQEAbWjhsr44kEsgozAd7LKUBy1UfiLcuLRK1//mkONB
+Gu9YoOy+/Gh60/fqKUlhEu/xAMqHdJ+LoM5mQvFXIvrNNWjE1TRuew5j0LACSboX
+UxDacgbvYckU/wJRTHURimGSU6FHHnIczm/4AzlfRF+RWZL2kmOC5mn7f7aRC/RP
+TG1JZqDRt5/7iFOnuRsuR8V5f7vd8d3F29fmnhvZpjvMnoJqqs+rJQCbn/M9bEdM
+kRcWrD4X3fEksEFAFcTs6kiLsxJ/UuSAlSXtzYqXqWOgr22LMtqBaOAM1TMwEaba
+NjyoWmLVK2i9vTSdRlIfV1PSpiVGNfZL29XO5lR0oR2HMw==
 -----END CERTIFICATE-----
\ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
@@ -1,3 +1,3 @@
 issuer:int
-subject:unknown-scheme
-extension:authorityInformationAccess:ttp://www.example.com/
+subject:unknown-scheme-url
+extension:authorityInformationAccess:ttp://www.example.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9jCCAeCgAwIBAgIUZwBIuhJsl6TtcbJBQ2j36UO5R+wwCwYJKoZIhvcNAQEL
-MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
-MDAwWjAUMRIwEAYDVQQDDAl1c2VyLXBhc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
-2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
-5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
-PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
-DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
-iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjRjBEMEIGCCsGAQUFBwEB
-BDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL3VzZXI6cGFzc0B3d3cuZXhhbXBsZS5j
-b206ODg4OC8wCwYJKoZIhvcNAQELA4IBAQBVI4PnVdDg/lT6bZ/4COoPBbu9Ql0Q
-sGVhl/A1zH8xYx8OII0aI7U2OpXC1GNnESyt1nvsfEtnR6ETgGlaRdI8hXpOz0dI
-VXh1PZEv9ESdl4FWmqGFM26eOqSS1r6aU2oBfTSzO6Ki4cduSfmiBuCCFzGtuMdG
-pu+PWP7ffzgU9lteYvf+uXcD8u/Kz0WOtKwB4nuVWy0PcKlX8z/SizcoaCdG3v7+
-6j9GsLbD8G0mIZVM2Jyrv6M5+RSelp957gPXu3BoYG8QW5I9zSMfQg0w/Y81IR+5
-cXuQ0TBTvHx2QjkOHH4Iy8cIXKxCdiYyVUvlYS5UjTaaZLpcjmA5/Pl1
------END CERTIFICATE-----
\ No newline at end of file
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int
-subject:user-pass
-extension:authorityInformationAccess:http://user:pass@www.example.com:8888/