Backed out 3 changesets (bug 1004149) for Windows build failures in CertVerifier.cpp
authorWes Kocher <wkocher@mozilla.com>
Fri, 18 Mar 2016 11:07:55 -0700
changeset 289385 905d35af02ec40d89e06be71faa05ac584b9ccdb
parent 289384 e14e69dd0ff619f21e8b3072bafc0545fc5c77c5
child 289386 0c6d4e1ef9cbb2c1579338c2395f1c085283adec
push id30102
push userryanvm@gmail.com
push dateSat, 19 Mar 2016 15:23:17 +0000
treeherdermozilla-central@720fb3d55e28 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1004149
milestone48.0a1
backs oute14e69dd0ff619f21e8b3072bafc0545fc5c77c5
7c6888880270b6108fa51dd63d4fa058a1df5741
f164ff25450e14362813120e1c21937d2f5b1012
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out 3 changesets (bug 1004149) for Windows build failures in CertVerifier.cpp Backed out changeset e14e69dd0ff6 (bug 1004149) Backed out changeset 7c6888880270 (bug 1004149) Backed out changeset f164ff25450e (bug 1004149) MozReview-Commit-ID: GIbe3devuSe
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/OCSPRequestor.cpp
security/certverifier/OCSPRequestor.h
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSCallbacks.h
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/tests/unit/test_ocsp_url.js
security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem
security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/moz.build
security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -544,25 +544,22 @@ NSSCertDBTrustDomain::CheckRevocation(En
       return rv;
     }
     SECItem ocspRequestItem = {
       siBuffer,
       ocspRequest,
       static_cast<unsigned int>(ocspRequestLength)
     };
     // Owned by arena
-    SECItem* responseSECItem = nullptr;
-    Result tempRV =
+    const SECItem* responseSECItem =
       DoOCSPRequest(arena.get(), url, &ocspRequestItem,
                     OCSPFetchingTypeToTimeoutTime(mOCSPFetching),
-                    mOCSPGetConfig == CertVerifier::ocspGetEnabled,
-                    responseSECItem);
-    MOZ_ASSERT((tempRV != Success) || responseSECItem);
-    if (tempRV != Success) {
-      rv = tempRV;
+                    mOCSPGetConfig == CertVerifier::ocspGetEnabled);
+    if (!responseSECItem) {
+      rv = MapPRErrorCodeToResult(PR_GetError());
     } else if (response.Init(responseSECItem->data, responseSECItem->len)
                  != Success) {
       rv = Result::ERROR_OCSP_MALFORMED_RESPONSE; // too big
     }
     attemptedRequest = true;
   } else {
     rv = cachedResponseResult;
     attemptedRequest = false;
--- a/security/certverifier/OCSPRequestor.cpp
+++ b/security/certverifier/OCSPRequestor.cpp
@@ -65,87 +65,95 @@ AppendEscapedBase64Item(const SECItem* e
   // http://tools.ietf.org/html/rfc5019#section-5
   base64Request.ReplaceSubstring("+", "%2B");
   base64Request.ReplaceSubstring("/", "%2F");
   base64Request.ReplaceSubstring("=", "%3D");
   path.Append(base64Request);
   return NS_OK;
 }
 
-Result
+SECItem*
 DoOCSPRequest(PLArenaPool* arena, const char* url,
               const SECItem* encodedRequest, PRIntervalTime timeout,
-              bool useGET,
-      /*out*/ SECItem*& encodedResponse)
+              bool useGET)
 {
   if (!arena || !url || !encodedRequest || !encodedRequest->data) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
+    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+    return nullptr;
   }
   uint32_t urlLen = PL_strlen(url);
   if (urlLen > static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
+    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+    return nullptr;
   }
 
   nsCOMPtr<nsIURLParser> urlParser = do_GetService(NS_STDURLPARSER_CONTRACTID);
   if (!urlParser) {
-    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+    return nullptr;
   }
 
   uint32_t schemePos;
   int32_t schemeLen;
   uint32_t authorityPos;
   int32_t authorityLen;
   uint32_t pathPos;
   int32_t pathLen;
-  nsresult nsrv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen),
-                                      &schemePos, &schemeLen,
-                                      &authorityPos, &authorityLen,
-                                      &pathPos, &pathLen);
-  if (NS_FAILED(nsrv)) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+  nsresult rv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen),
+                                    &schemePos, &schemeLen,
+                                    &authorityPos, &authorityLen,
+                                    &pathPos, &pathLen);
+  if (NS_FAILED(rv)) {
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   if (schemeLen < 0 || authorityLen < 0) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   nsAutoCString scheme(url + schemePos,
                        static_cast<nsAutoCString::size_type>(schemeLen));
   if (!scheme.LowerCaseEqualsLiteral("http")) {
-    // We don't support HTTPS to avoid loops. See Bug 92923.
-    // We also in general only support HTTP.
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    // We dont support https:// to avoid loops see Bug 92923
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
 
   uint32_t hostnamePos;
   int32_t hostnameLen;
   int32_t port;
-  // We ignore user:password sections: if one is present, we send an OCSP
-  // request to the URL as normal without sending the username or password.
-  nsrv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
-                                   nullptr, nullptr, nullptr, nullptr,
-                                   &hostnamePos, &hostnameLen, &port);
-  if (NS_FAILED(nsrv)) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+  // We do not support urls with user@pass sections in the URL,
+  // In cas we find them we will ignore and try to connect with
+  rv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
+                                 nullptr, nullptr, nullptr, nullptr,
+                                 &hostnamePos, &hostnameLen, &port);
+  if (NS_FAILED(rv)) {
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   if (hostnameLen < 0) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   if (port == -1) {
     port = 80;
   } else if (port < 0 || port > 0xffff) {
-    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+    PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
+    return nullptr;
   }
   nsAutoCString
     hostname(url + authorityPos + hostnamePos,
              static_cast<nsACString_internal::size_type>(hostnameLen));
 
