Bug 975229: Remove NSS-based certificate verification, r=keeler
authorBrian Smith <brian@briansmith.org>
Mon, 16 Jun 2014 23:13:29 -0700
changeset 203705 b3ebf7675c7bd1d85ed1b7290e1d2c3ae28a0490
parent 203704 83977d2750a225aa095b018c841d4c2169118209
child 203706 feaac6c10dc6dd76e908bdc9185cc8849bbb8595
push idunknown
push userunknown
push dateunknown
reviewerskeeler
bugs975229
milestone33.0a1
Bug 975229: Remove NSS-based certificate verification, r=keeler
netwerk/base/public/security-prefs.js
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/certverifier/ExtendedValidation.cpp
security/certverifier/ExtendedValidation.h
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/ScopedNSSTypes.h
security/manager/ssl/src/SharedCertVerifier.h
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSCallbacks.h
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/tests/unit/test_cert_eku.js
security/manager/ssl/tests/unit/test_cert_eku/generate.py
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/test_cert_signatures.js
security/manager/ssl/tests/unit/test_cert_trust.js
security/manager/ssl/tests/unit/test_cert_version.js
security/manager/ssl/tests/unit/test_certificate_usages.js
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_getchain.js
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
security/manager/ssl/tests/unit/test_ocsp_required.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
security/manager/ssl/tests/unit/test_ocsp_timeout.js
security/manager/ssl/tests/unit/test_ocsp_url.js
toolkit/components/telemetry/Histograms.json
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -49,10 +49,8 @@ pref("security.ssl3.rsa_seed_sha", false
 pref("security.default_personal_cert",   "Ask Every Time");
 pref("security.remember_cert_checkbox_default_setting", true);
 pref("security.ask_for_password",        0);
 pref("security.password_lifetime",       30);
 
 pref("security.OCSP.enabled", 1);
 pref("security.OCSP.require", false);
 pref("security.OCSP.GET.enabled", false);
-
-pref("security.use_mozillapkix_verification", true);
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -8,17 +8,16 @@
 
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "NSSErrorsService.h"
 #include "PublicKeyPinningService.h"
 #include "cert.h"
-#include "ocsp.h"
 #include "pk11pub.h"
 #include "pkix/pkix.h"
 #include "prerror.h"
 #include "secerr.h"
 #include "sslerr.h"
 
 // ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
 // mozilla::ScopedXXX.
@@ -29,31 +28,21 @@ using namespace mozilla::psm;
 PRLogModuleInfo* gCertVerifierLog = nullptr;
 #endif
 
 namespace mozilla { namespace psm {
 
 const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
 const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
 
-CertVerifier::CertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
-                           missing_cert_download_config mcdc,
-                           crl_download_config cdc,
-#endif
-                           ocsp_download_config odc,
+CertVerifier::CertVerifier(ocsp_download_config odc,
                            ocsp_strict_config osc,
                            ocsp_get_config ogc,
                            pinning_enforcement_config pel)
-  : mImplementation(ic)
-#ifndef NSS_NO_LIBPKIX
-  , mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
-  , mCRLDownloadEnabled(cdc == crl_download_allowed)
-#endif
-  , mOCSPDownloadEnabled(odc == ocsp_on)
+  : mOCSPDownloadEnabled(odc == ocsp_on)
   , mOCSPStrict(osc == ocsp_strict)
   , mOCSPGETEnabled(ogc == ocsp_get_enabled)
   , mPinningEnforcementLevel(pel)
 {
 }
 
 CertVerifier::~CertVerifier()
 {
@@ -64,47 +53,16 @@ InitCertVerifierLog()
 {
 #ifdef PR_LOGGING
   if (!gCertVerifierLog) {
     gCertVerifierLog = PR_NewLogModule("certverifier");
   }
 #endif
 }
 
-// Once we migrate to mozilla::pkix or change the overridable error
-// logic this will become unnecesary.
-static SECStatus
-insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
-                         CERTVerifyLog* verifyLog){
-  CERTVerifyLogNode* node;
-  node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
-                                              sizeof(CERTVerifyLogNode));
-  if (!node) {
-    PR_SetError(PR_UNKNOWN_ERROR, 0);
-    return SECFailure;
-  }
-  node->cert = CERT_DupCertificate(cert);
-  node->error = err;
-  node->depth = 0;
-  node->arg = nullptr;
-  //and at to head!
-  node->prev = nullptr;
-  node->next = verifyLog->head;
-  if (verifyLog->head) {
-    verifyLog->head->prev = node;
-  }
-  verifyLog->head = node;
-  if (!verifyLog->tail) {
-    verifyLog->tail = node;
-  }
-  verifyLog->count++;
-
-  return SECSuccess;
-}
-
 SECStatus
 IsCertBuiltInRoot(CERTCertificate* cert, bool& result) {
   result = false;
   ScopedPtr<PK11SlotList, PK11_FreeSlotList> slots;
   slots = PK11_GetAllSlotsForCert(cert, nullptr);
   if (!slots) {
     if (PORT_GetError() == SEC_ERROR_NO_TOKEN) {
       // no list
@@ -194,118 +152,16 @@ SECStatus chainValidationCallback(void* 
   *chainOK = PublicKeyPinningService::
     ChainHasValidPins(certList, callbackState->hostname, callbackState->time,
                       enforceTestMode);
 
   return SECSuccess;
 }
 
 static SECStatus
-ClassicVerifyCert(CERTCertificate* cert,
-                  const SECCertificateUsage usage,
-                  const PRTime time,
-                  void* pinArg,
-                  ChainValidationCallbackState* callbackState,
-                  /*optional out*/ ScopedCERTCertList* validationChain,
-                  /*optional out*/ CERTVerifyLog* verifyLog)
-{
-  SECStatus rv;
-  SECCertUsage enumUsage;
-  switch (usage) {
-    case certificateUsageSSLClient:
-      enumUsage = certUsageSSLClient;
-      break;
-    case certificateUsageSSLServer:
-      enumUsage = certUsageSSLServer;
-      break;
-    case certificateUsageSSLCA:
-      enumUsage = certUsageSSLCA;
-      break;
-    case certificateUsageEmailSigner:
-      enumUsage = certUsageEmailSigner;
-      break;
-    case certificateUsageEmailRecipient:
-      enumUsage = certUsageEmailRecipient;
-      break;
-    case certificateUsageObjectSigner:
-      enumUsage = certUsageObjectSigner;
-      break;
-    case certificateUsageVerifyCA:
-      enumUsage = certUsageVerifyCA;
-      break;
-    case certificateUsageStatusResponder:
-      enumUsage = certUsageStatusResponder;
-      break;
-    default:
-      PR_NOT_REACHED("unexpected usage");
-      PORT_SetError(SEC_ERROR_INVALID_ARGS);
-      return SECFailure;
-  }
-  if (usage == certificateUsageSSLServer) {
-    // SSL server cert verification has always used CERT_VerifyCert, so we
-    // continue to use it for SSL cert verification to minimize the risk of
-    // there being any differnce in results between CERT_VerifyCert and
-    // CERT_VerifyCertificate.
-    rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), cert, true,
-                         certUsageSSLServer, time, pinArg, verifyLog);
-  } else {
-    rv = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), cert, true,
-                                usage, time, pinArg, verifyLog, nullptr);
-  }
-
-  if (rv == SECSuccess &&
-      (validationChain || usage == certificateUsageSSLServer)) {
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
-           ("VerifyCert: getting chain in 'classic' \n"));
-    ScopedCERTCertList certChain(CERT_GetCertChainFromCert(cert, time,
-                                                           enumUsage));
-    if (!certChain) {
-      return SECFailure;
-    }
-    if (usage == certificateUsageSSLServer) {
-      PRBool chainOK = PR_FALSE;
-      SECStatus srv = chainValidationCallback(callbackState, certChain.get(),
-                                              &chainOK);
-      if (srv != SECSuccess) {
-        return srv;
-      }
-      if (chainOK != PR_TRUE) {
-        if (verifyLog) {
-          insertErrorIntoVerifyLog(cert,
-                                   PSM_ERROR_KEY_PINNING_FAILURE,
-                                   verifyLog);
-        }
-        PR_SetError(PSM_ERROR_KEY_PINNING_FAILURE, 0);
-        return SECFailure;
-      }
-    }
-    if (rv == SECSuccess && validationChain) {
-      *validationChain = certChain.release();
-    }
-  }
-
-  return rv;
-}
-
-#ifndef NSS_NO_LIBPKIX
-static void
-destroyCertListThatShouldNotExist(CERTCertList** certChain)
-{
-  PR_ASSERT(certChain);
-  PR_ASSERT(!*certChain);
-  if (certChain && *certChain) {
-    // There SHOULD not be a validation chain on failure, asserion here for
-    // the debug builds AND a fallback for production builds
-    CERT_DestroyCertList(*certChain);
-    *certChain = nullptr;
-  }
-}
-#endif
-
-static SECStatus
 BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
                              PRTime time, KeyUsage ku1, KeyUsage ku2,
                              KeyUsage ku3, KeyPurposeId eku,
                              const CertPolicyId& requiredPolicy,
                              const SECItem* stapledOCSPResponse,
                              ScopedCERTCertList& builtChain)
 {
   SECStatus rv = BuildCertChain(trustDomain, cert, time,
@@ -326,28 +182,24 @@ BuildCertChainForOneKeyUsage(TrustDomain
         PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0);
       }
     }
   }
   return rv;
 }
 
 SECStatus
-CertVerifier::MozillaPKIXVerifyCert(
-                   CERTCertificate* cert,
-                   const SECCertificateUsage usage,
-                   const PRTime time,
-                   void* pinArg,
-                   const Flags flags,
-                   ChainValidationCallbackState* callbackState,
-      /*optional*/ const SECItem* stapledOCSPResponse,
-  /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
-  /*optional out*/ SECOidTag* evOidPolicy)
+CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
+                         PRTime time, void* pinArg, const char* hostname,
+                         const Flags flags,
+            /*optional*/ const SECItem* stapledOCSPResponse,
+        /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
+        /*optional out*/ SECOidTag* evOidPolicy)
 {
-  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
+  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of VerifyCert\n"));
 
   PR_ASSERT(cert);
   PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
 
   if (validationChain) {
     *validationChain = nullptr;
   }
   if (evOidPolicy) {
@@ -355,19 +207,22 @@ CertVerifier::MozillaPKIXVerifyCert(
   }
 
   if (!cert ||
       (usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV))) {
     PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
     return SECFailure;
   }
 
+  ChainValidationCallbackState callbackState = {
+    hostname, mPinningEnforcementLevel, usage, time
+  };
   CERTChainVerifyCallback callbackContainer;
   callbackContainer.isChainValid = chainValidationCallback;
-  callbackContainer.isChainValidArg = callbackState;
+  callbackContainer.isChainValidArg = &callbackState;
 
