bug 929617 - disregard expired stapled OCSP responses, acquire fresh ones r=briansmith
authorDavid Keeler <dkeeler@mozilla.com>
Mon, 25 Nov 2013 15:40:11 -0800
changeset 157686 fc7b76d9da1ec1b461410baf1553687441c94b64
parent 157685 e781364ed4f8ad008659a0076dd3f73ebabfd621
child 157687 53c0f65599fe8747e115196470da47bbb1e9ad58
push id25719
push usercbook@mozilla.com
push dateWed, 27 Nov 2013 09:57:23 +0000
treeherdermozilla-central@2e3d89ed5dc7 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbriansmith
bugs929617
milestone28.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 929617 - disregard expired stapled OCSP responses, acquire fresh ones r=briansmith
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/tlsserver/cert8.db
security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
security/manager/ssl/tests/unit/tlsserver/key3.db
security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
security/manager/ssl/tests/unit/tlsserver/test-ca.der
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -890,17 +890,24 @@ AuthCertificate(TransportSecurityInfo * 
 
   SECStatus rv;
   if (stapledOCSPResponse) {
     CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
     rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
                                                stapledOCSPResponse,
                                                infoObject);
     if (rv != SECSuccess) {
-      return rv;
+      // Due to buggy servers that will staple expired OCSP responses
+      // (see for example http://trac.nginx.org/nginx/ticket/425),
+      // don't terminate the connection if the stapled response is expired.
+      // We will fall back to fetching revocation information.
+      PRErrorCode ocspErrorCode = PR_GetError();
+      if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
+        return rv;
+      }
     }
   }
 
   CERTCertList *verifyCertChain = nullptr;
   SECOidTag evOidPolicy;
   rv = PSM_SSL_PKIX_AuthCertificate(cert, infoObject, infoObject->GetHostNameRaw(),
                                     &verifyCertChain, &evOidPolicy);
 
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -61,42 +61,59 @@ function addCertFromFile(certdb, filenam
 }
 
 function getXPCOMStatusFromNSS(statusNSS) {
   let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
                            .getService(Ci.nsINSSErrorsService);
   return nssErrorsService.getXPCOMFromNSSError(statusNSS);
 }
 
-function clearOCSPCache() {
+function _getLibraryFunctionWithNoArguments(functionName, libraryName) {
   // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
-  let path = ctypes.libraryName("nss3");
+  let path = ctypes.libraryName(libraryName);
 
   // XXX really want to be able to pass specific dlopen flags here.
   let nsslib;
   try {
     nsslib = ctypes.open(path);
   } catch(e) {
     // In case opening the library without a full path fails,
     // try again with a full path.
-    let directoryService = Cc["@mozilla.org/file/directory_service;1"]
-                             .getService(Ci.nsIProperties);
-    let greDir = directoryService.get("GreD", Ci.nsILocalFile);
+    let file = Services.dirsvc.get("GreD", Ci.nsILocalFile);
     file.append(path);
     nsslib = ctypes.open(file.path);
   }
 
   let SECStatus = ctypes.int;
-  let CERT_ClearOCSPCache = nsslib.declare("CERT_ClearOCSPCache",
-                                           ctypes.default_abi, SECStatus);
+  let func = nsslib.declare(functionName, ctypes.default_abi, SECStatus);
+  return func;
+}
+
+function clearOCSPCache() {
+  let CERT_ClearOCSPCache =
+    _getLibraryFunctionWithNoArguments("CERT_ClearOCSPCache", "nss3");
   if (CERT_ClearOCSPCache() != 0) {
     throw "Failed to clear OCSP cache";
   }
 }
 