   SEC_HTTP_SERVER_SESSION serverSessionPtr = nullptr;
-  Result rv = nsNSSHttpInterface::createSessionFcn(
-    hostname.BeginReading(), static_cast<uint16_t>(port), &serverSessionPtr);
-  if (rv != Success) {
-    return rv;
+  if (nsNSSHttpInterface::createSessionFcn(hostname.BeginReading(),
+                                           static_cast<uint16_t>(port),
+                                           &serverSessionPtr) != SECSuccess) {
+    PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+    return nullptr;
   }
   ScopedHTTPServerSession serverSession(
     reinterpret_cast<nsNSSHttpServerSession*>(serverSessionPtr));
 
   nsAutoCString path;
   if (pathLen > 0) {
     path.Assign(url + pathPos, static_cast<nsAutoCString::size_type>(pathLen));
   } else {
@@ -155,58 +163,64 @@ DoOCSPRequest(PLArenaPool* arena, const 
          ("Setting up OCSP request: pre all path =%s  pathlen=%d\n", path.get(),
           pathLen));
   nsAutoCString method("POST");
   if (useGET) {
     method.Assign("GET");
     if (!StringEndsWith(path, NS_LITERAL_CSTRING("/"))) {
       path.Append("/");
     }
-    nsresult nsrv = AppendEscapedBase64Item(encodedRequest, path);
-    if (NS_WARN_IF(NS_FAILED(nsrv))) {
-      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    nsresult rv = AppendEscapedBase64Item(encodedRequest, path);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return nullptr;
     }
   }
 
   SEC_HTTP_REQUEST_SESSION requestSessionPtr;
-  rv = nsNSSHttpInterface::createFcn(serverSession.get(), "http", path.get(),
-                                     method.get(), timeout, &requestSessionPtr);
-  if (rv != Success) {
-    return rv;
+  if (nsNSSHttpInterface::createFcn(serverSession.get(), "http",
+                                    path.get(), method.get(),
+                                    timeout, &requestSessionPtr)
+        != SECSuccess) {
+    PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+    return nullptr;
   }
 
   ScopedHTTPRequestSession requestSession(
     reinterpret_cast<nsNSSHttpRequestSession*>(requestSessionPtr));
 
   if (!useGET) {
-    rv = nsNSSHttpInterface::setPostDataFcn(
-      requestSession.get(), reinterpret_cast<char*>(encodedRequest->data),
-      encodedRequest->len, "application/ocsp-request");
-    if (rv != Success) {
-      return rv;
+    if (nsNSSHttpInterface::setPostDataFcn(requestSession.get(),
+          reinterpret_cast<char*>(encodedRequest->data), encodedRequest->len,
+          "application/ocsp-request") != SECSuccess) {
+      PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+      return nullptr;
     }
   }
 
   uint16_t httpResponseCode;
   const char* httpResponseData;
   uint32_t httpResponseDataLen = 0; // 0 means any response size is acceptable
-  rv = nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr,
-                                                &httpResponseCode, nullptr,
-                                                nullptr, &httpResponseData,
-                                                &httpResponseDataLen);
-  if (rv != Success) {
-    return rv;
+  if (nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr,
+                                               &httpResponseCode, nullptr,
+                                               nullptr, &httpResponseData,
+                                               &httpResponseDataLen)
+        != SECSuccess) {
+    PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0);
+    return nullptr;
   }
 
   if (httpResponseCode != 200) {
-    return Result::ERROR_OCSP_SERVER_ERROR;
+    PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0);
+    return nullptr;
   }
 
-  encodedResponse = SECITEM_AllocItem(arena, nullptr, httpResponseDataLen);
+  SECItem* encodedResponse = SECITEM_AllocItem(arena, nullptr,
+                                               httpResponseDataLen);
   if (!encodedResponse) {
-    return Result::FATAL_ERROR_NO_MEMORY;
+    PR_SetError(SEC_ERROR_NO_MEMORY, 0);
+    return nullptr;
   }
 
   memcpy(encodedResponse->data, httpResponseData, httpResponseDataLen);
-  return Success;
+  return encodedResponse;
 }
 
 } } // namespace mozilla::psm
--- a/security/certverifier/OCSPRequestor.h
+++ b/security/certverifier/OCSPRequestor.h
@@ -7,17 +7,16 @@
 #ifndef mozilla_psm_OCSPRequestor_h
 #define mozilla_psm_OCSPRequestor_h
 
 #include "CertVerifier.h"
 #include "secmodt.h"
 
 namespace mozilla { namespace psm {
 
-// The memory returned via |encodedResponse| is owned by the given arena.
-Result DoOCSPRequest(PLArenaPool* arena, const char* url,
-                     const SECItem* encodedRequest, PRIntervalTime timeout,
-                     bool useGET,
-             /*out*/ SECItem*& encodedResponse);
+// The memory returned is owned by the given arena.
+SECItem* DoOCSPRequest(PLArenaPool* arena, const char* url,
+                       const SECItem* encodedRequest, PRIntervalTime timeout,
+                       bool useGET);
 
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm_OCSPRequestor_h
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -93,17 +93,18 @@ nsHTTPDownloadEvent::Run()
                    nsContentUtils::GetSystemPrincipal(),
                    nullptr, // aTriggeringPrincipal
                    nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
                    nsIContentPolicy::TYPE_OTHER,
                    getter_AddRefs(chan));
   NS_ENSURE_STATE(chan);
 
   // Security operations scheduled through normal HTTP channels are given
-  // high priority to accommodate real time OCSP transactions.
+  // high priority to accommodate real time OCSP transactions. Background CRL
+  // fetches happen through a different path (CRLDownloadEvent).
   nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(chan);
   if (priorityChannel)
     priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST);
 
   chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS |
                      nsIChannel::LOAD_BYPASS_SERVICE_WORKER);
 
   // Create a loadgroup for this new channel.  This way if the channel
@@ -125,17 +126,17 @@ nsHTTPDownloadEvent::Run()
     rv = uploadChannel->SetUploadStream(uploadStream, 
                                         mRequestSession->mPostContentType,
                                         -1);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
   // Do not use SPDY for internal security operations. It could result
   // in the silent upgrade to ssl, which in turn could require an SSL
-  // operation to fulfill something like an OCSP fetch, which is an
+  // operation to fufill something like a CRL fetch, which is an
   // endless loop.
   nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);
   if (internalChannel) {
     rv = internalChannel->SetAllowSpdy(false);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
   nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan);
@@ -179,59 +180,52 @@ struct nsCancelHTTPDownloadEvent : nsRun
 
   NS_IMETHOD Run() {
     mListener->FreeLoadGroup(true);
     mListener = nullptr;
     return NS_OK;
   }
 };
 
