| author | David Keeler <dkeeler@mozilla.com> |
| Mon, 25 Nov 2013 15:40:11 -0800 | |
| changeset 157686 | fc7b76d9da1ec1b461410baf1553687441c94b64 |
| parent 157685 | e781364ed4f8ad008659a0076dd3f73ebabfd621 |
| child 157687 | 53c0f65599fe8747e115196470da47bbb1e9ad58 |
| push id | 25719 |
| push user | cbook@mozilla.com |
| push date | Wed, 27 Nov 2013 09:57:23 +0000 |
| treeherder | mozilla-central@2e3d89ed5dc7 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | briansmith |
| bugs | 929617 |
| milestone | 28.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp +++ b/security/manager/ssl/src/SSLServerCertVerification.cpp @@ -890,17 +890,24 @@ AuthCertificate(TransportSecurityInfo * SECStatus rv; if (stapledOCSPResponse) { CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(), stapledOCSPResponse, infoObject); if (rv != SECSuccess) { - return rv; + // Due to buggy servers that will staple expired OCSP responses + // (see for example http://trac.nginx.org/nginx/ticket/425), + // don't terminate the connection if the stapled response is expired. + // We will fall back to fetching revocation information. + PRErrorCode ocspErrorCode = PR_GetError(); + if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) { + return rv; + } } } CERTCertList *verifyCertChain = nullptr; SECOidTag evOidPolicy; rv = PSM_SSL_PKIX_AuthCertificate(cert, infoObject, infoObject->GetHostNameRaw(), &verifyCertChain, &evOidPolicy);
--- a/security/manager/ssl/tests/unit/head_psm.js +++ b/security/manager/ssl/tests/unit/head_psm.js @@ -61,42 +61,59 @@ function addCertFromFile(certdb, filenam } function getXPCOMStatusFromNSS(statusNSS) { let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"] .getService(Ci.nsINSSErrorsService); return nssErrorsService.getXPCOMFromNSSError(statusNSS); } -function clearOCSPCache() { +function _getLibraryFunctionWithNoArguments(functionName, libraryName) { // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js - let path = ctypes.libraryName("nss3"); + let path = ctypes.libraryName(libraryName); // XXX really want to be able to pass specific dlopen flags here. let nsslib; try { nsslib = ctypes.open(path); } catch(e) { // In case opening the library without a full path fails, // try again with a full path. - let directoryService = Cc["@mozilla.org/file/directory_service;1"] - .getService(Ci.nsIProperties); - let greDir = directoryService.get("GreD", Ci.nsILocalFile); + let file = Services.dirsvc.get("GreD", Ci.nsILocalFile); file.append(path); nsslib = ctypes.open(file.path); } let SECStatus = ctypes.int; - let CERT_ClearOCSPCache = nsslib.declare("CERT_ClearOCSPCache", - ctypes.default_abi, SECStatus); + let func = nsslib.declare(functionName, ctypes.default_abi, SECStatus); + return func; +} + +function clearOCSPCache() { + let CERT_ClearOCSPCache = + _getLibraryFunctionWithNoArguments("CERT_ClearOCSPCache", "nss3"); if (CERT_ClearOCSPCache() != 0) { throw "Failed to clear OCSP cache"; } } +function clearSessionCache() { + let SSL_ClearSessionCache = null; + try { + SSL_ClearSessionCache = + _getLibraryFunctionWithNoArguments("SSL_ClearSessionCache", "ssl3"); + } catch (e) { + // On Windows, this is actually in the nss3 library. + SSL_ClearSessionCache = + _getLibraryFunctionWithNoArguments("SSL_ClearSessionCache", "nss3"); + } + if (!SSL_ClearSessionCache || SSL_ClearSessionCache() != 0) { + throw "Failed to clear SSL session cache"; + } +} // Set up a TLS testing environment that has a TLS server running and // ready to accept connections. This async function starts the server and // waits for the server to indicate that it is ready. // // Each test should have its own subdomain of example.com, for example // my-first-connection-test.example.com. The server can use the server // name (passed through the SNI TLS extension) to determine what behavior
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js @@ -3,28 +3,39 @@ // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. "use strict"; // In which we connect to a number of domains (as faked by a server running // locally) with and without OCSP stapling enabled to determine that good // things happen and bad things don't. +let gExpectOCSPRequest; + function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) { add_connection_test(aHost, aExpectedResult, function() { + gExpectOCSPRequest = !aStaplingEnabled; clearOCSPCache(); + clearSessionCache(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", aStaplingEnabled); }); } function run_test() { do_get_profile(); + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function(request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + do_check_true(gExpectOCSPRequest); + }); + fakeOCSPResponder.start(8080); + add_tls_server_setup("OCSPStaplingServer"); // In the absence of OCSP stapling, these should actually all work. add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false); @@ -74,19 +85,28 @@ function run_test() { getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true); add_ocsp_test("ocsp-stapling-unauthorized.