+function clearSessionCache() {
+  let SSL_ClearSessionCache = null;
+  try {
+    SSL_ClearSessionCache =
+      _getLibraryFunctionWithNoArguments("SSL_ClearSessionCache", "ssl3");
+  } catch (e) {
+    // On Windows, this is actually in the nss3 library.
+    SSL_ClearSessionCache =
+      _getLibraryFunctionWithNoArguments("SSL_ClearSessionCache", "nss3");
+  }
+  if (!SSL_ClearSessionCache || SSL_ClearSessionCache() != 0) {
+    throw "Failed to clear SSL session cache";
+  }
+}
 
 // Set up a TLS testing environment that has a TLS server running and
 // ready to accept connections. This async function starts the server and
 // waits for the server to indicate that it is ready.
 //
 // Each test should have its own subdomain of example.com, for example
 // my-first-connection-test.example.com. The server can use the server
 // name (passed through the SNI TLS extension) to determine what behavior
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -3,28 +3,39 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 "use strict";
 
 // In which we connect to a number of domains (as faked by a server running
 // locally) with and without OCSP stapling enabled to determine that good
 // things happen and bad things don't.
 
+let gExpectOCSPRequest;
+
 function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
   add_connection_test(aHost, aExpectedResult,
     function() {
+      gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
+      clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
 function run_test() {
   do_get_profile();
 
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    do_check_true(gExpectOCSPRequest);
+  });
+  fakeOCSPResponder.start(8080);
+
   add_tls_server_setup("OCSPStaplingServer");
 
   // In the absence of OCSP stapling, these should actually all work.
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
@@ -74,19 +85,28 @@ function run_test() {
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true);
   add_ocsp_test("ocsp-stapling-unauthorized.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST),
                 true);
   add_ocsp_test("ocsp-stapling-unknown.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
   add_ocsp_test("ocsp-stapling-good-other.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
-  // If the server doesn't send an OCSP response, we continue as normal.
-  add_ocsp_test("ocsp-stapling-none.example.com", Cr.NS_OK, true);
+  // If the server doesn't staple an OCSP response, we continue as normal
+  // (this means that even though stapling is enabled, we expect an OCSP
+  // request).
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+    function() {
+      gExpectOCSPRequest = true;
+      clearOCSPCache();
+      clearSessionCache();
+      Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+    }
+  );
   add_ocsp_test("ocsp-stapling-empty.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
-  add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), true);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), true);
+  // ocsp-stapling-expired.example.com and
+  // ocsp-stapling-expired-fresh-ca.example.com are handled in
+  // test_ocsp_stapling_expired.js
 