-Result
-nsNSSHttpServerSession::createSessionFcn(const char* host,
-                                         uint16_t portnum,
-                                         SEC_HTTP_SERVER_SESSION* pSession)
+SECStatus nsNSSHttpServerSession::createSessionFcn(const char *host,
+                                                   uint16_t portnum,
+                                                   SEC_HTTP_SERVER_SESSION *pSession)
 {
-  if (!host || !pSession) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
-  }
+  if (!host || !pSession)
+    return SECFailure;
 
-  nsNSSHttpServerSession* hss = new nsNSSHttpServerSession;
-  if (!hss) {
-    return Result::FATAL_ERROR_NO_MEMORY;
-  }
+  nsNSSHttpServerSession *hss = new nsNSSHttpServerSession;
+  if (!hss)
+    return SECFailure;
 
   hss->mHost = host;
   hss->mPort = portnum;
 
   *pSession = hss;
-  return Success;
+  return SECSuccess;
 }
 
-Result
-nsNSSHttpRequestSession::createFcn(SEC_HTTP_SERVER_SESSION session,
-                                   const char* http_protocol_variant,
-                                   const char* path_and_query_string,
-                                   const char* http_request_method,
-                                   const PRIntervalTime timeout,
-                                   SEC_HTTP_REQUEST_SESSION* pRequest)
+SECStatus nsNSSHttpRequestSession::createFcn(SEC_HTTP_SERVER_SESSION session,
+                                             const char *http_protocol_variant,
+                                             const char *path_and_query_string,
+                                             const char *http_request_method, 
+                                             const PRIntervalTime timeout, 
+                                             SEC_HTTP_REQUEST_SESSION *pRequest)
 {
-  if (!session || !http_protocol_variant || !path_and_query_string ||
-      !http_request_method || !pRequest) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
-  }
+  if (!session || !http_protocol_variant || !path_and_query_string || 
+      !http_request_method || !pRequest)
+    return SECFailure;
 
   nsNSSHttpServerSession* hss = static_cast<nsNSSHttpServerSession*>(session);
-  if (!hss) {
-    return Result::FATAL_ERROR_INVALID_ARGS;
-  }
+  if (!hss)
+    return SECFailure;
 
-  nsNSSHttpRequestSession* rs = new nsNSSHttpRequestSession;
-  if (!rs) {
-    return Result::FATAL_ERROR_NO_MEMORY;
-  }
+  nsNSSHttpRequestSession *rs = new nsNSSHttpRequestSession;
+  if (!rs)
+    return SECFailure;
 
   rs->mTimeoutInterval = timeout;
 
   // Use a maximum timeout value of 10 seconds because of bug 404059.
   // FIXME: Use a better approach once 406120 is ready.
   uint32_t maxBug404059Timeout = PR_TicksPerSecond() * 10;
   if (timeout > maxBug404059Timeout) {
     rs->mTimeoutInterval = maxBug404059Timeout;
@@ -242,67 +236,84 @@ nsNSSHttpRequestSession::createFcn(SEC_H
   rs->mURL.Append(hss->mHost);
   rs->mURL.Append(':');
   rs->mURL.AppendInt(hss->mPort);
   rs->mURL.Append(path_and_query_string);
 
   rs->mRequestMethod = http_request_method;
 
   *pRequest = (void*)rs;
-  return Success;
+  return SECSuccess;
 }
 
-Result
-nsNSSHttpRequestSession::setPostDataFcn(const char* http_data,
-                                        const uint32_t http_data_len,
-                                        const char* http_content_type)
+SECStatus nsNSSHttpRequestSession::setPostDataFcn(const char *http_data, 
+                                                  const uint32_t http_data_len,
+                                                  const char *http_content_type)
 {
   mHasPostData = true;
   mPostData.Assign(http_data, http_data_len);
   mPostContentType.Assign(http_content_type);
 
-  return Success;
+  return SECSuccess;
 }
 
-Result
-nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc** pPollDesc,
-                                              uint16_t* http_response_code,
-                                              const char** http_response_content_type,
-                                              const char** http_response_headers,
-                                              const char** http_response_data,
-                                              uint32_t* http_response_data_len)
+SECStatus nsNSSHttpRequestSession::addHeaderFcn(const char *http_header_name, 
+                                                const char *http_header_value)
+{
+  return SECFailure; // not yet implemented
+
+  // All http code needs to be postponed to the UI thread.
+  // Once this gets implemented, we need to add a string list member to
+  // nsNSSHttpRequestSession and queue up the headers,
+  // so they can be added in HandleHTTPDownloadPLEvent.
+  //
+  // The header will need to be set using 
+  //   mHttpChannel->SetRequestHeader(nsDependentCString(http_header_name), 
+  //                                  nsDependentCString(http_header_value), 
+  //                                  false)));
+}
+
+SECStatus nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc **pPollDesc,
+                                                        uint16_t *http_response_code, 
+                                                        const char **http_response_content_type, 
+                                                        const char **http_response_headers, 
+                                                        const char **http_response_data, 
+                                                        uint32_t *http_response_data_len)
 {
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
          ("nsNSSHttpRequestSession::trySendAndReceiveFcn to %s\n", mURL.get()));
 
   bool onSTSThread;
   nsresult nrv;
   nsCOMPtr<nsIEventTarget> sts
     = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
   if (NS_FAILED(nrv)) {
     NS_ERROR("Could not get STS service");
-    return Result::FATAL_ERROR_INVALID_STATE;
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    return SECFailure;
   }
 
   nrv = sts->IsOnCurrentThread(&onSTSThread);
   if (NS_FAILED(nrv)) {
     NS_ERROR("IsOnCurrentThread failed");
-    return Result::FATAL_ERROR_INVALID_STATE;
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    return SECFailure;
   }
 
   if (onSTSThread) {
     NS_ERROR("nsNSSHttpRequestSession::trySendAndReceiveFcn called on socket "
              "thread; this will not work.");
-    return Result::FATAL_ERROR_INVALID_STATE;
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    return SECFailure;
   }
 
   const int max_retries = 2;
   int retry_count = 0;
   bool retryable_error = false;
-  Result rv = Result::ERROR_UNKNOWN_ERROR;
+  SECStatus result_sec_status = SECFailure;
 
   do
   {
     if (retry_count > 0)
     {
       if (retryable_error)
       {
         MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
@@ -311,17 +322,17 @@ nsNSSHttpRequestSession::trySendAndRecei
       }
 