   NSSCertDBTrustDomain::OCSPFetching ocspFetching
     = !mOCSPDownloadEnabled ||
       (flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP
     : !mOCSPStrict              ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
                                 : NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
 
   ocsp_get_config ocspGETConfig = mOCSPGETEnabled ? ocsp_get_enabled
@@ -554,378 +409,16 @@ CertVerifier::MozillaPKIXVerifyCert(
   if (validationChain && rv == SECSuccess) {
     *validationChain = builtChain.release();
   }
 
   return rv;
 }
 
 SECStatus
-CertVerifier::VerifyCert(CERTCertificate* cert,
-                         const SECCertificateUsage usage,
-                         const PRTime time,
-                         void* pinArg,
-                         const char* hostname,
-                         const Flags flags,
-                         /*optional in*/ const SECItem* stapledOCSPResponse,
-                         /*optional out*/ ScopedCERTCertList* validationChain,
-                         /*optional out*/ SECOidTag* evOidPolicy,
-                         /*optional out*/ CERTVerifyLog* verifyLog)
-{
-  ChainValidationCallbackState callbackState = { hostname,
-                                                 mPinningEnforcementLevel,
-                                                 usage,
-                                                 time };
-
-  if (mImplementation == mozillapkix) {
-    return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
-                                 &callbackState, stapledOCSPResponse,
-                                 validationChain, evOidPolicy);
-  }
-
-  if (!cert)
-  {
-    PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
-    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    return SECFailure;
-  }
-  if (validationChain) {
-    *validationChain = nullptr;
-  }
-  if (evOidPolicy) {
-    *evOidPolicy = SEC_OID_UNKNOWN;
-  }
-
-  switch(usage){
-    case certificateUsageSSLClient:
-    case certificateUsageSSLServer:
-    case certificateUsageSSLCA:
-    case certificateUsageEmailSigner:
-    case certificateUsageEmailRecipient:
-    case certificateUsageObjectSigner:
-    case certificateUsageVerifyCA:
-    case certificateUsageStatusResponder:
-      break;
-    default:
-      PORT_SetError(SEC_ERROR_INVALID_ARGS);
-      return SECFailure;
-  }
-
-  if ((flags & FLAG_MUST_BE_EV) && usage != certificateUsageSSLServer) {
-      PORT_SetError(SEC_ERROR_INVALID_ARGS);
-      return SECFailure;
-  }
-
-#ifndef NSS_NO_LIBPKIX
-  ScopedCERTCertList trustAnchors;
-  SECStatus rv;
-  SECOidTag evPolicy = SEC_OID_UNKNOWN;
-
-  // Do EV checking only for sslserver usage
-  if (usage == certificateUsageSSLServer) {
-    CertPolicyId unusedPolicyId;
-    SECStatus srv = GetFirstEVPolicy(cert, unusedPolicyId, evPolicy);
-    if (srv == SECSuccess) {
-      if (evPolicy != SEC_OID_UNKNOWN) {
-        trustAnchors = GetRootsForOid(evPolicy);
-      }
-      if (!trustAnchors) {
-        return SECFailure;
-      }
-      // pkix ignores an empty trustanchors list and
-      // decides then to use the whole set of trust in the DB
-      // so we set the evPolicy to unkown in this case
-      if (CERT_LIST_EMPTY(trustAnchors)) {
-        evPolicy = SEC_OID_UNKNOWN;
-      }
-    } else {
-      // No known EV policy found
-      if (flags & FLAG_MUST_BE_EV) {
-        PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-        return SECFailure;
-      }
-      // Do not setup EV verification params
-      evPolicy = SEC_OID_UNKNOWN;
-    }
-    if ((evPolicy == SEC_OID_UNKNOWN) && (flags & FLAG_MUST_BE_EV)) {
-      PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-      return SECFailure;
-    }
-  }
-
-  PR_ASSERT(evPolicy == SEC_OID_UNKNOWN || trustAnchors);
-
-  size_t i = 0;
-  size_t validationChainLocation = 0;
-  size_t validationTrustAnchorLocation = 0;
-  CERTValOutParam cvout[4];
-  if (verifyLog) {
-     cvout[i].type = cert_po_errorLog;
-     cvout[i].value.pointer.log = verifyLog;
-     ++i;
-  }
-  if (validationChain) {
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: setting up validation chain outparam.\n"));
-    validationChainLocation = i;
-    cvout[i].type = cert_po_certList;
-    cvout[i].value.pointer.chain = nullptr;
-    ++i;
-    validationTrustAnchorLocation = i;
-    cvout[i].type = cert_po_trustAnchor;
-    cvout[i].value.pointer.cert = nullptr;
-    ++i;
-  }
-  cvout[i].type = cert_po_end;
-
-  CERTRevocationFlags rev;
-
-  CERTRevocationMethodIndex revPreferredMethods[2];
-  rev.leafTests.preferred_methods =
-  rev.chainTests.preferred_methods = revPreferredMethods;
-
-  uint64_t revFlagsPerMethod[2];
-  rev.leafTests.cert_rev_flags_per_method =
-  rev.chainTests.cert_rev_flags_per_method = revFlagsPerMethod;
-  rev.leafTests.number_of_preferred_methods =
-  rev.chainTests.number_of_preferred_methods = 1;
-
-  rev.leafTests.number_of_defined_methods =
-  rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
-
-  const bool localOnly = flags & FLAG_LOCAL_ONLY;
-  CERTValInParam cvin[7];
-
-  // Parameters for both EV and DV validation
-  cvin[0].type = cert_pi_useAIACertFetch;
-  cvin[0].value.scalar.b = mMissingCertDownloadEnabled && !localOnly;
-  cvin[1].type = cert_pi_revocationFlags;
-  cvin[1].value.pointer.revocation = &rev;
-  cvin[2].type = cert_pi_date;
-  cvin[2].value.scalar.time = time;
-  i = 3;
-
-  CERTChainVerifyCallback callbackContainer;
-  if (usage == certificateUsageSSLServer) {
-    callbackContainer.isChainValid = chainValidationCallback;
-    callbackContainer.isChainValidArg = &callbackState;
-    cvin[i].type = cert_pi_chainVerifyCallback;
-    cvin[i].value.pointer.chainVerifyCallback = &callbackContainer;
-    ++i;
-  }
-
-  const size_t evParamLocation = i;
-
-  if (evPolicy != SEC_OID_UNKNOWN) {
-    // EV setup!
-    // XXX 859872 The current flags are not quite correct. (use
-    // of ocsp flags for crl preferences).
-    uint64_t ocspRevMethodFlags =
-      CERT_REV_M_TEST_USING_THIS_METHOD
-      | ((mOCSPDownloadEnabled && !localOnly) ?
-          CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
-      | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
-      | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
-      | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
-      | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
-      | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
-
-    rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
-    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl]
-      = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD;
-
-    rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
-    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
-      = ocspRevMethodFlags;
-
-    rev.leafTests.cert_rev_method_independent_flags =
-    rev.chainTests.cert_rev_method_independent_flags =
-      // avoiding the network is good, let's try local first
-      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
-      // is overall revocation requirement strict or relaxed?
-      |  CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
-      ;
-
-    rev.leafTests.preferred_methods[0] =
-    rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
-
-    cvin[i].type = cert_pi_policyOID;
-    cvin[i].value.arraySize = 1;
-    cvin[i].value.array.oids = &evPolicy;
-    ++i;
-    PR_ASSERT(trustAnchors);
-    cvin[i].type = cert_pi_trustAnchors;
-    cvin[i].value.pointer.chain = trustAnchors.get();
-    ++i;
-
-    cvin[i].type = cert_pi_end;
-
-    rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
-    if (rv == SECSuccess) {
-      if (evOidPolicy) {
-        *evOidPolicy = evPolicy;
-      }
-      PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
-             ("VerifyCert: successful CERT_PKIXVerifyCert(ev) \n"));
-      goto pkix_done;
-    }
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
-           ("VerifyCert: failed CERT_PKIXVerifyCert(ev)\n"));
-    if (flags & FLAG_MUST_BE_EV) {
-      return rv;
-    }
-    if (validationChain) {
-      destroyCertListThatShouldNotExist(
-        &cvout[validationChainLocation].value.pointer.chain);
-    }
-
-    if (verifyLog) {
-      // Cleanup the log so that it is ready the the next validation
-      CERTVerifyLogNode* i_node;
-      for (i_node = verifyLog->head; i_node; i_node = i_node->next) {
-         //destroy cert if any.
-         if (i_node->cert) {
-           CERT_DestroyCertificate(i_node->cert);
-         }
-         // No need to cleanup the actual nodes in the arena.
-      }
-      verifyLog->count = 0;
-      verifyLog->head = nullptr;
-      verifyLog->tail = nullptr;
-    }
-
-  }
-#endif
-
-  // If we're here, PKIX EV verification failed.
-  // If requested, don't do DV fallback.
-  if (flags & FLAG_MUST_BE_EV) {
-    PR_ASSERT(*evOidPolicy == SEC_OID_UNKNOWN);
-#ifdef NSS_NO_LIBPKIX
-    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
-#else
-    PR_SetError(PR_INVALID_STATE_ERROR, 0);
-#endif
-    return SECFailure;
-  }
-
-  if (mImplementation == classic) {
-    // XXX: we do not care about the localOnly flag (currently) as the
-    // caller that wants localOnly should disable and reenable the fetching.
-    return ClassicVerifyCert(cert, usage, time, pinArg, &callbackState,
-                             validationChain, verifyLog);
-  }
-
-#ifdef NSS_NO_LIBPKIX
-  PR_NOT_REACHED("libpkix implementation chosen but not even compiled in");
-  PR_SetError(PR_INVALID_STATE_ERROR, 0);
-  return SECFailure;
-#else
-  PR_ASSERT(mImplementation == libpkix);
-
-  // The current flags check the chain the same way as the leafs
-  rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
-  rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
-    // implicit default source - makes no sense for CRLs
-    CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
-
-    // let's not stop on fresh CRL. If OCSP is enabled, too, let's check it
-    | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
-
-    // no fresh CRL? well, let other flag decide whether to fail or not
-    | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
-
-    // testing using local CRLs is always allowed
-    | CERT_REV_M_TEST_USING_THIS_METHOD
-
-    // no local crl and don't know where to get it from? ignore
-    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
-
-    // crl download based on parameter
-    | ((mCRLDownloadEnabled && !localOnly) ?
-        CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
-    ;
-
-  rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
-  rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
-    // use OCSP
-      CERT_REV_M_TEST_USING_THIS_METHOD
-
-    // if app has a default OCSP responder configured, let's use it
-    | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
-
-    // of course OCSP doesn't work without a source. let's accept such certs
-    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
-
-    // if ocsp is required stop on lack of freshness
-    | (mOCSPStrict ?
-       CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
-
-    // ocsp success is sufficient
-    | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
-
-    // ocsp enabled controls network fetching, too
-    | ((mOCSPDownloadEnabled && !localOnly) ?
-        CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
-
-    | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
-    ;
-
-  rev.leafTests.preferred_methods[0] =
-  rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
-
-  rev.leafTests.cert_rev_method_independent_flags =
-  rev.chainTests.cert_rev_method_independent_flags =
-    // avoiding the network is good, let's try local first
-    CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
-
-  // Skip EV parameters
-  cvin[evParamLocation].type = cert_pi_end;
-
-  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: calling CERT_PKIXVerifyCert(dv) \n"));
-  rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
-
-pkix_done:
-  if (validationChain) {
-    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: validation chain requested\n"));
-    ScopedCERTCertificate trustAnchor(cvout[validationTrustAnchorLocation].value.pointer.cert);
-
-    if (rv == SECSuccess) {
-      if (! cvout[validationChainLocation].value.pointer.chain) {
-        PR_SetError(PR_UNKNOWN_ERROR, 0);
-        return SECFailure;
-      }
-      PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: I have a chain\n"));
-      *validationChain = cvout[validationChainLocation].value.pointer.chain;
-      if (trustAnchor) {
-        // we should only add the issuer to the chain if it is not already
-        // present. On CA cert checking, the issuer is the same cert, so in
-        // that case we do not add the cert to the chain.
-        if (!CERT_CompareCerts(trustAnchor.get(), cert)) {
-          PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert:  adding issuer to tail for display\n"));
-          // note: rv is reused to catch errors on cert creation!
-          ScopedCERTCertificate tempCert(CERT_DupCertificate(trustAnchor.get()));
-          rv = CERT_AddCertToListTail(validationChain->get(), tempCert.get());
-          if (rv == SECSuccess) {
-            tempCert.release(); // ownership traferred to validationChain
-          } else {
-            *validationChain = nullptr;
-          }
-        }
-      }
-    } else {
-      destroyCertListThatShouldNotExist(
-        &cvout[validationChainLocation].value.pointer.chain);
-    }
-  }
-
-  return rv;
-#endif
-}
-
-SECStatus
 CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
                      /*optional*/ const SECItem* stapledOCSPResponse,
                                   PRTime time,
                      /*optional*/ void* pinarg,
                                   const char* hostname,
                                   bool saveIntermediatesInPermanentDatabase,
                  /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
                  /*optional out*/ SECOidTag* evOidPolicy)
@@ -947,17 +440,17 @@ CertVerifier::VerifySSLServerCert(CERTCe
     return SECFailure;
   }
 
   // CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called
   // if VerifyCert succeeded.
   ScopedCERTCertList validationChain;
   SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
                             hostname, 0, stapledOCSPResponse, &validationChain,
-                            evOidPolicy, nullptr);
+                            evOidPolicy);
   if (rv != SECSuccess) {
     return rv;
   }
 
   rv = CERT_VerifyCertName(peerCert, hostname);
   if (rv != SECSuccess) {
     return rv;
   }
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -21,91 +21,62 @@ public:
   // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case
   static const Flags FLAG_LOCAL_ONLY;
   // Don't perform fallback DV validation on EV validation failure.
   static const Flags FLAG_MUST_BE_EV;
 
   // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
   // Only one usage per verification is supported.
   SECStatus VerifyCert(CERTCertificate* cert,
-                       const SECCertificateUsage usage,
-                       const PRTime time,
+                       SECCertificateUsage usage,
+                       PRTime time,
                        void* pinArg,
                        const char* hostname,
-                       const Flags flags = 0,
+                       Flags flags = 0,
        /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
       /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
-      /*optional out*/ SECOidTag* evOidPolicy = nullptr ,
-      /*optional out*/ CERTVerifyLog* verifyLog = nullptr);
+      /*optional out*/ SECOidTag* evOidPolicy = nullptr);
 
   SECStatus VerifySSLServerCert(
                     CERTCertificate* peerCert,
        /*optional*/ const SECItem* stapledOCSPResponse,
                     PRTime time,
        /*optional*/ void* pinarg,
                     const char* hostname,
                     bool saveIntermediatesInPermanentDatabase = false,
    /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr);
 
-
-  enum implementation_config {
-    classic = 0,
-#ifndef NSS_NO_LIBPKIX
-    libpkix = 1,
-#endif
-    mozillapkix = 2
-  };
-
   enum pinning_enforcement_config {
     pinningDisabled = 0,
     pinningAllowUserCAMITM = 1,
     pinningStrict = 2,
     pinningEnforceTestMode = 3
   };
 
   enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
   enum crl_download_config { crl_local_only = 0, crl_download_allowed };
   enum ocsp_download_config { ocsp_off = 0, ocsp_on };
   enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
   enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
 
   bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
 
-  CertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
-               missing_cert_download_config ac, crl_download_config cdc,
-#endif
-               ocsp_download_config odc, ocsp_strict_config osc,
+  CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
                ocsp_get_config ogc,
                pinning_enforcement_config pinningEnforcementLevel);
   ~CertVerifier();
 
   void ClearOCSPCache() { mOCSPCache.Clear(); }
 
-  const implementation_config mImplementation;
-#ifndef NSS_NO_LIBPKIX
-  const bool mMissingCertDownloadEnabled;
-  const bool mCRLDownloadEnabled;
-#endif
   const bool mOCSPDownloadEnabled;
   const bool mOCSPStrict;
   const bool mOCSPGETEnabled;
   const pinning_enforcement_config mPinningEnforcementLevel;
 
 private:
-  SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
-      const SECCertificateUsage usage,
-      const PRTime time,
-      void* pinArg,
-      const Flags flags,
-      ChainValidationCallbackState* callbackState,
-      /*optional*/ const SECItem* stapledOCSPResponse,
-      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
-      /*optional out*/ SECOidTag* evOidPolicy);
-
   OCSPCache mOCSPCache;
 };
 
 void InitCertVerifierLog();
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm__CertVerifier_h
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -881,65 +881,31 @@ register_oid(const SECItem* oid_item, co
   od.oid.data = oid_item->data;
   od.offset = SEC_OID_UNKNOWN;
   od.desc = oid_name;
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
-#ifndef NSS_NO_LIBPKIX
-static void
-addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
-  CERTCertTrust nssTrust;
-  if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
-    return;
-  }
-  unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
-
-  if (flags & CERTDB_TRUSTED_CA) {
-    CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
-  }
-}
-#endif
-
 static bool
 isEVPolicy(SECOidTag policyOIDTag)
 {
   for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
     nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
     if (policyOIDTag == entry.oid_tag) {
       return true;
     }
   }
 
   return false;
 }
 
 namespace mozilla { namespace psm {
 
-#ifndef NSS_NO_LIBPKIX
-CERTCertList*
-GetRootsForOid(SECOidTag oid_tag)
-{
-  CERTCertList* certList = CERT_NewCertList();
-  if (!certList)
-    return nullptr;
-
-  for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
-    nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
-    if (entry.oid_tag == oid_tag) {
-      addToCertListIfTrusted(certList, entry.cert);
-    }
-  }
-
-  return certList;
-}
-#endif
-
 bool
 CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
                                const mozilla::pkix::CertPolicyId& policy)
 {
   PR_ASSERT(cert);
   if (!cert) {
     return false;
   }
--- a/security/certverifier/ExtendedValidation.h
+++ b/security/certverifier/ExtendedValidation.h
@@ -21,15 +21,11 @@ SECStatus GetFirstEVPolicy(CERTCertifica
                            /*out*/ SECOidTag& policyOidTag);
 
 // CertIsAuthoritativeForEVPolicy does NOT evaluate whether the cert is trusted
 // or distrusted.
 bool CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
                                     const mozilla::pkix::CertPolicyId& policy);
 #endif
 
-#ifndef NSS_NO_LIBPKIX
-CERTCertList* GetRootsForOid(SECOidTag oid_tag);
-#endif
-
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm_ExtendedValidation_h
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -9,17 +9,16 @@
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "NSSErrorsService.h"
 #include "OCSPRequestor.h"
 #include "certdb.h"
 #include "mozilla/Telemetry.h"
 #include "nss.h"
-#include "ocsp.h"
 #include "pk11pub.h"
 #include "pkix/pkix.h"
 #include "prerror.h"
 #include "prmem.h"
 #include "prprf.h"
 #include "secerr.h"
 #include "secmod.h"
 
@@ -691,42 +690,16 @@ UnloadLoadableRoots(const char* modNameU
   PR_ASSERT(modNameUTF8);
   ScopedSECMODModule rootsModule(SECMOD_FindModule(modNameUTF8));
 
   if (rootsModule) {
     SECMOD_UnloadUserModule(rootsModule.get());
   }
 }
 
-void
-SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
-                       CertVerifier::ocsp_strict_config strict,
-                       CertVerifier::ocsp_get_config get)
-{
-  CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-  if (enabled == CertVerifier::ocsp_off) {
-    CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
-  } else {
-    CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-  }
-
-  SEC_OcspFailureMode failureMode = strict == CertVerifier::ocsp_strict
-                                  ? ocspMode_FailureIsVerificationFailure
-                                  : ocspMode_FailureIsNotAVerificationFailure;
-  (void) CERT_SetOCSPFailureMode(failureMode);
-
-  CERT_ForcePostMethodForOCSP(get != CertVerifier::ocsp_get_enabled);
-
-  uint32_t OCSPTimeoutSeconds = 3u;
-  if (strict == CertVerifier::ocsp_strict) {
-    OCSPTimeoutSeconds = 10u;
-  }
-  CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
-}
-
 char*
 DefaultServerNicknameForCert(CERTCertificate* cert)
 {
   char* nickname = nullptr;
   int count;
   bool conflict;
   char* servername = nullptr;
 
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -27,24 +27,16 @@ void PORT_Free_string(char* str);
 //
 // The modNameUTF8 parameter should usually be
 // BUILTIN_ROOTS_MODULE_DEFAULT_NAME.
 SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
                             const char* modNameUTF8);
 
 void UnloadLoadableRoots(const char* modNameUTF8);
 
-// Controls the OCSP fetching behavior of the classic verification mode. In the
-// classic mode, the OCSP fetching behavior is set globally instead of per
-// validation.
-void
-SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
-                       CertVerifier::ocsp_strict_config strict,
-                       CertVerifier::ocsp_get_config get);
-
 // Caller must free the result with PR_Free
 char* DefaultServerNicknameForCert(CERTCertificate* cert);
 
 void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
 
 class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
 {
 
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -100,17 +100,16 @@
 #include "CertVerifier.h"
 #include "CryptoTask.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsIBadCertListener2.h"
 #include "nsICertOverrideService.h"
 #include "nsISiteSecurityService.h"
 #include "nsNSSComponent.h"
-#include "nsNSSCleaner.h"
 #include "nsRecentBadCerts.h"
 #include "nsNSSIOLayer.h"
 #include "nsNSSShutDown.h"
 
 #include "mozilla/Assertions.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/unused.h"
@@ -122,29 +121,25 @@
 #include "PSMRunnable.h"
 #include "SharedSSLState.h"
 #include "nsContentUtils.h"
 
 #include "ssl.h"
 #include "secerr.h"
 #include "secport.h"
 #include "sslerr.h"
-#include "ocsp.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 namespace {
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
-
 // do not use a nsCOMPtr to avoid static initializer/destructor
 nsIThreadPool* gCertVerificationThreadPool = nullptr;
 
 // We avoid using a mutex for the success case to avoid lock-related
 // performance issues. However, we do use a lock in the error case to simplify
 // the code, since performance in the error case is not important.
 Mutex* gSSLVerificationTelemetryMutex = nullptr;
 
@@ -306,23 +301,22 @@ MapCertErrorToProbeValue(PRErrorCode err
     case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
   }
   NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
              "handle everything in PRErrorCodeToOverrideType?");
   return 0;
 }
 
 SECStatus
-MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
-                                       const char* hostName, PRTime now,
-                                       PRErrorCode defaultErrorCodeToReport,
-                                       /*out*/ uint32_t& collectedErrors,
-                                       /*out*/ PRErrorCode& errorCodeTrust,
-                                       /*out*/ PRErrorCode& errorCodeMismatch,
-                                       /*out*/ PRErrorCode& errorCodeExpired)
+DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
+                            PRTime now, PRErrorCode defaultErrorCodeToReport,
+                            /*out*/ uint32_t& collectedErrors,
+                            /*out*/ PRErrorCode& errorCodeTrust,
+                            /*out*/ PRErrorCode& errorCodeMismatch,
+                            /*out*/ PRErrorCode& errorCodeExpired)
 {
   MOZ_ASSERT(cert);
   MOZ_ASSERT(hostName);
   MOZ_ASSERT(collectedErrors == 0);
   MOZ_ASSERT(errorCodeTrust == 0);
   MOZ_ASSERT(errorCodeMismatch == 0);
   MOZ_ASSERT(errorCodeExpired == 0);
 
@@ -543,139 +537,16 @@ CertErrorRunnable::RunOnTargetThread()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
   mResult = CheckCertOverrides();
 
