bug 1227638 - deterministically load EV information r=Cykesiopka,mgoodwin
authorDavid Keeler <dkeeler@mozilla.com>
Fri, 30 Sep 2016 18:08:08 -0700
changeset 319272 6810346363585085e260d47a58cf5b7d58542d44
parent 319271 c7ad8590b1e78f9bad9dccd8dc64fc34717819db
child 319273 e45221018bdd6365ce904ade9ad0698420e67f42
push id83120
push usercbook@mozilla.com
push dateTue, 25 Oct 2016 08:47:23 +0000
treeherdermozilla-inbound@4ee669700dc8 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersCykesiopka, mgoodwin
bugs1227638
milestone52.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1227638 - deterministically load EV information r=Cykesiopka,mgoodwin Previously PSM would load EV information on-demand (i.e. just before verifying a certificate). This simplifies this operation, removes a dubious optimization (loading the EV information on another thread while opening a network connection), and relocates the loading operation to when we are likely to have good disk locality (i.e. when we've just loaded the built-in roots module). This also removes the now-unused MOZ_NO_EV_CERTS build flag. MozReview-Commit-ID: 8Rnl4ozF95V
b2g/confvars.sh
old-configure.in
security/certverifier/CertVerifier.cpp
security/certverifier/ExtendedValidation.cpp
security/certverifier/ExtendedValidation.h
security/certverifier/NSSCertDBTrustDomain.cpp
security/manager/ssl/SSLServerCertVerification.cpp
security/manager/ssl/SSLServerCertVerification.h
security/manager/ssl/nsNSSCertHelper.cpp
security/manager/ssl/nsNSSCertificate.cpp
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsSSLStatus.cpp
--- a/b2g/confvars.sh
+++ b/b2g/confvars.sh
@@ -14,17 +14,16 @@ MOZ_B2G_VERSION=2.6.0.0-prerelease
 MOZ_B2G_OS_NAME=Boot2Gecko
 
 MOZ_BRANDING_DIRECTORY=b2g/branding/unofficial
 MOZ_OFFICIAL_BRANDING_DIRECTORY=b2g/branding/official
 # MOZ_APP_DISPLAYNAME is set by branding/configure.sh
 
 MOZ_NO_SMART_CARDS=1
 MOZ_APP_STATIC_INI=1
-MOZ_NO_EV_CERTS=1
 
 if test "$OS_TARGET" = "Android"; then
 MOZ_CAPTURE=1
 MOZ_RAW=1
 MOZ_AUDIO_CHANNEL_MANAGER=1
 fi
 
 # use custom widget for html:select
--- a/old-configure.in
+++ b/old-configure.in
@@ -3953,24 +3953,16 @@ dnl ====================================
 dnl = Disable smartcard support
 dnl ========================================================
 if test -n "$MOZ_NO_SMART_CARDS"; then
     AC_DEFINE(MOZ_NO_SMART_CARDS)
 fi
 AC_SUBST(MOZ_NO_SMART_CARDS)
 
 dnl ========================================================
-dnl = Disable EV certificate verification
-dnl ========================================================
-if test -n "$MOZ_NO_EV_CERTS"; then
-    AC_DEFINE(MOZ_NO_EV_CERTS)
-fi
-AC_SUBST(MOZ_NO_EV_CERTS)
-
-dnl ========================================================
 dnl = Sandboxing support
 dnl ========================================================
 if test -n "$MOZ_TSAN" -o -n "$MOZ_ASAN"; then
     # Bug 1182565: TSan conflicts with sandboxing on Linux.
     # Bug 1287971: LSan also conflicts with sandboxing on Linux.
     case $OS_TARGET in
     Linux|Android)
         MOZ_SANDBOX=
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -457,17 +457,16 @@ CertVerifier::VerifyCert(CERTCertificate
       size_t sha1ModeConfigurationsCount = MOZ_ARRAY_LENGTH(sha1ModeConfigurations);
 
       static_assert(MOZ_ARRAY_LENGTH(sha1ModeConfigurations) ==
                     MOZ_ARRAY_LENGTH(sha1ModeResults),
                     "digestAlgorithm array lengths differ");
 
       rv = Result::ERROR_UNKNOWN_ERROR;
 