       PR_Sleep( PR_MillisecondsToInterval(300) * retry_count );
     }
 
     ++retry_count;
     retryable_error = false;
 
-    rv =
+    result_sec_status =
       internal_send_receive_attempt(retryable_error, pPollDesc, http_response_code,
                                     http_response_content_type, http_response_headers,
                                     http_response_data, http_response_data_len);
   }
   while (retryable_error &&
          retry_count < max_retries);
 
   if (retry_count > 1)
@@ -330,17 +341,17 @@ nsNSSHttpRequestSession::trySendAndRecei
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
              ("nsNSSHttpRequestSession::trySendAndReceiveFcn - still failing, giving up...\n"));
     else
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
              ("nsNSSHttpRequestSession::trySendAndReceiveFcn - success at attempt %d\n",
               retry_count));
   }
 
-  return rv;
+  return result_sec_status;
 }
 
 void
 nsNSSHttpRequestSession::AddRef()
 {
   ++mRefCount;
 }
 
@@ -348,17 +359,17 @@ void
 nsNSSHttpRequestSession::Release()
 {
   int32_t newRefCount = --mRefCount;
   if (!newRefCount) {
     delete this;
   }
 }
 
-Result
+SECStatus
 nsNSSHttpRequestSession::internal_send_receive_attempt(bool &retryable_error,
                                                        PRPollDesc **pPollDesc,
                                                        uint16_t *http_response_code,
                                                        const char **http_response_content_type,
                                                        const char **http_response_headers,
                                                        const char **http_response_data,
                                                        uint32_t *http_response_data_len)
 {
@@ -370,39 +381,38 @@ nsNSSHttpRequestSession::internal_send_r
 
   uint32_t acceptableResultSize = 0;
 
   if (http_response_data_len)
   {
     acceptableResultSize = *http_response_data_len;
     *http_response_data_len = 0;
   }
-
-  if (!mListener) {
-    return Result::FATAL_ERROR_INVALID_STATE;
-  }
+  
+  if (!mListener)
+    return SECFailure;
 
   Mutex& waitLock = mListener->mLock;
   CondVar& waitCondition = mListener->mCondition;
   volatile bool &waitFlag = mListener->mWaitFlag;
   waitFlag = true;
 
   RefPtr<nsHTTPDownloadEvent> event(new nsHTTPDownloadEvent);
-  if (!event) {
-    return Result::FATAL_ERROR_NO_MEMORY;
-  }
+  if (!event)
+    return SECFailure;
 
   event->mListener = mListener;
   this->AddRef();
   event->mRequestSession = this;
 
   nsresult rv = NS_DispatchToMainThread(event);
-  if (NS_FAILED(rv)) {
+  if (NS_FAILED(rv))
+  {
     event->mResponsibleForDoneSignal = false;
-    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    return SECFailure;
   }
 
   bool request_canceled = false;
 
   {
     MutexAutoLock locker(waitLock);
 
     const PRIntervalTime start_time = PR_IntervalNow();
@@ -489,67 +499,102 @@ nsNSSHttpRequestSession::internal_send_r
         Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME,
         event->mStartTime, TimeStamp::Now());
     }
   }
   else {
     Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3);
   }
 
-  if (request_canceled) {
-    return Result::ERROR_OCSP_SERVER_ERROR;
-  }
+  if (request_canceled)
+    return SECFailure;
 
-  if (NS_FAILED(mListener->mResultCode)) {
-    if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED ||
-        mListener->mResultCode == NS_ERROR_NET_RESET) {
+  if (NS_FAILED(mListener->mResultCode))
+  {
+    if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED
+        ||
+        mListener->mResultCode == NS_ERROR_NET_RESET)
+    {
       retryable_error = true;
     }
-    return Result::ERROR_OCSP_SERVER_ERROR;
+    return SECFailure;
   }
 
   if (http_response_code)
     *http_response_code = mListener->mHttpResponseCode;
 
-  if (mListener->mHttpRequestSucceeded && http_response_data &&
-      http_response_data_len) {
-    *http_response_data_len = mListener->mResultLen;
+  if (mListener->mHttpRequestSucceeded && http_response_data && http_response_data_len) {
 
+    *http_response_data_len = mListener->mResultLen;
+  
     // acceptableResultSize == 0 means: any size is acceptable
-    if (acceptableResultSize != 0 &&
-        acceptableResultSize < mListener->mResultLen) {
-      return Result::ERROR_OCSP_SERVER_ERROR;
+    if (acceptableResultSize != 0
+        &&
+        acceptableResultSize < mListener->mResultLen)
+    {
+      return SECFailure;
     }
 
-    // Return data by reference, result data will be valid until "this" gets
-    // destroyed.
+    // return data by reference, result data will be valid 
+    // until "this" gets destroyed by NSS
     *http_response_data = (const char*)mListener->mResultData;
   }
 
   if (mListener->mHttpRequestSucceeded && http_response_content_type) {
     if (mListener->mHttpResponseContentType.Length()) {
       *http_response_content_type = mListener->mHttpResponseContentType.get();
     }
   }
 
-  return Success;
+  return SECSuccess;
+}
+
+SECStatus nsNSSHttpRequestSession::cancelFcn()
+{
+  // As of today, only the blocking variant of the http interface
+  // has been implemented. Implementing cancelFcn will be necessary
+  // as soon as we implement the nonblocking variant.
+  return SECSuccess;
+}
+
+SECStatus nsNSSHttpRequestSession::freeFcn()
+{
+  Release();
+  return SECSuccess;
 }
 
 nsNSSHttpRequestSession::nsNSSHttpRequestSession()
 : mRefCount(1),
   mHasPostData(false),
   mTimeoutInterval(0),
   mListener(new nsHTTPListener)
 {
 }
 