   MOZ_ASSERT(mResult);
 }
 
-// Converts a PRErrorCode into one of
-//   nsICertOverrideService::ERROR_UNTRUSTED,
-//   nsICertOverrideService::ERROR_MISMATCH,
-//   nsICertOverrideService::ERROR_TIME
-// if the given error code is an overridable error.
-// If it is not, then 0 is returned.
-uint32_t
-PRErrorCodeToOverrideType(PRErrorCode errorCode)
-{
-  switch (errorCode)
-  {
-    case SEC_ERROR_UNKNOWN_ISSUER:
-    case SEC_ERROR_UNTRUSTED_ISSUER:
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-    case SEC_ERROR_UNTRUSTED_CERT:
-    case SEC_ERROR_INADEQUATE_KEY_USAGE:
-    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
-      // We group all these errors as "cert not trusted"
-      return nsICertOverrideService::ERROR_UNTRUSTED;
-    case SSL_ERROR_BAD_CERT_DOMAIN:
-      return nsICertOverrideService::ERROR_MISMATCH;
-    case SEC_ERROR_EXPIRED_CERTIFICATE:
-      return nsICertOverrideService::ERROR_TIME;
-    default:
-      return 0;
-  }
-}
-
-SECStatus
-NSSDetermineCertOverrideErrors(CertVerifier& certVerifier,
-                               CERTCertificate* cert,
-                               const SECItem* stapledOCSPResponse,
-                               TransportSecurityInfo* infoObject,
-                               PRTime now,
-                               PRErrorCode defaultErrorCodeToReport,
-                               /*out*/ uint32_t& collectedErrors,
-                               /*out*/ PRErrorCode& errorCodeTrust,
-                               /*out*/ PRErrorCode& errorCodeMismatch,
-                               /*out*/ PRErrorCode& errorCodeExpired)
-{
-  MOZ_ASSERT(cert);
-  MOZ_ASSERT(infoObject);
-  MOZ_ASSERT(defaultErrorCodeToReport != 0);
-  MOZ_ASSERT(collectedErrors == 0);
-  MOZ_ASSERT(errorCodeTrust == 0);
-  MOZ_ASSERT(errorCodeMismatch == 0);
-  MOZ_ASSERT(errorCodeExpired == 0);
-
-  if (defaultErrorCodeToReport == 0) {
-    NS_ERROR("No error code set during certificate validation failure.");
-    PR_SetError(PR_INVALID_STATE_ERROR, 0);
-    return SECFailure;
-  }
-
-  // We only allow overrides for certain errors. Return early if the error
-  // is not one of them. This is to avoid doing revocation fetching in the
-  // case of OCSP stapling and probably for other reasons.
-  if (PRErrorCodeToOverrideType(defaultErrorCodeToReport) == 0) {
-    PR_SetError(defaultErrorCodeToReport, 0);
-    return SECFailure;
-  }
-
-  PLArenaPool* log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena);
-  if (!log_arena) {
-    NS_ERROR("PORT_NewArena failed");
-    return SECFailure; // PORT_NewArena set error code
-  }
-
-  CERTVerifyLog* verify_log = PORT_ArenaZNew(log_arena, CERTVerifyLog);
-  if (!verify_log) {
-    NS_ERROR("PORT_ArenaZNew failed");
-    return SECFailure; // PORT_ArenaZNew set error code
-  }
-  CERTVerifyLogContentsCleaner verify_log_cleaner(verify_log);
-  verify_log->arena = log_arena;
-
-  // We ignore the result code of the cert verification (i.e. VerifyCert's rv)
-  // Either it is a failure, which is expected, and we'll process the
-  //                         verify log below.
-  // Or it is a success, then a domain mismatch is the only
-  //                     possible failure.
-  // XXX TODO: convert to VerifySSLServerCert
-  // XXX TODO: get rid of error log
-  certVerifier.VerifyCert(cert, certificateUsageSSLServer,
-                          now, infoObject, infoObject->GetHostNameRaw(),
-                          0, stapledOCSPResponse, nullptr, nullptr, verify_log);
-
-  // Check the name field against the desired hostname.
-  if (CERT_VerifyCertName(cert, infoObject->GetHostNameRaw()) != SECSuccess) {
-    collectedErrors |= nsICertOverrideService::ERROR_MISMATCH;
-    errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN;
-  }
-
-  CERTVerifyLogNode* i_node;
-  for (i_node = verify_log->head; i_node; i_node = i_node->next) {
-    uint32_t overrideType = PRErrorCodeToOverrideType(i_node->error);
-    // If this isn't an overridable error, set the error and return.
-    if (overrideType == 0) {
-      PR_SetError(i_node->error, 0);
-      return SECFailure;
-    }
-    collectedErrors |= overrideType;
-    if (overrideType == nsICertOverrideService::ERROR_UNTRUSTED) {
-      if (errorCodeTrust == 0) {
-        errorCodeTrust = i_node->error;
-      }
-    } else if (overrideType == nsICertOverrideService::ERROR_MISMATCH) {
-      if (errorCodeMismatch == 0) {
-        errorCodeMismatch = i_node->error;
-      }
-    } else if (overrideType == nsICertOverrideService::ERROR_TIME) {
-      if (errorCodeExpired == 0) {
-        errorCodeExpired = i_node->error;
-      }
-    } else {
-      MOZ_CRASH("unexpected return value from PRErrorCodeToOverrideType");
-    }
-  }
-
-  return SECSuccess;
-}
-
 // Returns null with the error code (PR_GetError()) set if it does not create
 // the CertErrorRunnable.
 CertErrorRunnable*
 CreateCertErrorRunnable(CertVerifier& certVerifier,
                         PRErrorCode defaultErrorCodeToReport,
                         TransportSecurityInfo* infoObject,
                         CERTCertificate* cert,
                         const SECItem* stapledOCSPResponse,
@@ -685,47 +556,20 @@ CreateCertErrorRunnable(CertVerifier& ce
 {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
 
   uint32_t collected_errors = 0;
   PRErrorCode errorCodeTrust = 0;
   PRErrorCode errorCodeMismatch = 0;
   PRErrorCode errorCodeExpired = 0;
-
-  SECStatus rv;
-  switch (certVerifier.mImplementation) {
-    case CertVerifier::classic:
-#ifndef NSS_NO_LIBPKIX
-    case CertVerifier::libpkix:
-#endif
-      rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
-                                          infoObject, now,
-                                          defaultErrorCodeToReport,
-                                          collected_errors, errorCodeTrust,
-                                          errorCodeMismatch, errorCodeExpired);
-      break;
-
-    case CertVerifier::mozillapkix:
-      rv = MozillaPKIXDetermineCertOverrideErrors(cert,
-                                                  infoObject->GetHostNameRaw(),
-                                                  now, defaultErrorCodeToReport,
-                                                  collected_errors,
-                                                  errorCodeTrust,
-                                                  errorCodeMismatch,
-                                                  errorCodeExpired);
-      break;
-
-    default:
-      MOZ_CRASH("unexpected CertVerifier implementation");
-      PR_SetError(defaultErrorCodeToReport, 0);
-      return nullptr;
-
-  }
-  if (rv != SECSuccess) {
+  if (DetermineCertOverrideErrors(cert, infoObject->GetHostNameRaw(), now,
+                                  defaultErrorCodeToReport, collected_errors,
+                                  errorCodeTrust, errorCodeMismatch,
+                                  errorCodeExpired) != SECSuccess) {
     return nullptr;
   }
 
   RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert));
   if (!nssCert) {
     NS_ERROR("nsNSSCertificate::Create failed");
     PR_SetError(SEC_ERROR_NO_MEMORY, 0);
     return nullptr;
@@ -901,67 +745,16 @@ AuthCertificate(CertVerifier& certVerifi
                 CERTCertificate* cert, SECItem* stapledOCSPResponse,
                 uint32_t providerFlags, PRTime time)
 {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
 
   SECStatus rv;
 
-  // TODO: Remove this after we switch to mozilla::pkix as the
-  // only option
-  if (certVerifier.mImplementation == CertVerifier::classic) {
-    if (stapledOCSPResponse) {
-      CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
-      rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
-                                                 stapledOCSPResponse,
-                                                 infoObject);
-      if (rv != SECSuccess) {
-        // Due to buggy servers that will staple expired OCSP responses
-        // (see for example http://trac.nginx.org/nginx/ticket/425),
-        // don't terminate the connection if the stapled response is expired.
-        // We will fall back to fetching revocation information.
-        PRErrorCode ocspErrorCode = PR_GetError();
-        if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
-          // stapled OCSP response present but invalid for some reason
-          Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
-          return rv;
-        } else {
-          // stapled OCSP response present but expired
-          Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
-        }
-      } else {
-        // stapled OCSP response present and good
-        Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
-      }
-    } else {
-      // no stapled OCSP response
-      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
-
-      uint32_t reasonsForNotFetching = 0;
-
-      char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
-      if (!ocspURI) {
-        reasonsForNotFetching |= 1; // invalid/missing OCSP URI
-      } else {
-        if (std::strncmp(ocspURI, "http://", 7)) { // approximation
-          reasonsForNotFetching |= 1; // invalid/missing OCSP URI
-        }
-        PORT_Free(ocspURI);
-      }
-
-      if (!certVerifier.mOCSPDownloadEnabled) {
-        reasonsForNotFetching |= 2;
-      }
-
-      Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH,
-                            reasonsForNotFetching);
-    }
-  }
-
   // We want to avoid storing any intermediate cert information when browsing
   // in private, transient contexts.
   bool saveIntermediates =
     !(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
 
   mozilla::pkix::ScopedCERTCertList certList;
   SECOidTag evOidPolicy;
   rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
@@ -1073,44 +866,21 @@ SSLServerCertVerificationJob::Run()
           ("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get()));
 
   PRErrorCode error;
 
   nsNSSShutDownPreventionLock nssShutdownPrevention;
   if (mInfoObject->isAlreadyShutDown()) {
     error = SEC_ERROR_USER_CANCELLED;
   } else {
-    Telemetry::ID successTelemetry;
-    Telemetry::ID failureTelemetry;
-    switch (mCertVerifier->mImplementation) {
-      case CertVerifier::classic:
-        successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
-        failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
-        break;
-      case CertVerifier::mozillapkix:
-        successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
-        failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
-        break;
-#ifndef NSS_NO_LIBPKIX
-      case CertVerifier::libpkix:
-        successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
-        failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
-        break;
-#endif
-      default:
-        MOZ_CRASH("Unknown CertVerifier mode");
-    }
+    Telemetry::ID successTelemetry
+      = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
+    Telemetry::ID failureTelemetry
+      = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
 
-    // XXX
     // Reset the error code here so we can detect if AuthCertificate fails to
     // set the error code if/when it fails.
     PR_SetError(0, 0);
     SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert.get(),
                                    mStapledOCSPResponse, mProviderFlags,
                                    mTime);
     if (rv == SECSuccess) {
       uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
--- a/security/manager/ssl/src/ScopedNSSTypes.h
+++ b/security/manager/ssl/src/ScopedNSSTypes.h
@@ -17,17 +17,16 @@
 #include "cert.h"
 #include "cms.h"
 #include "keyhi.h"
 #include "cryptohi.h"
 #include "pk11pub.h"
 #include "sechash.h"
 #include "secpkcs7.h"
 #include "prerror.h"
-#include "ocsp.h"
 
 namespace mozilla {
 
 // It is very common to cast between char* and uint8_t* when doing crypto stuff.
 // Here, we provide more type-safe wrappers around reinterpret_cast so you don't
 // shoot yourself in the foot by reinterpret_casting completely unrelated types.
 
 inline char *
@@ -78,19 +77,16 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLAT
                                           CERTCertList,
                                           CERT_DestroyCertList)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTName,
                                           CERTName,
                                           CERT_DestroyName)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames,
                                           CERTCertNicknames,
                                           CERT_FreeNicknames)
-MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTOCSPCertID,
-                                          CERTOCSPCertID,
-                                          CERT_DestroyOCSPCertID)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo,
                                           CERTSubjectPublicKeyInfo,
                                           SECKEY_DestroySubjectPublicKeyInfo)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTValidity,
                                           CERTValidity,
                                           CERT_DestroyValidity)
 
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedNSSCMSMessage,
--- a/security/manager/ssl/src/SharedCertVerifier.h
+++ b/security/manager/ssl/src/SharedCertVerifier.h
@@ -14,28 +14,19 @@ namespace mozilla { namespace psm {
 class SharedCertVerifier : public mozilla::psm::CertVerifier
 {
 protected:
   ~SharedCertVerifier();
 
 public:
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
 
-  SharedCertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
-                     missing_cert_download_config ac, crl_download_config cdc,
-#endif
-                     ocsp_download_config odc, ocsp_strict_config osc,
+  SharedCertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
                      ocsp_get_config ogc,
                      pinning_enforcement_config pinningEnforcementLevel)
-    : mozilla::psm::CertVerifier(ic,
-#ifndef NSS_NO_LIBPKIX
-                                 ac, cdc,
-#endif
-                                 odc, osc, ogc,
-                                 pinningEnforcementLevel)
+    : mozilla::psm::CertVerifier(odc, osc, ogc, pinningEnforcementLevel)
   {
   }
 };
 
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm__SharedCertVerifier_h
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -581,26 +581,16 @@ void nsNSSHttpInterface::initTable()
   v1.createFcn = createFcn;
   v1.setPostDataFcn = setPostDataFcn;
   v1.addHeaderFcn = addHeaderFcn;
   v1.trySendAndReceiveFcn = trySendAndReceiveFcn;
   v1.cancelFcn = cancelFcn;
   v1.freeFcn = freeFcn;
 }
 
-void nsNSSHttpInterface::registerHttpClient()
-{
-  SEC_RegisterDefaultHttpClient(&sNSSInterfaceTable);
-}
-
-void nsNSSHttpInterface::unregisterHttpClient()
-{
-  SEC_RegisterDefaultHttpClient(nullptr);
-}
-
 nsHTTPListener::nsHTTPListener()
 : mResultData(nullptr),
   mResultLen(0),
   mLock("nsHTTPListener.mLock"),
   mCondition(mLock, "nsHTTPListener.mCondition"),
   mWaitFlag(true),
   mResponsibleForDoneSignal(false),
   mLoadGroup(nullptr),
--- a/security/manager/ssl/src/nsNSSCallbacks.h
+++ b/security/manager/ssl/src/nsNSSCallbacks.h
@@ -215,14 +215,11 @@ public:
   static SECStatus freeFcn(SEC_HTTP_REQUEST_SESSION request)
   {
     return static_cast<nsNSSHttpRequestSession*>(request)
             ->freeFcn();
   }
 
   static void initTable();
   static SEC_HttpClientFcn sNSSInterfaceTable;
-
-  void registerHttpClient();
-  void unregisterHttpClient();
 };
 
 #endif // _NSNSSCALLBACKS_H_
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -44,17 +44,16 @@
 
 #include "nspr.h"
 #include "certdb.h"
 #include "secerr.h"
 #include "nssb64.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "ssl.h"
-#include "ocsp.h"
 #include "plbase64.h"
 
 using namespace mozilla;
 using namespace mozilla::psm;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -42,17 +42,16 @@
 