-#ifndef MOZ_NO_EV_CERTS
       // Try to validate for EV first.
       NSSCertDBTrustDomain::OCSPFetching evOCSPFetching
         = (mOCSPDownloadConfig == ocspOff) ||
           (flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::LocalOnlyOCSPForEV
                                     : NSSCertDBTrustDomain::FetchOCSPForEV;
 
       CertPolicyId evPolicy;
       SECOidTag evPolicyOidTag;
@@ -532,17 +531,16 @@ CertVerifier::VerifyCert(CERTCertificate
           if (rv != Success) {
             break;
           }
         }
       }
       if (rv == Success) {
         break;
       }
-#endif
 
       if (flags & FLAG_MUST_BE_EV) {
         rv = Result::ERROR_POLICY_VALIDATION_FAILED;
         break;
       }
 
       // Now try non-EV.
       unsigned int keySizeOptions[] = {
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -6,16 +6,17 @@
 
 #include "ExtendedValidation.h"
 
 #include "base64.h"
 #include "cert.h"
 #include "certdb.h"
 #include "hasht.h"
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/Assertions.h"
 #include "mozilla/Casting.h"
 #include "mozilla/PodOperations.h"
 #include "pk11pub.h"
 #include "pkix/pkixtypes.h"
 #include "prerror.h"
 #include "prinit.h"
 #include "secerr.h"
 
@@ -1244,120 +1245,102 @@ CertIsAuthoritativeForEVPolicy(const Uni
         PodEqual(oidData->oid.data, policy.bytes, policy.numBytes)) {
       return true;
     }
   }
 
   return false;
 }
 
-static PRStatus
-IdentityInfoInit()
+nsresult
+LoadExtendedValidationInfo()
 {
   static const char* sCABForumOIDString = "2.23.140.1.1";
   static const char* sCABForumOIDDescription = "CA/Browser Forum EV OID";
 
   mozilla::ScopedAutoSECItem cabforumOIDItem;
   if (SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0)
         != SECSuccess) {
-    return PR_FAILURE;
+    return NS_ERROR_FAILURE;
   }
   sCABForumEVOIDTag = RegisterOID(cabforumOIDItem, sCABForumOIDDescription);
   if (sCABForumEVOIDTag == SEC_OID_UNKNOWN) {
-    return PR_FAILURE;
+    return NS_ERROR_FAILURE;
   }
 
   for (size_t iEV = 0; iEV < mozilla::ArrayLength(myTrustedEVInfos); ++iEV) {
     nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
 
+    SECStatus srv;
+#ifdef DEBUG
+    // This section of code double-checks that we calculated the correct
+    // certificate hash given the issuer and serial number and that it is
+    // actually present in our loaded root certificates module. It is
+    // unnecessary to check this in non-debug builds since we will safely fall
+    // back to DV if the EV information is incorrect.
     mozilla::ScopedAutoSECItem derIssuer;
-    SECStatus rv = ATOB_ConvertAsciiToItem(&derIssuer, entry.issuer_base64);
-    PR_ASSERT(rv == SECSuccess);
-    if (rv != SECSuccess) {
-      return PR_FAILURE;
+    srv = ATOB_ConvertAsciiToItem(&derIssuer, entry.issuer_base64);
+    MOZ_ASSERT(srv == SECSuccess, "Could not base64-decode built-in EV issuer");
+    if (srv != SECSuccess) {
+      return NS_ERROR_FAILURE;
     }
 
     mozilla::ScopedAutoSECItem serialNumber;
-    rv = ATOB_ConvertAsciiToItem(&serialNumber, entry.serial_base64);
-    PR_ASSERT(rv == SECSuccess);
-    if (rv != SECSuccess) {
-      return PR_FAILURE;
+    srv = ATOB_ConvertAsciiToItem(&serialNumber, entry.serial_base64);
+    MOZ_ASSERT(srv == SECSuccess, "Could not base64-decode built-in EV serial");
+    if (srv != SECSuccess) {
+      return NS_ERROR_FAILURE;
     }
 
     CERTIssuerAndSN ias;
     ias.derIssuer.data = derIssuer.data;
     ias.derIssuer.len = derIssuer.len;
     ias.serialNumber.data = serialNumber.data;
     ias.serialNumber.len = serialNumber.len;
     ias.serialNumber.type = siUnsignedInteger;
 