 nsNSSHttpRequestSession::~nsNSSHttpRequestSession()
 {
 }
 
+SEC_HttpClientFcn nsNSSHttpInterface::sNSSInterfaceTable;
+
+void nsNSSHttpInterface::initTable()
+{
+  sNSSInterfaceTable.version = 1;
+  SEC_HttpClientFcnV1 &v1 = sNSSInterfaceTable.fcnTable.ftable1;
+  v1.createSessionFcn = createSessionFcn;
+  v1.keepAliveSessionFcn = keepAliveFcn;
+  v1.freeSessionFcn = freeSessionFcn;
+  v1.createFcn = createFcn;
+  v1.setPostDataFcn = setPostDataFcn;
+  v1.addHeaderFcn = addHeaderFcn;
+  v1.trySendAndReceiveFcn = trySendAndReceiveFcn;
+  v1.cancelFcn = cancelFcn;
+  v1.freeFcn = freeFcn;
+}
+
 nsHTTPListener::nsHTTPListener()
 : mResultData(nullptr),
   mResultLen(0),
   mLock("nsHTTPListener.mLock"),
   mCondition(mLock, "nsHTTPListener.mCondition"),
   mWaitFlag(true),
   mResponsibleForDoneSignal(false),
   mLoadGroup(nullptr),
--- a/security/manager/ssl/nsNSSCallbacks.h
+++ b/security/manager/ssl/nsNSSCallbacks.h
@@ -1,41 +1,37 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef nsNSSCallbacks_h
-#define nsNSSCallbacks_h
+#ifndef _NSNSSCALLBACKS_H_
+#define _NSNSSCALLBACKS_H_
 
-#include "mozilla/Attributes.h"
-#include "mozilla/CondVar.h"
-#include "mozilla/Mutex.h"
 #include "nsAutoPtr.h"
 #include "nsCOMPtr.h"
+#include "pk11func.h"
+#include "nspr.h"
+#include "ocspt.h"
 #include "nsIStreamLoader.h"
-#include "nspr.h"
+#include "mozilla/CondVar.h"
+#include "mozilla/Mutex.h"
+#include "mozilla/Attributes.h"
 #include "nsString.h"
-#include "pk11func.h"
-#include "pkix/pkixtypes.h"
-
-#include "ocspt.h" // Must be included after pk11func.h.
 
 class nsILoadGroup;
 
 char*
 PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg);
 
 void HandshakeCallback(PRFileDesc *fd, void *client_data);
 SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data,
                                 PRBool *canFalseStart);
 
-typedef mozilla::pkix::Result Result;
-
 class nsHTTPListener final : public nsIStreamLoaderObserver
 {
 private:
   // For XPCOM implementations that are not a base class for some other
   // class, it is good practice to make the destructor non-virtual and
   // private.  Then the only way to delete the object is via Release.
 #ifdef _MSC_VER
   // C4265: Class has virtual members but destructor is not virtual
@@ -54,135 +50,176 @@ public:
   nsresult mResultCode;
 
   bool mHttpRequestSucceeded;
   uint16_t mHttpResponseCode;
   nsCString mHttpResponseContentType;
 
   const uint8_t* mResultData; // allocated in loader, but owned by listener
   uint32_t mResultLen;
-
+  
   mozilla::Mutex mLock;
   mozilla::CondVar mCondition;
   volatile bool mWaitFlag;
-
+  
   bool mResponsibleForDoneSignal;
   void send_done_signal();
 
   // no nsCOMPtr. When I use it, I get assertions about
   //   loadgroup not being thread safe.
   // So, let's use a raw pointer and ensure we only create and destroy
   // it on the network thread ourselves.
   nsILoadGroup *mLoadGroup;
   PRThread *mLoadGroupOwnerThread;
   void FreeLoadGroup(bool aCancelLoad);
 };
 
 class nsNSSHttpServerSession
 {
 public:
   nsCString mHost;
-  uint16_t mPort;
+  uint16_t mPort;  
 
-  static Result createSessionFcn(const char* host,
-                                 uint16_t portnum,
-                                 SEC_HTTP_SERVER_SESSION* pSession);
+  static SECStatus createSessionFcn(const char *host,
+                                    uint16_t portnum,
+                                    SEC_HTTP_SERVER_SESSION *pSession);
 };
 
 class nsNSSHttpRequestSession
 {
 protected:
   mozilla::ThreadSafeAutoRefCnt mRefCount;
 
 public:
-  static Result createFcn(SEC_HTTP_SERVER_SESSION session,
-                          const char* httpProtocolVariant,
-                          const char* pathAndQueryString,
-                          const char* httpRequestMethod,
-                          const PRIntervalTime timeout,
-                          SEC_HTTP_REQUEST_SESSION* pRequest);
+  static SECStatus createFcn(SEC_HTTP_SERVER_SESSION session,
+                             const char *http_protocol_variant,
+                             const char *path_and_query_string,
+                             const char *http_request_method, 
+                             const PRIntervalTime timeout, 
+                             SEC_HTTP_REQUEST_SESSION *pRequest);
+
+  SECStatus setPostDataFcn(const char *http_data, 
+                           const uint32_t http_data_len,
+                           const char *http_content_type);
 
-  Result setPostDataFcn(const char* httpData,
-                        const uint32_t httpDataLen,
-                        const char* httpContentType);
+  SECStatus addHeaderFcn(const char *http_header_name, 
+                         const char *http_header_value);
 
-  Result trySendAndReceiveFcn(PRPollDesc** pPollDesc,
-                              uint16_t* httpResponseCode,
-                              const char** httpResponseContentType,
-                              const char** httpResponseHeaders,
-                              const char** httpResponseData,
-                              uint32_t* httpResponseDataLen);
+  SECStatus trySendAndReceiveFcn(PRPollDesc **pPollDesc,
+                                 uint16_t *http_response_code, 
+                                 const char **http_response_content_type, 
+                                 const char **http_response_headers, 
+                                 const char **http_response_data, 
+                                 uint32_t *http_response_data_len);
+
+  SECStatus cancelFcn();
+  SECStatus freeFcn();
 
   void AddRef();
   void Release();
 
   nsCString mURL;
   nsCString mRequestMethod;
-
+  
   bool mHasPostData;
   nsCString mPostData;
   nsCString mPostContentType;
-
+  
   PRIntervalTime mTimeoutInterval;
-
+  
   RefPtr<nsHTTPListener> mListener;
-
+  
 protected:
   nsNSSHttpRequestSession();
   ~nsNSSHttpRequestSession();
 