 #include "nspr.h"
 #include "certdb.h"
 #include "secerr.h"
 #include "nssb64.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "ssl.h"
-#include "ocsp.h"
 #include "plbase64.h"
 
 using namespace mozilla;
 using namespace mozilla::psm;
 using mozilla::psm::SharedSSLState;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
@@ -1811,19 +1810,11 @@ nsNSSCertificateDB::ClearOCSPCache()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
-  if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
-    certVerifier->ClearOCSPCache();
-  } else {
-    SECStatus srv = CERT_ClearOCSPCache();
-    if (srv != SECSuccess) {
-      return MapSECStatus(srv);
-    }
-  }
-
+  certVerifier->ClearOCSPCache();
   return NS_OK;
 }
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -53,17 +53,16 @@
 #include "SharedSSLState.h"
 #include "NSSErrorsService.h"
 
 #include "nss.h"
 #include "ssl.h"
 #include "sslproto.h"
 #include "secmod.h"
 #include "secmime.h"
-#include "ocsp.h"
 #include "secerr.h"
 #include "sslerr.h"
 
 #include "nsXULAppAPI.h"
 
 #ifdef XP_WIN
 #include "nsILocalFileWin.h"
 #endif
@@ -238,20 +237,20 @@ bool EnsureNSSInitialized(EnsureNSSOpera
 
   default:
     NS_ASSERTION(false, "Bad operator to EnsureNSSInitialized");
     return false;
   }
 }
 
 static void
-SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
-                                /*out*/ CertVerifier::ocsp_strict_config* osc,
-                                /*out*/ CertVerifier::ocsp_get_config* ogc,
-                                const MutexAutoLock& /*proofOfLock*/)
+GetOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
+                         /*out*/ CertVerifier::ocsp_strict_config* osc,
+                         /*out*/ CertVerifier::ocsp_get_config* ogc,
+                         const MutexAutoLock& /*proofOfLock*/)
 {
   MOZ_ASSERT(NS_IsMainThread());
   MOZ_ASSERT(odc);
   MOZ_ASSERT(osc);
   MOZ_ASSERT(ogc);
 
   // 0 = disabled, otherwise enabled
   *odc = Preferences::GetInt("security.OCSP.enabled", 1)
@@ -262,18 +261,16 @@ SetClassicOCSPBehaviorFromPrefs(/*out*/ 
        ? CertVerifier::ocsp_strict
        : CertVerifier::ocsp_relaxed;
 
   // XXX: Always use POST for OCSP; see bug 871954 for undoing this.
   *ogc = Preferences::GetBool("security.OCSP.GET.enabled", false)
        ? CertVerifier::ocsp_get_enabled
        : CertVerifier::ocsp_get_disabled;
 
-  SetClassicOCSPBehavior(*odc, *osc, *ogc);
-
   SSL_ClearSessionCache();
 }
 
 nsNSSComponent::nsNSSComponent()
   :mutex("nsNSSComponent.mutex"),
    mNSSInitialized(false),
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
    mThreadList(nullptr),
@@ -986,92 +983,38 @@ void nsNSSComponent::setValidationOption
 
   // We measure the setting of the pref at startup only to minimize noise by
   // addons that may muck with the settings, though it probably doesn't matter.
   if (isInitialSetting) {
     Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled);
     Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
   }
 
-#ifndef NSS_NO_LIBPKIX
-  bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
-                                             false);
-  bool aiaDownloadEnabled =
-    Preferences::GetBool("security.missing_cert_download.enabled", false);
-
-#endif
   bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
                                                   true);
   PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
   PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
 
-  CertVerifier::implementation_config certVerifierImplementation
-    = CertVerifier::classic;
-
-  // The mozilla::pkix pref overrides the libpkix pref
-  if (Preferences::GetBool("security.use_mozillapkix_verification", true)) {
-    certVerifierImplementation = CertVerifier::mozillapkix;
-  } else {
-#ifndef NSS_NO_LIBPKIX
-  if (Preferences::GetBool("security.use_libpkix_verification", false)) {
-    certVerifierImplementation = CertVerifier::libpkix;
-  }
-#endif
-  }
-
-  if (isInitialSetting) {
-    if (certVerifierImplementation == CertVerifier::classic) {
-      Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 1);
-#ifndef NSS_NO_LIBPKIX
-    } else if (certVerifierImplementation == CertVerifier::libpkix) {
-      Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 2);
-#endif
-    } else if (certVerifierImplementation == CertVerifier::mozillapkix) {
-      Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 3);
-    }
-  }
-
   // Default pinning enforcement level is disabled.
   CertVerifier::pinning_enforcement_config
     pinningEnforcementLevel =
       static_cast<CertVerifier::pinning_enforcement_config>
         (Preferences::GetInt("security.cert_pinning.enforcement_level",
                              CertVerifier::pinningDisabled));
   if (pinningEnforcementLevel > CertVerifier::pinningEnforceTestMode) {
     pinningEnforcementLevel = CertVerifier::pinningDisabled;
   }
 
   CertVerifier::ocsp_download_config odc;
   CertVerifier::ocsp_strict_config osc;
   CertVerifier::ocsp_get_config ogc;
 
-  SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
-  mDefaultCertVerifier = new SharedCertVerifier(
-      certVerifierImplementation,
-#ifndef NSS_NO_LIBPKIX
-      aiaDownloadEnabled ?
-        CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
-      crlDownloading ?
-        CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
-#endif
-      odc, osc, ogc, pinningEnforcementLevel);
-
-  // mozilla::pkix has its own OCSP cache, so disable the NSS cache
-  // if appropriate.
-  if (certVerifierImplementation == CertVerifier::mozillapkix) {
-    // Using -1 disables the cache. The other arguments are the default
-    // values and aren't exposed by the API.
-    CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
-  } else {
-    // Using 1000 enables the cache with the default size of 1000. Again,
-    // these values are not exposed by the API.
-    CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
-  }
-
-  CERT_ClearOCSPCache();
+  GetOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
+  mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
+                                                pinningEnforcementLevel);
 }
 
 // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
 // version) and TLS 1.2 (max version) when the prefs aren't set or set to
 // invalid values.
 nsresult
 nsNSSComponent::setEnabledTLSVersions()
 {
@@ -1270,17 +1213,16 @@ nsNSSComponent::InitializeNSS()
     PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to initialize cipher suite settings\n"));
     return NS_ERROR_FAILURE;
   }
 
   // dynamic options from prefs
   setValidationOptions(true, lock);
 
   mHttpForNSS.initTable();
-  mHttpForNSS.registerHttpClient();
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   LaunchSmartCardThreads();
 #endif
 
   RegisterPSMErrorTable();
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
@@ -1296,17 +1238,16 @@ nsNSSComponent::ShutdownNSS()
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ShutdownNSS\n"));
 
   MutexAutoLock lock(mutex);
 
   if (mNSSInitialized) {
     mNSSInitialized = false;
 
     PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
-    mHttpForNSS.unregisterHttpClient();
 
     Preferences::RemoveObserver(this, "security.");
     if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) {
       PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("nsNSSComponent::ShutdownNSS cannot stop observing cipher suite change\n"));
     }
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
     ShutdownSmartCardThreads();
@@ -1665,24 +1606,19 @@ nsNSSComponent::Observe(nsISupports* aSu
       SSL_OptionSetDefault(SSL_ENABLE_NPN,
                            Preferences::GetBool("security.ssl.enable_npn",
                                                 NPN_ENABLED_DEFAULT));
     } else if (prefName.EqualsLiteral("security.ssl.enable_alpn")) {
       SSL_OptionSetDefault(SSL_ENABLE_ALPN,
                            Preferences::GetBool("security.ssl.enable_alpn",
                                                 ALPN_ENABLED_DEFAULT));
     } else if (prefName.EqualsLiteral("security.OCSP.enabled") ||
-               prefName.EqualsLiteral("security.CRL_download.enabled") ||
-               prefName.EqualsLiteral("security.fresh_revocation_info.require") ||
-               prefName.EqualsLiteral("security.missing_cert_download.enabled") ||
                prefName.EqualsLiteral("security.OCSP.require") ||
                prefName.EqualsLiteral("security.OCSP.GET.enabled") ||
                prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
-               prefName.EqualsLiteral("security.use_mozillapkix_verification") ||
-               prefName.EqualsLiteral("security.use_libpkix_verification") ||
                prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) {
       MutexAutoLock lock(mutex);
       setValidationOptions(false, lock);
     } else if (prefName.EqualsLiteral("network.ntlm.send-lm-response")) {
       bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
                                          SEND_LM_DEFAULT);
       nsNTLMAuthModule::SetSendLM(sendLM);
       clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -8,16 +8,17 @@
 
 #include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Casting.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/Telemetry.h"
 
 #include "prlog.h"
+#include "prmem.h"
 #include "prnetdb.h"
 #include "nsIPrefService.h"
 #include "nsIClientAuthDialogs.h"
 #include "nsClientAuthRemember.h"
 #include "nsISSLErrorListener.h"
 
 #include "nsNetUtil.h"
 #include "nsPrintfCString.h"
--- a/security/manager/ssl/tests/unit/test_cert_eku.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -18,17 +18,16 @@ function cert_from_file(filename) {
 function load_cert(cert_name, trust_string) {
   var cert_filename = cert_name + ".der";
   addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
   return cert_from_file(cert_filename);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), 0, certificateUsageSSLClient);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
   checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
--- a/security/manager/ssl/tests/unit/test_cert_eku/generate.py
+++ b/security/manager/ssl/tests/unit/test_cert_eku/generate.py
@@ -64,17 +64,16 @@ function cert_from_file(filename) {
 function load_cert(cert_name, trust_string) {
   var cert_filename = cert_name + ".der";
   addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
   return cert_from_file(cert_filename);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
 """
 
 js_file_footer = """}
 """
 
 def gen_int_js_output(int_string):
     expectedResult = "SEC_ERROR_INADEQUATE_CERT_TYPE"
     # For a certificate to verify successfully as a SSL CA, it must either
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -47,214 +47,150 @@ function add_non_overridable_test(aHost,
 }
 
 function check_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
                     .snapshot();
   do_check_eq(histogram.counts[ 0], 0);
-  do_check_eq(histogram.counts[ 2], 8 + 1); // SEC_ERROR_UNKNOWN_ISSUER
-  do_check_eq(histogram.counts[ 3], 0);     // SEC_ERROR_CA_CERT_INVALID
-  do_check_eq(histogram.counts[ 4], 0 + 5); // SEC_ERROR_UNTRUSTED_ISSUER
-  do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
-  do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
-  do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
-  do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
-  do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
-  do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
+  do_check_eq(histogram.counts[ 2], 8); // SEC_ERROR_UNKNOWN_ISSUER
+  do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
+  do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
+  do_check_eq(histogram.counts[ 5], 0); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
+  do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
+  do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
+  do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN
+  do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
   run_next_test();
 }
 
 function run_test() {
   add_tls_server_setup("BadCertServer");
 
   let fakeOCSPResponder = new HttpServer();
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
   });
   fakeOCSPResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_simple_tests();
+  add_combo_tests();
+  add_distrust_tests();
 
   add_test(function () {
     fakeOCSPResponder.stop(check_telemetry);
   });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
-  add_simple_tests(useMozillaPKIX);
-  add_combo_tests(useMozillaPKIX);
-  add_distrust_tests(useMozillaPKIX);
-
-  add_test(function () {
-    certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
-    run_next_test();
-  });
-}
-
-function add_simple_tests(useMozillaPKIX) {
+function add_simple_tests() {
   add_cert_override_test("expired.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
-  if (useMozillaPKIX) {
-    add_cert_override_test("selfsigned.example.com",
-                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                           getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
-  } else {
-    add_non_overridable_test("selfsigned.example.com",
-                             SEC_ERROR_CA_CERT_INVALID);
-  }
+  add_cert_override_test("selfsigned.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("unknownissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("expiredissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("md5signature.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
   add_cert_override_test("mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
 
   // A Microsoft IIS utility generates self-signed certificates with
   // properties similar to the one this "host" will present (see
   // tlsserver/generate_certs.sh).
-  // One of the errors classic verification collects is that this
-  // certificate has an inadequate key usage to sign a certificate
-  // (i.e. itself). As a result, to be able to override this,
-  // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
-  // confusingly, this isn't the main error reported).
-  // mozilla::pkix just says this certificate's issuer is unknown.
-  if (useMozillaPKIX) {
-    add_cert_override_test("selfsigned-inadequateEKU.example.com",
-                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                           getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
-  } else {
-    add_non_overridable_test("selfsigned-inadequateEKU.example.com",
-                             SEC_ERROR_CA_CERT_INVALID);
-  }
+  add_cert_override_test("selfsigned-inadequateEKU.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
 