+  add_test(function() { fakeOCSPResponder.stop(run_next_test); });
   run_next_test();
 }
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -0,0 +1,85 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with OCSP stapling enabled to determine that good things happen
+// and bad things don't, specifically with respect to various expired OCSP
+// responses (stapled and otherwise).
+
+let gCurrentOCSPResponse = null;
+let gOCSPRequestCount = 0;
+
+function add_ocsp_test(aHost, aExpectedResult, aOCSPResponseToServe) {
+  add_connection_test(aHost, aExpectedResult,
+    function() {
+      clearOCSPCache();
+      clearSessionCache();
+      gCurrentOCSPResponse = aOCSPResponseToServe;
+      gOCSPRequestCount = 0;
+    },
+    function() {
+      do_check_eq(gOCSPRequestCount, 1);
+    });
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+  let args = [ ["good", "localhostAndExampleCom", "unused" ],
+               ["expiredresponse", "localhostAndExampleCom", "unused"],
+               ["oldvalidperiod", "localhostAndExampleCom", "unused"],
+               ["revoked", "localhostAndExampleCom", "unused"] ];
+  let ocspResponses = generateOCSPResponses(args, "tlsserver");
+  // Fresh response, certificate is good.
+  let ocspResponseGood = ocspResponses[0];
+  // Expired response, certificate is good.
+  let expiredOCSPResponseGood = ocspResponses[1];
+  // Fresh signature, old validity period, certificate is good.
+  let oldValidityPeriodOCSPResponseGood = ocspResponses[2];
+  // Fresh signature, certificate is revoked.
+  let ocspResponseRevoked = ocspResponses[3];
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function(request, response) {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.setHeader("Content-Type", "application/ocsp-response");
+    response.write(gCurrentOCSPResponse);
+    gOCSPRequestCount++;
+  });
+  ocspResponder.start(8080);
+
+  add_tls_server_setup("OCSPStaplingServer");
+
+  // In these tests, the OCSP stapling server gives us a stapled
+  // response based on the host name ("ocsp-stapling-expired" or
+  // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
+  // properly falling back to fetching revocation information.
+  // For ocsp-stapling-expired.example.com, the OCSP stapling server
+  // staples an expired OCSP response. The certificate has not expired.
+  // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
+  // server staples an OCSP response with a recent signature but with an
+  // out-of-date validity period. The certificate has not expired.
+  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+                expiredOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+                expiredOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+                oldValidityPeriodOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+                oldValidityPeriodOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                ocspResponseRevoked);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                ocspResponseRevoked);