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST), true); add_ocsp_test("ocsp-stapling-unknown.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true); add_ocsp_test("ocsp-stapling-good-other.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true); - // If the server doesn't send an OCSP response, we continue as normal. - add_ocsp_test("ocsp-stapling-none.example.com", Cr.NS_OK, true); + // If the server doesn't staple an OCSP response, we continue as normal + // (this means that even though stapling is enabled, we expect an OCSP + // request). + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, + function() { + gExpectOCSPRequest = true; + clearOCSPCache(); + clearSessionCache(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); + } + ); add_ocsp_test("ocsp-stapling-empty.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); - add_ocsp_test("ocsp-stapling-expired.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), true); - add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), true); + // ocsp-stapling-expired.example.com and + // ocsp-stapling-expired-fresh-ca.example.com are handled in + // test_ocsp_stapling_expired.js + add_test(function() { fakeOCSPResponder.stop(run_next_test); }); run_next_test(); }
new file mode 100644 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js @@ -0,0 +1,85 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// In which we connect to a number of domains (as faked by a server running +// locally) with OCSP stapling enabled to determine that good things happen +// and bad things don't, specifically with respect to various expired OCSP +// responses (stapled and otherwise). + +let gCurrentOCSPResponse = null; +let gOCSPRequestCount = 0; + +function add_ocsp_test(aHost, aExpectedResult, aOCSPResponseToServe) { + add_connection_test(aHost, aExpectedResult, + function() { + clearOCSPCache(); + clearSessionCache(); + gCurrentOCSPResponse = aOCSPResponseToServe; + gOCSPRequestCount = 0; + }, + function() { + do_check_eq(gOCSPRequestCount, 1); + }); +} + +function run_test() { + do_get_profile(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); + let args = [ ["good", "localhostAndExampleCom", "unused" ], + ["expiredresponse", "localhostAndExampleCom", "unused"], + ["oldvalidperiod", "localhostAndExampleCom", "unused"], + ["revoked", "localhostAndExampleCom", "unused"] ]; + let ocspResponses = generateOCSPResponses(args, "tlsserver"); + // Fresh