-  // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
-  // classic verification, but not for mozilla::pkix verification.
-  if (useMozillaPKIX) {
-    add_non_overridable_test("inadequatekeyusage.example.com",
-                             SEC_ERROR_INADEQUATE_KEY_USAGE);
-  } else {
-    add_cert_override_test("inadequatekeyusage.example.com",
-                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                           getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
-  }
+  add_non_overridable_test("inadequatekeyusage.example.com",
+                           SEC_ERROR_INADEQUATE_KEY_USAGE);
 
   // Bug 990603: Apache documentation has recommended generating a self-signed
   // test certificate with basic constraints: CA:true. For compatibility, this
   // is a scenario in which an override is allowed.
   add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
 }
 
-function add_combo_tests(useMozillaPKIX) {
-  // Note that "untrusted" here really is "unknown issuer" in the
-  // mozilla::pkix case.
-
+function add_combo_tests() {
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
   add_cert_override_test("mismatch-untrusted.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("mismatch-untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(
-                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                           : SEC_ERROR_UNTRUSTED_ISSUER));
+                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
 
   add_cert_override_test("md5signature-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
 }
 
-function add_distrust_tests(useMozillaPKIX) {
+function add_distrust_tests() {
   // Before we specifically distrust this certificate, it should be trusted.
   add_connection_test("untrusted.example.com", Cr.NS_OK);
 
-  // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
-  // verification is used.
   add_distrust_override_test("tlsserver/default-ee.der",
                              "untrusted.example.com",
-                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
-                             useMozillaPKIX
-                                ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
-                                : Cr.NS_OK);
+                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT));
 
-  // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
-  // verification is used.
   add_distrust_override_test("tlsserver/other-test-ca.der",
                              "untrustedissuer.example.com",
-                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
-                             useMozillaPKIX
-                                ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
-                                : Cr.NS_OK);
+                             getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
 }
 
-function add_distrust_override_test(certFileName, hostName,
-                                    expectedResultBefore, expectedResultAfter) {
+function add_distrust_override_test(certFileName, hostName, expectedResult) {
   let certToDistrust = constructCertFromFile(certFileName);
 
   add_test(function () {
     // Add an entry to the NSS certDB that says to distrust the cert
     setCertTrust(certToDistrust, "pu,,");
     clearSessionCache();
     run_next_test();
   });
-  add_connection_test(hostName, expectedResultBefore, null,
+  add_connection_test(hostName, expectedResult, null,
                       function (securityInfo) {
                         securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
                         // XXX(Bug 754369): SSLStatus isn't available for
                         // non-overridable errors.
                         if (securityInfo.SSLStatus) {
                           certOverrideService.rememberValidityOverride(
                               hostName, 8443, securityInfo.SSLStatus.serverCert,
                               Ci.nsICertOverrideService.ERROR_UNTRUSTED, true);
                         } else {
                           // A missing SSLStatus probably means (due to bug
                           // 754369) that the error was non-overridable, which
                           // is what we're trying to test, though we'd rather
                           // not test it this way.
-                          do_check_neq(expectedResultAfter, Cr.NS_OK);
+                          do_check_neq(expectedResult, Cr.NS_OK);
                         }
                         clearSessionCache();
                       });
-  add_connection_test(hostName, expectedResultAfter, null,
+  add_connection_test(hostName, expectedResult, null,
                       function () {
                         setCertTrust(certToDistrust, "u,,");
                       });
 }
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -40,39 +40,29 @@ function check_ca(ca_name) {
 }
 
 function run_test() {
   // Load the ca into mem
   load_ca("ca-rsa");
   load_ca("ca-p384");
   load_ca("ca-dsa");
 
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
-
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
   check_ca("ca-rsa");
   check_ca("ca-p384");
   check_ca("ca-dsa");
 
   // mozilla::pkix does not allow CA certs to be validated for end-entity
   // usages.
-  let int_usage = useMozillaPKIX
-                ? 'SSL CA'
-                : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+  const int_usage = 'SSL CA';
 
   // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
-  const ee_usage = useMozillaPKIX
-                 ? 'Client,Server,Sign,Encrypt,Object Signer'
-                 : 'Client,Server,Sign,Encrypt';
+  const ee_usage = 'Client,Server,Sign,Encrypt,Object Signer';
 
   let cert2usage = {
     // certs without the "int" prefix are end entity certs.
     'int-rsa-valid': int_usage,
     'rsa-valid': ee_usage,
     'int-p384-valid': int_usage,
     'p384-valid': ee_usage,
     'int-dsa-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -34,223 +34,166 @@ function check_cert_err_generic(cert, ex
   do_print("cert issuer cn=" + cert.issuerCommonName);
   let hasEVPolicy = {};
   let verifiedChain = {};
   let error = certdb.verifyCertNow(cert, usage,
                                    NO_FLAGS, verifiedChain, hasEVPolicy);
   do_check_eq(error,  expected_error);
 };
 
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
   // On reset most usages are successful
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);  // expected no bc
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, 0,
                          certificateUsageObjectSigner); // expected
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   // mozilla::pkix enforces that certificase must have a basic constraints
   // extension with cA:true to be a CA certificate,  whereas classic does not
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder); //expected
 
 
   // Test of active distrust. No usage should pass.
   setCertTrust(cert_to_modify_trust, 'p,p,p');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   // In mozilla::pkix (but not classic verification), certificate chain
   // properties are checked before the end-entity. Thus, if we're using
   // mozilla::pkix and the root certificate has been distrusted, the error
   // will be "untrusted issuer" and not "inadequate cert type".
-  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
-                                    ? SEC_ERROR_UNTRUSTED_ISSUER
-                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert,
+                         !isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
+                                   : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
-
   // Trust set to T  -  trusted CA to issue client certs, where client cert is
   // usageSSLClient.
   setCertTrust(cert_to_modify_trust, 'T,T,T');
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLServer);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
-                                                            : 0
-                                           : 0,
+  // XXX(Bug 982340)
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE
-                                           : useMozillaPKIX ? 0
-                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   // Now tests on the SSL trust bit
   setCertTrust(cert_to_modify_trust, 'p,C,C');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0  //XXX Bug 982340
-                                                 : SEC_ERROR_UNTRUSTED_ISSUER,
-                         certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+
+  //XXX(Bug 982340)
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
-  // In mozilla::pkix (but not classic verification), certificate chain
-  // properties are checked before the end-entity. Thus, if we're using
-  // mozilla::pkix and the root certificate has been distrusted, the error
-  // will be "untrusted issuer" and not "inadequate cert type".
-  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
-                                    ? SEC_ERROR_UNTRUSTED_ISSUER
-                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert,
+                         isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
+                                  : SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageStatusResponder);
 
   // Inherited trust SSL
   setCertTrust(cert_to_modify_trust, ',C,C');
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0  // XXX Bug 982340
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
-                         certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  // XXX(Bug 982340)
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
   // Now tests on the EMAIL trust bit
   setCertTrust(cert_to_modify_trust, 'C,p,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
-                                           : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
-                                                            : 0, // mozilla::pkix is OK, NSS bug
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   //inherited EMAIL Trust
   setCertTrust(cert_to_modify_trust, 'C,,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageSSLCA);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                                            : SEC_ERROR_UNTRUSTED_ISSUER
-                                           : 0,
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
-                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
-                         certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
-                                                 : 0,
+  check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 }
 
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
+  for (let i = 0 ; i < certList.length; i++) {
+    load_cert(certList[i], ',,');
+  }
 
   let ca_cert = certdb.findCertByNickname(null, 'ca');
   do_check_false(!ca_cert)
   let int_cert = certdb.findCertByNickname(null, 'int');
   do_check_false(!int_cert)
   let ee_cert = certdb.findCertByNickname(null, 'ee');
   do_check_false(!ee_cert);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
+  test_ca_distrust(ee_cert, ca_cert, true);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
+  test_ca_distrust(ee_cert, int_cert, false);
 }
-
-function run_test() {
-  for (let i = 0 ; i < certList.length; i++) {
-    load_cert(certList[i], ',,');
-  }
-
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_cert_version.js
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -39,31 +39,30 @@ function check_ca_err(cert, expected_err
 function check_ok(x) {
   return check_cert_err(x, 0);
 }
 
 function check_ok_ca(x) {
   return check_cert_err_generic(x, 0, certificateUsageSSLCA);
 }
 
-function run_tests_in_mode(useMozillaPKIX)
-{
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                             useMozillaPKIX);
+function run_test() {
+  load_cert("v1_ca", "CTu,CTu,CTu");
+  load_cert("v1_ca_bc", "CTu,CTu,CTu");
+  load_cert("v2_ca", "CTu,CTu,CTu");
+  load_cert("v2_ca_bc", "CTu,CTu,CTu");
+  load_cert("v3_ca", "CTu,CTu,CTu");
+  load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
 
   check_ok_ca(cert_from_file('v1_ca.der'));
-  check_ca_err(cert_from_file('v1_ca_bc.der'),
-               useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
-  check_ca_err(cert_from_file('v2_ca.der'),
-               useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
-  check_ca_err(cert_from_file('v2_ca_bc.der'),
-               useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
+  check_ca_err(cert_from_file('v1_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
+  check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID);
+  check_ca_err(cert_from_file('v2_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
   check_ok_ca(cert_from_file('v3_ca.der'));
-  check_ca_err(cert_from_file('v3_ca_missing_bc.der'),
-               useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
+  check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
 
   // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
   // intermediates when they have a v3 basic constraints extenstion (which
   // makes them invalid certs). Insanity only allows v1 certs to be CA in
   // anchor position (even if they have invalid encodings), v2 certs are not
   // considered CAs in any position.
   // Note that currently there are no change of behavior based on the
   // version of the end entity.
@@ -71,714 +70,476 @@ function run_tests_in_mode(useMozillaPKI
   let ee_error = 0;
   let ca_error = 0;
 
   //////////////
   // v1 CA supersection
   //////////////////
 
   // v1 intermediate with v1 trust anchor
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
 
   // v1 intermediate with v3 extensions. CA is invalid.
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
 
   // A v2 intermediate with a v1 CA
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
 
   // A v2 intermediate with basic constraints (not allowed in insanity)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
 
   // Section is OK. A x509 v3 CA MUST have bc
   // http://tools.ietf.org/html/rfc5280#section-4.2.1.9
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
- check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
+  check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
 
   // It is valid for a v1 ca to sign a v3 intemediate.
   check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
   check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
   check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
   check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
   check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
 
   // The next groups change the v1 ca for a v1 ca with base constraints
   // (invalid trust anchor). The error pattern is the same as the groups
   // above
 
   // Using A v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
 
   // Using a v1 intermediate with v3 extenstions (invalid).
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
 
   // Using v2 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
 
   // Using a v2 intermediate with basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
 
   // Using a v3 intermediate that is missing basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
 
   // these should pass assuming we are OK with v1 ca signing v3 intermediates
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
 
 
   //////////////
   // v2 CA supersection
   //////////////////
 
   // v2 ca, v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
 
   // v2 ca, v1 intermediate with basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
 
   // v2 ca, v2 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
 
   // v2 ca, v2 intermediate with basic constraints (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
 
   // v2 ca, v3 intermediate missing basic constraints
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
 
   // v2 ca, v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
 
   // v2 ca, v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
 
   // v2 ca, v1 intermediate with bc (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
 
   // v2 ca, v2 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
 
   // v2 ca, v2 intermediate with bc (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
 
   // v2 ca, invalid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
 
   // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
 
   //////////////
   // v3 CA supersection
   //////////////////
 
   // v3 ca, v1 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
 
   // A v1 intermediate with v3 extensions
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
 
   // reject a v2 cert as intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
 
   // v2 intermediate with bc (invalid)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
 
   // invalid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
 
   // I dont think that v3 intermediates should be allowed to sign v1 or v2
   // certs, but other thanthat this  is what we usually get in the wild.
   check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
   check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
   check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
   check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
   check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
 
   // v3 CA, invalid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
 
   // Int v1 with BC that is just invalid (classic fail insanity OK)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
 
   // Good section (all fail)
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
 
   // v2 intermediate (even with basic constraints) is invalid
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
 