+  add_test(function() { ocspResponder.stop(run_next_test); });
+  run_next_test();
+}
index 590f59078ca48d911a7dffe52b0b6bdc55a1560e..6c82819df43f97267ab26d670f22b4487a471436
GIT binary patch
literal 65536
zc%1Fsc~BEs9tZH(9gctmMQ(;mL3crc4uY^DAu<d&pm7vL5mc}s3pga<$bf)M4LB>h
z40vmKfHIy1!h*88q6{dmN>)bEDdch~WnF|3DAWb7kxdBWSW`glR$0sb@%^N_x|8>Q
z-7l|y{pasB(K22~2%!nlxI@SS<ss20gd*yVutyK*(LHNqKhi`vs^dM<%ub?4k8b~S
zY-%#D3IG5A0000000000000000000000000000000002+;pmYe;d9{=;a#CZSR%|7
zo)PR3tQPnS488uvGxQn;00000000000000000000000000000000000m~3o{Xe>~D
z=&8h%$)=|;*_8YUi>7Frq8N^rj^pM}HxF?rN>h_C)49_aeJxgq2Fp-;xj0#F>+8c<
zn{v4GxQr{8>*?<9>K10oaeMzOW5G3JOw=(`M`HY>(N1EiJWig*WF3D03X~>cW#thj
zYb%|VMe1#j)t;EOKHod*%Nr3!e>2Mr3wjtmdrwW1yW^|Q{f1K-Qoj9r4Nbx$YrbzO
zV;dicyy5HO`g})fen;`^;r8=RihpiNb)bx_smvu`9xLC(;eKYu4L>bg{|Eb`_<aUV
zbvZ$~O|2~s6`bcq-v^%%*~iB$jGgKFd5^&g!9Z!;=5U%t5$b3h6T{dkM{i}IVaZrz
z>%_~V*2TxllI7VPM`!Vdb&`a5v2&D6!nkU&=V&P>Nt>cHW;6E8%%8tA)Mk@dxjcdA
z;_@z-=gD|7E{vY)#D)|#tU)v6S98r$PC<TG#HlEeG@&u|MoA1^D6QcJhNey{{=t2H
zQRsf7#VtnZl?Q5L)33_|QyZ3kle=clT2}A0l`XT5rjgK<7G`zS-bi5@=U|5;oAErC
zQE0j?Ss_}s_3V9Cch9bm`k6=lmrBI>Ma7op@~b*_*13wGj7k?Dl1L>{>7`C{gF<ER
z#_J=E_EY~?Uzvm`^J0udV6#*&OE)ECoG4<fY#%F-HBpMF-ge%sN>A!4VJlO!R=GK-
z(^Hcaq~x3YIz`R6CXA8#T%6D3vEn3K`G1(G<3~=ErY~H6_myX*rT#s$)V=dXj(#~B
zFCCI{&CBRJr#`kVyKtp^{;C4S<0KwWbJJzEv@OZR)#grF%C?Z54IBR&yn9YWK*P7I
z@~(y4%BvS0ef6elufO!=Y4hlv)uHYiFPP5RXY}y+*FHh|>7PH4WIpK(kwl;TB!95?
zN~DD(F{37j`@~9}rpl2s)8Azio6%D4XlksSYP-O1`BXB4SvPR1`T5~3g^NuCKIy7I
zuDRVI&37R0V|V94f6ca<FwGbH#rch`i)=1f9$f#nApENx=MMQ4ynbeuX!j<(J;=f<
z++b00`MtodZvtEU++LL5H}mK_CA_%i&8DlOtmEakL+<zWDYic-+CEe>p#5ao#zMES
zdT&{B)oht+W_^8>sWNi+#+`IFO^C(#&GgUbQS~z#E3If%PgMs($O>^%a-2*`^vRFH
z?}W#M&4OydRzad*semuA6|e<&`PKYgyhPqE-ej*(0000000000000000000000000
z00000000000F&&O`g>hs$Yj%6Og1GOt-q%~ME$)n*N`z#$LOj{Xnn;=@(F92D+2yR
z9X#KAS(pF7r>Ar8@|;I`p(mUoj)}i+P4C~f$aly5S23Xmy1I|Mw*)s=*wvjq)3M}I
ziJy*D@6Be{tV+JwU|vFG2$QySN_1<{fiLD6&It)hxg8p?OY`(J<Ma9U?KdtzU7Oms
za7q2?yLv-x%G%etPQJ*h+{-w(|8zlC_y0lZ{nmcZNdEAZ0Bd<spsRQ3;5_RoJuc@P
z=bo(dUwG-<%#4nDX^Tyr_eEX9_#e)tS6LaY*2ydWO_0-LFPU(`5<BPejRLRlcD~$O
zE~)D8sU7-r$>V3kO~T-tjy&<%eMVgd6#wOnOq-;}I~SgLvr;;OUFw%PmzB16KNVj4
z;^tG5B8y5+7`a=1(rCYtN_e77hjGj94G9?|LRE4<W)N$ftWXtGn~u{)k8uH2f6Ix=
z_vvvK15l5etsM1e88@*}J_{39gtI0n7Js)&z+Z^A@&T$;ZdUKD5@7rx9;C5iCVGm7
z@-0q^g5z64FM4pQ(mkHpRQ4rbyKNu2TGF8BcRxNd`Aqn96Mow3%fFpvzC)_TZC}<b
z+F-Kq`rU?=f%3Ov|J`k(vz-ZU87Ah6E~!Vb{-Nq?F}r?@bS`w;xXsUAI#8K0ThY<y
zA-7?bME;}TN{lvZ?Qv)Qht)3}k7oE(EKmGzR|fcfK7T|19}P4I^^#{OKDyPlJZaDI
zO|91EyxLnL|AEd2-DMG_F+n@3=LUE5N=l{&-HmA*N=wvRHLZt}W9i!+%;~we-y^Ix
zd1vF)r7PYB=ZLh17Zg2eY;tIQZOXHYDXutd-crSvA6cWYsJQOEJ5y(Q+15Qp196Iu
zC}XE1;T@y(`jq;HjhpJ)gpBqi=IWdovomX~AAg$c)m8ui00000000000000000000
T0000000000000000ATpvzp?Lg
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -70,32 +70,33 @@ function make_CA {
                                                    -t "CT,," \
                                                    -x $COMMON_ARGS
   $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n $NICKNAME -r > $OUTPUT_DIR/$DERFILE
 }
 