-  Result internal_send_receive_attempt(bool& retryableError,
-                                       PRPollDesc** pPollDesc,
-                                       uint16_t* httpResponseCode,
-                                       const char** httpResponseContentType,
-                                       const char** httpResponseHeaders,
-                                       const char** httpResponseData,
-                                       uint32_t* httpResponseDataLen);
+  SECStatus internal_send_receive_attempt(bool &retryable_error,
+                                          PRPollDesc **pPollDesc,
+                                          uint16_t *http_response_code,
+                                          const char **http_response_content_type,
+                                          const char **http_response_headers,
+                                          const char **http_response_data,
+                                          uint32_t *http_response_data_len);
 };
 
 class nsNSSHttpInterface
 {
 public:
-  static Result createSessionFcn(const char* host,
-                                 uint16_t portnum,
-                                 SEC_HTTP_SERVER_SESSION* pSession)
+  static SECStatus createSessionFcn(const char *host,
+                                    uint16_t portnum,
+                                    SEC_HTTP_SERVER_SESSION *pSession)
   {
     return nsNSSHttpServerSession::createSessionFcn(host, portnum, pSession);
   }
 
-  static Result createFcn(SEC_HTTP_SERVER_SESSION session,
-                          const char* httpProtocolVariant,
-                          const char* pathAndQueryString,
-                          const char* httpRequestMethod,
-                          const PRIntervalTime timeout,
-                          SEC_HTTP_REQUEST_SESSION* pRequest)
+  static SECStatus keepAliveFcn(SEC_HTTP_SERVER_SESSION session,
+                                PRPollDesc **pPollDesc)
   {
-    return nsNSSHttpRequestSession::createFcn(session, httpProtocolVariant,
-                                              pathAndQueryString,
-                                              httpRequestMethod, timeout,
-                                              pRequest);
+    // Not yet implemented, however, Necko does transparent keep-alive 
+    // anyway, when enabled in Necko's prefs.
+    return SECSuccess;
+  }
+
+  static SECStatus freeSessionFcn(SEC_HTTP_SERVER_SESSION session)
+  {
+    delete static_cast<nsNSSHttpServerSession*>(session);
+    return SECSuccess;
   }
 
-  static Result setPostDataFcn(SEC_HTTP_REQUEST_SESSION request,
-                               const char* httpData,
-                               const uint32_t httpDataLen,
-                               const char* httpContentType)
+  static SECStatus createFcn(SEC_HTTP_SERVER_SESSION session,
+                             const char *http_protocol_variant,
+                             const char *path_and_query_string,
+                             const char *http_request_method, 
+                             const PRIntervalTime timeout, 
+                             SEC_HTTP_REQUEST_SESSION *pRequest)
+  {
+    return nsNSSHttpRequestSession::createFcn(session, http_protocol_variant,
+                                     path_and_query_string, http_request_method, 
+                                     timeout, pRequest);
+  }
+
+  static SECStatus setPostDataFcn(SEC_HTTP_REQUEST_SESSION request, 
+                                  const char *http_data, 
+                                  const uint32_t http_data_len,
+                                  const char *http_content_type)
   {
     return static_cast<nsNSSHttpRequestSession*>(request)
-      ->setPostDataFcn(httpData, httpDataLen, httpContentType);
+            ->setPostDataFcn(http_data, http_data_len, http_content_type);
+  }
+
+  static SECStatus addHeaderFcn(SEC_HTTP_REQUEST_SESSION request,
+                                const char *http_header_name, 
+                                const char *http_header_value)
+  {
+    return static_cast<nsNSSHttpRequestSession*>(request)
+            ->addHeaderFcn(http_header_name, http_header_value);
   }
 
-  static Result trySendAndReceiveFcn(SEC_HTTP_REQUEST_SESSION request,
-                                     PRPollDesc** pPollDesc,
-                                     uint16_t* httpResponseCode,
-                                     const char** httpResponseContentType,
-                                     const char** httpResponseHeaders,
-                                     const char** httpResponseData,
-                                     uint32_t* httpResponseDataLen)
+  static SECStatus trySendAndReceiveFcn(SEC_HTTP_REQUEST_SESSION request, 
+                                        PRPollDesc **pPollDesc,
+                                        uint16_t *http_response_code, 
+                                        const char **http_response_content_type, 
+                                        const char **http_response_headers, 
+                                        const char **http_response_data, 
+                                        uint32_t *http_response_data_len)
   {
     return static_cast<nsNSSHttpRequestSession*>(request)
-      ->trySendAndReceiveFcn(pPollDesc, httpResponseCode,
-                             httpResponseContentType, httpResponseHeaders,
-                             httpResponseData, httpResponseDataLen);
+            ->trySendAndReceiveFcn(pPollDesc, http_response_code, http_response_content_type, 
+                     http_response_headers, http_response_data, http_response_data_len);
+  }
+
+  static SECStatus cancelFcn(SEC_HTTP_REQUEST_SESSION request)
+  {
+    return static_cast<nsNSSHttpRequestSession*>(request)
+            ->cancelFcn();
   }
+
+  static SECStatus freeFcn(SEC_HTTP_REQUEST_SESSION request)
+  {
+    return static_cast<nsNSSHttpRequestSession*>(request)
+            ->freeFcn();
+  }
+
+  static void initTable();
+  static SEC_HttpClientFcn sNSSInterfaceTable;
 };
 
-#endif // nsNSSCallbacks_h
+#endif // _NSNSSCALLBACKS_H_
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1098,16 +1098,18 @@ nsNSSComponent::InitializeNSS()
   nsCOMPtr<nsICertBlocklist> certList = do_GetService(NS_CERTBLOCKLIST_CONTRACTID);
   if (!certList) {
     return NS_ERROR_FAILURE;
   }
 
   // dynamic options from prefs
   setValidationOptions(true, lock);
 
+  mHttpForNSS.initTable();
+
 #ifndef MOZ_NO_SMART_CARDS
   LaunchSmartCardThreads();
 #endif
 
   mozilla::pkix::RegisterErrorTable();
 