   // v3 intermediate missing basic constraints is invalid
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
-    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  }
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
 
   // With a v3 root missing bc and valid v3 intermediate
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_CA_CERT_INVALID;
-    ee_error = SEC_ERROR_CA_CERT_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_CA_CERT_INVALID;
+  ee_error = SEC_ERROR_CA_CERT_INVALID;
   check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
   check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
-  if (useMozillaPKIX) {
-    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
-  } else {
-    ca_error = 0;
-    ee_error = 0;
-  }
+  ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
   check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
   check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
 }
-
-function run_test() {
-  load_cert("v1_ca", "CTu,CTu,CTu");
-  load_cert("v1_ca_bc", "CTu,CTu,CTu");
-  load_cert("v2_ca", "CTu,CTu,CTu");
-  load_cert("v2_ca_bc", "CTu,CTu,CTu");
-  load_cert("v3_ca", "CTu,CTu,CTu");
-  load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
-
-  run_tests_in_mode(false);
-  run_tests_in_mode(true);
-}
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@@ -26,96 +26,74 @@ function run_test() {
   for (var i = 0; i < gNumCAs; i++) {
     var ca_name = "ca-" + (i + 1);
     var ca_filename = ca_name + ".der";
     addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu");
     do_print("ca_name=" + ca_name);
     var cert = certdb.findCertByNickname(null, ca_name);
   }
 
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
-
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
-  clearOCSPCache();
-  clearSessionCache();
-
-  // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
-  var allCAUsages = useMozillaPKIX
-                  ? 'SSL CA'
-                  : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
-
   // mozilla::pkix doesn't allow CA certificates to have the Status Responder
   // EKU.
-  var ca_usages = [allCAUsages,
+  var ca_usages = ['SSL CA',
                    'SSL CA',
-                   allCAUsages,
-                   useMozillaPKIX ? ''
-                                  : 'Client,Server,Sign,Encrypt,Status Responder'];
+                   'SSL CA',
+                   ''];
 
   // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
-  var basicEndEntityUsages = useMozillaPKIX
-                           ? 'Client,Server,Sign,Encrypt,Object Signer'
-                           : 'Client,Server,Sign,Encrypt';
+  var basicEndEntityUsages = 'Client,Server,Sign,Encrypt,Object Signer';
   var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
 
-  // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
+  // mozilla::pkix won't let a certificate with the 'Status Responder' EKU get
   // validated for any other usage.
-  var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
-  var statusResponderUsagesFull
-      = useMozillaPKIX ? statusResponderUsages
-                       : basicEndEntityUsages + ',Object Signer,Status Responder';
-
   var ee_usages = [
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
-      statusResponderUsagesFull,
+      'Status Responder',
       'Client,Server',
       'Sign,Encrypt,Object Signer',
-      statusResponderUsages
+      'Status Responder'
     ],
 
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
-      statusResponderUsagesFull,
+      'Status Responder',
       'Client,Server',
       'Sign,Encrypt,Object Signer',
-      statusResponderUsages
+      'Status Responder'
     ],
 
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
-      statusResponderUsagesFull,
+      'Status Responder',
       'Client,Server',
       'Sign,Encrypt,Object Signer',
-      statusResponderUsages
+      'Status Responder'
     ],
 
     // The CA has isCA=true without keyCertSign.
     //
     // The 'classic' NSS mode uses the 'union' of the
     // capabilites so the cert is considered a CA.
     // mozilla::pkix and libpkix use the intersection of
     // capabilites, so the cert is NOT considered a CA.
-    [ useMozillaPKIX ? '' : basicEndEntityUsages,
-      useMozillaPKIX ? '' : basicEndEntityUsages,
-      useMozillaPKIX ? '' : basicEndEntityUsages,
+    [ '',
+      '',
+      '',
       '',
-      useMozillaPKIX ? '' : statusResponderUsagesFull,
-      useMozillaPKIX ? '' : 'Client,Server',
-      useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
-      useMozillaPKIX ? '' : 'Server,Status Responder'
+      '',
+      '',
+      '',
+      ''
      ]
   ];
 
   do_check_eq(gNumCAs, ca_usages.length);
 
   for (var i = 0; i < gNumCAs; i++) {
     var ca_name = "ca-" + (i + 1);
     var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -75,28 +75,16 @@ function run_test() {
     addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
   }
   load_ca("evroot");
   load_ca("non-evroot-ca");
 
   // setup and start ocsp responder
   Services.prefs.setCharPref("network.dns.localDomains",
                              'www.example.com, crl.example.com');
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
 
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
     check_ee_for_ev("ev-valid", isDebugBuild);
     ocspResponder.stop(run_next_test);
@@ -133,19 +121,17 @@ function add_tests_in_mode(useMozillaPKI
   // bug 917380: Chcek that an untrusted EV root is untrusted.
   const nsIX509Cert = Ci.nsIX509Cert;
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
 
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("ev-valid",
-                   useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
-                                  : SEC_ERROR_UNTRUSTED_ISSUER);
+    check_cert_err("ev-valid",SEC_ERROR_UNKNOWN_ISSUER);
     ocspResponder.stop(run_next_test);
   });
 
   // bug 917380: Chcek that a trusted EV root is trusted after disabling and
   // re-enabling trust.
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
@@ -157,34 +143,25 @@ function add_tests_in_mode(useMozillaPKI
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
     check_ee_for_ev("ev-valid", isDebugBuild);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function () {
-    check_no_ocsp_requests("ev-valid",
-      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
+    check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
   add_test(function () {
-    check_no_ocsp_requests("non-ev-root",
-      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                     : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
-                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
+    check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
   add_test(function () {
-    check_no_ocsp_requests("no-ocsp-url-cert",
-      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
+    check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
 
   // Test the EV continues to work with flags after successful EV verification
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
@@ -198,19 +175,17 @@ function add_tests_in_mode(useMozillaPKI
       let verifiedChain = {};
       let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
                   Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
 
       let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
                                        flags, verifiedChain, hasEVPolicy);
       do_check_eq(hasEVPolicy.value, isDebugBuild);
       do_check_eq(error,
-                  isDebugBuild ? 0
-                               : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                                                 : SEC_ERROR_EXTENSION_NOT_FOUND));
+                  isDebugBuild ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED);
       failingOcspResponder.stop(run_next_test);
     });
   });
 
   // Bug 991815 old but valid intermediates are OK
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
@@ -230,50 +205,44 @@ function add_tests_in_mode(useMozillaPKI
   add_test(function () {
     clearOCSPCache();
     // Since Mozilla::pkix does not consider the old amost invalid OCSP
     // response valid, it does not cache the old response and thus
     // makes a separate request for DV
     let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
     let debugResponseArray = ["good", "longvalidityalmostold",
                               "longvalidityalmostold"];
-    if (!useMozillaPKIX) {
-      debugCertNickArray = ["int-ev-valid", "ev-valid"];
-      debugResponseArray = ["good", "longvalidityalmostold"];
-    }
     let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
                           "test_ev_certs",
                           isDebugBuild ? debugCertNickArray : ["ev-valid"],
                           [], [],
                           isDebugBuild ? debugResponseArray
                                        : ["longvalidityalmostold"]);
-    check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
+    check_ee_for_ev("ev-valid", false);
     ocspResponder.stop(run_next_test);
   });
 
   // Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
   // EV (still OK for soft fail DV)
   add_test(function () {
     clearOCSPCache();
     let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
     let debugResponseArray = ["good", "ancientstillvalid",
                               "ancientstillvalid"];
-    if (!useMozillaPKIX) {
-      debugCertNickArray = ["int-ev-valid", "ev-valid"];
-      debugResponseArray = ["good", "ancientstillvalid"];
-    }
     let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
                           "test_ev_certs",
                           isDebugBuild ? debugCertNickArray : ["ev-valid"],
                           [], [],
                           isDebugBuild ? debugResponseArray
                                        : ["ancientstillvalid"]);
-    check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
+    check_ee_for_ev("ev-valid", false);
     ocspResponder.stop(run_next_test);
   });
+
+  run_next_test();
 }
 
 // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
 // to prevent spurious OCSP requests that race with OCSP stapling.
 // This has the side-effect of saying an EV certificate is not EV if
 // it hasn't already been verified (e.g. on the verification thread when
 // connecting to a site).
 // This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -65,31 +65,25 @@ function check_getchain(ee_cert, ssl_ca,
   certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
   check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
   certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
   // Do a final test on the case of no trust. The results must
   // be cosistent (the actual value is non-deterministic).
   check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
 }
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
   clearOCSPCache();
   clearSessionCache();
 
   for (let i = 0 ; i < certList.length; i++) {
     load_cert(certList[i], ',,');
   }
 
   let ee_cert = certdb.findCertByNickname(null, 'ee');
   do_check_false(!ee_cert);
 
   let ca = get_ca_array();
 
   check_getchain(ee_cert, ca[1], ca[2]);
   // Swap ca certs to deal alternate trust settings.
   check_getchain(ee_cert, ca[2], ca[1]);
 }
-
-function run_test() {
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -33,30 +33,24 @@ function test_cert_for_usages(certChainN
   let cert = certs[0];
   let verified = {};
   let usages = {};
   cert.getUsagesString(true, verified, usages);
   do_print("usages.value = " + usages.value);
   do_check_eq(expected_usages_string, usages.value);
 }
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
-
+function run_test() {
   // mozilla::pkix doesn't support the obsolete Netscape object signing
   // extension, but NSS does.
-  let ee_usage1 = useMozillaPKIX
-                ? 'Client,Server,Sign,Encrypt,Object Signer'
-                : 'Client,Server,Sign,Encrypt'
+  let ee_usage1 = 'Client,Server,Sign,Encrypt,Object Signer';
 
   // mozilla::pkix doesn't validate CA certificates for non-CA uses, but
   // NSS does.
-  let ca_usage1 = useMozillaPKIX
-                ? "SSL CA"
-                : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+  let ca_usage1 = "SSL CA";
 
   // Load the ca into mem
   let ca_name = "ca";
   load_cert(ca_name, "CTu,CTu,CTu");
   do_print("ca_name = " + ca_name);
   test_cert_for_usages([ca_name], ca_usage1);
 
   // A certificate with no basicConstraints extension is considered an EE.
@@ -82,36 +76,32 @@ function run_test_in_mode(useMozillaPKIX
 
   // ca
   //   int-limited-depth (cA==true, pathLenConstraint==0)
   //      int-limited-depth-invalid (cA==true)
   //
   // XXX: It seems the NSS code does not consider the path length of the
   // certificate we're validating, but mozilla::pkix does. mozilla::pkix's
   // behavior is correct.
-  test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
-                       useMozillaPKIX ? "" : ca_usage1);
+  test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], "");
   test_cert_for_usages(["ee-int-limited-depth-invalid",
                         "int-limited-depth-invalid",
                         "int-limited-depth"],
                        "");
 
   // int-valid-ku-no-eku has keyCertSign
   test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
   test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
                        ee_usage1);
 
   // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
   // but the KU extension is missing keyCertSign. Note that mozilla::pkix
   // doesn't validate certificates with basicConstraints.Ca==true for non-CA
   // uses, but NSS does.
-  test_cert_for_usages(["int-bad-ku-no-eku"],
-                       useMozillaPKIX
-                          ? ""
-                          : 'Client,Server,Sign,Encrypt,Status Responder');
+  test_cert_for_usages(["int-bad-ku-no-eku"], "");
   test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
 
   // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
   // We treat a missing KU as "any key usage is OK".
   test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
   test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
 
   // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
@@ -127,13 +117,8 @@ function run_test_in_mode(useMozillaPKIX
                        "");
 
   // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
   // EKU=={id-kp-serverAuth,id-kp-clientAuth}.
   test_cert_for_usages(["int-no-ku-server-eku"], "SSL CA");
   test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
                        "Client,Server");
 }
-
-function run_test() {
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -45,18 +45,19 @@ function check_ok_ca (x) {
 function check_fail(x) {
   return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
 }
 
 function check_fail_ca(x) {
   return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
 }
 
-function run_test_in_mode(useMozillaPKIX) {
-  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
+  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
+  load_cert("ca-nc", "CTu,CTu,CTu");
 
   // Note that CN is only looked at when there is NO subjectAltName!
 