     UniqueCERTCertificate cert(CERT_FindCertByIssuerAndSN(nullptr, &ias));
 
     // If an entry is missing in the NSS root database, it may be because the
     // root database is out of sync with what we expect (e.g. a different
-    // version of system NSS is installed). We assert on debug builds, but
-    // silently continue on release builds. In both cases, the root cert does
-    // not get EV treatment.
+    // version of system NSS is installed).
     if (!cert) {
-#ifdef DEBUG
-      // The debug CA structs are at positions 0 to NUM_TEST_EV_ROOTS - 1, and
-      // are NOT in the NSS root DB.
-      if (iEV < NUM_TEST_EV_ROOTS) {
-        continue;
+      // The entries for the debug EV roots are at indices 0 through
+      // NUM_TEST_EV_ROOTS - 1. Since they're not built-in, they probably
+      // haven't been loaded yet.
+      MOZ_ASSERT(iEV < NUM_TEST_EV_ROOTS, "Could not find built-in EV root");
+    } else {
+      unsigned char certFingerprint[SHA256_LENGTH];
+      srv = PK11_HashBuf(SEC_OID_SHA256, certFingerprint, cert->derCert.data,
+                         AssertedCast<int32_t>(cert->derCert.len));
+      MOZ_ASSERT(srv == SECSuccess, "Could not hash EV root");
+      if (srv != SECSuccess) {
+        return NS_ERROR_FAILURE;
       }
-#endif
-      PR_NOT_REACHED("Could not find EV root in NSS storage");
-      continue;
-    }
-
-    unsigned char certFingerprint[SHA256_LENGTH];
-    rv = PK11_HashBuf(SEC_OID_SHA256, certFingerprint, cert->derCert.data,
-                      AssertedCast<int32_t>(cert->derCert.len));
-    PR_ASSERT(rv == SECSuccess);
-    if (rv == SECSuccess) {
-      bool same = !memcmp(certFingerprint, entry.ev_root_sha256_fingerprint,
-                          sizeof(certFingerprint));
-      PR_ASSERT(same);
-      if (same) {
-        mozilla::ScopedAutoSECItem evOIDItem;
-        rv = SEC_StringToOID(nullptr, &evOIDItem, entry.dotted_oid, 0);
-        PR_ASSERT(rv == SECSuccess);
-        if (rv == SECSuccess) {
-          entry.oid_tag = RegisterOID(evOIDItem, entry.oid_name);
-          if (entry.oid_tag == SEC_OID_UNKNOWN) {
-            rv = SECFailure;
-          }
-        }
-      } else {
-        PR_SetError(SEC_ERROR_BAD_DATA, 0);
-        rv = SECFailure;
+      bool same = PodEqual(certFingerprint, entry.ev_root_sha256_fingerprint);
+      MOZ_ASSERT(same, "EV root fingerprint mismatch");
+      if (!same) {
+        return NS_ERROR_FAILURE;
       }
     }
-
-    if (rv != SECSuccess) {
-      entry.oid_tag = SEC_OID_UNKNOWN;
-      return PR_FAILURE;
+#endif
+    // This is the code that actually enables these roots for EV.
+    mozilla::ScopedAutoSECItem evOIDItem;
+    srv = SEC_StringToOID(nullptr, &evOIDItem, entry.dotted_oid, 0);
+    MOZ_ASSERT(srv == SECSuccess, "SEC_StringToOID failed");
+    if (srv != SECSuccess) {
+      return NS_ERROR_FAILURE;
+    }
+    entry.oid_tag = RegisterOID(evOIDItem, entry.oid_name);
+    if (entry.oid_tag == SEC_OID_UNKNOWN) {
+      return NS_ERROR_FAILURE;
     }
   }
 
-  return PR_SUCCESS;
-}
-
-static PRCallOnceType sIdentityInfoCallOnce;
-
-void
-EnsureIdentityInfoLoaded()
-{
-  (void) PR_CallOnce(&sIdentityInfoCallOnce, IdentityInfoInit);
-}
-
-void
-CleanupIdentityInfo()
-{
-  memset(&sIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
+  return NS_OK;
 }
 