response, certificate is good. + let ocspResponseGood = ocspResponses[0]; + // Expired response, certificate is good. + let expiredOCSPResponseGood = ocspResponses[1]; + // Fresh signature, old validity period, certificate is good. + let oldValidityPeriodOCSPResponseGood = ocspResponses[2]; + // Fresh signature, certificate is revoked. + let ocspResponseRevoked = ocspResponses[3]; + + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function(request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(gCurrentOCSPResponse); + gOCSPRequestCount++; + }); + ocspResponder.start(8080); + + add_tls_server_setup("OCSPStaplingServer"); + + // In these tests, the OCSP stapling server gives us a stapled + // response based on the host name ("ocsp-stapling-expired" or + // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're + // properly falling back to fetching revocation information. + // For ocsp-stapling-expired.example.com, the OCSP stapling server + // staples an expired OCSP response. The certificate has not expired. + // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling + // server staples an OCSP response with a recent signature but with an + // out-of-date validity period. The certificate has not expired. + add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, + ocspResponseGood); + add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, + ocspResponseGood); + add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, + expiredOCSPResponseGood); + add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, + expiredOCSPResponseGood); + add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, + oldValidityPeriodOCSPResponseGood); + add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, + oldValidityPeriodOCSPResponseGood); + add_ocsp_test("ocsp-stapling-expired.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), + ocspResponseRevoked); + add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), + ocspResponseRevoked); + add_test(function() { ocspResponder.stop(run_next_test); }); + run_next_test(); +}
index 590f59078ca48d911a7dffe52b0b6bdc55a1560e..6c82819df43f97267ab26d670f22b4487a471436 GIT binary patch literal 65536 zc%1Fsc~BEs9tZH(9gctmMQ(;mL3crc4uY^DAu<d&pm7vL5mc}s3pga<$bf)M4LB>h z40vmKfHIy1!h*88q6{dmN>)bEDdch~WnF|3DAWb7kxdBWSW`glR$0sb@%^N_x|8>Q z-7l|y{pasB(K22~2%!nlxI@SS<ss20gd*yVutyK*(LHNqKhi`vs^dM<%ub?4k8b~S zY-%#D3IG5A0000000000000000000000000000000002+;pmYe;d9{=;a#CZSR%|7 zo)PR3tQPnS488uvGxQn;00000000000000000000000000000000000m~3o{Xe>~D z=&8h%$)=|;*_8YUi>7Frq8N^rj^pM}HxF?rN>h_C)49_aeJxgq2Fp-;xj0#F>+8c< zn{v4GxQr{8>*?