 SERIALNO=1
 
 function make_cert {
-  CERT_RESPONSES="n\n\ny"
+  CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
   CA="${3}"
   SUBJECT_ALT_NAME="${4}"
   if [ -n "$SUBJECT_ALT_NAME" ]; then
     SUBJECT_ALT_NAME="-8 $SUBJECT_ALT_NAME"
   fi
 
   echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
                                                      -n $NICKNAME \
                                                      -s "$SUBJECT" \
                                                      $SUBJECT_ALT_NAME \
                                                      -c $CA \
                                                      -t ",," \
                                                      -m $SERIALNO \
+                                                     --extAIA \
                                                      $COMMON_ARGS
   SERIALNO=$(($SERIALNO + 1))
 }
 
 make_CA testCA 'CN=Test CA' test-ca.der
 make_CA otherCA 'CN=Other test CA' other-test-ca.der
 make_cert localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com"
 # A cert that is like localhostAndExampleCom, but with a different serial number for
index bfd268e76a0f71d01ac41f6f6e400efe9a14fb5a..4ccb58b7b73ea4bb8524451b013eb58005b7fa23
GIT binary patch
literal 16384
zc%1FoS5VXYwg>QpUXmcvdk+MpN>Q3LL3#;2C;^FdklqoHj`Uu)AfU7$(wj(CQF;{+
z1QZ0KAOevV&N=(|aG&<vmwWe|Gyl)bnzd$r55K4H%UU2Z20IW4L<9nnOoBj{{yBmm
zAP^Yz?*dW$9*BN-;y?SJPayJt&DkDd>!5!l`d$C;D8PTmuK)l500000000000Q~2G
zfR1T?(QMPS(A3c6(lF83K~||nC~GJVN#{rpNiP5Z008jcgct+{NkkE0C4|VRg=25U
z;-O#&DVSJ-g@k@)G=#tOyDlYLfBnZI>&|c?`2Hm#FqkBYC}MHIfa@AYB_nGikg)@g
z)rg&;yQ*h}yC$1af(gyzL`%x09_bcb<`r6A=xJwPXV2aDGWx(2+H7%JDftE-uqZ2j
z^irB$)U)HRlOS=Ys>R)4FwE}0p1Q@vwkU&aJb409VmAb_a^$GXL%5ys+?d;6Y+IPg
z`cg+H?usb0-qdIwCr_ZrAWl0{xz)eD7DGurVy-xIeOUgQ2lB-&6T5ihZGLxjAMLV{
z8mUAfAHM+HJ7=gxaZY8ZTG^E?qpYmk*+Z835yJa1tE(D?vE-*JMytJVRta@5c8M>?
z%L`I%p>K{QDf^E{(kwnYbdlkcG^ND@ofEeZ<eaOU6Y}JPZ>9y~^>3fS8V+^Ja&;%U