 // Find the first policy OID that is known to be an EV policy OID.
 SECStatus
 GetFirstEVPolicy(CERTCertificate* cert,
                  /*out*/ mozilla::pkix::CertPolicyId& policy,
                  /*out*/ SECOidTag& policyOidTag)
 {
--- a/security/certverifier/ExtendedValidation.h
+++ b/security/certverifier/ExtendedValidation.h
@@ -9,24 +9,21 @@
 #include "ScopedNSSTypes.h"
 #include "certt.h"
 #include "prtypes.h"
 
 namespace mozilla { namespace pkix { struct CertPolicyId; } }
 
 namespace mozilla { namespace psm {
 
-#ifndef MOZ_NO_EV_CERTS
-void EnsureIdentityInfoLoaded();
-void CleanupIdentityInfo();
+nsresult LoadExtendedValidationInfo();
 SECStatus GetFirstEVPolicy(CERTCertificate* cert,
                            /*out*/ mozilla::pkix::CertPolicyId& policy,
                            /*out*/ SECOidTag& policyOidTag);
 
 // CertIsAuthoritativeForEVPolicy does NOT evaluate whether the cert is trusted
 // or distrusted.
 bool CertIsAuthoritativeForEVPolicy(const UniqueCERTCertificate& cert,
                                     const mozilla::pkix::CertPolicyId& policy);
-#endif
 
 } } // namespace mozilla::psm
 
 #endif // ExtendedValidation_h
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -168,22 +168,16 @@ NSSCertDBTrustDomain::FindIssuer(Input e
 }
 
 Result
 NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
                                    const CertPolicyId& policy,
                                    Input candidateCertDER,
                                    /*out*/ TrustLevel& trustLevel)
 {
-#ifdef MOZ_NO_EV_CERTS
-  if (!policy.IsAnyPolicy()) {
-    return Result::ERROR_POLICY_VALIDATION_FAILED;
-  }
-#endif
-
   // XXX: This would be cleaner and more efficient if we could get the trust
   // information without constructing a CERTCertificate here, but NSS doesn't
   // expose it in any other easy-to-use fashion. The use of
   // CERT_NewTempCertificate to get a CERTCertificate shouldn't be a
   // performance problem because NSS will just find the existing
   // CERTCertificate in its in-memory cache and return it.
   SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER);
   UniqueCERTCertificate candidateCert(
@@ -245,22 +239,20 @@ NSSCertDBTrustDomain::GetCertTrust(EndEn
     // For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Gecko hasn't
     // needed to consider end-entity certs to be their own trust anchors since
     // Gecko implemented nsICertOverrideService.
     if (flags & CERTDB_TRUSTED_CA) {
       if (policy.IsAnyPolicy()) {
         trustLevel = TrustLevel::TrustAnchor;
         return Success;
       }
-#ifndef MOZ_NO_EV_CERTS
       if (CertIsAuthoritativeForEVPolicy(candidateCert, policy)) {
         trustLevel = TrustLevel::TrustAnchor;
         return Success;
       }
-#endif
     }
   }
 
   trustLevel = TrustLevel::InheritsTrust;
   return Success;
 }
 
 Result
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -1753,47 +1753,16 @@ AuthCertificateHook(void* arg, PRFileDes
     NS_ERROR("error code not set");
     error = PR_UNKNOWN_ERROR;
   }
 
   PR_SetError(error, 0);
   return SECFailure;
 }
 
-#ifndef MOZ_NO_EV_CERTS
-class InitializeIdentityInfo : public CryptoTask
-{
-  virtual nsresult CalculateResult() override
-  {
-    EnsureIdentityInfoLoaded();
-    return NS_OK;
-  }
-
-  virtual void ReleaseNSSResources() override { } // no-op
-  virtual void CallCallback(nsresult rv) override { } // no-op
-};
-#endif
-
-void EnsureServerVerificationInitialized()
-{
-#ifndef MOZ_NO_EV_CERTS
-  // Should only be called from socket transport thread due to the static
-  // variable and the reference to gCertVerificationThreadPool
-
-  static bool triggeredCertVerifierInit = false;
-  if (triggeredCertVerifierInit)
-    return;
-  triggeredCertVerifierInit = true;
-
-  RefPtr<InitializeIdentityInfo> initJob = new InitializeIdentityInfo();
-  if (gCertVerificationThreadPool)
-    gCertVerificationThreadPool->Dispatch(initJob, NS_DISPATCH_NORMAL);
-#endif
-}
-
 SSLServerCertVerificationResult::SSLServerCertVerificationResult(
         nsNSSSocketInfo* infoObject, PRErrorCode errorCode,
         Telemetry::ID telemetryID, uint32_t telemetryValue,
         SSLErrorMessageType errorMessageType)
   : mInfoObject(infoObject)
   , mErrorCode(errorCode)
   , mErrorMessageType(errorMessageType)
   , mTelemetryID(telemetryID)
--- a/security/manager/ssl/SSLServerCertVerification.h
+++ b/security/manager/ssl/SSLServerCertVerification.h
@@ -9,16 +9,11 @@
 #include "seccomon.h"
 #include "prio.h"
 