<9>K10oaeMzOW5G3JOw=(`M`HY>(N1EiJWig*WF3D03X~>cW#thj zYb%|VMe1#j)t;EOKHod*%Nr3!e>2Mr3wjtmdrwW1yW^|Q{f1K-Qoj9r4Nbx$YrbzO zV;dicyy5HO`g})fen;`^;r8=RihpiNb)bx_smvu`9xLC(;eKYu4L>bg{|Eb`_<aUV zbvZ$~O|2~s6`bcq-v^%%*~iB$jGgKFd5^&g!9Z!;=5U%t5$b3h6T{dkM{i}IVaZrz z>%_~V*2TxllI7VPM`!Vdb&`a5v2&D6!nkU&=V&P>Nt>cHW;6E8%%8tA)Mk@dxjcdA z;_@z-=gD|7E{vY)#D)|#tU)v6S98r$PC<TG#HlEeG@&u|MoA1^D6QcJhNey{{=t2H zQRsf7#VtnZl?Q5L)33_|QyZ3kle=clT2}A0l`XT5rjgK<7G`zS-bi5@=U|5;oAErC zQE0j?Ss_}s_3V9Cch9bm`k6=lmrBI>Ma7op@~b*_*13wGj7k?Dl1L>{>7`C{gF<ER z#_J=E_EY~?Uzvm`^J0udV6#*&OE)ECoG4<fY#%F-HBpMF-ge%sN>A!4VJlO!R=GK- z(^Hcaq~x3YIz`R6CXA8#T%6D3vEn3K`G1(G<3~=ErY~H6_myX*rT#s$)V=dXj(#~B zFCCI{&CBRJr#`kVyKtp^{;C4S<0KwWbJJzEv@OZR)#grF%C?Z54IBR&yn9YWK*P7I z@~(y4%BvS0ef6elufO!=Y4hlv)uHYiFPP5RXY}y+*FHh|>7PH4WIpK(kwl;TB!95? zN~DD(F{37j`@~9}rpl2s)8Azio6%D4XlksSYP-O1`BXB4SvPR1`T5~3g^NuCKIy7I zuDRVI&37R0V|V94f6ca<FwGbH#rch`i)=1f9$f#nApENx=MMQ4ynbeuX!j<(J;=f< z++b00`MtodZvtEU++LL5H}mK_CA_%i&8DlOtmEakL+<zWDYic-+CEe>p#5ao#zMES zdT&{B)oht+W_^8>sWNi+#+`IFO^C(#&GgUbQS~z#E3If%PgMs($O>^%a-2*`^vRFH z?}W#M&4OydRzad*semuA6|e<&`PKYgyhPqE-ej*(0000000000000000000000000 z00000000000F&&O`g>hs$Yj%6Og1GOt-q%~ME$)n*N`z#$LOj{Xnn;=@(F92D+2yR z9X#KAS(pF7r>Ar8@|;I`p(mUoj)}i+P4C~f$aly5S23Xmy1I|Mw*)s=*wvjq)3M}I ziJy*D@6Be{tV+JwU|vFG2$QySN_1<{fiLD6&It)hxg8p?OY`(J<Ma9U?KdtzU7Oms za7q2?yLv-x%G%etPQJ*h+{-w(|8zlC_y0lZ{nmcZNdEAZ0Bd<spsRQ3;5_RoJuc@P z=bo(dUwG-<%#4nDX^Tyr_eEX9_#e)tS6LaY*2ydWO_0-LFPU(`5<BPejRLRlcD~$O zE~)D8sU7-r$>V3kO~T-tjy&<%eMVgd6#wOnOq-;}I~SgLvr;;OUFw%PmzB16KNVj4 z;^tG5B8y5+7`a=1(rCYtN_e77hjGj94G9?|LRE4<W)N$ftWXtGn~u{)k8uH2f6Ix= z_vvvK15l5etsM1e88@*}J_{39gtI0n7Js)&z+Z^A@&T$;ZdUKD5@7rx9;C5iCVGm7 z@-0q^g5z64FM4pQ(mkHpRQ4rbyKNu2TGF8BcRxNd`Aqn96Mow3%fFpvzC)_TZC}<b z+F-Kq`rU?=f%3Ov|J`k(vz-ZU87Ah6E~!Vb{-Nq?F}r?@bS`w;xXsUAI#8K0ThY<y zA-7?bME;}TN{lvZ?Qv)Qht)3}k7oE(EKmGzR|fcfK7T|19}P4I^^#{OKDyPlJZaDI zO|91EyxLnL|AEd2-DMG_F+n@3=LUE5N=l{&-HmA*N=wvRHLZt}W9i!+%;~we-y^Ix zd1vF)r7PYB=ZLh17Zg2eY;tIQZOXHYDXutd-crSvA6cWYsJQOEJ5y(Q+15Qp196Iu zC}XE1;T@y(`jq;HjhpJ)gpBqi=IWdovomX~AAg$c)m8ui00000000000000000000 T0000000000000000ATpvzp?Lg
