Merge m-c to birch.
authorRyan VanderMeulen <ryanvm@gmail.com>
Thu, 20 Jun 2013 20:13:06 -0400
changeset 147366 8fe4e8968c88cc1b87d3675f99e64733a93707a4
parent 147365 1168d6e45277655776ea122c17cf6f47ec481718 (current diff)
parent 147361 7ba8c86f1a567fe821b6ecd70c594d42a5422e06 (diff)
child 147367 7972d8009245593d681a51cd7b6794bb499835df
push id2697
push userbbajaj@mozilla.com
push dateMon, 05 Aug 2013 18:49:53 +0000
milestone24.0a1
Merge m-c to birch.
security/manager/ssl/tests/unit/moz.build
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling/Makefile.in
security/manager/ssl/tests/unit/test_ocsp_stapling/OCSPStaplingServer.cpp
security/manager/ssl/tests/unit/test_ocsp_stapling/cert8.db
security/manager/ssl/tests/unit/test_ocsp_stapling/gen_ocsp_certs.sh
security/manager/ssl/tests/unit/test_ocsp_stapling/key3.db
security/manager/ssl/tests/unit/test_ocsp_stapling/moz.build
security/manager/ssl/tests/unit/test_ocsp_stapling/ocsp-ca.der
security/manager/ssl/tests/unit/test_ocsp_stapling/ocsp-other-ca.der
security/manager/ssl/tests/unit/test_ocsp_stapling/secmod.db
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -8,17 +8,16 @@ pref("security.enable_tls_session_ticket
 pref("security.enable_md5_signatures", false);
 
 pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
 pref("security.ssl.renego_unrestricted_hosts", "");
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.warn_missing_rfc5746",  1);
 pref("security.ssl.enable_false_start", false);
-pref("security.ssl.enable_ocsp_stapling", true);
 
 pref("security.ssl3.rsa_rc4_128_md5", true);
 pref("security.ssl3.rsa_rc4_128_sha", true);
 pref("security.ssl3.rsa_fips_des_ede3_sha", true);
 pref("security.ssl3.rsa_des_ede3_sha", true);
 pref("security.ssl3.dhe_rsa_camellia_256_sha", true);
 pref("security.ssl3.dhe_dss_camellia_256_sha", true);
 pref("security.ssl3.rsa_camellia_256_sha", true);
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -1,10 +1,11 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-DIRS += ['src', 'public', 'tests']
+DIRS += ['src', 'public']
+TEST_DIRS += ['tests']
 
 MODULE = 'pipnss'
 
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -115,17 +115,16 @@
 #include "nsIConsoleService.h"
 #include "PSMRunnable.h"
 #include "SharedSSLState.h"
 
 #include "ssl.h"
 #include "secerr.h"
 #include "secport.h"
 #include "sslerr.h"
-#include "ocsp.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 namespace {
@@ -439,18 +438,17 @@ CertErrorRunnable::RunOnTargetThread()
 
 // Returns null with the error code (PR_GetError()) set if it does not create
 // the CertErrorRunnable.
 CertErrorRunnable *
 CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport,
                         TransportSecurityInfo * infoObject,
                         CERTCertificate * cert,
                         const void * fdForLogging,
-                        uint32_t providerFlags,
-                        PRTime now)
+                        uint32_t providerFlags)
 {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
   
   // cert was revoked, don't do anything else
   if (defaultErrorCodeToReport == SEC_ERROR_REVOKED_CERTIFICATE) {
     PR_SetError(SEC_ERROR_REVOKED_CERTIFICATE, 0);
     return nullptr;
@@ -473,16 +471,18 @@ CreateCertErrorRunnable(PRErrorCode defa
 
   RefPtr<CertVerifier> certVerifier(GetDefaultCertVerifier());
   if (!certVerifier) {
     NS_ERROR("GetDefaultCerVerifier failed");
     PR_SetError(defaultErrorCodeToReport, 0);
     return nullptr;
   }
   
+  PRTime now = PR_Now();
+
   PLArenaPool *log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena);
   if (!log_arena) {
     NS_ERROR("PORT_NewArena failed");
     return nullptr; // PORT_NewArena set error code
   }
 
   CERTVerifyLog * verify_log = PORT_ArenaZNew(log_arena, CERTVerifyLog);
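Review bot: The new `PRTime now = PR_Now();` is sampled inside CreateCertErrorRunnable, so it is presumably a later instant than the one the failed verification was evaluated against. If the rest of the function (outside this hunk) re-checks validity with `now`, a certificate crossing its notBefore/notAfter boundary in between could be classified differently from the original error. A comment on the declaration would make that explicit, e.g. `// Sampled after the failed verification; may differ slightly from the time that verification used.` The same applies to the two updated call sites in SSLServerCertVerificationJob::Run() and AuthCertificateHook, which no longer pass a time. CreateCertErrorRunnable starts before this hunk and continues after it.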
@@ -1080,17 +1080,17 @@ SSLServerCertVerificationJob::Run()
 #endif
       MutexAutoLock telemetryMutex(*gSSLVerificationTelemetryMutex);
       Telemetry::AccumulateTimeDelta(telemetryID,
                                      mJobStartTime,
                                      now);
     }
     if (error != 0) {
       RefPtr<CertErrorRunnable> runnable(CreateCertErrorRunnable(
-        error, mInfoObject, mCert, mFdForLogging, mProviderFlags, PR_Now()));
+        error, mInfoObject, mCert, mFdForLogging, mProviderFlags));
       if (!runnable) {
         // CreateCertErrorRunnable set a new error code
         error = PR_GetError(); 
       } else {
         // We must block the the socket transport service thread while the
         // main thread executes the CertErrorRunnable. The CertErrorRunnable
         // will dispatch the result asynchronously, so we don't have to block
         // this thread waiting for it.
@@ -1156,38 +1156,17 @@ AuthCertificateHook(void *arg, PRFileDes
   }
 
   ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
 
   if (!checkSig || isServer || !socketInfo || !serverCert) {
       PR_SetError(PR_INVALID_STATE_ERROR, 0);
       return SECFailure;
   }
-
-  // This value of "now" is used both here for OCSP stapling and later
-  // when calling CreateCertErrorRunnable.
-  PRTime now = PR_Now();
-  PRBool enabled;
-  if (SECSuccess != SSL_OptionGet(fd, SSL_ENABLE_OCSP_STAPLING, &enabled)) {
-    return SECFailure;
-  }
-  if (enabled) {
-      // no ownership
-      const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd);
-      // we currently only support single stapled responses
-      if (csa && csa->len == 1) {
-          CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
-          SECStatus cacheResult = CERT_CacheOCSPResponseFromSideChannel(
-              handle, serverCert, now, &csa->items[0], arg);
-          if (cacheResult != SECSuccess) {
-              return SECFailure;
-          }
-      }
-  }
-
+      
   if (BlockServerCertChangeForSpdy(socketInfo, serverCert) != SECSuccess)
     return SECFailure;
 
   bool onSTSThread;
   nsresult nrv;
   nsCOMPtr<nsIEventTarget> sts
     = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
   if (NS_SUCCEEDED(nrv)) {
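Review bot: The only line this hunk adds, just before the `BlockServerCertChangeForSpdy` check, is six spaces of whitespace; it should be a truly empty line so the change leaves no trailing whitespace behind. With the stapling block gone, nothing in the visible part of AuthCertificateHook reads the peer's stapled OCSP responses. If ignoring them is intentional, a short comment before the `BlockServerCertChangeForSpdy` call, such as `// Stapled OCSP responses are not consumed here.`, would save readers from looking for the removed caching step. The function body starts before and ends after this hunk.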
@@ -1224,17 +1203,17 @@ AuthCertificateHook(void *arg, PRFileDes
   if (rv == SECSuccess) {
     return SECSuccess;
   }
 
   PRErrorCode error = PR_GetError();
   if (error != 0) {
     RefPtr<CertErrorRunnable> runnable(CreateCertErrorRunnable(
                     error, socketInfo, serverCert,
-                    static_cast<const void *>(fd), providerFlags, now));
+                    static_cast<const void *>(fd), providerFlags));
     if (!runnable) {
       // CreateCertErrorRunnable sets a new error code when it fails
       error = PR_GetError();
     } else {
       // We have to return SECSuccess or SECFailure based on the result of the
       // override processing, so we must block this thread waiting for it. The
       // CertErrorRunnable will NOT dispatch the result at all, since we passed
       // false for CreateCertErrorRunnable's async parameter
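Review bot: The comment ending this hunk says the result is not dispatched "since we passed false for CreateCertErrorRunnable's async parameter", but the call just above passes only `error, socketInfo, serverCert, fd, providerFlags`. The signature shown earlier in this file's diff has no async parameter either, so the comment looks stale. Since the call is being touched anyway, the comment could be reworded to describe what actually makes this path synchronous, e.g. `// The CertErrorRunnable does not dispatch the result itself on this path; we block and read it below.`, to be confirmed against the code after the hunk. AuthCertificateHook continues outside the hunk.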
--- a/security/manager/ssl/src/ScopedNSSTypes.h
+++ b/security/manager/ssl/src/ScopedNSSTypes.h
@@ -15,17 +15,16 @@
 #include "prio.h"
 #include "cert.h"
 #include "cms.h"
 #include "keyhi.h"
 #include "pk11pub.h"
 #include "sechash.h"
 #include "secpkcs7.h"
 #include "prerror.h"
-#include "ocsp.h"
 
 namespace mozilla {
 
 // It is very common to cast between char* and uint8_t* when doing crypto stuff.
 // Here, we provide more type-safe wrappers around reinterpret_cast so you don't
 // shoot yourself in the foot by reinterpret_casting completely unrelated types.
 
 inline char *
@@ -92,19 +91,16 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLAT
                                           CERTCertList,
                                           CERT_DestroyCertList)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTName,
                                           CERTName,
                                           CERT_DestroyName)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames,
                                           CERTCertNicknames,
                                           CERT_FreeNicknames)
-MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTOCSPCertID,
-                                          CERTOCSPCertID,
-                                          CERT_DestroyOCSPCertID)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo,
                                           CERTSubjectPublicKeyInfo,
                                           SECKEY_DestroySubjectPublicKeyInfo)
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTValidity,
                                           CERTValidity,
                                           CERT_DestroyValidity)
 
 MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedNSSCMSMessage,
--- a/security/manager/ssl/src/SharedSSLState.cpp
+++ b/security/manager/ssl/src/SharedSSLState.cpp
@@ -128,17 +128,16 @@ PrivateBrowsingObserver::Observe(nsISupp
   }
   return NS_OK;
 }
 
 SharedSSLState::SharedSSLState()
 : mClientAuthRemember(new nsClientAuthRememberService)
 , mMutex("SharedSSLState::mMutex")
 , mSocketCreated(false)
-, mOCSPStaplingEnabled(false)
 {
   mIOLayerHelpers.Init();
   mClientAuthRemember->Init();
 }
 
 SharedSSLState::~SharedSSLState()
 {
 }
--- a/security/manager/ssl/src/SharedSSLState.h
+++ b/security/manager/ssl/src/SharedSSLState.h
@@ -31,38 +31,35 @@ public:
 
   nsSSLIOLayerHelpers& IOLayerHelpers() {
     return mIOLayerHelpers;
   }
 
   // Main-thread only
   void ResetStoredData();
   void NotePrivateBrowsingStatus();
-  void SetOCSPStaplingEnabled(bool enabled) { mOCSPStaplingEnabled = enabled; }
 
   // The following methods may be called from any thread
   bool SocketCreated();
   void NoteSocketCreated();
   static void NoteCertOverrideServiceInstantiated();
   static void NoteCertDBServiceInstantiated();
-  bool IsOCSPStaplingEnabled() const { return mOCSPStaplingEnabled; }
 
 private:
   void Cleanup();
 
   nsCOMPtr<nsIObserver> mObserver;
   RefPtr<nsClientAuthRememberService> mClientAuthRemember;
   nsSSLIOLayerHelpers mIOLayerHelpers;
 
   // True if any sockets have been created that use this shared data.
   // Requires synchronization between the socket and main threads for
   // reading/writing.
   Mutex mMutex;
   bool mSocketCreated;
-  bool mOCSPStaplingEnabled;
 };
 
 SharedSSLState* PublicSSLState();
 SharedSSLState* PrivateSSLState();
 
 } // namespace psm
 } // namespace mozilla
 
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -979,17 +979,16 @@ setNonPkixOcspEnabled(int32_t ocspEnable
 
 #define CRL_DOWNLOAD_DEFAULT false
 #define OCSP_ENABLED_DEFAULT 1
 #define OCSP_REQUIRED_DEFAULT 0
 #define FRESH_REVOCATION_REQUIRED_DEFAULT false
 #define MISSING_CERT_DOWNLOAD_DEFAULT false
 #define FIRST_REVO_METHOD_DEFAULT "ocsp"
 #define USE_NSS_LIBPKIX_DEFAULT false
-#define OCSP_STAPLING_ENABLED_DEFAULT true
 
 // Caller must hold a lock on nsNSSComponent::mutex when calling this function
 void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
 {
   nsNSSShutDownPreventionLock locker;
   nsresult rv;
 
   bool crlDownloading;
@@ -1018,27 +1017,16 @@ void nsNSSComponent::setValidationOption
   rv = pref->GetBoolPref("security.missing_cert_download.enabled", &aiaDownloadEnabled);
   if (NS_FAILED(rv))
     aiaDownloadEnabled = MISSING_CERT_DOWNLOAD_DEFAULT;
 
   nsCString firstNetworkRevo;
   rv = pref->GetCharPref("security.first_network_revocation_method", getter_Copies(firstNetworkRevo));
   if (NS_FAILED(rv))
     firstNetworkRevo = FIRST_REVO_METHOD_DEFAULT;
-
-  bool ocspStaplingEnabled;
-  rv = pref->GetBoolPref("security.ssl.enable_ocsp_stapling", &ocspStaplingEnabled);
-  if (NS_FAILED(rv)) {
-    ocspStaplingEnabled = OCSP_STAPLING_ENABLED_DEFAULT;
-  }
-  if (!ocspEnabled) {
-    ocspStaplingEnabled = false;
-  }
-  PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
-  PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
   
   setNonPkixOcspEnabled(ocspEnabled, pref);
   
   CERT_SetOCSPFailureMode( ocspRequired ?
                            ocspMode_FailureIsVerificationFailure
                            : ocspMode_FailureIsNotAVerificationFailure);
 
   mDefaultCertVerifier = new CertVerifier(
@@ -1557,18 +1545,16 @@ nsNSSComponent::InitializeNSS(bool showW
     if (problem_no_security_at_all != which_nss_problem) {
 
       mNSSInitialized = true;
 
       ::NSS_SetDomesticPolicy();
 
       PK11_SetPasswordFunc(PK11PasswordPrompt);
 
-      SharedSSLState::GlobalInit();
-
       // Register an observer so we can inform NSS when these prefs change
       mPrefBranch->AddObserver("security.", this, false);
 
       SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
       SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);
 
       rv = setEnabledTLSVersions(mPrefBranch);
       if (NS_FAILED(rv)) {
@@ -1751,16 +1737,17 @@ nsNSSComponent::Init()
     PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to Initialize NSS.\n"));
 
     DeregisterObservers();
     mPIPNSSBundle = nullptr;
     return rv;
   }
 
   RememberCertErrorsTable::Init();
+  SharedSSLState::GlobalInit();
   
   createBackgroundThreads();
   if (!mCertVerificationThread)
   {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS init, could not create threads\n"));
 
     DeregisterObservers();
     mPIPNSSBundle = nullptr;
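Review bot: `SharedSSLState::GlobalInit()` now runs in Init() before `createBackgroundThreads()`, but the visible part of the thread-creation failure branch only calls `DeregisterObservers()` and clears `mPIPNSSBundle`; no counterpart undoing GlobalInit is shown. The branch continues past the hunk, so please confirm the shared SSL state is torn down there or by the normal shutdown path. The move also means the shared state does not exist while InitializeNSS runs, so a comment such as `// Must run after InitializeNSS; nothing in InitializeNSS may touch Public/PrivateSSLState().` would document the ordering requirement.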
@@ -2050,18 +2037,17 @@ nsNSSComponent::Observe(nsISupports *aSu
       mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
       SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
 #endif
     } else if (prefName.Equals("security.OCSP.enabled")
                || prefName.Equals("security.CRL_download.enabled")
                || prefName.Equals("security.fresh_revocation_info.require")
                || prefName.Equals("security.missing_cert_download.enabled")
                || prefName.Equals("security.first_network_revocation_method")
-               || prefName.Equals("security.OCSP.require")
-               || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
+               || prefName.Equals("security.OCSP.require")) {
       MutexAutoLock lock(mutex);
       setValidationOptions(mPrefBranch);
     } else if (prefName.Equals("network.ntlm.send-lm-response")) {
       bool sendLM = false;
       mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
       nsNTLMAuthModule::SetSendLM(sendLM);
     } else {
       /* Look through the cipher table and set according to pref setting */
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -2547,21 +2547,16 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, b
     return NS_ERROR_FAILURE;
   }
   infoObject->SetSSL3Enabled(enabled);
   if (SECSuccess != SSL_OptionGet(fd, SSL_ENABLE_TLS, &enabled)) {
     return NS_ERROR_FAILURE;
   }
   infoObject->SetTLSEnabled(enabled);
 
-  enabled = infoObject->SharedState().IsOCSPStaplingEnabled();
-  if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_OCSP_STAPLING, enabled)) {
-    return NS_ERROR_FAILURE;
-  }
-
   if (SECSuccess != SSL_OptionSet(fd, SSL_HANDSHAKE_AS_CLIENT, true)) {
     return NS_ERROR_FAILURE;
   }
 
   nsSSLIOLayerHelpers& ioHelpers = infoObject->SharedState().IOLayerHelpers();
   if (ioHelpers.isRenegoUnrestrictedSite(nsDependentCString(host))) {
     if (SECSuccess != SSL_OptionSet(fd, SSL_REQUIRE_SAFE_NEGOTIATION, false)) {
       return NS_ERROR_FAILURE;
--- a/security/manager/ssl/tests/moz.build
+++ b/security/manager/ssl/tests/moz.build
@@ -1,12 +1,11 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-DIRS += ['unit']
 TEST_DIRS += ['mochitest']
 
 MODULE = 'pipnss'
 
 XPCSHELL_TESTS_MANIFESTS += ['unit/xpcshell.ini']
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -2,34 +2,26 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 "use strict";
 
 const { 'classes': Cc, 'interfaces': Ci, 'utils': Cu, 'results': Cr } = Components;
 
 let { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
-let { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});
-let { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
 
-let gIsWindows = ("@mozilla.org/windows-registry-key;1" in Cc);
+Cu.import("resource://gre/modules/FileUtils.jsm"); // XXX: tempScope?
+Cu.import("resource://gre/modules/Services.jsm");  // XXX: tempScope?
 
 function readFile(file) {
   let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
                   .createInstance(Ci.nsIFileInputStream);
   fstream.init(file, -1, 0, 0);
   let data = NetUtil.readInputStreamToString(fstream, fstream.available());
   fstream.close();
   return data;
 }
 
 function addCertFromFile(certdb, filename, trustString) {
   let certFile = do_get_file(filename, false);
   let der = readFile(certFile);
   certdb.addCert(der, trustString, null);
 }
-
-function getXPCOMStatusFromNSS(offset) {
-  let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
-                           .getService(Ci.nsINSSErrorsService);
-  let statusNSS = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE + offset;
-  return nssErrorsService.getXPCOMFromNSSError(statusNSS);
-}
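Review bot: The two added `Cu.import(...)` calls for FileUtils.jsm and Services.jsm import into the shared head-file global scope and carry an unresolved `// XXX: tempScope?` question, while NetUtil two lines above is imported into a throwaway scope and destructured. Every xpcshell test in this directory loads head_psm.js, so the global form makes all symbols exported by those modules visible to every test. The scoped form is more consistent and answers the XXX, e.g. `let { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});` and likewise for Services.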
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/moz.build
+++ /dev/null
@@ -1,10 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-DIRS += ['test_ocsp_stapling']
-
-MODULE = 'pipnss'
-
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ /dev/null
@@ -1,211 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-// In which we connect to a number of domains (as faked by a server running
-// locally) with and without OCSP stapling enabled to determine that good
-// things happen and bad things don't.
-
-let { Promise } = Cu.import("resource://gre/modules/commonjs/sdk/core/promise.js", {});
-let { HttpServer } = Cu.import("resource://testing-common/httpd.js", {});
-
-let gOCSPServerProcess = null;
-let gHttpServer = null;
-
-const REMOTE_PORT = 8443;
-const CALLBACK_PORT = 8444;
-
-function Connection(aHost) {
-  this.host = aHost;
-  let threadManager = Cc["@mozilla.org/thread-manager;1"]
-                        .getService(Ci.nsIThreadManager);
-  this.thread = threadManager.currentThread;
-  this.defer = Promise.defer();
-  let sts = Cc["@mozilla.org/network/socket-transport-service;1"]
-              .getService(Ci.nsISocketTransportService);
-  this.transport = sts.createTransport(["ssl"], 1, aHost, REMOTE_PORT, null);
-  this.transport.setEventSink(this, this.thread);
-  this.inputStream = null;
-  this.outputStream = null;
-  this.connected = false;
-}
-
-Connection.prototype = {
-  // nsITransportEventSink
-  onTransportStatus: function(aTransport, aStatus, aProgress, aProgressMax) {
-    if (!this.connected && aStatus == Ci.nsISocketTransport.STATUS_CONNECTED_TO) {
-      this.connected = true;
-      this.outputStream.asyncWait(this, 0, 0, this.thread);
-    }
-  },
-
-  // nsIInputStreamCallback
-  onInputStreamReady: function(aStream) {
-    try {
-      // this will throw if the stream has been closed by an error
-      let str = NetUtil.readInputStreamToString(aStream, aStream.available());
-      do_check_eq(str, "0");
-      this.inputStream.close();
-      this.inputStream = null;
-      this.outputStream.close();
-      this.outputStream = null;
-      this.transport = null;
-      this.defer.resolve(Cr.NS_OK);
-    } catch (e) {
-      this.defer.resolve(e.result);
-    }
-  },
-
-  // nsIOutputStreamCallback
-  onOutputStreamReady: function(aStream) {
-    let sslSocketControl = this.transport.securityInfo
-                             .QueryInterface(Ci.nsISSLSocketControl);
-    sslSocketControl.proxyStartSSL();
-    this.outputStream.write("0", 1);
-    let inStream = this.transport.openInputStream(0, 0, 0)
-                     .QueryInterface(Ci.nsIAsyncInputStream);
-    this.inputStream = inStream;
-    this.inputStream.asyncWait(this, 0, 0, this.thread);
-  },
-
-  go: function() {
-    this.outputStream = this.transport.openOutputStream(0, 0, 0)
-                          .QueryInterface(Ci.nsIAsyncOutputStream);
-    return this.defer.promise;
-  }
-};
-
-/* Returns a promise to connect to aHost that resolves to the result of that
- * connection */
-function connectTo(aHost) {
-  Services.prefs.setCharPref("network.dns.localDomains", aHost);
-  let connection = new Connection(aHost);
-  return connection.go();
-}
-
-function add_connection_test(aHost, aExpectedResult, aStaplingEnabled) {
-  add_test(function() {
-    Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
-                               aStaplingEnabled);
-    do_test_pending();
-    connectTo(aHost).then(function(aResult) {
-      do_check_eq(aResult, aExpectedResult);
-      do_test_finished();
-      run_next_test();
-    });
-  });
-}
-
-function cleanup() {
-  gOCSPServerProcess.kill();
-}
-
-function run_test() {
-  do_get_profile();
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"]
-                 .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "test_ocsp_stapling/ocsp-ca.der", "CTu,u,u");
-
-  let directoryService = Cc["@mozilla.org/file/directory_service;1"]
-                           .getService(Ci.nsIProperties);
-  let envSvc = Cc["@mozilla.org/process/environment;1"]
-                 .getService(Ci.nsIEnvironment);
-  let greDir = directoryService.get("GreD", Ci.nsIFile);
-  envSvc.set("DYLD_LIBRARY_PATH", greDir.path);
-  envSvc.set("LD_LIBRARY_PATH", greDir.path);
-  envSvc.set("OCSP_SERVER_DEBUG_LEVEL", "3");
-  envSvc.set("OCSP_SERVER_CALLBACK_PORT", CALLBACK_PORT);
-
-  gHttpServer = new HttpServer();
-  gHttpServer.registerPathHandler("/", handleServerCallback);
-  gHttpServer.start(CALLBACK_PORT);
-
-  let serverBin = directoryService.get("CurProcD", Ci.nsILocalFile);
-  serverBin.append("OCSPStaplingServer" + (gIsWindows ? ".exe" : ""));
-  // If we're testing locally, the above works. If not, the server executable
-  // is in another location.
-  if (!serverBin.exists()) {
-    serverBin = directoryService.get("CurWorkD", Ci.nsILocalFile);
-    while (serverBin.path.indexOf("xpcshell") != -1) {
-      serverBin = serverBin.parent;
-    }
-    serverBin.append("bin");
-    serverBin.append("OCSPStaplingServer" + (gIsWindows ? ".exe" : ""));
-  }
-  do_check_true(serverBin.exists());
-  gOCSPServerProcess = Cc["@mozilla.org/process/util;1"]
-                     .createInstance(Ci.nsIProcess);
-  gOCSPServerProcess.init(serverBin);
-  let ocspCertDir = directoryService.get("CurWorkD", Ci.nsILocalFile);
-  ocspCertDir.append("test_ocsp_stapling");
-  do_check_true(ocspCertDir.exists());
-  gOCSPServerProcess.run(false, [ocspCertDir.path], 1);
-
-  do_test_pending();
-}
-
-function handleServerCallback(aRequest, aResponse) {
-  aResponse.write("OK!");
-  aResponse.seizePower();
-  aResponse.finish();
-  run_test_body();
-}
-
-function run_test_body() {
-  // In the absence of OCSP stapling, these should actually all work.
-  add_connection_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-unauthorized.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-unknown.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-good-other.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-expired.example.com", Cr.NS_OK, false);
-  add_connection_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, false);
-  // Now test OCSP stapling
-  // The following error codes are defined in security/nss/lib/util/SECerrs.h
-  add_connection_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
-  // SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12
-  add_connection_test("ocsp-stapling-revoked.example.com", getXPCOMStatusFromNSS(12), true);
-  // This stapled response is from a CA that is untrusted and did not issue
-  // the server's certificate.
-  // SEC_ERROR_BAD_DATABASE = SEC_ERROR_BASE + 18
-  add_connection_test("ocsp-stapling-good-other-ca.example.com", getXPCOMStatusFromNSS(18), true);
-  // Now add that CA to the trusted database. It still should not be able
-  // to sign for the ocsp response.
-  add_test(function() {
-    let certdb = Cc["@mozilla.org/security/x509certdb;1"]
-                   .getService(Ci.nsIX509CertDB);
-    addCertFromFile(certdb, "test_ocsp_stapling/ocsp-other-ca.der", "CTu,u,u");
-    run_next_test();
-  });
-  // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = (SEC_ERROR_BASE + 130)
-  add_connection_test("ocsp-stapling-good-other-ca.example.com", getXPCOMStatusFromNSS(130), true);
-  // SEC_ERROR_OCSP_MALFORMED_REQUEST = (SEC_ERROR_BASE + 120)
-  add_connection_test("ocsp-stapling-malformed.example.com", getXPCOMStatusFromNSS(120), true);
-  // SEC_ERROR_OCSP_SERVER_ERROR = (SEC_ERROR_BASE + 121)
-  add_connection_test("ocsp-stapling-srverr.example.com", getXPCOMStatusFromNSS(121), true);
-  // SEC_ERROR_OCSP_TRY_SERVER_LATER = (SEC_ERROR_BASE + 122)
-  add_connection_test("ocsp-stapling-trylater.example.com", getXPCOMStatusFromNSS(122), true);
-  // SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = (SEC_ERROR_BASE + 123)
-  add_connection_test("ocsp-stapling-needssig.example.com", getXPCOMStatusFromNSS(123), true);
-  // SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = (SEC_ERROR_BASE + 124)
-  add_connection_test("ocsp-stapling-unauthorized.example.com", getXPCOMStatusFromNSS(124), true);
-  // SEC_ERROR_OCSP_UNKNOWN_CERT = (SEC_ERROR_BASE + 126)
-  add_connection_test("ocsp-stapling-unknown.example.com", getXPCOMStatusFromNSS(126), true);
-  add_connection_test("ocsp-stapling-good-other.example.com", getXPCOMStatusFromNSS(126), true);
-  // SEC_ERROR_OCSP_MALFORMED_RESPONSE = (SEC_ERROR_BASE + 129)
-  add_connection_test("ocsp-stapling-none.example.com", getXPCOMStatusFromNSS(129), true);
-  // SEC_ERROR_OCSP_OLD_RESPONSE = (SEC_ERROR_BASE + 132)
-  add_connection_test("ocsp-stapling-expired.example.com", getXPCOMStatusFromNSS(132), true);
-  add_connection_test("ocsp-stapling-expired-fresh-ca.example.com", getXPCOMStatusFromNSS(132), true);
-  do_register_cleanup(function() { gHttpServer.stop(cleanup); });
-  run_next_test();
-  do_test_finished();
-}
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling/Makefile.in
+++ /dev/null
@@ -1,32 +0,0 @@
-# vim: noexpandtab ts=8 sw=8
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-DEPTH = @DEPTH@
-topsrcdir = @top_srcdir@
-srcdir = @srcdir@
-VPATH = @srcdir@
-relativesrcdir = @relativesrcdir@
-FAIL_ON_WARNINGS := 1
-
-include $(DEPTH)/config/autoconf.mk
-
-CPPSRCS = \
-  OCSPStaplingServer.cpp \
-  $(NULL)
-
-SIMPLE_PROGRAMS := $(CPPSRCS:.cpp=$(BIN_SUFFIX))
-
-include $(topsrcdir)/config/config.mk
-
-LIBS = \
-  $(NSPR_LIBS) \
-  $(NSS_LIBS) \
-  $(MOZALLOC_LIB) \
-  $(NULL)
-
-DEFINES += $(TK_CFLAGS)
-
-include $(topsrcdir)/config/rules.mk
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling/OCSPStaplingServer.cpp
+++ /dev/null
@@ -1,589 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This is a standalone server that delivers various stapled OCSP responses.
-// The client is expected to connect, initiate an SSL handshake (with SNI
-// to indicate which "server" to connect to), and verify the OCSP response.
-// If all is good, the client then sends one encrypted byte and receives that
-// same byte back.
-// This server also has the ability to "call back" another process waiting on
-// it. That is, when the server is all set up and ready to receive connections,
-// it will connect to a specified port and issue a simple HTTP request.
-
-#include <stdio.h>
-#include "ScopedNSSTypes.h"
-#include "nspr.h"
-#include "nss.h"
-#include "ocsp.h"
-#include "ocspt.h"
-#include "plarenas.h"
-#include "prenv.h"
-#include "prerror.h"
-#include "prnetdb.h"
-#include "prtime.h"
-#include "ssl.h"
-#include "secerr.h"
-
-using namespace mozilla;
-
-#define LISTEN_PORT 8443
-#define DEBUG_ERRORS 1
-#define DEBUG_WARNINGS 2
-#define DEBUG_VERBOSE 3
-
-uint32_t gDebugLevel = 0;
-uint32_t gCallbackPort = 0;
-
-enum OCSPStapleResponseType
-{
-  OSRTNull = 0,
-  OSRTGood,             // the certificate is good
-  OSRTRevoked,          // the certificate has been revoked
-  OSRTUnknown,          // the responder doesn't know if the cert is good
-  OSRTGoodOtherCert,    // the response references a different certificate
-  OSRTGoodOtherCA,      // the wrong CA has signed the response
-  OSRTExpired,          // the signature on the response has expired
-  OSRTExpiredFreshCA,   // fresh signature, but old validity period
-  OSRTNone,             // no stapled response
-  OSRTMalformed,        // the response from the responder was malformed
-  OSRTSrverr,           // the response indicates there was a server error
-  OSRTTryLater,         // the responder replied with "try again later"
-  OSRTNeedsSig,         // the response needs a signature
-  OSRTUnauthorized      // the responder is not authorized for this certificate
-};
-
-struct OCSPHost
-{
-  const char *mHostName;
-  const char *mCertName;
-  OCSPStapleResponseType mOSRT;
-};
-
-const OCSPHost sOCSPHosts[] =
-{
-  { "ocsp-stapling-good.example.com", "good", OSRTGood },
-  { "ocsp-stapling-revoked.example.com", "revoked", OSRTRevoked },
-  { "ocsp-stapling-unknown.example.com", "unknown", OSRTUnknown },
-  { "ocsp-stapling-good-other.example.com", "good-other", OSRTGoodOtherCert },
-  { "ocsp-stapling-good-other-ca.example.com", "good-otherCA", OSRTGoodOtherCA },
-  { "ocsp-stapling-expired.example.com", "expired", OSRTExpired },
-  { "ocsp-stapling-expired-fresh-ca.example.com", "expired-freshCA", OSRTExpiredFreshCA },
-  { "ocsp-stapling-none.example.com", "none", OSRTNone },
-  { "ocsp-stapling-malformed.example.com", "malformed", OSRTMalformed },
-  { "ocsp-stapling-srverr.example.com", "srverr", OSRTSrverr },
-  { "ocsp-stapling-trylater.example.com", "trylater", OSRTTryLater },
-  { "ocsp-stapling-needssig.example.com", "needssig", OSRTNeedsSig },
-  { "ocsp-stapling-unauthorized.example.com", "unauthorized", OSRTUnauthorized },
-  { nullptr, nullptr, OSRTNull }
-};
-
-struct Connection
-{
-  const OCSPHost *mHost;
-  PRFileDesc *mSocket;
-  char mByte;
-
-  Connection(PRFileDesc *aSocket);
-  ~Connection();
-};
-
-Connection::Connection(PRFileDesc *aSocket)
-: mHost(nullptr)
-, mSocket(aSocket)
-, mByte(0)
-{}
-
-Connection::~Connection()
-{
-  if (mSocket) {
-    PR_Close(mSocket);
-  }
-}
-
-void
-PrintPRError(const char *aPrefix)
-{
-  const char *err = PR_ErrorToName(PR_GetError());
-  if (err) {
-    if (gDebugLevel >= DEBUG_ERRORS) {
-      fprintf(stderr, "%s: %s\n", aPrefix, err);
-    }
-  } else {
-    if (gDebugLevel >= DEBUG_ERRORS) {
-      fprintf(stderr, "%s\n", aPrefix);
-    }
-  }
-}
-
-nsresult
-SendAll(PRFileDesc *aSocket, const char *aData, size_t aDataLen)
-{
-  if (gDebugLevel >= DEBUG_VERBOSE) {
-    fprintf(stderr, "sending '%s'\n", aData);
-  }
-
-  while (aDataLen > 0) {
-    int32_t bytesSent = PR_Send(aSocket, aData, aDataLen, 0,
-                                PR_INTERVAL_NO_TIMEOUT);
-    if (bytesSent == -1) {
-      PrintPRError("PR_Send failed");
-      return NS_ERROR_FAILURE;
-    }
-
-    aDataLen -= bytesSent;
-    aData += bytesSent;
-  }
-
-  return NS_OK;
-}
-
-nsresult
-ReplyToRequest(Connection *aConn)
-{
-  // For debugging purposes, SendAll can print out what it's sending.
-  // So, any strings we give to it to send need to be null-terminated.
-  char buf[2] = { aConn->mByte, 0 };
-  return SendAll(aConn->mSocket, buf, 1);
-}
-
-const OCSPHost *
-GetOcspHost(const char *aServerName)
-{
-  const OCSPHost *host = sOCSPHosts;
-  while (host->mHostName != nullptr &&
-         strcmp(host->mHostName, aServerName) != 0) {
-    host++;
-  }
-
-  if (!host->mHostName) {
-    fprintf(stderr, "host '%s' not in pre-defined list\n", aServerName);
-    MOZ_CRASH();
-    return nullptr;
-  }
-
-  return host;
-}
-
-nsresult
-SetupTLS(Connection *aConn, PRFileDesc *aModelSocket)
-{
-  PRFileDesc *sslSocket = SSL_ImportFD(aModelSocket, aConn->mSocket);
-  if (!sslSocket) {
-    PrintPRError("SSL_ImportFD failed");
-    return NS_ERROR_FAILURE;
-  }
-  aConn->mSocket = sslSocket;
-
-  SSL_OptionSet(sslSocket, SSL_SECURITY, true);
-  SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false);
-  SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true);
-
-  SSL_ResetHandshake(sslSocket, /* asServer */ 1);
-
-  return NS_OK;
-}
-
-nsresult
-ReadRequest(Connection *aConn)
-{
-  int32_t bytesRead = PR_Recv(aConn->mSocket, &aConn->mByte, 1, 0,
-                              PR_INTERVAL_NO_TIMEOUT);
-  if (bytesRead < 1) {
-    PrintPRError("PR_Recv failed");
-    return NS_ERROR_FAILURE;
-  } else {
-    if (gDebugLevel >= DEBUG_VERBOSE) {
-      fprintf(stderr, "read '0x%hhx'\n", aConn->mByte);
-    }
-  }
-  return NS_OK;
-}
-
-void
-HandleConnection(PRFileDesc *aSocket, PRFileDesc *aModelSocket)
-{
-  Connection conn(aSocket);
-  nsresult rv = SetupTLS(&conn, aModelSocket);
-  if (NS_SUCCEEDED(rv)) {
-    rv = ReadRequest(&conn);
-  }
-  if (NS_SUCCEEDED(rv)) {
-    rv = ReplyToRequest(&conn);
-  }
-}
-
-void
-DoCallback()
-{
-  ScopedPRFileDesc socket(PR_NewTCPSocket());
-  if (!socket) {
-    PrintPRError("PR_NewTCPSocket failed");
-    return;
-  }
-
-  PRNetAddr addr;
-  PR_InitializeNetAddr(PR_IpAddrLoopback, gCallbackPort, &addr);
-  if (PR_Connect(socket, &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
-    PrintPRError("PR_Connect failed");
-    return;
-  }
-
-  const char *request = "GET / HTTP/1.0\r\n\r\n";
-  SendAll(socket, request, strlen(request));
-  char buf[4096];
-  memset(buf, 0, sizeof(buf));
-  int32_t bytesRead = PR_Recv(socket, buf, sizeof(buf) - 1, 0,
-                              PR_INTERVAL_NO_TIMEOUT);
-  if (bytesRead < 1) {
-    PrintPRError("PR_Recv failed");
-    return;
-  }
-  fprintf(stderr, "%s\n", buf);
-  memset(buf, 0, sizeof(buf));
-  bytesRead = PR_Recv(socket, buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
-  if (bytesRead < 1) {
-    PrintPRError("PR_Recv failed");
-    return;
-  }
-  fprintf(stderr, "%s\n", buf);
-}
-
-SECItemArray *
-GetOCSPResponseForType(OCSPStapleResponseType aOSRT, CERTCertificate *aCert,
-                       PLArenaPool *aArena)
-{
-  PRTime now = PR_Now();
-  ScopedCERTOCSPCertID id(CERT_CreateOCSPCertID(aCert, now));
-  if (!id) {
-    PrintPRError("CERT_CreateOCSPCertID failed");
-    return nullptr;
-  }
-  PRTime nextUpdate = now + 10 * PR_USEC_PER_SEC;
-  PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
-  PRTime expiredTime = now - oneDay;
-  PRTime oldNow = now - (8 * oneDay);
-  PRTime oldNextUpdate = oldNow + 10 * PR_USEC_PER_SEC;
-  ScopedCERTCertificate othercert(PK11_FindCertFromNickname("good", nullptr));
-  ScopedCERTOCSPCertID otherid(CERT_CreateOCSPCertID(othercert, now));
-  if (!otherid) {
-    PrintPRError("CERT_CreateOCSPCertID failed");
-    return nullptr;
-  }
-  CERTOCSPSingleResponse *sr = nullptr;
-  switch (aOSRT) {
-    case OSRTGood:
-    case OSRTGoodOtherCA:
-      sr = CERT_CreateOCSPSingleResponseGood(aArena, id, now, &nextUpdate);
-      if (!sr) {
-        PrintPRError("CERT_CreateOCSPSingleResponseGood failed");
-        return nullptr;
-      }
-      break;
-    case OSRTRevoked:
-      sr = CERT_CreateOCSPSingleResponseRevoked(aArena, id, now, &nextUpdate,
-                                                expiredTime, nullptr);
-      if (!sr) {
-        PrintPRError("CERT_CreateOCSPSingleResponseRevoked failed");
-        return nullptr;
-      }
-      break;
-    case OSRTUnknown:
-      sr = CERT_CreateOCSPSingleResponseUnknown(aArena, id, now, &nextUpdate);
-      if (!sr) {
-        PrintPRError("CERT_CreateOCSPSingleResponseUnknown failed");
-        return nullptr;
-      }
-      break;
-    case OSRTExpired:
-    case OSRTExpiredFreshCA:
-      sr = CERT_CreateOCSPSingleResponseGood(aArena, id, oldNow, &oldNextUpdate);
-      if (!sr) {
-        PrintPRError("CERT_CreateOCSPSingleResponseGood failed");
-        return nullptr;
-      }
-      break;
-    case OSRTGoodOtherCert:
-      sr = CERT_CreateOCSPSingleResponseGood(aArena, otherid, now, &nextUpdate);
-      if (!sr) {
-        PrintPRError("CERT_CreateOCSPSingleResponseGood failed");
-        return nullptr;
-      }
-      break;
-    case OSRTNone:
-    case OSRTMalformed:
-    case OSRTSrverr:
-    case OSRTTryLater:
-    case OSRTNeedsSig:
-    case OSRTUnauthorized:
-      break;
-    default:
-      if (gDebugLevel >= DEBUG_ERRORS) {
-        fprintf(stderr, "bad ocsp response type: %d\n", aOSRT);
-      }
-      break;
-  }
-  ScopedCERTCertificate ca;
-  if (aOSRT == OSRTGoodOtherCA) {
-    ca = PK11_FindCertFromNickname("otherCA", nullptr);
-    if (!ca) {
-      PrintPRError("PK11_FindCertFromNickname failed");
-      return nullptr;
-    }
-  } else {
-    // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
-    ca = CERT_FindCertIssuer(aCert, now, certUsageSSLCA);
-    if (!ca) {
-      PrintPRError("CERT_FindCertIssuer failed");
-      return nullptr;
-    }
-  }
-
-  PRTime signTime = now;
-  if (aOSRT == OSRTExpired) {
-    signTime = oldNow;
-  }
-
-  CERTOCSPSingleResponse **responses;
-  SECItem *response = nullptr;
-  switch (aOSRT) {
-    case OSRTMalformed:
-      response = CERT_CreateEncodedOCSPErrorResponse(
-        aArena, SEC_ERROR_OCSP_MALFORMED_REQUEST);
-      if (!response) {
-        PrintPRError("CERT_CreateEncodedOCSPErrorResponse failed");
-        return nullptr;
-      }
-      break;
-    case OSRTSrverr:
-      response = CERT_CreateEncodedOCSPErrorResponse(
-        aArena, SEC_ERROR_OCSP_SERVER_ERROR);
-      if (!response) {
-        PrintPRError("CERT_CreateEncodedOCSPErrorResponse failed");
-        return nullptr;
-      }
-      break;
-    case OSRTTryLater:
-      response = CERT_CreateEncodedOCSPErrorResponse(
-        aArena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
-      if (!response) {
-        PrintPRError("CERT_CreateEncodedOCSPErrorResponse failed");
-        return nullptr;
-      }
-      break;
-    case OSRTNeedsSig:
-      response = CERT_CreateEncodedOCSPErrorResponse(
-        aArena, SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
-      if (!response) {
-        PrintPRError("CERT_CreateEncodedOCSPErrorResponse failed");
-        return nullptr;
-      }
-      break;
-    case OSRTUnauthorized:
-      response = CERT_CreateEncodedOCSPErrorResponse(
-        aArena, SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
-      if (!response) {
-        PrintPRError("CERT_CreateEncodedOCSPErrorResponse failed");
-        return nullptr;
-      }
-      break;
-    case OSRTNone:
-      break;
-    default:
-      // responses is contained in aArena and will be freed when aArena is
-      responses = PORT_ArenaNewArray(aArena, CERTOCSPSingleResponse *, 2);
-      if (!responses) {
-        PrintPRError("PORT_ArenaNewArray failed");
-        return nullptr;
-      }
-      responses[0] = sr;
-      responses[1] = nullptr;
-      response = CERT_CreateEncodedOCSPSuccessResponse(
-        aArena, ca, ocspResponderID_byName, signTime, responses, nullptr);
-      if (!response) {
-        PrintPRError("CERT_CreateEncodedOCSPSuccessResponse failed");
-        return nullptr;
-      }
-      break;
-  }
-
-  SECItemArray *arr = SECITEM_AllocArray(aArena, nullptr, 1);
-  arr->items[0].data = response ? response->data : nullptr;
-  arr->items[0].len = response ? response->len : 0;
-
-  return arr;
-}
-
-int32_t
-DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
-                  uint32_t aSrvNameArrSize, void *aArg)
-{
-  const OCSPHost *host = nullptr;
-  for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
-    host = GetOcspHost((const char *)aSrvNameArr[i].data);
-    if (host) {
-      break;
-    }
-  }
-
-  if (!host) {
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  if (gDebugLevel >= DEBUG_VERBOSE) {
-    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
-  }
-
-  ScopedCERTCertificate cert(PK11_FindCertFromNickname(host->mCertName, nullptr));
-  if (!cert) {
-    PrintPRError("PK11_FindCertFromNickname failed");
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  ScopedSECKEYPrivateKey key(PK11_FindKeyByAnyCert(cert, nullptr));
-  if (!key) {
-    PrintPRError("PK11_FindKeyByAnyCert failed");
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  SSLKEAType certKEA = NSS_FindCertKEAType(cert);
-
-  if (SSL_ConfigSecureServer(aFd, cert, key, certKEA) != SECSuccess) {
-    PrintPRError("SSL_ConfigSecureServer failed");
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  PLArenaPool arena;
-  PL_InitArenaPool(&arena, "OCSP response", 1024, 0);
-  // response is contained by the arena - finishing the arena will free it
-  SECItemArray *response = GetOCSPResponseForType(host->mOSRT, cert, &arena);
-  if (!response) {
-    PL_FinishArenaPool(&arena);
-    return SSL_SNI_SEND_ALERT;
-  }
-  // SSL_SetStapledOCSPResponses makes a deep copy of response
-  SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA);
-  PL_FinishArenaPool(&arena);
-  if (st != SECSuccess) {
-    PrintPRError("SSL_SetStapledOCSPResponses failed");
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  return 0;
-}
-
-void
-StartServer()
-{
-  ScopedPRFileDesc serverSocket(PR_NewTCPSocket());
-  if (!serverSocket) {
-    PrintPRError("PR_NewTCPSocket failed");
-    return;
-  }
-
-  PRSocketOptionData socketOption;
-  socketOption.option = PR_SockOpt_Reuseaddr;
-  socketOption.value.reuse_addr = true;
-  PR_SetSocketOption(serverSocket, &socketOption);
-
-  PRNetAddr serverAddr;
-  PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr);
-  if (PR_Bind(serverSocket, &serverAddr) != PR_SUCCESS) {
-    PrintPRError("PR_Bind failed");
-    return;
-  }
-
-  if (PR_Listen(serverSocket, 1) != PR_SUCCESS) {
-    PrintPRError("PR_Listen failed");
-    return;
-  }
-
-  ScopedPRFileDesc rawModelSocket(PR_NewTCPSocket());
-  if (!rawModelSocket) {
-    PrintPRError("PR_NewTCPSocket failed for rawModelSocket");
-    return;
-  }
-
-  ScopedPRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.forget()));
-  if (!modelSocket) {
-    PrintPRError("SSL_ImportFD of rawModelSocket failed");
-    return;
-  }
-
-  if (SECSuccess != SSL_SNISocketConfigHook(modelSocket, DoSNISocketConfig,
-                                            nullptr)) {
-    PrintPRError("SSL_SNISocketConfigHook failed");
-    return;
-  }
-
-  // We have to configure the server with a certificate, but it's not one
-  // we're actually going to end up using. In the SNI callback, we pick
-  // the right certificate for the connection.
-  ScopedCERTCertificate cert(PK11_FindCertFromNickname("localhost", nullptr));
-  if (!cert) {
-    PrintPRError("PK11_FindCertFromNickname failed");
-    return;
-  }
-
-  ScopedSECKEYPrivateKey key(PK11_FindKeyByAnyCert(cert, nullptr));
-  if (!key) {
-    PrintPRError("PK11_FindKeyByAnyCert failed");
-    return;
-  }
-
-  SSLKEAType certKEA = NSS_FindCertKEAType(cert);
-
-  if (SSL_ConfigSecureServer(modelSocket, cert, key, certKEA) != SECSuccess) {
-    PrintPRError("SSL_ConfigSecureServer failed");
-    return;
-  }
-
-  if (gCallbackPort != 0) {
-    DoCallback();
-  }
-
-  while (true) {
-    PRNetAddr clientAddr;
-    PRFileDesc *clientSocket = PR_Accept(serverSocket, &clientAddr,
-                                         PR_INTERVAL_NO_TIMEOUT);
-    HandleConnection(clientSocket, modelSocket);
-  }
-}
-
-int
-main(int argc, char *argv[])
-{
-  const char *debugLevel = PR_GetEnv("OCSP_SERVER_DEBUG_LEVEL");
-  if (debugLevel) {
-    gDebugLevel = atoi(debugLevel);
-  }
-
-  const char *callbackPort = PR_GetEnv("OCSP_SERVER_CALLBACK_PORT");
-  if (callbackPort) {
-    gCallbackPort = atoi(callbackPort);
-  }
-
-  if (argc != 2) {
-    fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]);
-    return 1;
-  }
-
-  if (NSS_Init(argv[1]) != SECSuccess) {
-    PrintPRError("NSS_Init failed");
-    return 1;
-  }
-
-  if (NSS_SetDomesticPolicy() != SECSuccess) {
-    PrintPRError("NSS_SetDomesticPolicy failed");
-    return 1;
-  }
-
-  if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) {
-    PrintPRError("SSL_ConfigServerSessionIDCache failed");
-    return 1;
-  }
-
-  StartServer();
-
-  return 0;
-}
deleted file mode 100644
index 09aaa7a0108eea4ec6ad5c68f73f988379b9afa5..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100755
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling/gen_ocsp_certs.sh
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/bin/bash
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# Usage: ./gen_ocsp_certs.sh <path to objdir> <output directory>
-# e.g. (from the root of mozilla-central)
-# `./security/manager/ssl/tests/unit/test_ocsp_stapling/gen_ocsp_certs.sh \
-#  obj-x86_64-unknown-linux-gnu/ \
-#  security/manager/ssl/tests/unit/test_ocsp_stapling/`
-#
-# NB: This will cause the following files to be overwritten if they are in
-# the output directory:
-#  cert8.db, key3.db, secmod.db, ocsp-ca.der, ocsp-other-ca.der
-
-if [ $# -ne 2 ]; then
-  echo "Usage: `basename ${0}` <path to objdir> <output directory>"
-  exit $E_BADARGS
-fi
-
-OBJDIR=${1}
-OUTPUT_DIR=${2}
-RUN_MOZILLA="$OBJDIR/dist/bin/run-mozilla.sh"
-CERTUTIL="$OBJDIR/dist/bin/certutil"
-
-function check_retval {
-  retval=$?
-  if [ "$retval" -ne 0 ]; then
-    echo "failed..."
-    exit "$retval"
-  fi
-}
-
-NOISE_FILE=`mktemp`
-echo "running \"dd if=/dev/urandom of="$NOISE_FILE" bs=1024 count=8\""
-dd if=/dev/urandom of="$NOISE_FILE" bs=1024 count=1
-check_retval
-PASSWORD_FILE=`mktemp`
-
-function cleanup {
-  rm -f "$NOISE_FILE" "$PASSWORD_FILE"
-}
-
-if [ ! -f "$RUN_MOZILLA" ]; then
-  echo "Could not find run-mozilla.sh at \'$RUN_MOZILLA\'"
-  exit $E_BADARGS
-fi
-
-if [ ! -f "$CERTUTIL" ]; then
-  echo "Could not find certutil at \'$CERTUTIL\'"
-  exit $E_BADARGS
-fi
-
-if [ ! -d "$OUTPUT_DIR" ]; then
-  echo "Could not find output directory at \'$OUTPUT_DIR\'"
-  exit $E_BADARGS
-fi
-
-if [ -f "$OUTPUT_DIR/cert8.db" -o -f "$OUTPUT_DIR/key3.db" -o -f "$OUTPUT_DIR/secmod.db" ]; then
-  echo "Found pre-existing NSS DBs. Clobbering old OCSP certs."
-  rm -f "$OUTPUT_DIR/cert8.db" "$OUTPUT_DIR/key3.db" "$OUTPUT_DIR/secmod.db"
-fi
-echo "running \"$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -N -f $PASSWORD_FILE\""
-$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -N -f $PASSWORD_FILE
-check_retval
-
-COMMON_ARGS="-v 360 -w -1 -2 -z $NOISE_FILE"
-
-function make_CA {
-  CA_RESPONSES="y\n0\ny"
-  NICKNAME="${1}"
-  SUBJECT="${2}"
-  DERFILE="${3}"
-
-  check_retval
-  echo "running 'echo -e \"$CA_RESPONSES\" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S -n $NICKNAME -s \"$SUBJECT\" -t CTu,u,u -x $COMMON_ARGS'"
-  echo -e "$CA_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S -n $NICKNAME -s "$SUBJECT" -t CTu,u,u -x $COMMON_ARGS
-  check_retval
-  echo "running \"$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n $NICKNAME -r > $OUTPUT_DIR/$DERFILE\""
-  $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n $NICKNAME -r > $OUTPUT_DIR/$DERFILE
-  check_retval
-}
-
-SERIALNO=1
-
-function make_cert {
-  CERT_RESPONSES="n\n\ny"
-  NICKNAME="${1}"
-  SUBJECT="${2}"
-  CA="${3}"
-
-  echo "running 'echo -e \"$CERT_RESPONSES\" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S -s \"$SUBJECT\" -n $NICKNAME -c $CA -t Pu,u,u -m $SERIALNO $COMMON_ARGS'"
-  echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S -s "$SUBJECT" -n $NICKNAME -c $CA -t Pu,u,u -m $SERIALNO $COMMON_ARGS
-  check_retval
-  SERIALNO=$(($SERIALNO + 1))
-}
-
-make_CA ocspTestCA 'CN=OCSP stapling test CA' ocsp-ca.der
-make_CA otherCA 'CN=OCSP other test CA' ocsp-other-ca.der
-
-make_cert localhost 'CN=localhost' ocspTestCA
-make_cert good 'CN=ocsp-stapling-good.example.com' ocspTestCA
-make_cert revoked 'CN=ocsp-stapling-revoked.example.com' ocspTestCA
-make_cert unknown 'CN=ocsp-stapling-unknown.example.com' ocspTestCA
-make_cert good-other 'CN=ocsp-stapling-good-other.example.com' ocspTestCA
-make_cert good-otherCA 'CN=ocsp-stapling-good-other-ca.example.com' ocspTestCA
-make_cert expired 'CN=ocsp-stapling-expired.example.com' ocspTestCA
-make_cert expired-freshCA 'CN=ocsp-stapling-expired-fresh-ca.example.com' ocspTestCA
-make_cert none 'CN=ocsp-stapling-none.example.com' ocspTestCA
-make_cert malformed 'CN=ocsp-stapling-malformed.example.com' ocspTestCA
-make_cert srverr 'CN=ocsp-stapling-srverr.example.com' ocspTestCA
-make_cert trylater 'CN=ocsp-stapling-trylater.example.com' ocspTestCA
-make_cert needssig 'CN=ocsp-stapling-needssig.example.com' ocspTestCA
-make_cert unauthorized 'CN=ocsp-stapling-unauthorized.example.com' ocspTestCA
-
-cleanup
deleted file mode 100644
index 5d18ce891ac171969cfac81796ad08563ee01c43..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling/moz.build
+++ /dev/null
@@ -1,8 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-MODULE = 'pipnss'
-
deleted file mode 100644
index d609d41573fe3fe7a2bdf5f038e3edb20f58c857..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 952dabd494534a972706e88b5042414a5578cc39..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 6bad1714783fb78303e5908e9b552a172810f69c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -11,9 +11,8 @@ skip-if = os == "android"
 [test_hash_algorithms.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_hmac.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
-[test_ocsp_stapling.js]
--- a/testing/mochitest/Makefile.in
+++ b/testing/mochitest/Makefile.in
@@ -120,17 +120,16 @@ libs:: $(_SERV_FILES)
 
 # Binaries and scripts that don't get packaged with the build,
 # but that we need for the test harness
 TEST_HARNESS_BINS := \
   xpcshell$(BIN_SUFFIX) \
   ssltunnel$(BIN_SUFFIX) \
   certutil$(BIN_SUFFIX) \
   pk12util$(BIN_SUFFIX) \
-  OCSPStaplingServer$(BIN_SUFFIX) \
   fix_stack_using_bpsyms.py \
   $(NULL)
 
 ifeq ($(OS_ARCH),WINNT)
 TEST_HARNESS_BINS += \
   crashinject$(BIN_SUFFIX) \
   crashinjectdll$(DLL_SUFFIX) \
   vmwarerecordinghelper$(DLL_SUFFIX) \
--- a/testing/mozbase/mozcrash/mozcrash/mozcrash.py
+++ b/testing/mozbase/mozcrash/mozcrash/mozcrash.py
@@ -16,17 +16,18 @@ import urllib2
 import zipfile
 
 from mozfile import extract_zip
 from mozfile import is_url
 
 def check_for_crashes(dump_directory, symbols_path,
                       stackwalk_binary=None,
                       dump_save_path=None,
-                      test_name=None):
+                      test_name=None,
+                      quiet=False):
     """
     Print a stack trace for minidump files left behind by a crashing program.
 
     `dump_directory` will be searched for minidump files. Any minidump files found will
     have `stackwalk_binary` executed on them, with `symbols_path` passed as an extra
     argument.
 
     `stackwalk_binary` should be a path to the minidump_stackwalk binary.
@@ -39,16 +40,19 @@ def check_for_crashes(dump_directory, sy
 
     If `dump_save_path` is set, it should be a path to a directory in which to copy minidump
     files for safekeeping after a stack trace has been printed. If not set, the environment
     variable MINIDUMP_SAVE_PATH will be checked and its value used if it is not empty.
 
     If `test_name` is set it will be used as the test name in log output. If not set the
     filename of the calling function will be used.
 
+    If `quiet` is set, no PROCESS-CRASH message will be printed to stdout if a
+    crash is detected.
+
     Returns True if any minidumps were found, False otherwise.
     """
     dumps = glob.glob(os.path.join(dump_directory, '*.dmp'))
     if not dumps:
         return False
 
     if stackwalk_binary is None:
         stackwalk_binary = os.environ.get('MINIDUMP_STACKWALK', None)
@@ -115,18 +119,19 @@ def check_for_crashes(dump_directory, sy
                 if not symbols_path:
                     stackwalk_output.append("No symbols path given, can't process dump.")
                 if not stackwalk_binary:
                     stackwalk_output.append("MINIDUMP_STACKWALK not set, can't process dump.")
                 elif stackwalk_binary and not os.path.exists(stackwalk_binary):
                     stackwalk_output.append("MINIDUMP_STACKWALK binary not found: %s" % stackwalk_binary)
             if not top_frame:
                 top_frame = "Unknown top frame"
-            print "PROCESS-CRASH | %s | application crashed [%s]" % (test_name, top_frame)
-            print '\n'.join(stackwalk_output)
+            if not quiet:
+                print "PROCESS-CRASH | %s | application crashed [%s]" % (test_name, top_frame)
+                print '\n'.join(stackwalk_output)
             if dump_save_path is None:
                 dump_save_path = os.environ.get('MINIDUMP_SAVE_PATH', None)
             if dump_save_path:
                 # This code did not previously create the directory,
                 # so there may be a file hanging out with its name.
                 if os.path.isfile(dump_save_path):
                     os.unlink(dump_save_path)
                 if not os.path.isdir(dump_save_path):
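Review bot: The new `if not quiet:` guard covers `print '\n'.join(stackwalk_output)` as well as the PROCESS-CRASH line, so `quiet=True` also drops the diagnostics appended just above it ("No symbols path given, can't process dump.", "MINIDUMP_STACKWALK binary not found: ..."). The docstring added in the previous hunk only promises that the PROCESS-CRASH message is not printed. I would reword it to match the code: `If quiet is set, neither the PROCESS-CRASH line nor the stackwalk output is printed to stdout; the return value is then the only indication that a crash was found.` Callers passing `quiet=True` must then act on the return value, because anything that scans logs for PROCESS-CRASH will presumably see nothing. The body of check_for_crashes starts and ends outside this hunk.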
--- a/testing/mozbase/mozcrash/tests/test.py
+++ b/testing/mozbase/mozcrash/tests/test.py
@@ -50,93 +50,100 @@ class TestCrash(unittest.TestCase):
 
     def test_nodumps(self):
         """
         Test that check_for_crashes returns False if no dumps are present.
         """
         self.stdouts.append(["this is some output"])
         self.assertFalse(mozcrash.check_for_crashes(self.tempdir,
                                                     'symbols_path',
-                                                    stackwalk_binary=self.stackwalk))
+                                                    stackwalk_binary=self.stackwalk,
+                                                    quiet=True))
 
     def test_simple(self):
         """
         Test that check_for_crashes returns True if a dump is present.
         """
         open(os.path.join(self.tempdir, "test.dmp"), "w").write("foo")
         self.stdouts.append(["this is some output"])
         self.assert_(mozcrash.check_for_crashes(self.tempdir,
                                                 'symbols_path',
-                                                stackwalk_binary=self.stackwalk))
+                                                stackwalk_binary=self.stackwalk,
+                                                quiet=True))
 
     def test_stackwalk_envvar(self):
         """
         Test that check_for_crashes uses the MINIDUMP_STACKWALK environment var.
         """
         open(os.path.join(self.tempdir, "test.dmp"), "w").write("foo")
         self.stdouts.append(["this is some output"])
         os.environ['MINIDUMP_STACKWALK'] = self.stackwalk
         self.assert_(mozcrash.check_for_crashes(self.tempdir,
-                                                'symbols_path'))
+                                                'symbols_path',
+                                                quiet=True))
         del os.environ['MINIDUMP_STACKWALK']
 
     def test_save_path(self):
         """
         Test that dump_save_path works.
         """
         open(os.path.join(self.tempdir, "test.dmp"), "w").write("foo")
         save_path = os.path.join(self.tempdir, "saved")
         os.mkdir(save_path)
         self.stdouts.append(["this is some output"])
         self.assert_(mozcrash.check_for_crashes(self.tempdir,
                                                 'symbols_path',
                                                 stackwalk_binary=self.stackwalk,
-                                                dump_save_path=save_path))
+                                                dump_save_path=save_path,
+                                                quiet=True))
         self.assert_(os.path.isfile(os.path.join(save_path, "test.dmp")))
 
     def test_save_path_not_present(self):
         """
         Test that dump_save_path works when the directory doesn't exist.
         """
         open(os.path.join(self.tempdir, "test.dmp"), "w").write("foo")
         save_path = os.path.join(self.tempdir, "saved")
         self.stdouts.append(["this is some output"])
         self.assert_(mozcrash.check_for_crashes(self.tempdir,
                                                 'symbols_path',
                                                 stackwalk_binary=self.stackwalk,
-                                                dump_save_path=save_path))
+                                                dump_save_path=save_path,
+                                                quiet=True))
         self.assert_(os.path.isfile(os.path.join(save_path, "test.dmp")))
 
     def test_save_path_isfile(self):
         """
         Test that dump_save_path works when the directory doesn't exist,
         but a file with the same name exists.
         """
         open(os.path.join(self.tempdir, "test.dmp"), "w").write("foo")
         save_path = os.path.join(self.tempdir, "saved")
         open(save_path, "w").write("junk")
         self.stdouts.append(["this is some output"])
         self.assert_(mozcrash.check_for_crashes(self.tempdir,
                                                 'symbols_path',
                                                 stackwalk_binary=self.stackwalk,
-                                                dump_save_path=save_path))
+                                                dump_save_path=save_path,
+                                                quiet=True))
         self.assert_(os.path.isfile(os.path.join(save_path, "test.dmp")))
 
     def test_save_path_envvar(self):
         """
         Test that the MINDUMP_SAVE_PATH environment variable works.
         """
         open(os.path.join(self.tempdir, "test.dmp"), "w").write("foo")
         save_path = os.path.join(self.tempdir, "saved")
         os.mkdir(save_path)
         self.stdouts.append(["this is some output"])
         os.environ['MINIDUMP_SAVE_PATH'] = save_path
         self.assert_(mozcrash.check_for_crashes(self.tempdir,
                                                 'symbols_path',
-                                                stackwalk_binary=self.stackwalk))
+                                                stackwalk_binary=self.stackwalk,
+                                                quiet=True))
         del os.environ['MINIDUMP_SAVE_PATH']
         self.assert_(os.path.isfile(os.path.join(save_path, "test.dmp")))
 
     def test_symbol_path_url(self):
         """
         Test that passing a URL as symbols_path correctly fetches the URL.
         """
         open(os.path.join(self.tempdir, "test.dmp"), "w").write("foo")
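Review bot: Every `check_for_crashes` call in this hunk, and the one in the following hunk, now passes `quiet=True`, so no test exercises the default `quiet=False` path and none checks that `quiet=True` actually suppresses output. A regression that stops printing PROCESS-CRASH by default would go unnoticed here, and that line is the crash signal the function exists to emit. I would keep at least one case at the default and assert on captured stdout, e.g. `self.assert_("PROCESS-CRASH" in captured.getvalue())`, with the negated assertion for a `quiet=True` call. How stdout is best captured depends on the class's setUp, which lies outside this hunk.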
@@ -153,12 +160,13 @@ class TestCrash(unittest.TestCase):
             return (200, headers, make_zipfile())
         httpd = mozhttpd.MozHttpd(port=0,
                                   urlhandlers=[{'method':'GET', 'path':'/symbols', 'function':get_symbols}])
         httpd.start()
         symbol_url = urlparse.urlunsplit(('http', '%s:%d' % httpd.httpd.server_address,
                                         '/symbols','',''))
         self.assert_(mozcrash.check_for_crashes(self.tempdir,
                                                 symbol_url,
-                                                stackwalk_binary=self.stackwalk))
+                                                stackwalk_binary=self.stackwalk,
+                                                quiet=True))
 
 if __name__ == '__main__':
     unittest.main()
--- a/toolkit/mozapps/installer/packager.mk
+++ b/toolkit/mozapps/installer/packager.mk
@@ -502,17 +502,16 @@ NO_PKG_FILES += \
 	nm2tsv* \
 	nsinstall* \
 	res/samples \
 	res/throbber \
 	shlibsign* \
 	ssltunnel* \
 	certutil* \
 	pk12util* \
-	OCSPStaplingServer* \
 	winEmbed.exe \
 	chrome/chrome.rdf \
 	chrome/app-chrome.manifest \
 	chrome/overlayinfo \
 	components/compreg.dat \
 	components/xpti.dat \
 	content_unit_tests \
 	necko_unit_tests \