Backout bug 967975 (cset bd81c8232ffa) temporarily to make uplifting OCSP patches easier, r=me, a=will-reland-immediately
authorBrian Smith <brian@briansmith.org>
Thu, 27 Feb 2014 01:15:12 -0800
changeset 183046 8a368aa4a72a3a2ecfed28a699bab302466575f8
parent 183045 db0cfa150cdd374876e1853d6153a17b9696e558
child 183047 4c7749cb2702f6d1fe282059fc069652252137eb
push id3343
push userffxbld
push dateMon, 17 Mar 2014 21:55:32 +0000
treeherdermozilla-beta@2f7d3415f79f [default view] [failures only]
reviewersme, will-reland-immediately
bugs967975
milestone29.0a2
Backout bug 967975 (cset bd81c8232ffa) temporarily to make uplifting OCSP patches easier, r=me, a=will-reland-immediately
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/tlsserver/cert8.db
security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
security/manager/ssl/tests/unit/tlsserver/default-ee.der
security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
security/manager/ssl/tests/unit/tlsserver/key3.db
security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
security/manager/ssl/tests/unit/tlsserver/secmod.db
security/manager/ssl/tests/unit/tlsserver/test-ca.der
security/manager/ssl/tests/unit/xpcshell.ini
testing/mochitest/Makefile.in
toolkit/components/telemetry/Histograms.json
toolkit/mozapps/installer/packager.mk
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -286,37 +286,16 @@ private:
   const PRErrorCode mDefaultErrorCodeToReport;
   const uint32_t mCollectedErrors;
   const PRErrorCode mErrorCodeTrust;
   const PRErrorCode mErrorCodeMismatch;
   const PRErrorCode mErrorCodeExpired;
   const uint32_t mProviderFlags;
 };
 
-// A probe value of 1 means "no error".
-uint32_t
-MapCertErrorToProbeValue(PRErrorCode errorCode)
-{
-  switch (errorCode)
-  {
-    case SEC_ERROR_UNKNOWN_ISSUER:                     return  2;
-    case SEC_ERROR_CA_CERT_INVALID:                    return  3;
-    case SEC_ERROR_UNTRUSTED_ISSUER:                   return  4;
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:         return  5;
-    case SEC_ERROR_UNTRUSTED_CERT:                     return  6;
-    case SEC_ERROR_INADEQUATE_KEY_USAGE:               return  7;
-    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:  return  8;
-    case SSL_ERROR_BAD_CERT_DOMAIN:                    return  9;
-    case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
-  }
-  NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
-             "handle everything in PRErrorCodeToOverrideType?");
-  return 0;
-}
-
 SSLServerCertVerificationResult*
 CertErrorRunnable::CheckCertOverrides()
 {
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("[%p][%p] top of CheckCertOverrides\n",
                                     mFdForLogging, this));
 
   if (!NS_IsMainThread()) {
     NS_ERROR("CertErrorRunnable::CheckCertOverrides called off main thread");
@@ -373,32 +352,16 @@ CertErrorRunnable::CheckCertOverrides()
       if (NS_SUCCEEDED(nsrv) && haveOverride)
       {
        // remove the errors that are already overriden
         remaining_display_errors &= ~overrideBits;
       }
     }
 
     if (!remaining_display_errors) {
-      // This can double- or triple-count one certificate with multiple
-      // different types of errors. Since this is telemetry and we just
-      // want a ballpark answer, we don't care.
-      if (mErrorCodeTrust != 0) {
-        uint32_t probeValue = MapCertErrorToProbeValue(mErrorCodeTrust);
-        Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue);
-      }
-      if (mErrorCodeMismatch != 0) {
-        uint32_t probeValue = MapCertErrorToProbeValue(mErrorCodeMismatch);
-        Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue);
-      }
-      if (mErrorCodeExpired != 0) {
-        uint32_t probeValue = MapCertErrorToProbeValue(mErrorCodeExpired);
-        Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, probeValue);
-      }
-
       // all errors are covered by override rules, so let's accept the cert
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
              ("[%p][%p] All errors covered by override rules\n",
              mFdForLogging, this));
       return new SSLServerCertVerificationResult(mInfoObject, 0);
     }
   } else {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@@ -984,17 +947,16 @@ SSLServerCertVerificationJob::Run()
                                    mStapledOCSPResponse, mProviderFlags,
                                    mTime);
     if (rv == SECSuccess) {
       uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
       RefPtr<SSLServerCertVerificationResult> restart(
         new SSLServerCertVerificationResult(mInfoObject, 0,
                                             successTelemetry, interval));
       restart->Dispatch();
-      Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);
       return NS_OK;
     }
 
     // Note: the interval is not calculated once as PR_GetError MUST be called
     // before any other  function call
     error = PR_GetError();
     {
       TimeStamp now = TimeStamp::Now();
@@ -1136,17 +1098,16 @@ AuthCertificateHook(void* arg, PRFileDes
   // We can't do certificate verification on a background thread, because the
   // thread doing the network I/O may not interrupt its network I/O on receipt
   // of our SSLServerCertVerificationResult event, and/or it might not even be
   // a non-blocking socket.
 
   SECStatus rv = AuthCertificate(*certVerifier, socketInfo, serverCert,
                                  stapledOCSPResponse, providerFlags, now);
   if (rv == SECSuccess) {
-    Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);
     return SECSuccess;
   }
 
   PRErrorCode error = PR_GetError();
   if (error != 0) {
     RefPtr<CertErrorRunnable> runnable(
         CreateCertErrorRunnable(*certVerifier, error, socketInfo, serverCert,
                                 stapledOCSPResponse,
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -14,42 +14,33 @@ let { HttpServer } = Cu.import("resource
 let { ctypes } = Cu.import("resource://gre/modules/ctypes.jsm");
 
 let gIsWindows = ("@mozilla.org/windows-registry-key;1" in Cc);
 
 const isDebugBuild = Cc["@mozilla.org/xpcom/debug;1"]
                        .getService(Ci.nsIDebug2).isDebugBuild;
 
 const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
-const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
 
 // Sort in numerical order
-const SEC_ERROR_EXPIRED_CERTIFICATE                     = SEC_ERROR_BASE +  11;
 const SEC_ERROR_REVOKED_CERTIFICATE                     = SEC_ERROR_BASE +  12;
 const SEC_ERROR_UNKNOWN_ISSUER                          = SEC_ERROR_BASE +  13;
 const SEC_ERROR_BAD_DATABASE                            = SEC_ERROR_BASE +  18;
 const SEC_ERROR_UNTRUSTED_ISSUER                        = SEC_ERROR_BASE +  20;
-const SEC_ERROR_UNTRUSTED_CERT                          = SEC_ERROR_BASE +  21;
-const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE              = SEC_ERROR_BASE +  30;
 const SEC_ERROR_EXTENSION_NOT_FOUND                     = SEC_ERROR_BASE +  35;
-const SEC_ERROR_CA_CERT_INVALID                         = SEC_ERROR_BASE +  36;
-const SEC_ERROR_INADEQUATE_KEY_USAGE                    = SEC_ERROR_BASE +  90;
 const SEC_ERROR_OCSP_MALFORMED_REQUEST                  = SEC_ERROR_BASE + 120;
 const SEC_ERROR_OCSP_SERVER_ERROR                       = SEC_ERROR_BASE + 121;
 const SEC_ERROR_OCSP_TRY_SERVER_LATER                   = SEC_ERROR_BASE + 122;
 const SEC_ERROR_OCSP_REQUEST_NEEDS_SIG                  = SEC_ERROR_BASE + 123;
 const SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST               = SEC_ERROR_BASE + 124;
 const SEC_ERROR_OCSP_UNKNOWN_CERT                       = SEC_ERROR_BASE + 126;
 const SEC_ERROR_OCSP_MALFORMED_RESPONSE                 = SEC_ERROR_BASE + 129;
 const SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE              = SEC_ERROR_BASE + 130;
 const SEC_ERROR_OCSP_OLD_RESPONSE                       = SEC_ERROR_BASE + 132;
 const SEC_ERROR_OCSP_INVALID_SIGNING_CERT               = SEC_ERROR_BASE + 144;
-const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED       = SEC_ERROR_BASE + 176;
-
-const SSL_ERROR_BAD_CERT_DOMAIN                         = SSL_ERROR_BASE +  12;
 
 // Supported Certificate Usages
 const certificateUsageSSLClient              = 0x0001;
 const certificateUsageSSLServer              = 0x0002;
 const certificateUsageSSLCA                  = 0x0008;
 const certificateUsageEmailSigner            = 0x0010;
 const certificateUsageEmailRecipient         = 0x0020;
 const certificateUsageObjectSigner           = 0x0040;
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ /dev/null
@@ -1,103 +0,0 @@
-// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-"use strict";
-
-// Tests the certificate overrides we allow.
-// add_cert_override_test will queue a test that does the following:
-// 1. Attempt to connect to the given host. This should fail with the
-//    given error and override bits.
-// 2. Add an override for that host/port/certificate/override bits.
-// 3. Connect again. This should succeed.
-
-function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
-  let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                               .SSLStatus;
-  let bits =
-    (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
-    (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
-    (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
-  do_check_eq(bits, aExpectedBits);
-  let cert = sslstatus.serverCert;
-  let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
-                              .getService(Ci.nsICertOverrideService);
-  certOverrideService.rememberValidityOverride(aHost, 8443, cert, aExpectedBits,
-                                               true);
-}
-
-function add_cert_override_test(aHost, aExpectedBits, aExpectedError) {
-  add_connection_test(aHost, aExpectedError, null,
-                      add_cert_override.bind(this, aHost, aExpectedBits));
-  add_connection_test(aHost, Cr.NS_OK);
-}
-
-function check_telemetry() {
-  let histogram = Cc["@mozilla.org/base/telemetry;1"]
-                    .getService(Ci.nsITelemetry)
-                    .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
-                    .snapshot();
-  do_check_eq(histogram.counts[ 0], 0);
-  do_check_eq(histogram.counts[ 1], 1);
-  do_check_eq(histogram.counts[ 2], 1);
-  do_check_eq(histogram.counts[ 3], 1);
-  do_check_eq(histogram.counts[ 4], 1);
-  do_check_eq(histogram.counts[ 5], 1);
-  do_check_eq(histogram.counts[ 6], 1);
-  do_check_eq(histogram.counts[ 7], 1);
-  do_check_eq(histogram.counts[ 8], 1);
-  do_check_eq(histogram.counts[ 9], 1);
-  do_check_eq(histogram.counts[10], 1);
-  run_next_test();
-}
-
-function run_test() {
-  do_get_profile();
-  add_tls_server_setup("BadCertServer");
-  add_cert_override_test("expired.example.com",
-                         Ci.nsICertOverrideService.ERROR_TIME,
-                         getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
-  add_cert_override_test("selfsigned.example.com",
-                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_CA_CERT_INVALID));
-  add_cert_override_test("unknownissuer.example.com",
-                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
-  add_cert_override_test("expiredissuer.example.com",
-                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
-  add_cert_override_test("md5signature.example.com",
-                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
-  add_cert_override_test("inadequatekeyusage.example.com",
-                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
-  add_cert_override_test("mismatch.example.com",
-                         Ci.nsICertOverrideService.ERROR_MISMATCH,
-                         getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
-  // Before we specifically distrust this certificate, it should be trusted.
-  add_connection_test("untrusted.example.com", Cr.NS_OK);
-  add_test(function() {
-    let certdb = Cc["@mozilla.org/security/x509certdb;1"]
-                    .getService(Ci.nsIX509CertDB);
-    // A trust argument of "pu" means the cert is actively distrusted.
-    addCertFromFile(certdb, "tlsserver/default-ee.der", "pu,,");
-    clearSessionCache();
-    run_next_test();
-  });
-  add_cert_override_test("untrusted.example.com",
-                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT));
-  add_test(function() {
-    let certdb = Cc["@mozilla.org/security/x509certdb;1"]
-                    .getService(Ci.nsIX509CertDB);
-    // A trust argument of "pu" means the cert is actively distrusted.
-    addCertFromFile(certdb, "tlsserver/other-test-ca.der", "pu,,");
-    run_next_test();
-  });
-  add_cert_override_test("untrustedissuer.example.com",
-                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
-                         getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
-  add_test(check_telemetry);
-  run_next_test();
-}
index 95fa54f725bb28cd3add0789062a5359c143a101..ac0939405ba15d6f36089591a35b411aab673c5d
GIT binary patch
literal 65536
zc%1FsdpuNm9|!O=7h|GHE+rE+sJ1I-keE!vO3^(@8>z&^yuyen)OyMka*4K^F0|W)
z&`lR5$x4Y@vPe|4T~}M%#Ynn)W=wh7Ug+t0?epxup4aE?bzU>`n&0o7ne+Rc<FD^`
z2u3eYf*_~_L9ZkTTlrI>2SHE><wh{yKcT*Vq_sV^y+vp%o^J{Wze6Zd-*5kOOv+zz
zQ~&?~0000000000000000000000000000000001hKaUR4B6ueFT~H;sDA*^66CB}h
z;?Loa<7<z8#=FQn#yeoO$!dYs*H%p<i$*q$Yy|)S0000000000000000000000000
z0001h{~jiVpxY|`sKW?dQcC@blv39HK%-KqR0^GBF}e+na*S$WQ79@Z1gXzulYJPp
znRJ@Ari(CG!f^_a2!s5E-Xc$lknE?+;+k{K<Qr*Dnp?Z+vMfG+Ne<@@B?l{K8@A1M
z2=E>u43LN<VVn?=#P^STi}?QIqf=A}TEtp{jEJE|L=f5cdL+^7Cr;0=%XC;ex!`0$
zn!~oCC0S#)nx(W>4O9tvlkhTixx<Mh;+27)=g?`A*1LW!HnXLNSW6<atl1+>onMxB
zZ<%VM!mif$)*F_5TyS#1os>rhHd|6d)his!Ewd+Crmb;`N~j3Si0a>RWYE<e!HZ{2
zOq50R{c86f_O<C$8ik<j7Lh)rvHbfOXwvmbwzQj{*vr$;R~#&nvWA)nLp}Wi{e&i7
zVt>+%!5qerpFmX#g+7QJKpK5`O;VzI`${B%JX6#5$vi94iZms=D|W0+p|sMeB=N~Q
z(B!8e#oKT4@JT&_XM~i`TswbN{Y#+*J?G$6mmzojho((%YN+5?&UU8{i^!TCHFxNn
zAon?XqEWw!=m$p~vY5*<boo(Fyll`e6}8)yHtRLUtMm02e!qR;w(k}g_CDr#&17S$
z2G7^0*|%hOVE>gg;z32raZ#ZK=cf8QH`nFVD|JS;T4Jx@KnI6e@@4yY)d+cJx(o@E
zN)RSrmIP`ihiXqQMMf~?seLTpX1z}??bGCHaeI<Ilt)x;JEFbaXY<;1+PlhU+Ai9~
z?1wqh&7(wBBTmndG;9iMW@R+w8hgB*#a{ko`las-E>-nRxyM&=U%L3h+g-h#nY*8w
z#Hv3sSlC<>v%hHf^?|47Tqsb#btXAiyDs4egL)Rj(eFm1^{{IPqHiCq81T+8`P7&-
zbrN5n9{hW0J;PO4YKgIow>ylERce$AQkD6fKsx?M(bH;=9+PCqAE=a$0=ROxEXGEb
z?W1GTyy5zgXX`K5{j4!O)%8hu@ZjQ{#MP~$;KWp_L&21bseAY2_024~dAN?YqR%GP
zeYeKYYPIuEt-Z&NG+XE!dZe^kPqndp@3Eta=`&gzZD&MVsm4zXFMP3Npy?zFtEC$o
zyS>Rx-+Vv!Ov82Y=Hkk`N5jsGPtk@*<SXJd#f6Zsbq9;fq$z%ynn@5Jh7r98qQjB2
z&jhyp{;1J*e^i&JO!7WulrK-2)gM!4<wml(eaPO*IU1i_3teXHfsRa6vtvVM^sKGY
znMbXs|L~86yw=xqpSo>L(C}DV`ugR~I?hrvR~OdvLHC#5ePvg8qwjGiPRPMtm9#n9
z=A(YqnwB}t{#?_NeJ^fhtShYxRXuCq)g-J<Sdb)QKVPY0S5m6((4x_AJ2lU;Pkx{M
zhnkG}O}Q-_L)DyhW*&$>cJ^;@5A5#edOeKv7}fOcnkRKO-m&Ug%bi{fOutZn>watL
zR}*uWu8*;=j+s}u=;gYc^s`QWgHm(ng{tMml`*2cpE~{?fB2c*=(~0ehB*@xMY?xN
zstuoQ)mdm5`Y_#Tb@IWTY5vwOj;FXY)r_sHpPYEPvvGBSaRp&+S?QMXIJPRGyga4-
z^V$V?J1D=az1W|S=c3a@>JmgJvlIdCa3Za%h$w#TyteHoc&_axSRmhqDC4O@q`Z<1
z_%xz@xV=do<-S-`CBDKSj^y7AYUeY%ifR7rT_(nhG+drdKF82%ShP-)a&^tQshp|b
z_6VwPvWOqPeU*C5sbx81lV|zt(tSu}?YZIQpldn0qWTc!>#fH!oFZ*sh>G@V`dzVD
zHKWmBt=o#qLK8CZO;U^Y$O7l9&hE8?>LsH`f5*8SoHG5y$(22yPafY}7R+8?)0%N1
zexgUcGN$rR-ob6{)9Y7}DWffWLvEk-IAJ$9&S`w%i86Ke;@AF?qTkZS**mnZcv_n6
z5w6aA{bQ!C$|YIW`iGTf=k;Bi=4GS^;*LuV4$%^;1KB&jDYA+mx4I@UA){Z`jtQo}
zELlw1p%+Q<39mj{W8&1y{!u)Az}(H_-PfIrJz{#B%zu#TyR3Ns5jE2weS5Lu%-Y+@
zqtdo|ot|{XKT>w*Z&N?)M=?&PqgYWDBNYP(f^ZcE1&hQ1gck8okT2LHsO6vL$M6^P
zr}1t096pm@WpmnQ122~6!?WTwTmNL;Z2ebvDgXcg0000000000000000000000000
z000000Qf)FUYOiTp9P{nL42mG1MSN?Iw)#V`*poX>W8}hf7Rcs5!$4b${?i_@%#FF
z>Yvf&p%+)1)Ktz<Q<l)$3xgzG)->l%^VCdtd*PlJT~bq{Z(LxcsyfEz?f!@d5vn)!
zQ>*&rdOw|;%{l!l`Q0+cWAU~g10$0UdK5~3wwcp^Z^(g-dMn@F858w5xVz9cK5e0R
z*&5rycAP`kUev0`jo%V-yyQg9B-2HuKh^fFO?^v^XmOo?HzQA=qLDW)TIN5&%{qqr
zHz>U~uReNKxR*Zi%E0`zFunXcO>r8#msGp!mrPjZKi@1f;8r)o=3*Ca-Z_hXXUoQT
zmr2U<SSQaUcH_C{xjmP~uG8RIgw4>|Qgk#+D!cb=tWkY9`*qmCh6U1Sed$TftaM-9
zMM9=*n$Z)VeMe434wj9xbg<D`@$;EgT2+mU=@q0Rt8J?#&zVD8%m{fLIxV}`R;K%t
z8H$qo4kyt%NrfV~x}Cg7?ce~4@%mkr?^8Qz2GHKV;zJp?;v)P^ML4aCV)6Da0Xc-K
z`~o^A-wZzL5@7siG_vSuPFGh^v1gvw{X5*UH-)jAHw`cvv9cR;f4?c7+rk>>r+JUk
z9Gk6rNp_8M-i&|Ce_WieSa@}tzc?q&Q#6jyS;;CZZj5#|U%&kE!v*0L&JFBHhU=q*
zkfJ0;&O5i)<!a6E>ZgpIS6J`SE2z?`r*9ue_WkbheKV6^XiHMphkd`OOvN(kOFIMX
z?0+M8$UjofWpX*^`_FxJ@i)zYIojTO?7PMLw(s%M+O8FEZm?Yt>Dy1O=aXxj%C0nZ
z*R5(QuKMX|b?r3sce3<?qR3GCO}&=O?v2m$Yf3ye)E1a;;3Yn?zcEH_(bZc9wcN+6
zx0t<7%Kl|zE`wuKdU?)a-`2yI3z*$|1;%}oIpcl3K1I1;okm?%+4Dq^89ilYIvm_#
sFO;``bvG&i00000000000000000000000000000000000003zHCn#~jWB>pF
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ /dev/null
@@ -1,74 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This is a standalone server that uses various bad certificates.
-// The client is expected to connect, initiate an SSL handshake (with SNI
-// to indicate which "server" to connect to), and verify the certificate.
-// If all is good, the client then sends one encrypted byte and receives that
-// same byte back.
-// This server also has the ability to "call back" another process waiting on
-// it. That is, when the server is all set up and ready to receive connections,
-// it will connect to a specified port and issue a simple HTTP request.
-
-#include <stdio.h>
-
-#include "TLSServer.h"
-
-using namespace mozilla;
-using namespace mozilla::test;
-
-struct BadCertHost
-{
-  const char *mHostName;
-  const char *mCertName;
-};
-
-const BadCertHost sBadCertHosts[] =
-{
-  { "expired.example.com", "expired" },
-  { "selfsigned.example.com", "selfsigned" },
-  { "unknownissuer.example.com", "unknownissuer" },
-  { "mismatch.example.com", "mismatch" },
-  { "expiredissuer.example.com", "expiredissuer" },
-  { "md5signature.example.com", "md5signature" },
-  { "untrusted.example.com", "localhostAndExampleCom" },
-  { "inadequatekeyusage.example.com", "inadequatekeyusage" },
-  { "untrustedissuer.example.com", "untrustedissuer" },
-  { nullptr, nullptr }
-};
-
-int32_t
-DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
-                  uint32_t aSrvNameArrSize, void *aArg)
-{
-  const BadCertHost *host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
-                                          sBadCertHosts);
-  if (!host) {
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  if (gDebugLevel >= DEBUG_VERBOSE) {
-    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
-  }
-
-  ScopedCERTCertificate cert;
-  SSLKEAType certKEA;
-  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName,
-                                                    &cert, &certKEA)) {
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  return 0;
-}
-
-int
-main(int argc, char *argv[])
-{
-  if (argc != 2) {
-    fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]);
-    return 1;
-  }
-
-  return StartServer(argv[1], DoSNISocketConfig, nullptr);
-}
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -2,16 +2,15 @@
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 FAIL_ON_WARNINGS = True
 
 SIMPLE_PROGRAMS = [
-    'BadCertServer',
     'GenerateOCSPResponse',
     'OCSPStaplingServer',
 ]
 
 SOURCES += [
     '%s.cpp' % s for s in SIMPLE_PROGRAMS
 ]
deleted file mode 100644
index d6ce471b8362ed4733bbc38e3765242a4c6eeef8..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -74,69 +74,54 @@ function make_CA {
 
 SERIALNO=1
 
 function make_INT {
   INT_RESPONSES="y\n0\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
   CA="${3}"
-  EXTRA_ARGS="${4}"
 
   echo -e "$INT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
                                                     -n $NICKNAME \
                                                     -s "$SUBJECT" \
                                                     -c $CA \
                                                     -t ",," \
                                                     -m $SERIALNO \
                                                     --extAIA \
-                                                    $COMMON_ARGS \
-                                                    $EXTRA_ARGS
+                                                    $COMMON_ARGS
   SERIALNO=$(($SERIALNO + 1))
 }
 
 function make_EE {
   CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
   CA="${3}"
   SUBJECT_ALT_NAME="${4}"
-  EXTRA_ARGS="${5}"
+  if [ -n "$SUBJECT_ALT_NAME" ]; then
+    SUBJECT_ALT_NAME="-8 $SUBJECT_ALT_NAME"
+  fi
 
   echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
                                                      -n $NICKNAME \
                                                      -s "$SUBJECT" \
-                                                     -8 $SUBJECT_ALT_NAME \
+                                                     $SUBJECT_ALT_NAME \
                                                      -c $CA \
                                                      -t ",," \
                                                      -m $SERIALNO \
                                                      --extAIA \
-                                                     $COMMON_ARGS \
-                                                     $EXTRA_ARGS
+                                                     $COMMON_ARGS
   SERIALNO=$(($SERIALNO + 1))
 }
 
 make_CA testCA 'CN=Test CA' test-ca.der
 make_CA otherCA 'CN=Other test CA' other-test-ca.der
 make_EE localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com"
-$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n localhostAndExampleCom -r > $OUTPUT_DIR/default-ee.der
 # A cert that is like localhostAndExampleCom, but with a different serial number for
 # testing the "OCSP response is from the right issuer, but it is for the wrong cert"
 # case.
 make_EE ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"
 
 make_INT testINT 'CN=Test Intermediate' testCA
 make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
-make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
-make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com"
-make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.com" "-x"
-# If the certificate 'CN=Test Intermediate' isn't loaded into memory,
-# this certificate will have an unknown issuer.
-make_INT deletedINT 'CN=Test Intermediate to delete' testCA
-make_EE unknownissuer 'CN=Test End-entity from unknown issuer' deletedINT "unknownissuer.example.com"
-$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -D -n deletedINT
-make_INT expiredINT 'CN=Expired Test Intermediate' testCA "-w -400"
-make_EE expiredissuer 'CN=Test End-entity with expired issuer' expiredINT "expiredissuer.example.com"
-NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature 'CN=Test End-entity with MD5 signature' testCA "md5signature.example.com" "-Z MD5"
-make_EE inadequatekeyusage 'CN=Test End-entity with inadequate key usage' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
-make_EE untrustedissuer 'CN=Test End-entity with untrusted issuer' otherCA "untrustedissuer.example.com"
 
 cleanup
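Review bot: In make_EE the unquoted `$SUBJECT_ALT_NAME` on the certutil command line now relies on word splitting to separate `-8` from its value, and the value is still subject to pathname expansion. The callers in this hunk pass `localhost,*.example.com`, so a matching file name in the working directory would silently change the SAN baked into a test certificate. Reusing one variable for both the flag and the value also obscures what is being passed. Dropping the `if` block and writing the argument as `${SUBJECT_ALT_NAME:+-8 "$SUBJECT_ALT_NAME"} \` keeps the flag optional and passes the value as a single quoted word. Every make_EE call visible here supplies a SAN, so the empty-SAN branch appears unexercised after this change.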
index 567ae9ac82b20526d21706bbf5f10a2a364e3a0c..2d4698c8d1bedeec2aecfc114b31b546d0f9004f
GIT binary patch
literal 16384
zc%1FoWl+@LzrgW@g(VhP8l<JWJCx2vr5iz7y1TnmatVo58tIl)O1ir{1*Al7`QSeK
zJ-hcm_s+g%&YaK8d2k-RXU=@T01%NW002M+08l0Y0Nj5c0ayS465ziU0R8WP{C5Zb
z=l-8Z0F3{bKREbr0saf}-}S!^9qC_jD*^%n0s;a80s;a80s_MS9aw-n$Svd$(g-Ps
zWI#wDrdS(bHjHxgYt%W^Yt$zM1Ox<x|4)DbBmj2^auqi-2+SIx7;%G*goTO(<bH-i
zc*VagQ6bkO1L~mleZ?PzJjbZ5gN%fP5`rAG?LUvpKzhwe(?}%paz|uULCG`qlC6>;
zTARR+q>Yg~Vx@vLT4?6Ra6ir8yqRcCVKM}rW3jK;B`Gbq)ipT_-)H)2;dh73*r$Nq
z;K*8ED164sK!^okL1{AjCCvKnvFM(0xRc(9h;htUakF>~m5*Uz)YqYl3FoD(*CCQn
zCP-R@S$VEljw-Wq>TC~E%pwP)aT0ek^{xJ@XJP34NlStHG?sh(`q116yahG+Q25ru
zd1OCLqyZC-P4g$fUd=A%C@JGqLD5K{_v}{Uih*Kv-hGX`D*aSt9dB&Y$lJK=wz%6@
z^998u<_Jahhln;0C)2Idk20Px?2E8f?yv+xB$?v0<a-`<9rlI^RkF4Fwe&KH<GC~Z
zFQ{^9yXB`mS)61=i(UG=yE%>K?Ja%=WU*L@hTQ@;v}0qB&fBQ-n9r}G-b%^eOLZ^X
z$9zEc+h}Bph$;~x@!IW+Tq2b{m=b;F*BZyCZ6CzK-Nj|TM~a)Zj*sT>pz5nzU}<R?
ztZkk>(kbVL5?r!Fw4NDu3>?)C@08ZPq^TsQXEJOQNaDdT(ZYY8<wL+6h@tldLJN=F
zrBfU^zn3Ltv0kprUaP}kooO)O7RSdivV3X!Ug&I7Rwx3wL&mG#i2=JU6wZ1tF)gJZ
zpe-}k@?2x2gF~6QmwDuUdc$m}ABM}R^<Fey#y%fx2`X@J!^w2<TChudn=%Ral`Vmq
zm3UGga!DEv7g0(LR$URvu5xxnZ$Or?(@i`XyK<8M#Rc?G9Nm{bfn3=W%K7W9mTKtR
zw8Q#C$CyfAA@uI4(c{{oy=!b|)ncOg(0x2KCnLzx4_#kcqVLJxU-|f{Q5$w}GEi1j
z)H;{T<UCZnTDstJ*{lOKvRS;jPg4x2p1%|BN_^#-G646KcBZUv+@7}WZp8IMs<GX}
zYedL6xYX~)ux?&+qLR%}m_K8KHNI?lx0QQRnJ$Rz1)fkG6KsGA!lRTT5+=M$BdBj`
z85i<gopn?ae+H8?6%~^$s{KPXe{8xXDr;vaC%b?`bd{YyD6oXj{#Jv&*<U8sPg4!A
z>7YAAuZ`>E-PzU``fmG%s4IFl-h1<sJ)QoXgRL-;#BZId3BQA5^P4m`4aU530J+mZ
zT@VCnP0*bgwNit$O>B^^H;0ok-q&yVXJ8?rnDY7AI3|M~l=z(4eWT<<K<FdueJ!X7
zLw>g7@moG?mT!cAng~whu*q7tn1jC5FORCDk+|XMLz-@h+e72I-xbqR?>p09PdyE3
zx$*E;uPiYspB<QPJ9G}x&9t4B#m;=;=Tofve$n2vU!8%|G>c&qg9>+(P|U8dC(RUF
z?0NNN8T+#J=5x>!?1;>f^9rU=txffIlpR;I4E{FPWtqDF(`SzA`2;Q35>BvP=gWEZ
z0ACCMN<m_R?I#-PuZM-+X*QLjs=?N2Ql>N>Ki;KC#^B*gT1y2#3TwA?>KSkaK@8zp
z3{xZigO@ej<qZmorvy^|8*qo5eKGZ`-yDiIRX>pqE}X#=txxyu@=fKDvdF8%(z@P>
zG`OvwJgZ?XL<WscX!(4+s5^P_3{qlyD=PEfc1+YblF@i2$+CUQH)0)y8<dy;@51YM
zkVPE7-?k9?5IDjZh{b)V5{(^5)y%7`8&80RLUOMivUJTTno_4SwJZ&z`L^xEx0(_f
zIkp5N6rULKRd)M?>TD7j_{Sx0GLqp$7uvF&qqTGE$S*$dHCkVxoiy+^ud1lTK%R9|
zFZt)H6)k^RjIHZMcK+((S$?7KgMau@W!YCUlnq@+p5R{FK8o?<{l)v1E=WaJ+-Ci0
zzdn;BzpXv&d0F&cWoX4t5NU4Sjoaxg4}}wE8|HvSM_ZhPtY;EfmZ&D6Sn_=`6;s0%
zs(VBbETezmy7i4I-e>(=gZ9XQxj72DE?P9S7vhf<!H2<U>l7tZRITRc#tk$b_pm=c
zpi{?e9ENaMl~GT~xVRzpC(p{XXF-o!FCtD|u`DFx;FgX)QIgD3G}Vi@^Wa#8OwY!F
zra35=?a1&v`FzPEa`26|$#!Y`OH@d^eB@7iWqpxoo`0wY+AUs?n-5TkSt9e0-xvYq
ztlSCyt)_esN!gsFFwf@@^dvhJG1OgaP!aSCmG$A6Kq(q5OnDm`r~?j4-y?4B?p^f7
zvXpoVC4P~5vFKIpD{Rei?|8{r`9WOy8h6q6L9&Fuj@wuUXR}J}F?v_Lyshv!G2o)z
zpy4^mX;iS#bF)Uz>Fb%=f#aFOW-0A!bG3dSS?_3S5P8kV<e#(S0BU!cJ<gKhwgT&H
z%X#U^fee=fL1n3~K<N_pHO*ABz>Ek?9<FDAKQ7KFe5;!1Fy`2_*K!e7aNY@RK+oLK
z__tCL!dc$1kigCUm0}F1O?ztay<_OA30*J{3tM$1zcil|-Y=`K-?S~~sB~gdFTKX4
zTl<q%&^YWWZ$A-7vkJFz7p0#B#ZP(=R$n%*ubS%kskkr*#PWKYezP4`MF#C8EjH3(
z!^TIMt_44}4=nhR-m;7xgip%0p5}2BUpIXb8)LwDLr3IOo-LKSHEOvq_b#seV8leE
zNTS(RgR37h{(^{W>*p%{tr@d*-Pm?826s!O&(*`1@-TeyHSA<74T)R}$DbT|vaKYu
z;-XVRDQ%DWB!*cecErH#P>v1EYz>{?Va!AEKs`ws_O-Ynw?9U*jeA{3VYwwKgMeKd
zlgn!VmP4Y49o9=rtja#We8ucvHt9H8iEVm6epl8&9yR=g+b-O8Oqm;&-ncr1{9vNp
zFEgBBc&+l7U@~Buf9z*{fW`yelau8Yu-5&FrV2m8bW0{wVq1U=q_3cj7C7w2W;07-
zNCchsF)ZFY;I8rBhWBL*5)tuI)Djd-{nAYl?>q}}K4!a{$;fr=0khAzbOBpZned^{
zTA1jgo3Fg++|T_4$Sz3fq1;VFV9!pyLQXnch~|}Q9|(WXHVF@DA*$~+&1*j#mz7KY
zIQE=SaCDnbvn))<s*vOe8M}DZOpZiQY+|MwNjj^(R4H8Y)~5dxp4}{esKy0lynf(h
z4=1<N?~EG)fiCq0b%S}v6*n=lWSVW)T(zc_AlzT73dBEM$=-=Sl@7+K7_Dgd_m(Gm
z6PvPRMr`Q*at=@=Menn+b9`rN$Kh&f=LRH1qKAwXC-U?!=@!kzi*1TJDeKYp0RDSn
zH&EdG#jKA2u~TyRCxPiQCsS8fPe&JX4l`>DGh3jxg^R0=qXP&K1R26o#!AB=#4rXy
zLB^ne^%n^Q1Ox<x|NH*o@pn*$`(Y|D;$8t=7XJN_pFT7*r}XdRuc*pRdvDrggD>-m
zoAg1b-EFk%!055y#T^-nub#Fzob~igPOBwucIqPR{u@gs!_f<=6RlFw;}rOm{HWk;
z1Al;TX{?icfYZUfp9y6tMT6Q&@3SelD+eKqPJT=vDygSxz4^lM9BgXK^k}~Dq@o2i
zXZHnK+OyW!wQDWejbRh3$QaS^N#_>BlfWT<D9VqLZ4>I0f>(ua=8VS+H51(nIDdyU
zYuzh2U`?#f`(l0DuV;0b4OWqO`fL%US*X7v^SyEHAXt)+2}(nECEJjc%vo-_Cr(QU
z==g4!ZP=&2b6@kEPs-IYd`K*%zbkRDxT;Q9Zbpd!3W=61GCMvJPSuTxm-i>4R3CM9
z2dY_PjvrjgEL)OB4*hid@jC9Ko#}Zc=iwF{h6I+{w^dR27y`vBDi4LgM2cm8apxJM
zczYjtKR=T!y9&`icPeUOlCLq7fXAVTu{M$Pe<Q!?QVzWt(Be1t&<38A|0<^L!#x#D
z2u_qTxMQJebiP}1efVUeQdDK(73i}veNL+SSrpw~v{zRyyuh3on17m~PZRjTiKER4
z7R_SspOaAarp_ZY7S2hs`>qA3&PX@v_3$`N)TLnX)<`MwGpM6*hBlNpiU9VVNv0yG
zRF;P(zPzSRH~icOPbEfP5PDI>FQc!cw*2*Y{cM^A+Ub?hF}R~eM5C0gBs-8uYE=Oo
zV2Ob*x{H~BIqT)i+S{;@>9zJ)$7&)ejs%UQu^LC?Iz{93s|Qe03uXf;uT6Ac6h5Y6
zod^1u)-I<ux#}KTJU-Oy>r3#vmXxxKvo-nv*{ZD>*zP$c3Htc-@UpLP`~9n}PSibn
zFIMFGo8X1Op@yU8kaQuNDUJ>ex4jSE*Vv_dt#n3@I%K|QYNN@Nqf@xKI})e{9?pZ0
zg~aOUMdzF`;1f#A>$&KP{-Py@4#UAN@J2VRm0&rcfN}*Jq-eK#A;Pv;8M#?ELI3AD
ztnEeAvYWLPj>HZe*B=!dGcgAAm`7Vb2^o7?@(<MrrI7$_^aXRKzKO2rn@~YO0xHOV
ztI>v89aE-(^xN?U4Uz_q46-WpPW<aE_UWd!HkdrJ+Q-kv&u71An~BmrH5(>Pe8JVK
zijHqnF7AML&Z<PB0*@|=4anNkOY9DHsM)uP8)5bl9#$xCXHL2Up7zt?A5gJ6`h9Jh
zN|t;Bb``fXmRV(cIFpl3g<)6Erp)leos*i)K>bHS{haT-${akdgg1#eL_Buqay;mJ
ztHF8}!+Nc-X7?Q~x~x6pGidHa-7{suZ)SN!)?<~kF?5?Ml;aXr;<KgMRw2olC&&jc
zapwp=<Nj{H2Z`vN%zhTN4enL4VH&g90KXqU3!O<h=JGaPhwUDF-ag>YYM9acBw3GQ
zc6B6>YuIYtJ}tiurqyPY4k{_BH7+)r-{_GvJ<(xijm?gI=s)8V{<Y1E?fdTZ&F^7p
z_p9CgWkph(A-sS;6*y2*aJ}-6cr?Gw^7-9O86NTUc}dQn>kmG8Ib4Qa%Evyli!w&0
zp=3kg-i5Es^HfLJI)1gys4GVwgXZJv&a<jkLt>}|4m)ZKx(J1m$XYJS)xg8U4_`GS
zOBVD$nP#3vf`eI!6Ztr8%vx7M81shOf6XY_yYE_d4b2bh6y-(GGRkmo4)!|SQASt&
zmO1GwaaD!|V&tuBs_*CwSKzU(Cn#e=?Sncv#5P{p4M=Df=IdxO;H)K>t1Tc)GWB><
z4<j*O7_AVNJ-sBWrV<ZV<Y1EKPTDA}i+TgwJm^{%`b0iop0`O-%H8*U+J!xFV#NLl
zfLW#67kzW~zOV{R1=5g2FM2EE&%bb-@ncsx*F*)!=IeH6OO#;_X;>3=YA}p+a1gDx
ztUdIUO~@-mQIN;6@$k}*QN!tw@TbjOUTRsSPF9FkorqdNfTifugYmh3RszJxW8~p(
zeVN9CS6dVN7vsLi_PtckDtV(4jb|0nB+!t6PiPnaO&Oa^-=%x`?M7+R$g&q&FQwU~
z#eBlM3>&gvL8wv#BVf532vrVpyC7*NX+`xVoy2A9O_~>`I-yo&WPR^HR8vy_<Xy8c
zgVM^VgS6gJ_?_=}Z~WhCpcm$A*K!w}CSj^Cj>IE@ihuxPehv09g5WBnktD`&StTE<
z2YgLSOd%!yJDMKz<a35sk0lFdS4gd9Gq5lv=zGWK3P$6}@@L2QIesG5&Fi=Hi=pF{
zEBtDK9Q4~xulQh(&8vrhCb^|@JH%QWTu)wUhnHN4#!n&*bV}{BHqnwq6n#4_sve9K
z@pIW~F|N4Ma6612X`%)f+iVFGy@%P`@8&2evuIqmbjht{GXXRG<Vbf5xe}rmW*lV}
zk5LHy$t;B?P=bM_Ir@T&WfAH^4GjAVlY`X9UL21U5a?%<aRMG(V?~`}0}n9%wv75m
z#ThEK4kRuTu(m0m1N)2~ZNa;+h~TaouUL--GRh8>Q9qmkJ$l@HzXstpy2a0J%#oYq
zIxMDb#T$YfyJQVz+5(m2CC5!#$AurIW58h>k2@GfW}t);j51~Wf%TCuPU}12Ku0nT
z{nW~j)y#pr=N&Ka?qp!ITy*nuf^(Q?>BA)0<fC@jL`mlyiav2mgx>fyaho}ttC<r_
zsJJy_-x{Mn{HCmOSURxwk%<cEiEJ?X!YVsS|AO@0v4jjRj+9NgRD0|nt5i3Y1gvMv
z4BcKlQC=~v2RcZ_cdxJ*QSQy(ewTDEL7wgjnIpHzN5Z!bs9a!Vidk9?2qt3I-e<L%
zSQGjzW_Lwo1_BVf3ty%r2|TbkNG>Sk7&Yvk^^prvJXLodu?g4QVI0I!4?FUtj2&t8
zCB%v19J>Jb3olgb2*g7`SXsr@x#>2oiW%%FLpmT(q+Vzr;g{!F{!J{Sk%?$kg^BQ@
z*C<}`Oz;BtSZj1E8bjYxE0*CDASdgF?d#iW%+xgG<nN~KX8T(_KYsVbq<^5N<p{z+
zub_Hmn(cjI0yh`JlWjm7{kcf<jaOpBUOv{^(PAOn-mw{OY9kLI48s2L{UTDGFU9xt
z=$-$B`W{(0Nc$wgvp)mW{73&`4D<TW$}8EoJu5~;E|W^Q)})GL`&e=0Ww2WUw~`d^
heA^$Wf*Fth>VHuP2nYxW2nYxW2nYxW2nhe<{tcbjUfloy
index 83b01deddfc049ef363795d0ba0af242aa5a7685..4161f2bd76f0b97c2f9079641b96adc62bacc4d0
GIT binary patch
literal 452
zc$_n6Vmx5b#HhJ|nTe5!iIrjQuTLrlylk9WZ60mkc^Mg5Ss4r@48;sY*qB3En1y-$
zOEOZ66iQNyOB9?P4dldm4UG+rfY`v;z}O;6oYw@Ii$`bUd}Lb~Ss9ocdl?KGJDD0A
z8TLgk(o@dn5BcJIgiYvq_5?x3n;l2|75r=Xitc_k>Cu_p%-y-WYKP05@bpFEubFt4
z+)H*9H?zKYbv>ig%q=TDTOEF69$hY&bIqhV_@iuZRQ;txdIkl5rhgYUJrHy=DEfxl
z-4bi-i3(4O=LT-y*&y)E*In#Wu~d@H|CJ|uykqY&F*7nSE(W^XKnUn|Sz$)T|12B^
zY(R>Mkr6F$n1Sw9nz6k6(c#$bjvC#b?uWLY<(4Y^om+DB<uW&C*Z=h&&TNgX<+l30
zf0a1vxlbD=y}o30OeXAe{K~oZ-P@XE*E9EDEs$Cmanz#6t>t<_-%7a+^St!$mliV4
vlWb*7uf4kYx}K+~^V=R4mAGl{(GzxdZPI^au<zB<jH=^nHgV|}$v6W5zP_aO
index a5f2f603a72865b8a22beb933932e44338599699..3dced7b9ece589b22ede0c537c179c08ba79fd55
GIT binary patch
literal 16384
zc%1Fpze>YE9Ki8k|4@o(b#W6paL5+v17xa;6s1^SAkAG%XiQ3yf)2ictBWA`Om0pN
z`WjM`CfEkVwW8k-9QXSJze{dDY3;irQWt4Hi|l2gY>U*SSkf+odbu~2`?6Kk?!((R
zk*~Zi8_=$8;#2?t00000000000Dh0AyzjnsUOEq*yKHUxYXATM0093`OO!a3imqf^
z7g3a|o{7^$cI@LYNxbREw{;NY-L+;u=(X}jyk8D0iU;Szp*jsy6Nhe~2L0Yp9d*0v
zEYkD9Wc^1k3djCL`>|u$mh!TpgV>DyYsa$G)ZDC+#CTVccC2Ez^~h4=z?~$Hn$NVG
zn&k+qOnQ|$MXkR+ttk0=6<<bE6P}pFi~U*ZM`7M69_v3f7WrKres_^S{ocm{00000
H0Q_~IZvIn(
index 61e984b620572ec673ccf6b610c9e58687090e8a..36cfcddcfb5a3363e425fa7a24cbaf5ce3622521
GIT binary patch
literal 440
zc$_n6V%%cT#3;LfnTe5!iIrjQuTRPbylk9WZ60mkc^Mg5Ss4t33<V7M*qB3En1$Ix
zQj1FzoE;71#CZ*k4UK@<z}UdpB1)Xs1euFfPvd-KlNnhVm>YW;3>rI`8XFmoC+<mp
z@!0U}pF>^Krm86EHgIyRk@HKORrxVtS&F%!%U1StpKd7}GqQb{>(-r-pL%mvZvKvC
ziJ5K;A`QG}kAG|rGM-fZ?sZb_#h~X>t!!a$`^t|_XWQ{F>i2oBumA4)xx^p38!K9L
z$x|Rh!b9o>PmlDfIX{F;mQJdipM93qY&sJ&BLm}NF#{0;A)u>eg&7(Dvv3%&0VyU%
zMzjE72D*2l{Jmn$y17SI87dr;k9&LSrC?r+aEheVljEyrFG&`fE!1NyJKMfBLyk+}
z{jI5IuYKkbzx?_5<<lRo-Uu-M_i4p}qpcMz4<x@|iT?O)-}Mu*lW!a_o@~|s*7=?t
rSN6?^vNsIhwahU3J$>u_DZAJdl+Ij<*_iQv<COy(Jfa2N5vzg$%(bXg
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -52,16 +52,12 @@ fail-if = os == "android"
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_ev_certs.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_getchain.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
-[test_cert_overrides.js]
-run-sequentially = hardcoded ports
-# Bug 676972: test fails consistently on Android
-fail-if = os == "android"
 [test_intermediate_basic_usage_constraints.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 
--- a/testing/mochitest/Makefile.in
+++ b/testing/mochitest/Makefile.in
@@ -106,17 +106,16 @@ libs::
 
 # Binaries and scripts that don't get packaged with the build,
 # but that we need for the test harness
 TEST_HARNESS_BINS := \
   xpcshell$(BIN_SUFFIX) \
   ssltunnel$(BIN_SUFFIX) \
   certutil$(BIN_SUFFIX) \
   pk12util$(BIN_SUFFIX) \
-  BadCertServer$(BIN_SUFFIX) \
   OCSPStaplingServer$(BIN_SUFFIX) \
   GenerateOCSPResponse$(BIN_SUFFIX) \
   fix_stack_using_bpsyms.py \
   $(NULL)
 
 ifeq ($(OS_ARCH),WINNT)
 TEST_HARNESS_BINS += \
   crashinject$(BIN_SUFFIX) \
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -5678,22 +5678,16 @@
     "description": "Status of OCSP stapling on this handshake (1=present, good; 2=none; 3=present, expired; 4=present, other error)"
   },
   "SSL_OCSP_MAY_FETCH": {
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 8,
     "description": "For non-stapling cases, is OCSP fetching a possibility? (0=yes, 1=no because missing/invalid OCSP URI, 2=no because fetching disabled, 3=no because both)"
   },
-  "SSL_CERT_ERROR_OVERRIDES": {
-    "expires_in_version": "never",
-    "kind": "enumerated",
-    "n_values": 24,
-    "description": "Was a certificate error overridden on this handshake? What was it? (0=unknown error (indicating bug), 1=no, >1=a specific error)"
-  },
   "TELEMETRY_TEST_EXPIRED": {
     "expires_in_version": "4.0a1",
     "kind": "flag",
     "description": "a testing histogram; not meant to be touched"
   },
   "CERT_OCSP_ENABLED": {
     "expires_in_version": "never",
     "kind": "boolean",
--- a/toolkit/mozapps/installer/packager.mk
+++ b/toolkit/mozapps/installer/packager.mk
@@ -616,17 +616,16 @@ NO_PKG_FILES += \
 	nm2tsv* \
 	nsinstall* \
 	res/samples \
 	res/throbber \
 	shlibsign* \
 	ssltunnel* \
 	certutil* \
 	pk12util* \
-	BadCertServer* \
 	OCSPStaplingServer* \
 	GenerateOCSPResponse* \
 	winEmbed.exe \
 	chrome/chrome.rdf \
 	chrome/app-chrome.manifest \
 	chrome/overlayinfo \
 	components/compreg.dat \
 	components/xpti.dat \