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh +++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh @@ -70,32 +70,33 @@ function make_CA { -t "CT,," \ -x $COMMON_ARGS $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n $NICKNAME -r > $OUTPUT_DIR/$DERFILE } SERIALNO=1 function make_cert { - CERT_RESPONSES="n\n\ny" + CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n" NICKNAME="${1}" SUBJECT="${2}" CA="${3}" SUBJECT_ALT_NAME="${4}" if [ -n "$SUBJECT_ALT_NAME" ]; then SUBJECT_ALT_NAME="-8 $SUBJECT_ALT_NAME" fi echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \ -n $NICKNAME \ -s "$SUBJECT" \ $SUBJECT_ALT_NAME \ -c $CA \ -t ",," \ -m $SERIALNO \ + --extAIA \ $COMMON_ARGS SERIALNO=$(($SERIALNO + 1)) } make_CA testCA 'CN=Test CA' test-ca.der make_CA otherCA 'CN=Other test CA' other-test-ca.der make_cert localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com" # A cert that is like localhostAndExampleCom, but with a different serial number for
index bfd268e76a0f71d01ac41f6f6e400efe9a14fb5a..4ccb58b7b73ea4bb8524451b013eb58005b7fa23 GIT binary patch literal 16384 zc%1FoS5VXYwg>QpUXmcvdk+MpN>Q3LL3#;2C;^FdklqoHj`Uu)AfU7$(wj(CQF;{+ z1QZ0KAOevV&N=(|aG&<vmwWe|Gyl)bnzd$r55K4H%UU2Z20IW4L<9nnOoBj{{yBmm zAP^Yz?*dW$9*BN-;y?SJPayJt&DkDd>!5!l`d$C;D8PTmuK)l500000000000Q~2G zfR1T?(QMPS(A3c6(lF83K~||nC~GJVN#{rpNiP5Z008jcgct+{NkkE0C4|VRg=25U z;-O#&DVSJ-g@k@)G=#tOyDlYLfBnZI>&|c?`2Hm#FqkBYC}MHIfa@AYB_nGikg)@g z)rg&;yQ*h}yC$1af(gyzL`%x09_bcb<`r6A=xJwPXV2aDGWx(2+H7%JDftE-uqZ2j z^irB$)U)HRlOS=Ys>R)4FwE}0p1Q@vwkU&aJb409VmAb_a^$GXL%5ys+?d;6Y+IPg z`cg+H?usb0-qdIwCr_ZrAWl0{xz)eD7DGurVy-xIeOUgQ2lB-&6T5ihZGLxjAMLV{ z8mUAfAHM+HJ7=gxaZY8ZTG^E?qpYmk*+Z835yJa1tE(D?vE-*JMytJVRta@5c8M>? z%L`I%p>K{QDf^E{(kwnYbdlkcG^ND@ofEeZ<eaOU6Y}JPZ>9y~^>3fS8V+^Ja&;%U zo~A%pV+-ef+iab3nBBN)t(0{%+Vo+p0|kw@7_a5>x@(22r)y<2(zG!l9$ef+9X-5o zQTU{}k~ZIIb}|8<>#F-Aqyy0;yq7-8{+X25tcyHQduuLn{BB$}v3ICh-Fk!&41Z!p z6!iJ{On#b5nD^sVF-;qUm9q4AsprG3kVC_=7AG&KK0dY_hGinj9UKa?tCT@kcB7%f zqyz-Hn|DjZ`GLbsN_8(LR@|yM<1ma=?Z8dKcZ2!YG}R-T8IU+l^x9S%KIu`8=}BBk zzmt^92ydvUz?omZf`4IU^80CTe>>M2%do@SBj;ygAP+-?mfJ(_6Qxg8Kb?D>D#A~F z0$$DeFAY~En1v{A>!wa<MaIch`}tW<)nprdu;b$JU5wvB;<~n)oM7C8YcopLW^qYq zHBOW$=5FfAZeVM}MyE20_+rsQq(qkfx<Px(I7!;xuUSF9PrEV=5Zn%fFU^-nYm(PW z&$AE>+V$YV)^EL3imR&I>p7-zUy>~=MQzJ5(F?)5sk-XvvL}v~v{Y1Ix8jlW4SfBL zFIEh?YHm_;e0x7H71^Z7e3X12Z6*<9MD4IpTHtq;PQ=W_f80_#leG2{Lu(5E(wpA> zI|1Ld4BpmGLGTn{PIa+<UtNyp3JgiRwZ)NJe~}tj`5W0eClB|W5`|fl^y{Tx7W6Iu zP7Qo68ucT4J!{K86Wbo6nyzQy@@kT=4b(OeJ&w#T+~uoS-SMQi{@}gaQ@#TUJLH&K zN>~LsptY#yw6wAHX$H<A*Ht3fUpE{2AMOgt)>xk3kk1i|c9LyXxJ`D;Ldlxi?