 namespace mozilla { namespace psm {
 
 SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
                               PRBool checkSig, PRBool isServer);
 
-// EnsureServerVerificationInitialized() posts an event to a cert
-// verification thread to run nsINSSComponent::EnsureIdentityInfoLoaded()
-// exactly once. It must be called from socket thread.
-void EnsureServerVerificationInitialized();
-
 } } // namespace mozilla::psm
 
 #endif
--- a/security/manager/ssl/nsNSSCertHelper.cpp
+++ b/security/manager/ssl/nsNSSCertHelper.cpp
@@ -1963,25 +1963,25 @@ nsNSSCertificate::CreateTBSCertificateAS
     nssComponent->GetPIPNSSBundleString("CertDumpSubjectUniqueID", text);
     printableItem->SetDisplayName(text);
     asn1Objects->AppendElement(printableItem, false);
 
   }
   if (mCert->extensions) {
     SECOidTag ev_oid_tag = SEC_OID_UNKNOWN;
 
-#ifndef MOZ_NO_EV_CERTS
     bool validEV;
     rv = hasValidEVOidTag(ev_oid_tag, validEV);
-    if (NS_FAILED(rv))
+    if (NS_FAILED(rv)) {
       return rv;
+    }
 
-    if (!validEV)
+    if (!validEV) {
       ev_oid_tag = SEC_OID_UNKNOWN;
-#endif
+    }
 
     rv = ProcessExtensions(mCert->extensions, sequence, ev_oid_tag, nssComponent);
     if (NS_FAILED(rv))
       return rv;
   }
   sequence.forget(retSequence);
   return NS_OK;
 }
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -1129,26 +1129,23 @@ nsNSSCertificate::Equals(nsIX509Cert* ot
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
   UniqueCERTCertificate cert(other->GetCert());
   *result = (mCert.get() == cert.get());
   return NS_OK;
 }
 
-#ifndef MOZ_NO_EV_CERTS
-
 nsresult
 nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
 {
   nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown())
+  if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
-
-  EnsureIdentityInfoLoaded();
+  }
 
   RefPtr<mozilla::psm::SharedCertVerifier>
     certVerifier(mozilla::psm::GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
   validEV = false;
   resultOidTag = SEC_OID_UNKNOWN;
 
@@ -1191,41 +1188,34 @@ nsNSSCertificate::getValidEVOidTag(SECOi
     if (validEV) {
       mCachedEVOidTag = resultOidTag;
     }
     mCachedEVStatus = validEV ? ev_status_valid : ev_status_invalid;
   }
   return rv;
 }
 
-#endif // MOZ_NO_EV_CERTS
-
 nsresult
 nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
 {
-#ifdef MOZ_NO_EV_CERTS
-  *aIsEV = false;
-  return NS_OK;
-#else
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_ARG(aIsEV);
   *aIsEV = false;
 
   if (mCachedEVStatus != ev_status_unknown) {
     *aIsEV = (mCachedEVStatus == ev_status_valid);
     return NS_OK;
   }
 
   SECOidTag oid_tag;
   return getValidEVOidTag(oid_tag, *aIsEV);
-#endif
 }
 
 namespace mozilla {
 
 // TODO(bug 1036065): It seems like we only construct CERTCertLists for the
 // purpose of constructing nsNSSCertLists, so maybe we should change this
 // function to output an nsNSSCertList instead.
 SECStatus
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -1470,20 +1470,16 @@ VerifyCertAtTime(nsIX509Cert* aCert,
   NS_ENSURE_ARG_POINTER(aHasEVPolicy);
   NS_ENSURE_ARG_POINTER(aVerifiedChain);
   NS_ENSURE_ARG_POINTER(_retval);
 