   // Testing with a unconstrained root, and intermediate constrained to PERMIT
   // foo.com. All failures on this section are doe to the cert DNS names
   // not being under foo.com.
   check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
   // no dirName
@@ -264,16 +265,8 @@ function run_test_in_mode(useMozillaPKIX
   // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
   // NSS get it right.
   {
     let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
     check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
     check_cert_err_generic(cert, 0, certificateUsageSSLClient);
   }
 }
-
-function run_test() {
-  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
-  load_cert("ca-nc", "CTu,CTu,CTu");
-
-  run_test_in_mode(true);
-  run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -35,30 +35,23 @@ function run_test() {
 
     do_print("returning 200 OK");
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(gGoodOCSPResponse);
   });
   ocspResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_tests();
 
   add_test(function() { ocspResponder.stop(run_next_test); });
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
+function add_tests() {
   // This test assumes that OCSPStaplingServer uses the same cert for
   // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
 
   // Get an Unknown response for the *.exmaple.com cert and put it in the
   // OCSP cache.
   add_connection_test("ocsp-stapling-unknown.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                       clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
@@ -33,29 +33,16 @@ function run_test() {
   addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function() {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
   add_test(function() {
     clearOCSPCache();
     Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
     let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
     check_cert_err("a", 0);
     ocspResponder.stop(run_next_test);
   });
 
@@ -67,18 +54,16 @@ function add_tests_in_mode(useMozillaPKI
     ocspResponder.stop(run_next_test);
   });
 
   // GET does fallback on bad entry
   add_test(function() {
     clearOCSPCache();
     Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
     // Bug 1016681 mozilla::pkix does not support fallback yet.
-    if (!useMozillaPKIX) {
-      let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
-      check_cert_err("a", 0);
-      ocspResponder.stop(run_next_test);
-    } else {
-      run_next_test();
-    }
+    // let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
+    // check_cert_err("a", 0);
+    // ocspResponder.stop(run_next_test);
+    run_next_test();
   });
 
+  run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -23,40 +23,29 @@ function run_test() {
   let ocspResponder = new HttpServer();
   ocspResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(goodOCSPResponse);
   });
   ocspResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  // ocsp-stapling-none.example.com does not staple an OCSP response in the
+  // handshake, so the revocation checking code will attempt to fetch one.
+  // Since the domain of the certificate's OCSP AIA URI is an HSTS host
+  // (as added in the setup of this test, below), a buggy implementation would
+  // upgrade the OCSP request to HTTPS. We specifically prevent this. This
+  // test demonstrates that our implementation is correct in this regard.
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
+  add_test(function () { run_next_test(); });
 
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   let uri = Services.io.newURI("http://localhost", null, null);
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                           "max-age=10000", 0);
   do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
                                        "localhost", 0));
 
   run_next_test();
 }
-
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
-  // ocsp-stapling-none.example.com does not staple an OCSP response in the
-  // handshake, so the revocation checking code will attempt to fetch one.
-  // Since the domain of the certificate's OCSP AIA URI is an HSTS host
-  // (as added in the setup of this test), a buggy implementation would
-  // upgrade the OCSP request to HTTPS. We specifically prevent this. This
-  // test demonstrates that our implementation is correct in this regard.
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
-  add_test(function () { run_next_test(); });
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -27,32 +27,25 @@ function run_test() {
   ocspResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(ocspResponseBadSignature);
     gOCSPRequestCount++;
   });
   ocspResponder.start(8080);
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_tests();
 
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX)
+function add_tests()
 {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_test(function () {
     do_check_eq(gOCSPRequestCount, 1);
     gOCSPRequestCount = 0;
     run_next_test();
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -16,23 +16,17 @@ function add_ocsp_test(aHost, aExpectedR
       gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
-function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
+function add_tests(certDB, otherTestCA) {
   // In the absence of OCSP stapling, these should actually all work.
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false);
@@ -110,26 +104,21 @@ function add_tests_in_mode(useMozillaPKI
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
     }
   );
   add_ocsp_test("ocsp-stapling-empty.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
 
-  // TODO(bug 979070): NSS can't handle this yet.
-  if (useMozillaPKIX) {
-    add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
-  }
+  add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
 
   add_ocsp_test("ocsp-stapling-critical-extension.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
-                  : Cr.NS_OK, // TODO(bug 987426): NSS doesn't handle unknown critical extensions
+                getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
                 true);
   add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
   // TODO(bug 997994): Disallow empty Extensions in responses
   add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true);
 
   add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true);
   add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true);
   add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
@@ -150,21 +139,21 @@ function add_tests_in_mode(useMozillaPKI
   // test_ocsp_stapling_expired.js
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 5 + 6); // 5 or 6 connections with a good response (bug 987426)
-  do_check_eq(histogram.counts[2], 2 * 18); // 18 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
-  do_check_eq(histogram.counts[4], 19 + 17); // 19 or 17 connections with bad responses (bug 979070, bug 987426)
+  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
+  do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
+  do_check_eq(histogram.counts[4], 19); // 19 connections with bad responses
   run_next_test();
 }
 
 function run_test() {
   do_get_profile();
 
   let certDB = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
@@ -176,17 +165,16 @@ function run_test() {
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     do_check_true(gExpectOCSPRequest);
   });
   fakeOCSPResponder.start(8080);
 
   add_tls_server_setup("OCSPStaplingServer");
 
-  add_tests_in_mode(true, certDB, otherTestCA);
-  add_tests_in_mode(false, certDB, otherTestCA);
+  add_tests(certDB, otherTestCA);
 
   add_test(function () {
     fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
   });
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -55,139 +55,112 @@ function run_test() {
     } else {
       response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
       response.write("Internal Server Error");
     }
     gOCSPRequestCount++;
   });
   ocspResponder.start(8080);
   add_tls_server_setup("OCSPStaplingServer");
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  add_test(function () { ocspResponder.stop(run_next_test); });
-  add_test(check_ocsp_stapling_telemetry);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
 
   // In these tests, the OCSP stapling server gives us a stapled
   // response based on the host name ("ocsp-stapling-expired" or
   // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
   // properly falling back to fetching revocation information.
   // For ocsp-stapling-expired.example.com, the OCSP stapling server
   // staples an expired OCSP response. The certificate has not expired.
   // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
   // server staples an OCSP response with a recent signature but with an
   // out-of-date validity period. The certificate has not expired.
   add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
                 ocspResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
                 ocspResponseGood);
-  // With mozilla::pkix, if we can't fetch a more recent response when
+  // if we can't fetch a more recent response when
   // given an expired stapled response, we terminate the connection.
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 null);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                useMozillaPKIX
-                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
-                  : Cr.NS_OK,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 null);
   // Of course, if the newer response indicates Revoked or Unknown,
   // that status must be returned.
   add_ocsp_test("ocsp-stapling-expired.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
 
-  if (useMozillaPKIX) {
-    // If the response is expired but indicates Revoked or Unknown and a
-    // newer status can't be fetched, the Revoked or Unknown status will
-    // be returned.
-    add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
-                  null);
-    add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                  null);
-    // If the response is expired but indicates Revoked or Unknown and
-    // a newer status can be fetched and successfully verified, this
-    // should result in a successful certificate verification.
-    add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
-                  ocspResponseGood);
-    add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
-                  ocspResponseGood);
-    // If a newer status can be fetched but it fails to verify, the
-    // Revoked or Unknown status of the expired stapled response
-    // should be returned.
-    add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
-                  expiredOCSPResponseGood);
-    add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                  expiredOCSPResponseGood);
-  }
+  // If the response is expired but indicates Revoked or Unknown and a
+  // newer status can't be fetched, the Revoked or Unknown status will
+  // be returned.
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                null);
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                null);
+  // If the response is expired but indicates Revoked or Unknown and
+  // a newer status can be fetched and successfully verified, this
+  // should result in a successful certificate verification.
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  // If a newer status can be fetched but it fails to verify, the
+  // Revoked or Unknown status of the expired stapled response
+  // should be returned.
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                expiredOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                expiredOCSPResponseGood);
 
-  if (useMozillaPKIX) {
-    // These tests are verifying that an valid but very old response
-    // is rejected as a valid stapled response, requiring a fetch
-    // from the ocsp responder.
-    add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
-                  ocspResponseGood);
-    add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
-                  ocspResponseRevoked);
-    add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                  getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                  ocspResponseUnknown);
-  }
+  // These tests are verifying that an valid but very old response
+  // is rejected as a valid stapled response, requiring a fetch
+  // from the ocsp responder.
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                ocspResponseRevoked);
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                ocspResponseUnknown);
+
+  add_test(function () { ocspResponder.stop(run_next_test); });
+  add_test(check_ocsp_stapling_telemetry);
+  run_next_test();
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
-  do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 2 * 12 + 9); // 12 connections with an expired response
-                                                // +9 more mozilla::pkix-only expired responses
-  do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
+  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
+  do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 21); // 21 connections with an expired response
+  do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -28,28 +28,17 @@ function run_test() {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     let body = "Refusing to return a response";
     response.bodyOutputStream.write(body, body.length);
   });
   ocspResponder.start(8080);
 
   add_tls_server_setup("OCSPStaplingServer");
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
+  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
 
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(function() {
     do_check_eq(gOCSPRequestCount, 0);
     run_next_test();
   });
   run_next_test();
 }
-
-function add_tests_in_mode(useMozillaPKIX) {
-  add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
-  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -33,30 +33,26 @@ function run_test() {
 
   add_tls_server_setup("OCSPStaplingServer");
 
   let socket = Cc["@mozilla.org/network/server-socket;1"]
                  .createInstance(Ci.nsIServerSocket);
   socket.init(8080, true, -1);
   socket.asyncListen(gSocketListener);
 
-  add_tests_in_mode(true, true);
-  add_tests_in_mode(false, true);
-  add_tests_in_mode(true, false);
-  add_tests_in_mode(false, false);
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
 
   add_test(function() { socket.close(); run_next_test(); });
   run_next_test();
 }
 
-function add_tests_in_mode(useMozillaPKIX, useHardFail) {
+function add_tests_in_mode(useHardFail) {
   let startTime;
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
     Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
     startTime = new Date();
     run_next_test();
   });
 
   add_connection_test("ocsp-stapling-none.example.com", useHardFail
                       ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR)
                       : Cr.NS_OK, clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -35,69 +35,48 @@ function run_test() {
   addCertFromFile(certdb, "test_ocsp_url/int.der", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   Services.prefs.setCharPref("network.dns.localDomains",
                              "www.example.com");
 
-  add_tests_in_mode(true);
-  add_tests_in_mode(false);
-  run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
-  add_test(function() {
-    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
-                               useMozillaPKIX);
-    run_next_test();
-  });
-
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("bad-scheme",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("bad-scheme",SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("empty-scheme-url",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("https-url",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
     check_cert_err("hTTp-url", 0);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("negative-port",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     // XXX Bug 1013615 parser accepts ":8888" as hostname
     check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
@@ -109,33 +88,28 @@ function add_tests_in_mode(useMozillaPKI
     let ocspResponder = start_ocsp_responder(["no-path-url"], ['']);
     check_cert_err("no-path-url", 0);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("no-scheme-host-port",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("no-scheme-url",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("unknown-scheme",
-                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
-                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
     ocspResponder.stop(run_next_test);
   });
 
+  run_next_test();
 }
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -1242,22 +1242,16 @@
   "CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 200,
     "extended_statistics_ok": true,
     "description": "ms elapsed time of OCSP etc.. that failed"
   },
-  "CERT_VALIDATION_LIBRARY": {
-    "expires_in_version": "never",
-    "kind": "enumerated",
-    "n_values": 4,
-    "description": "Which certificate validation library is in use? (1=classic, 2=libpkix, 3=mozilla::pkix)"
-  },
   "SSL_KEY_EXCHANGE_ALGORITHM_FULL": {
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 16,
     "description": "SSL Handshake Key Exchange Algorithm for full handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
   },
   "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED": {
     "expires_in_version": "never",
@@ -4493,56 +4487,24 @@
   "TELEMETRY_MEMORY_REPORTER_MS": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "5000",
     "n_buckets": 10,
     "extended_statistics_ok": true,
     "description": "Time (ms) it takes to run memory reporters when sending a telemetry ping"
   },
-  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX": {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on a successful cert verification in libpix mode (ms)"
-  },
-  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on a successful cert  verification in classic mode (ms)"
-  },
   "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
   },
-  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on an initially failed cert verification in libpix mode (ms)"
-  },
-  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
-    "expires_in_version": "never",
-    "kind": "exponential",
-    "high": "60000",
-    "n_buckets": 50,
-    "extended_statistics_ok": true,
-    "description": "Time spent on an initially failed cert  verification in classic mode (ms)"
-  },
   "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)"
   },