}!Jj z)>C9An)>=wU3vWdUQaQE<qL7rv&HmOqMP($ln<edT`@|y#1G{XQHc2^FBjXaz<`68 znq~Y+2qPz<Uu%#sfs<x_(P}JY3L6A9!p`wCUm?hDmkooHd9F_nNMHEIkzKWwwu~Qd zEX;<cNN_<Lb(lMH{7<7Y&Uw9Qhc=grIv^&{O9ci<AFd^d0Zdt;p|U9LL9-g%U|(S& zbdwhq7GmIaYT_Vtyj=1$ZKu9Zdz*kQWXRU5sw{tz<%EI-w|imwd1_ZGM`WLPIcQ86 zCB-v6(^Zyir1<pq{tx_gQOw%9W~0#-A8~|pW2NllbDw0INzHCkwpZz$q`&CP-)H_x zr_(6g4(1p5mT`KcEjGB5HtxlR6&F8r+kt1MRk(7DdiU3`3f{)J368HiFg1#qsSRQl zpFmM!qY$v^YlG+q_!u2%s!Gyhzr0y{_V!G?9e=j>Qo(Zvs9vQw(wpL>D>me!p$_@x zZtC(mM-I$(`9#RZMRF#m{PrA2^-Ib3{f9KcqOG{&hf~FTW?j^(EN0GZh3Q;6i?aqf zo@Oh>(RA<HLIoGC{-_|XZ{$^+rA#YEa>`PI4|X$`Y8hLq6T<C$8YLQHW<E))3=3Ks z`WR`mYRgmFtByk|EDdLpez<c7X2}c<$V*KA47{O{{QUDis=5FlwbQL@!e4NS(3?IO zS|d^Sp!mr2a`>~2;*I8sjE!I7*CVbqvBTz=19D{bg>S}@93#AwSg=Hs&(yfF?S0Q> zt%`@gddtg`KJ2CNSoCI;;+n+zr<!GqgbpIJL~ON3%B+%y%*K-6>OVO->&VgcIId-J z$mq6|32kQ*$)#Vbh*mX$1-q`ghvC-E+#Q~3q#S+gL$kVjh4jQp;yC^yHO^g&6;VTW zEMD+_h^c(UoR_)4%J0<B`hdS|Zez8I6xgM1lSh@RDpOfnxOpnb8Jn6S8*A(+6J%Ng zqP6q$W@H{>Xp=ejg@)brJ#0I;H%Qx_2B*hOFS?N`;gpk~8QuUFachpDbKlO*FZz?( zSH%>Igp88iaHlIZQmRkDSHay!`Hh7~wB~9Zn_g{gzt}4<kU7xd>=u0EWc)P9Rz;@! zx%=av{T#%TtWsCb*~YJMRNGV#f^MHb`<OOnA|d*@L>*c&B=wwS+Jk_A)+X9%3oYk_ zOA55XqpPi;yREFDwc`sI^CxJ2N5tOLULW&CcLg=CN8f{cb?jALqZQqgJMBJVfqGo4 zH~6XB>_4ap8d0;I76eBxG$vMFb6zdoA-A@#4tc8Kb>I~6hpCHBnP&+NcxxIe%-I-S zEk}rn#f@^45a<YJNhcw>P&a1vv^-->21f5)8(L*{hg-P1sSV3`C?~;Ne~YzGW&9(P z;<-W3?3#cK7KZ5D%(tIN6OY{De&DXfzd4>{?64#iwG)p`J?aZC_#VOWOQxNkzpB!| z16!4!Z#bnG0`0ZA7Z|ecTzJ^=nTd^grU_i9fhI_U&1@gx5=5gxdepNrA35Ko9*E%m z%!R+!Cs1@(7%!DKH_RXIZDqvTXkKqeczj)(DjR~ly1F@WVyZBJ4T<MMP}E(VLk9zg z!1~ppT-M=BNWYq8#UHw*ZfnQYJEPw+1>C|0)^5FQ)*{t`qb&MFoQI<DS2==WB)kkz zyCilg$*RRhypN|X=?awvTrbOFbqWs2I_@}K&ioPnY}a+{-Kx7vhPvgJ{rTpoPuYjM zdseStmmaUG#!(Q5MS69dRv{66Jz9I-W1)pQl*h$p_!QQs`bf7AmYs6Yj$pZ;TutA7 zhQ|5PHtr*kn;+fKJ}*$085M(0dxZp8(mlu|myGB20~xhmPmNgU_!2OhS&RCO>-VKY z7+HolJ>-zEqV6Hb%pJ5?iF9b{O@5CbO(F2%mG5%CT*Ni#&&7R?<ivL>#9(XPzl5KJ zs5Y2-5uv_jB;9$~-lE}^-ldY;6_C%C@95@fZ|5fJW9Q~eOb@;iG+!E?#_gUp#|f*4 zRq^a+3;BZnXTrFeEIDJ56xU}$({K8n)#u%}^YIDr^mY)v>x8-MN^Fkt_Hp*~AOc0u z3`1T)h9Q6VCISEe0000000000{<r>O(V*s`DOpJ-{S!etStwEu_b$8AJn(zbaPbyi z_VvE#^>~V|5|XqALYnWSrfCiFgvZ9cdPmgu_rU2Z{7=%S@)OGT4F{NOOe5$|S_m7f zc9DCt&SY$Exg|=yzVuXs72>pYL|P%safec0{Y@XNHN1*?>wbH<yz<+5?-+wlmQr4} z>{D>G7L!hKb_@1$<2mcZJpsB+HZ-5`0sKBIo)H{2cHuoXn%kZsxG5T*SxMTEj|C4s zBX5?^f491v&nP_$VI-PX#D{SYz{akGpbi!#10&ShVb|@gi`vEW{ECO2^jX?AFYH(< zNJuP&sh$$3?2IB=Vdjgyf#YR;HpyJ+UBNGR=~@C`Vkhp*5;GJ}?dfcA_6^=s$h;@T zmsZEPZ^OOJ%@}ct3`Sh58J9|n@EC=zY|b;i4|bY-Fp9>#MhvhV^GM^n663vCm4(D{ zb1ux7v<w}-DXUq>Nx@AXsy13^Kqu&u)J1G}B0JPZ9FrS3wz5L2y&X2}tMaX=AxP{K zC#y3?bEfWvH5nWi8N@J)g9;2-J{i8;<m$Tc-AROp-=m9AlJbb`bk$b=lXH;K*%rvE zE%TAkppQ36`91g}3Ii8&1qFr{!TO;JtxBp0?upk@>?WR>dHvl5>)eU?AlCf*Q*-MB