   // Initialize the site security service
   nsCOMPtr<nsISiteSecurityService> sssService =
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -36,41 +36,30 @@ function run_test() {
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
-  // Note: We don't test the case of a well-formed HTTP URL with an empty port
-  //       because the OCSP code would then send a request to port 80, which we
-  //       can't use in tests.
-
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    ocspResponder.stop(run_next_test);
-  });
-
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
@@ -118,20 +107,10 @@ function run_test() {
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
-  // Note: We currently don't have anything that ensures user:pass sections
-  //       weren't sent. The following test simply checks that such sections
-  //       don't cause failures.
-  add_test(() => {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["user-pass"], [""]);
-    check_cert_err("user-pass", PRErrorCodeSuccess);
-    ocspResponder.stop(run_next_test);
-  });
-
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC4jCCAcygAwIBAgIUCUgBNVFlUc2p60KMe3dO6FhMipkwCwYJKoZIhvcNAQEL
+MIIC4TCCAcugAwIBAgIUSVV8GuYeHmRKCpxw+z10gaAfdogwCwYJKoZIhvcNAQEL
 MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
 MDAwWjAVMRMwEQYDVQQDDApiYWQtc2NoZW1lMIIBIjANBgkqhkiG9w0BAQEFAAOC
 AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
 4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
 SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
 kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
 owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
-Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozEwLzAtBggrBgEFBQcB
-AQQhMB8wHQYIKwYBBQUHMAGGES93d3cuZXhhbXBsZS5jb20vMAsGCSqGSIb3DQEB
-CwOCAQEAieSkH2D4uXmxuA+Mxs1Pt7GkcWSzzsyx7mohi7B/VPFeo8O+xseELYiZ
-dVMg4sUls18B1hBQmv1LmcCJDeLUMhlFSKzg8+YMbeVtmB+SeKrBDY/jihVFxe7R
-JzRZmnxIv0fo8IEI5yiLl/k/rLsJxhqQ3xjhVWVFkq6I+7dP6pmyAuW4Gb98Kil+
-7WjiLTxcQH9beepODFGemjJYhId5TjjH9PWgAK79BXbRvOise54pP5mS6gOG6Pmk
-KAI0c59vta09h8wBXsfDh3dYEPB15m9JAlsfHEc3BbAD9G9d1lRq3m3sBy7MQ6Sl
-tnXePhkS4Zs2u7iGvma6sR267hYQQw==
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAsBggrBgEFBQcB
+AQQgMB4wHAYIKwYBBQUHMAGGEC93d3cuZXhhbXBsZS5jb20wCwYJKoZIhvcNAQEL
+A4IBAQCLMA8cA3de38Jrr3CeIeugTXhWp7iixVDjeskpXhcWBAB6r4saVgodouDd
+rGDd93XqsZ/91iInL5nS4+HrNgpa40SZ9u3nXZj1ji7bhnXGuKIkioeqVC85wZsZ
+k0MfNn26t/9GbgKi0EhlBYfLLh7n74Ipf2jW0rNWWX74JSB4vfIILlngHt/7/XLW
+HAKZriC+lTWk/Hg4sxd0hzR7YXS1BWf2XWQh8jZcUA826gFWvxOWoPw/fL37MzAJ
+JzAnanJ21+1BrFjUd/X3gyTaCrTtv6FFBExxaKCONGZ+fsQVz474RsOYQTkiWk4E
+6gHtp2Ms+ZQq8s4LpXHQLVdv5wtP
 -----END CERTIFICATE-----
\ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
@@ -1,3 +1,3 @@
 issuer:int
 subject:bad-scheme
-extension:authorityInformationAccess:/www.example.com/
+extension:authorityInformationAccess:/www.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdOgAwIBAgIUa9Unq2D6UuzOdGrYZUJK1Cu/tAEwCwYJKoZIhvcNAQEL
+MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
+MDAwWjAVMRMwEQYDVQQDDAplbXB0eS1wb3J0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozgwNjA0BggrBgEFBQcB
+AQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly93d3cuZXhhbXBsZS5jb206LzALBgkq
+hkiG9w0BAQsDggEBACT8keBaJ83r+547Vnhz0Oeb7S5vUFgGD1ppqdRY61HGuH03
+NUeR6x185lFdgJgRj1fS420X3FML51UuldvrnKvBTqJGpVgAIfOKFDTe6myENDr5
+oXYArBR9vMsbafZFRZjskiqokjUmjp0wad6SFhGm+I9YoYI/iGF6zCg24mOmxpWg
+EHwoBQ3tF/o3X0oVQx6EAA2YvMdIffu+X++PWVV00GTIi5o2ihilq0ZQAFcsc3ua
+VDln/jmCl1KLS9Og4SCMnHIQDANJmBCB2vLBH9ZJDXK8GgqPwjd97LQiYLFApXyu
+BJn9Y2XHuJXr00/4sSnmmyPEyNYiVN54oBnAfYI=
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:empty-port
+extension:authorityInformationAccess:http://www.example.com:/
--- a/security/manager/ssl/tests/unit/test_ocsp_url/moz.build
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/moz.build
@@ -3,28 +3,28 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 # Temporarily disabled. See bug 1256495.
 #test_certificates = (
 #    'bad-scheme.pem',
 #    'ca.pem',
+#    'empty-port.pem',
 #    'empty-scheme-url.pem',
 #    'ftp-url.pem',
 #    'hTTp-url.pem',
 #    'https-url.pem',
 #    'int.pem',
 #    'negative-port.pem',
 #    'no-host-url.pem',
 #    'no-path-url.pem',
 #    'no-scheme-host-port.pem',
 #    'no-scheme-url.pem',
 #    'unknown-scheme.pem',
-#    'user-pass.pem',
 #)
 #
 #for test_certificate in test_certificates:
 #    GeneratedTestCertificate(test_certificate)
 #
 #test_keys = (
 #    'int.key',
 #)
--- a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC7jCCAdigAwIBAgIUaRXYhHMxVLXv0jEa7DzCo4XP3kEwCwYJKoZIhvcNAQEL
+MIIC7TCCAdegAwIBAgIUKxb1IEwl2xxr9eYRaSRuSOPVR80wCwYJKoZIhvcNAQEL
 MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