zo~A%pV+-ef+iab3nBBN)t(0{%+Vo+p0|kw@7_a5>x@(22r)y<2(zG!l9$ef+9X-5o
zQTU{}k~ZIIb}|8<>#F-Aqyy0;yq7-8{+X25tcyHQduuLn{BB$}v3ICh-Fk!&41Z!p
z6!iJ{On#b5nD^sVF-;qUm9q4AsprG3kVC_=7AG&KK0dY_hGinj9UKa?tCT@kcB7%f
zqyz-Hn|DjZ`GLbsN_8(LR@|yM<1ma=?Z8dKcZ2!YG}R-T8IU+l^x9S%KIu`8=}BBk
zzmt^92ydvUz?omZf`4IU^80CTe>>M2%do@SBj;ygAP+-?mfJ(_6Qxg8Kb?D>D#A~F
z0$$DeFAY~En1v{A>!wa<MaIch`}tW<)nprdu;b$JU5wvB;<~n)oM7C8YcopLW^qYq
zHBOW$=5FfAZeVM}MyE20_+rsQq(qkfx<Px(I7!;xuUSF9PrEV=5Zn%fFU^-nYm(PW
z&$AE>+V$YV)^EL3imR&I>p7-zUy>~=MQzJ5(F?)5sk-XvvL}v~v{Y1Ix8jlW4SfBL
zFIEh?YHm_;e0x7H71^Z7e3X12Z6*<9MD4IpTHtq;PQ=W_f80_#leG2{Lu(5E(wpA>
zI|1Ld4BpmGLGTn{PIa+<UtNyp3JgiRwZ)NJe~}tj`5W0eClB|W5`|fl^y{Tx7W6Iu
zP7Qo68ucT4J!{K86Wbo6nyzQy@@kT=4b(OeJ&w#T+~uoS-SMQi{@}gaQ@#TUJLH&K
zN>~LsptY#yw6wAHX$H<A*Ht3fUpE{2AMOgt)>xk3kk1i|c9LyXxJ`D;Ldlxi?}!Jj
z)>C9An)>=wU3vWdUQaQE<qL7rv&HmOqMP($ln<edT`@|y#1G{XQHc2^FBjXaz<`68
znq~Y+2qPz<Uu%#sfs<x_(P}JY3L6A9!p`wCUm?hDmkooHd9F_nNMHEIkzKWwwu~Qd
zEX;<cNN_<Lb(lMH{7<7Y&Uw9Qhc=grIv^&{O9ci<AFd^d0Zdt;p|U9LL9-g%U|(S&
zbdwhq7GmIaYT_Vtyj=1$ZKu9Zdz*kQWXRU5sw{tz<%EI-w|imwd1_ZGM`WLPIcQ86
zCB-v6(^Zyir1<pq{tx_gQOw%9W~0#-A8~|pW2NllbDw0INzHCkwpZz$q`&CP-)H_x
zr_(6g4(1p5mT`KcEjGB5HtxlR6&F8r+kt1MRk(7DdiU3`3f{)J368HiFg1#qsSRQl
zpFmM!qY$v^YlG+q_!u2%s!Gyhzr0y{_V!G?9e=j>Qo(Zvs9vQw(wpL>D>me!p$_@x
zZtC(mM-I$(`9#RZMRF#m{PrA2^-Ib3{f9KcqOG{&hf~FTW?j^(EN0GZh3Q;6i?aqf
zo@Oh>(RA<HLIoGC{-_|XZ{$^+rA#YEa>`PI4|X$`Y8hLq6T<C$8YLQHW<E))3=3Ks
z`WR`mYRgmFtByk|EDdLpez<c7X2}c<$V*KA47{O{{QUDis=5FlwbQL@!e4NS(3?IO
zS|d^Sp!mr2a`>~2;*I8sjE!I7*CVbqvBTz=19D{bg>S}@93#AwSg=Hs&(yfF?S0Q>
zt%`@gddtg`KJ2CNSoCI;;+n+zr<!GqgbpIJL~ON3%B+%y%*K-6>OVO->&VgcIId-J
z$mq6|32kQ*$)#Vbh*mX$1-q`ghvC-E+#Q~3q#S+gL$kVjh4jQp;yC^yHO^g&6;VTW
zEMD+_h^c(UoR_)4%J0<B`hdS|Zez8I6xgM1lSh@RDpOfnxOpnb8Jn6S8*A(+6J%Ng
zqP6q$W@H{>Xp=ejg@)brJ#0I;H%Qx_2B*hOFS?N`;gpk~8QuUFachpDbKlO*FZz?(
zSH%>Igp88iaHlIZQmRkDSHay!`Hh7~wB~9Zn_g{gzt}4<kU7xd>=u0EWc)P9Rz;@!