zsSQ~gU+gI}Q^ab9G%t-p7KkFhkFVLrn_Uj)(0dv31Cd!BaC|XFI#*`(-eI)|my{}7 z<Y>=9%S=BxQ=?By)R@L5s7B0#v+bIu89C$oI?9<R$@A<nWeNg{s_lRL$60RbA3So_ zWp0?eHtG7!5aQgE`<u$!mU1#z?Fo#I4TJr7a`M-gIo`@T_{-mk*_^A7sS?8^-#q9@ z>BQW!Xv}iipP;uj&%E=NyZlw9fJ=&UWcV9f`ghD>)+TEX@a&#h8R3)ld^+k8|FY#C zA`lAQGx`Bb!BBvHqb@FWkRFh-Qhj={)G9i>5g&j6({qBu48qHwKZHseGE1UrJzZk> zOWks5XZzz!l4ch^AR3?trK8A7eSSAbEhk<n*KJyJr5|<9v8eOE`xXTN0000000000 L0002s|J*+S-mE5v
index a978b7e0d5736e931166f1e22d7c5af4899432b9..b31ad5a3f844bbc02ff126173a03a3e2578642f6 GIT binary patch literal 452 zc$_n6Vmx5b#HhJ|nTe5!iIrh)S)Z5zFB_*;n@8JsUPeY%Rt5tJLoovpHs(+kW?^3c zl8n?Mg_6|b5(Q^R137VCLt{e&BSS+AQ&S_8C~;mBWG)_^jq{OhVPs`sZtP_+XzXNa zY-ISMZ`ok6MTYOXMENu`UoF>mmY<qM-ID8=F0F7<Shw@g2D8Yyr(P6US+O=B<jA{S zBxWRkX<b===%lkXM}wzm$9tY#6xn+$^nCA0-^IWF?3(75_j8S8%A~y!rZqdowWo_b zTH4|m#8;L5Ft_&2<Ivoc<t}~S-X2Pj$}Ozk-){IumWi2>fpIa=<px4Px62AMGX7`b zFkk~xOpFX@fx`@R@9mv7H$8F{4H7@DxbbCv$2=c#PnYK>m$FXKtaSd^>tw3;&5iZ; z{wUTTGgJF6-tv~;DKk6k-`wbiiQDEl&i(yaqEPuy^qn9n>u5pmRU58*J@4_l_0HtS xhPx8x?^f9Fj{Vbo#J6$jh6|y0-@Q9E;o-sw-}irHe-l_U&m`)kU4HQ{H2@S)tIhxb
index cb247f8e985d2c0cb52aa567d8653dd65ca62805..7d2283830dce7ba3caa86a517432381bffe9ab97 GIT binary patch literal 440 zc$_n6V%%cT#3;LfnTe5!iIrh)S)Zr@FB_*;n@8JsUPeY%Rt5thLjeOmHs(+kW?}Y_ z)Z!8aXGa4$ab81XLjxm2Lkm+=Ba<j`UK3<4Ry~dLkxgb~WngaXWiV*$WNK_=_}(YA z+&4JqX2foD-d$DZpXIl_D?WBXB_SsFERXBmoP^>{(L!Q2mA?;as7g-EV>7%Hc*D0s z%>DS~v*BJP|5Dwi-1go4xWJ@ZO!Cz8Jo8|_IeU+#Pkx=CH_xP|-&G~=<Cbc*Q}^GQ zm&h}(PIxl+P&zwv+)_QhM|*#0Ev|Ol7*fc@%*epFSj<4gKnUn+Sz$)T|12B^Y(R>M zkpV40n1Sw1>$9nN-zCWUji*@gl=S)MAw^S{Hs6wyv^sF!*X`ruhcDN~uT2k{xK}6m z{@dKuLP3|)Z-1{W<cSn`#oI39{4$vL)%BU?Q3r}AUE~i4`xo5q%l6-4;nR!PG;jSD rw^B}DwQ;`W&0RJn3t~@6Z9Hx_rIs^fUFXz=A2UzgPZrf(5Pcs2Q^TQ_
--- a/security/manager/ssl/tests/unit/xpcshell.ini +++ b/security/manager/ssl/tests/unit/xpcshell.ini @@ -23,14 +23,19 @@ skip-if = os == "android" # Bug 676972: test hangs consistently on Android skip-if = os == "android" [test_hmac.js] # Bug 676972: test hangs consistently on Android skip-if = os == "android" [test_sts_preloadlist_perwindowpb.js] [test_sts_preloadlist_selfdestruct.js] [test_ocsp_stapling.js] +run-sequentially = hardcoded ports +# Bug 676972: test fails consistently on Android +fail-if = os == "android" +[test_ocsp_stapling_expired.js] +run-sequentially = hardcoded ports # Bug 676972: test fails consistently on Android fail-if = os == "android" [test_sts_ipv4_ipv6.js] [test_cert_signatures.js] # Bug 676972: test fails consistently on Android fail-if = os == "android"