   *aVerifiedChain = nullptr;
   *aHasEVPolicy = false;
   *_retval = PR_UNKNOWN_ERROR;
 
-#ifndef MOZ_NO_EV_CERTS
-  EnsureIdentityInfoLoaded();
-#endif
-
   UniqueCERTCertificate nssCert(aCert->GetCert());
   if (!nssCert) {
     return NS_ERROR_INVALID_ARG;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
 
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1819,16 +1819,22 @@ nsNSSComponent::InitializeNSS()
   rv = setEnabledTLSVersions();
   if (NS_FAILED(rv)) {
     return NS_ERROR_UNEXPECTED;
   }
 
   DisableMD5();
   LoadLoadableRoots();
 
+  rv = LoadExtendedValidationInfo();
+  if (NS_FAILED(rv)) {
+    MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("failed to load EV info"));
+    return rv;
+  }
+
   MaybeEnableFamilySafetyCompatibility();
   MaybeImportEnterpriseRoots();
 
   ConfigureTLSSessionIdentifiers();
 
   bool requireSafeNegotiation =
     Preferences::GetBool("security.ssl.require_safe_negotiation",
                          REQUIRE_SAFE_NEGOTIATION_DEFAULT);
@@ -1936,19 +1942,17 @@ nsNSSComponent::ShutdownNSS()
 
 #ifndef MOZ_NO_SMART_CARDS
     ShutdownSmartCardThreads();
 #endif
     SSL_ClearSessionCache();
     // TLSServerSocket may be run with the session cache enabled. This ensures
     // those resources are cleaned up.
     Unused << SSL_ShutdownServerSessionIDCache();
-#ifndef MOZ_NO_EV_CERTS
-    CleanupIdentityInfo();
-#endif
+
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("evaporating psm resources"));
     if (NS_FAILED(nsNSSShutDownList::evaporateAllNSSResources())) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("failed to evaporate resources"));
       return;
     }
     UnloadLoadableRoots();
     EnsureNSSInitialized(nssShutdown);
     if (SECSuccess != ::NSS_Shutdown()) {
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -2434,20 +2434,16 @@ nsSSLIOLayerImportFD(PRFileDesc* fd,
     goto loser;
   }
 
   if (SECSuccess != SSL_SetURL(sslSock, host)) {
     NS_NOTREACHED("SSL_SetURL failed");
     goto loser;
   }
 
-  // This is an optimization to make sure the identity info dataset is parsed
-  // and loaded on a separate thread and can be overlapped with network latency.
-  EnsureServerVerificationInitialized();
-
   return sslSock;
 loser:
   if (sslSock) {
     PR_Close(sslSock);
   }
   return nullptr;
 }
 
--- a/security/manager/ssl/nsSSLStatus.cpp
+++ b/security/manager/ssl/nsSSLStatus.cpp
@@ -124,21 +124,17 @@ nsSSLStatus::GetIsExtendedValidation(boo
     return NS_OK;
   }
 
   if (mHasIsEVStatus) {
     *aIsEV = mIsEV;
     return NS_OK;
   }
 
-#ifdef MOZ_NO_EV_CERTS
-  return NS_OK;
-#else
   return NS_ERROR_NOT_AVAILABLE;
-#endif
 }
 
 NS_IMETHODIMP
 nsSSLStatus::Read(nsIObjectInputStream* aStream)
 {
   nsCOMPtr<nsISupports> cert;
   nsresult rv = aStream->ReadObject(true, getter_AddRefs(cert));
   NS_ENSURE_SUCCESS(rv, rv);
@@ -285,18 +281,16 @@ nsSSLStatus::SetServerCert(nsNSSCertific
   mServerCert = aServerCert;
 
   if (aEVStatus != nsNSSCertificate::ev_status_unknown) {
     mIsEV = (aEVStatus == nsNSSCertificate::ev_status_valid);
     mHasIsEVStatus = true;
     return;
   }
 
-#ifndef MOZ_NO_EV_CERTS
   if (aServerCert) {
     nsresult rv = aServerCert->GetIsExtendedValidation(&mIsEV);
     if (NS_FAILED(rv)) {
       return;
     }
     mHasIsEVStatus = true;
   }
-#endif
 }