zx%=av{T#%TtWsCb*~YJMRNGV#f^MHb`<OOnA|d*@L>*c&B=wwS+Jk_A)+X9%3oYk_
zOA55XqpPi;yREFDwc`sI^CxJ2N5tOLULW&CcLg=CN8f{cb?jALqZQqgJMBJVfqGo4
zH~6XB>_4ap8d0;I76eBxG$vMFb6zdoA-A@#4tc8Kb>I~6hpCHBnP&+NcxxIe%-I-S
zEk}rn#f@^45a<YJNhcw>P&a1vv^-->21f5)8(L*{hg-P1sSV3`C?~;Ne~YzGW&9(P
z;<-W3?3#cK7KZ5D%(tIN6OY{De&DXfzd4>{?64#iwG)p`J?aZC_#VOWOQxNkzpB!|
z16!4!Z#bnG0`0ZA7Z|ecTzJ^=nTd^grU_i9fhI_U&1@gx5=5gxdepNrA35Ko9*E%m
z%!R+!Cs1@(7%!DKH_RXIZDqvTXkKqeczj)(DjR~ly1F@WVyZBJ4T<MMP}E(VLk9zg
z!1~ppT-M=BNWYq8#UHw*ZfnQYJEPw+1>C|0)^5FQ)*{t`qb&MFoQI<DS2==WB)kkz
zyCilg$*RRhypN|X=?awvTrbOFbqWs2I_@}K&ioPnY}a+{-Kx7vhPvgJ{rTpoPuYjM
zdseStmmaUG#!(Q5MS69dRv{66Jz9I-W1)pQl*h$p_!QQs`bf7AmYs6Yj$pZ;TutA7
zhQ|5PHtr*kn;+fKJ}*$085M(0dxZp8(mlu|myGB20~xhmPmNgU_!2OhS&RCO>-VKY
z7+HolJ>-zEqV6Hb%pJ5?iF9b{O@5CbO(F2%mG5%CT*Ni#&&7R?<ivL>#9(XPzl5KJ
zs5Y2-5uv_jB;9$~-lE}^-ldY;6_C%C@95@fZ|5fJW9Q~eOb@;iG+!E?#_gUp#|f*4
zRq^a+3;BZnXTrFeEIDJ56xU}$({K8n)#u%}^YIDr^mY)v>x8-MN^Fkt_Hp*~AOc0u
z3`1T)h9Q6VCISEe0000000000{<r>O(V*s`DOpJ-{S!etStwEu_b$8AJn(zbaPbyi
z_VvE#^>~V|5|XqALYnWSrfCiFgvZ9cdPmgu_rU2Z{7=%S@)OGT4F{NOOe5$|S_m7f
zc9DCt&SY$Exg|=yzVuXs72>pYL|P%safec0{Y@XNHN1*?>wbH<yz<+5?-+wlmQr4}
z>{D>G7L!hKb_@1$<2mcZJpsB+HZ-5`0sKBIo)H{2cHuoXn%kZsxG5T*SxMTEj|C4s
zBX5?^f491v&nP_$VI-PX#D{SYz{akGpbi!#10&ShVb|@gi`vEW{ECO2^jX?AFYH(<
zNJuP&sh$$3?2IB=Vdjgyf#YR;HpyJ+UBNGR=~@C`Vkhp*5;GJ}?dfcA_6^=s$h;@T
zmsZEPZ^OOJ%@}ct3`Sh58J9|n@EC=zY|b;i4|bY-Fp9>#MhvhV^GM^n663vCm4(D{
zb1ux7v<w}-DXUq>Nx@AXsy13^Kqu&u)J1G}B0JPZ9FrS3wz5L2y&X2}tMaX=AxP{K
zC#y3?bEfWvH5nWi8N@J)g9;2-J{i8;<m$Tc-AROp-=m9AlJbb`bk$b=lXH;K*%rvE
zE%TAkppQ36`91g}3Ii8&1qFr{!TO;JtxBp0?upk@>?WR>dHvl5>)eU?AlCf*Q*-MB
zsSQ~gU+gI}Q^ab9G%t-p7KkFhkFVLrn_Uj)(0dv31Cd!BaC|XFI#*`(-eI)|my{}7
z<Y>=9%S=BxQ=?By)R@L5s7B0#v+bIu89C$oI?9<R$@A<nWeNg{s_lRL$60RbA3So_
zWp0?eHtG7!5aQgE`<u$!mU1#z?Fo#I4TJr7a`M-gIo`@T_{-mk*_^A7sS?8^-#q9@
z>BQW!Xv}iipP;uj&%E=NyZlw9fJ=&UWcV9f`ghD>)+TEX@a&#h8R3)ld^+k8|FY#C
zA`lAQGx`Bb!BBvHqb@FWkRFh-Qhj={)G9i>5g&j6({qBu48qHwKZHseGE1UrJzZk>