 MDAwWjAYMRYwFAYDVQQDDA1uZWdhdGl2ZS1wb3J0MIIBIjANBgkqhkiG9w0BAQEF
 AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
 xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
 qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
 kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
 wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
-BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozowODA2BggrBgEF
-BQcBAQQqMCgwJgYIKwYBBQUHMAGGGmh0dHA6Ly93d3cuZXhhbXBsZS5jb206LTEv
-MAsGCSqGSIb3DQEBCwOCAQEASHTpE/+ZfMfU7A9B+PidfrUaHb1wIb1d56nLzZbw
-ZkaCWtos3W/foUS6fqh9N6IB/HnfrH5IYDKemYHX3bdVAKXEvdMIGFWbYq8DCh8G
-L6KmHMX96GRHUt6APgj5HnKDGK/gTPCgL7S60Udgt802FCHoprFEOrDP4l3KNOA6
-RkLJVqyTenMr8CNAw6TKOV4mezm1FRRybqSlQesCy6UDQCTyTnp+36tzMS6/znGz
-Eg049InNUTKTKV53BJiad14SAG0xcYSDBJ3JOCGprdMSyXViyEgEKY4yXXOEX7T+
-Dx92b/Y6wxgZmrE5vUOxotSwoZl1HvegwtM+yv3oJlPghQ==
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozkwNzA1BggrBgEF
+BQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly93d3cuZXhhbXBsZS5jb206LTEw
+CwYJKoZIhvcNAQELA4IBAQAw5TQzcQUOXkt6B7sPtCEbSZhYPTXT7S+tDmCOUbuu
+59pDHrqcicN6GHs2yjA0VQSppdHM4vJPBv73n3i/v0DtJeDAU0vDKXhL3XYoaiFc
+neLFP+igJVKVq+1YGFm6IJzQmAnWO3WaoVRal3i2Fsy9yzD9JfFPozhIDQSnQgOo
+jxB5zXAWfPCC6vZs6D2+ERDuGQ8U23iLGt93QRjA/1+jyEX+wVweHhQA0+ThEnQG
+P3dvmpxGJmEaN3VwQJJLX/Aa+HP8yIDgPfLWDlVD1GMIN+OzA/34uKUQCanBeKkk
+P+NSbiJAGbqck2GkhB1dJvAN4Rocxd1Zz2HwZOQqNEKw
 -----END CERTIFICATE-----
\ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
@@ -1,3 +1,3 @@
 issuer:int
 subject:negative-port
-extension:authorityInformationAccess:http://www.example.com:-1/
+extension:authorityInformationAccess:http://www.example.com:-1
--- a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC6zCCAdWgAwIBAgIUI5Tv1e1YLCHEMZT5XJ1qU6KnNgAwCwYJKoZIhvcNAQEL
+MIIC7jCCAdigAwIBAgIUc3XxC3XHk7zit5PqvQJY/KINaQowCwYJKoZIhvcNAQEL
 MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
-MDAwWjAZMRcwFQYDVQQDDA51bmtub3duLXNjaGVtZTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
-wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
-k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
-eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
-EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
-JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM2MDQwMgYIKwYB
-BQUHAQEEJjAkMCIGCCsGAQUFBzABhhZ0dHA6Ly93d3cuZXhhbXBsZS5jb20vMAsG
-CSqGSIb3DQEBCwOCAQEAtcV1bIruR8rwWC+rA+336IIjHD7za6wzDVJzUMnrfZ7u
-7e1amMhToNnFHulMKjpVRQaKoYIdtnd32cvvTebwKsIe3fnCcT9JA4w5Lf3T62YF
-bPzeoDO+602npGl9br7OmImNqhOLXVO/ISahmfLIyW9kiPrDx/L0jdyulamLCzAh
-jsLfawEZdN9n9gWUwVQglboS/SmmNHNhfvutBv9ZnFT/zvrVoV8aBKjkXQOL0G2g
-sToq4N+L2O2ow4MTdp0OM7RufMgdJyfBqFHC4/07/xednWUhQ+MeG4gRIidx9lR/
-x/fYCLkAZ/NDyt3Md8lLAPimBkOFt5ce+VGFriZSCw==
+MDAwWjAdMRswGQYDVQQDDBJ1bmtub3duLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEG
+CCsGAQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVdHRwOi8vd3d3LmV4YW1wbGUuY29t
+MAsGCSqGSIb3DQEBCwOCAQEAbWjhsr44kEsgozAd7LKUBy1UfiLcuLRK1//mkONB
+Gu9YoOy+/Gh60/fqKUlhEu/xAMqHdJ+LoM5mQvFXIvrNNWjE1TRuew5j0LACSboX
+UxDacgbvYckU/wJRTHURimGSU6FHHnIczm/4AzlfRF+RWZL2kmOC5mn7f7aRC/RP
+TG1JZqDRt5/7iFOnuRsuR8V5f7vd8d3F29fmnhvZpjvMnoJqqs+rJQCbn/M9bEdM
+kRcWrD4X3fEksEFAFcTs6kiLsxJ/UuSAlSXtzYqXqWOgr22LMtqBaOAM1TMwEaba
+NjyoWmLVK2i9vTSdRlIfV1PSpiVGNfZL29XO5lR0oR2HMw==
 -----END CERTIFICATE-----
\ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
@@ -1,3 +1,3 @@
 issuer:int
-subject:unknown-scheme
-extension:authorityInformationAccess:ttp://www.example.com/
+subject:unknown-scheme-url
+extension:authorityInformationAccess:ttp://www.example.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9jCCAeCgAwIBAgIUZwBIuhJsl6TtcbJBQ2j36UO5R+wwCwYJKoZIhvcNAQEL
-MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw
-MDAwWjAUMRIwEAYDVQQDDAl1c2VyLXBhc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
-2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
-5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
-PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
-DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
-iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjRjBEMEIGCCsGAQUFBwEB
-BDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL3VzZXI6cGFzc0B3d3cuZXhhbXBsZS5j
-b206ODg4OC8wCwYJKoZIhvcNAQELA4IBAQBVI4PnVdDg/lT6bZ/4COoPBbu9Ql0Q
-sGVhl/A1zH8xYx8OII0aI7U2OpXC1GNnESyt1nvsfEtnR6ETgGlaRdI8hXpOz0dI
-VXh1PZEv9ESdl4FWmqGFM26eOqSS1r6aU2oBfTSzO6Ki4cduSfmiBuCCFzGtuMdG
-pu+PWP7ffzgU9lteYvf+uXcD8u/Kz0WOtKwB4nuVWy0PcKlX8z/SizcoaCdG3v7+
-6j9GsLbD8G0mIZVM2Jyrv6M5+RSelp957gPXu3BoYG8QW5I9zSMfQg0w/Y81IR+5
-cXuQ0TBTvHx2QjkOHH4Iy8cIXKxCdiYyVUvlYS5UjTaaZLpcjmA5/Pl1
------END CERTIFICATE-----
\ No newline at end of file
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int
-subject:user-pass
-extension:authorityInformationAccess:http://user:pass@www.example.com:8888/