zOWks5XZzz!l4ch^AR3?trK8A7eSSAbEhk<n*KJyJr5|<9v8eOE`xXTN0000000000
L0002s|J*+S-mE5v
index a978b7e0d5736e931166f1e22d7c5af4899432b9..b31ad5a3f844bbc02ff126173a03a3e2578642f6
GIT binary patch
literal 452
zc$_n6Vmx5b#HhJ|nTe5!iIrh)S)Z5zFB_*;n@8JsUPeY%Rt5tJLoovpHs(+kW?^3c
zl8n?Mg_6|b5(Q^R137VCLt{e&BSS+AQ&S_8C~;mBWG)_^jq{OhVPs`sZtP_+XzXNa
zY-ISMZ`ok6MTYOXMENu`UoF>mmY<qM-ID8=F0F7<Shw@g2D8Yyr(P6US+O=B<jA{S
zBxWRkX<b===%lkXM}wzm$9tY#6xn+$^nCA0-^IWF?3(75_j8S8%A~y!rZqdowWo_b
zTH4|m#8;L5Ft_&2<Ivoc<t}~S-X2Pj$}Ozk-){IumWi2>fpIa=<px4Px62AMGX7`b
zFkk~xOpFX@fx`@R@9mv7H$8F{4H7@DxbbCv$2=c#PnYK>m$FXKtaSd^>tw3;&5iZ;
z{wUTTGgJF6-tv~;DKk6k-`wbiiQDEl&i(yaqEPuy^qn9n>u5pmRU58*J@4_l_0HtS
xhPx8x?^f9Fj{Vbo#J6$jh6|y0-@Q9E;o-sw-}irHe-l_U&m`)kU4HQ{H2@S)tIhxb
index cb247f8e985d2c0cb52aa567d8653dd65ca62805..7d2283830dce7ba3caa86a517432381bffe9ab97
GIT binary patch
literal 440
zc$_n6V%%cT#3;LfnTe5!iIrh)S)Zr@FB_*;n@8JsUPeY%Rt5thLjeOmHs(+kW?}Y_
z)Z!8aXGa4$ab81XLjxm2Lkm+=Ba<j`UK3<4Ry~dLkxgb~WngaXWiV*$WNK_=_}(YA
z+&4JqX2foD-d$DZpXIl_D?WBXB_SsFERXBmoP^>{(L!Q2mA?;as7g-EV>7%Hc*D0s
z%>DS~v*BJP|5Dwi-1go4xWJ@ZO!Cz8Jo8|_IeU+#Pkx=CH_xP|-&G~=<Cbc*Q}^GQ
zm&h}(PIxl+P&zwv+)_QhM|*#0Ev|Ol7*fc@%*epFSj<4gKnUn+Sz$)T|12B^Y(R>M
zkpV40n1Sw1>$9nN-zCWUji*@gl=S)MAw^S{Hs6wyv^sF!*X`ruhcDN~uT2k{xK}6m
z{@dKuLP3|)Z-1{W<cSn`#oI39{4$vL)%BU?Q3r}AUE~i4`xo5q%l6-4;nR!PG;jSD
rw^B}DwQ;`W&0RJn3t~@6Z9Hx_rIs^fUFXz=A2UzgPZrf(5Pcs2Q^TQ_
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -23,14 +23,19 @@ skip-if = os == "android"
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_hmac.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
 [test_ocsp_stapling.js]
+run-sequentially = hardcoded ports
+# Bug 676972: test fails consistently on Android
+fail-if = os == "android"
+[test_ocsp_stapling_expired.js]
+run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_sts_ipv4_ipv6.js]
 [test_cert_signatures.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"