bug 1531958 - make http2 test certificates more consistent with existing test certificate infrastructure r=dragana
authorDana Keeler <dkeeler@mozilla.com>
Mon, 04 Mar 2019 15:42:07 +0000
changeset 520130 f2f2c1e2c322709f8f956e3c9ab0306c8ef5728c
parent 520129 cc4b2dbdfd83244f10bbdc8bdf588edaea618663
child 520131 8df68de5179601ea70ad1b2d73c1ec282927adc8
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
reviewersdragana
bugs1531958
milestone67.0a1
bug 1531958 - make http2 test certificates more consistent with existing test certificate infrastructure r=dragana This patch uses the existing xpcshell test certificate infrastructure (pycert/pykey) to manage the http2 test certificates (and gets rid of some uses of nsIBadCertListener2 as a bonus). Differential Revision: https://phabricator.services.mozilla.com/D21814
dom/push/test/xpcshell/head-http2.js
dom/push/test/xpcshell/test_notification_http2.js
dom/push/test/xpcshell/test_register_error_http2.js
dom/push/test/xpcshell/test_register_success_http2.js
dom/push/test/xpcshell/test_unregister_success_http2.js
netwerk/test/moz.build
netwerk/test/unit/CA.cert.der
netwerk/test/unit/head_channels.js
netwerk/test/unit/http2-ca.pem
netwerk/test/unit/http2-ca.pem.certspec
netwerk/test/unit/moz.build
netwerk/test/unit/test_altsvc.js
netwerk/test/unit/test_anonymous-coalescing.js
netwerk/test/unit/test_esni_dns_fetch.js
netwerk/test/unit/test_header_Server_Timing.js
netwerk/test/unit/test_http2.js
netwerk/test/unit/test_immutable.js
netwerk/test/unit/test_origin.js
netwerk/test/unit/test_trr.js
netwerk/test/unit/xpcshell.ini
testing/xpcshell/moz-http2/http2-cert.key
testing/xpcshell/moz-http2/http2-cert.key.keyspec
testing/xpcshell/moz-http2/http2-cert.pem
testing/xpcshell/moz-http2/http2-cert.pem.certspec
testing/xpcshell/moz-http2/http2-key.pem
testing/xpcshell/moz-http2/moz-http2.js
testing/xpcshell/moz-http2/moz.build
testing/xpcshell/moz.build
--- a/dom/push/test/xpcshell/head-http2.js
+++ b/dom/push/test/xpcshell/head-http2.js
@@ -1,61 +1,37 @@
+const {NetUtil} = ChromeUtils.import("resource://gre/modules/NetUtil.jsm");
+
 // Returns the test H/2 server port, throwing if it's missing or invalid.
 function getTestServerPort() {
   let portEnv = Cc["@mozilla.org/process/environment;1"]
                   .getService(Ci.nsIEnvironment).get("MOZHTTP2_PORT");
   let port = parseInt(portEnv, 10);
   if (!Number.isFinite(port) || port < 1 || port > 65535) {
     throw new Error(`Invalid port in MOZHTTP2_PORT env var: ${portEnv}`);
   }
   info(`Using HTTP/2 server on port ${port}`);
   return port;
 }
 
-// Support for making sure we can talk to the invalid cert the server presents
-var CertOverrideListener = function(host, port, bits) {
-  this.host = host;
-  this.port = port || 443;
-  this.bits = bits;
-};
-
-CertOverrideListener.prototype = {
-  host: null,
-  bits: null,
-
-  getInterface: function(aIID) {
-    return this.QueryInterface(aIID);
-  },
-
-  QueryInterface: function(aIID) {
-    if (aIID.equals(Ci.nsIBadCertListener2) ||
-        aIID.equals(Ci.nsIInterfaceRequestor) ||
-        aIID.equals(Ci.nsISupports))
-      return this;
-    throw Cr.NS_ERROR_NO_INTERFACE;
-  },
+function readFile(file) {
+  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
+                  .createInstance(Ci.nsIFileInputStream);
+  fstream.init(file, -1, 0, 0);
+  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
+  fstream.close();
+  return data;
+}
 
-  notifyCertProblem: function(socketInfo, secInfo, targetHost) {
-    var cert = secInfo.serverCert;
-    var cos = Cc["@mozilla.org/security/certoverride;1"].
-              getService(Ci.nsICertOverrideService);
-    cos.rememberValidityOverride(this.host, this.port, cert, this.bits, false);
-    dump("Certificate Override in place\n");
-    return true;
-  },
-};
+function addCertFromFile(certdb, filename, trustString) {
+  let certFile = do_get_file(filename, false);
+  let pem = readFile(certFile)
+              .replace(/-----BEGIN CERTIFICATE-----/, "")
+              .replace(/-----END CERTIFICATE-----/, "")
+              .replace(/[\r\n]/g, "");
+  certdb.addCertFromBase64(pem, trustString);
+}
 
-function addCertOverride(host, port, bits) {
-  var req = new XMLHttpRequest();
-  try {
-    var url;
-    if (port && (port > 0) && (port !== 443)) {
-      url = "https://" + host + ":" + port + "/";
-    } else {
-      url = "https://" + host + "/";
-    }
-    req.open("GET", url, false);
-    req.channel.notificationCallbacks = new CertOverrideListener(host, port, bits);
-    req.send(null);
-  } catch (e) {
-    // This will fail since the server is not trusted yet
-  }
+function trustHttp2CA() {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                  .getService(Ci.nsIX509CertDB);
+  addCertFromFile(certdb, "../../../../netwerk/test/unit/http2-ca.pem", "CTu,u,u");
 }
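Review bot: `trustHttp2CA()` carries no comment on how its effect differs from the `addCertOverride` it replaces: the override was recorded for one host and port, while this adds `http2-ca.pem` to the certificate database with trust string `"CTu,u,u"`, so the server certificate now has to chain to that CA and, presumably, pass the name and validity checks the override used to waive. I would put `// Trust the HTTP/2 test CA as an issuer in the test's cert DB; the server cert must be valid for the host each test connects to.` above the function. The `../../../../netwerk/test/unit/http2-ca.pem` path also couples this head file to the netwerk test directory, and the commit's file list shows no dom/push manifest change, so it is worth confirming the file is reachable wherever these tests are run.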
--- a/dom/push/test/xpcshell/test_notification_http2.js
+++ b/dom/push/test/xpcshell/test_notification_http2.js
@@ -19,20 +19,17 @@ function run_test() {
   prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
 
   // Set to allow the cert presented by our H2 server
   var oldPref = prefs.getIntPref("network.http.speculative-parallel-limit");
   prefs.setIntPref("network.http.speculative-parallel-limit", 0);
   prefs.setBoolPref("dom.push.enabled", true);
   prefs.setBoolPref("dom.push.connection.enabled", true);
 
-  addCertOverride("localhost", serverPort,
-                  Ci.nsICertOverrideService.ERROR_UNTRUSTED |
-                  Ci.nsICertOverrideService.ERROR_MISMATCH |
-                  Ci.nsICertOverrideService.ERROR_TIME);
+  trustHttp2CA();
 
   prefs.setIntPref("network.http.speculative-parallel-limit", oldPref);
 
   run_next_test();
 }
 
 add_task(async function test_pushNotifications() {
 
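Review bot: The save, zero and restore of `network.http.speculative-parallel-limit` around the new `trustHttp2CA()` call looks like dead code now: the removed `addCertOverride` opened a connection to the server, but `trustHttp2CA()` only writes to the certificate database, and the pref is restored immediately after it. I would drop the pref lines, or at least replace the stale comment with `// Trust the CA that issued the H2 server's certificate`. The same pattern remains in test_register_error_http2.js (where the `test_TLS` task now does nothing else), test_register_success_http2.js and test_unregister_success_http2.js. `run_test` starts outside the hunk.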
--- a/dom/push/test/xpcshell/test_register_error_http2.js
+++ b/dom/push/test/xpcshell/test_register_error_http2.js
@@ -49,20 +49,17 @@ add_task(async function test_pushSubscri
   PushService.uninit();
 });
 
 add_task(async function test_TLS() {
     // Set to allow the cert presented by our H2 server
   var oldPref = prefs.getIntPref("network.http.speculative-parallel-limit");
   prefs.setIntPref("network.http.speculative-parallel-limit", 0);
 
-  addCertOverride("localhost", serverPort,
-                  Ci.nsICertOverrideService.ERROR_UNTRUSTED |
-                  Ci.nsICertOverrideService.ERROR_MISMATCH |
-                  Ci.nsICertOverrideService.ERROR_TIME);
+  trustHttp2CA();
 
   prefs.setIntPref("network.http.speculative-parallel-limit", oldPref);
 });
 
 add_task(async function test_pushSubscriptionMissingLocation() {
 
   let db = PushServiceHttp2.newPushDB();
   registerCleanupFunction(() => {
--- a/dom/push/test/xpcshell/test_register_success_http2.js
+++ b/dom/push/test/xpcshell/test_register_success_http2.js
@@ -22,20 +22,17 @@ function run_test() {
   pushConnectionEnabled = prefs.getBoolPref("dom.push.connection.enabled");
 
   // Set to allow the cert presented by our H2 server
   var oldPref = prefs.getIntPref("network.http.speculative-parallel-limit");
   prefs.setIntPref("network.http.speculative-parallel-limit", 0);
   prefs.setBoolPref("dom.push.enabled", true);
   prefs.setBoolPref("dom.push.connection.enabled", true);
 
-  addCertOverride("localhost", serverPort,
-                  Ci.nsICertOverrideService.ERROR_UNTRUSTED |
-                  Ci.nsICertOverrideService.ERROR_MISMATCH |
-                  Ci.nsICertOverrideService.ERROR_TIME);
+  trustHttp2CA();
 
   prefs.setIntPref("network.http.speculative-parallel-limit", oldPref);
 
   serverURL = "https://localhost:" + serverPort;
 
   run_next_test();
 }
 
--- a/dom/push/test/xpcshell/test_unregister_success_http2.js
+++ b/dom/push/test/xpcshell/test_unregister_success_http2.js
@@ -21,20 +21,17 @@ function run_test() {
   pushConnectionEnabled = prefs.getBoolPref("dom.push.connection.enabled");
 
   // Set to allow the cert presented by our H2 server
   var oldPref = prefs.getIntPref("network.http.speculative-parallel-limit");
   prefs.setIntPref("network.http.speculative-parallel-limit", 0);
   prefs.setBoolPref("dom.push.enabled", true);
   prefs.setBoolPref("dom.push.connection.enabled", true);
 
-  addCertOverride("localhost", serverPort,
-                  Ci.nsICertOverrideService.ERROR_UNTRUSTED |
-                  Ci.nsICertOverrideService.ERROR_MISMATCH |
-                  Ci.nsICertOverrideService.ERROR_TIME);
+  trustHttp2CA();
 
   prefs.setIntPref("network.http.speculative-parallel-limit", oldPref);
 
   run_next_test();
 }
 
 add_task(async function test_pushUnsubscriptionSuccess() {
   let db = PushServiceHttp2.newPushDB();
--- a/netwerk/test/moz.build
+++ b/netwerk/test/moz.build
@@ -1,15 +1,15 @@
 # -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-TEST_DIRS += ['httpserver', 'gtest']
+TEST_DIRS += ['httpserver', 'gtest', 'unit']
 
 BROWSER_CHROME_MANIFESTS += ['browser/browser.ini']
 MOCHITEST_MANIFESTS += ['mochitests/mochitest.ini']
 
 XPCSHELL_TESTS_MANIFESTS += [
     'unit/xpcshell.ini',
     'unit_ipc/xpcshell.ini',
 ]
--- a/netwerk/test/unit/head_channels.js
+++ b/netwerk/test/unit/head_channels.js
@@ -232,8 +232,27 @@ function OriginAttributes(appId, inIsola
   this.inIsolatedMozBrowser = inIsolatedMozBrowser;
   this.privateBrowsingId = privateId;
 }
 OriginAttributes.prototype = {
   appId: 0,
   inIsolatedMozBrowser: false,
   privateBrowsingId: 0
 };
+
+function readFile(file) {
+  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
+                  .createInstance(Ci.nsIFileInputStream);
+  fstream.init(file, -1, 0, 0);
+  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
+  fstream.close();
+  return data;
+}
+
+function addCertFromFile(certdb, filename, trustString) {
+  let certFile = do_get_file(filename, false);
+  let pem = readFile(certFile)
+              .replace(/-----BEGIN CERTIFICATE-----/, "")
+              .replace(/-----END CERTIFICATE-----/, "")
+              .replace(/[\r\n]/g, "");
+  certdb.addCertFromBase64(pem, trustString);
+}
+
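Review bot: `readFile` leaks the stream when the read throws, because `fstream.close()` is only reached on success; wrapping the read as `try { return NetUtil.readInputStreamToString(fstream, fstream.available()); } finally { fstream.close(); }` closes it on both paths. `addCertFromFile` also changed contract without a comment: it now expects a single PEM certificate (it strips one BEGIN/END pair and the line breaks, then calls `addCertFromBase64`), where the per-test copies this replaces passed raw DER to `addCert`, so a line such as `// filename must be a PEM file holding exactly one certificate` would help. Both functions are duplicated verbatim in dom/push/test/xpcshell/head-http2.js, and the same remarks apply there.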
rename from netwerk/test/unit/CA.cert.der
rename to netwerk/test/unit/http2-ca.pem
index 67157cabd08d9705a3ec762eba1ace9fb0f75f3f..db6f723d2e7adbfe52fc90a4884fe310639ed945
GIT binary patch
literal 1041
zc$|$>Nz<Z85WVv&=1zPen*xVER6zm7D#|7|kR6ppu*6?KcF(adlM#7&nUN9smY<(*
zL8N2%9|fHPtYHNN=r{O7IT$Ofswg1eYCtdqH4abd%N4h1(p(ZWx&h9^#(FnTe|Zj3
z{flW0DQ;d@7x>7gpbv;1pu~Zp4%iR@LOhI`Fw($=wbSj&`?b#?f}8s2bl~lNz}ry~
zaa8bam{B^AHb=$$A20y_4Yc8Z9j$BBQVw8r<vi(Uob#%WAn-!~1PoOIelJ*H_`c;U
zhgQ>v6Bc5&H{^WIFzhb=F(3iOm2>Zg6C)m@A>v41N`_%(UClvSex^jfb3)d<%vqS^
ztcaH>H4rYRC>xpBkl&w(GEJgXPgdQ*{m7_wZKd9f9oO8u>ppPIIS1mRUGPy#4oh~L
z-VDKqb{nBM6+{4%OLY}{SGJXyrqx&Z9bb~W|BOoiSYYv8D#97kgDZR3r=^FsG||GP
z+4K;UUXc#vTLBbo1IN&}WKPp27OVEw*q{jXPBo2Uab|vJF@;$;rYQD_Iu(PEyQ00B
zudMW#c8nUzD1|%Q#>KQpIOuZQP`={YQrvF4n{=U5?V}6N-QL8zaSN~hoAtdX*VL9<
zaxSPHNCBXCNClqrwZm7k0uf(xfCE7#{bic3XTB_bl~Omg^&eLEe4QwF_If6pYEw#T
zYlmwy(d-;V?W=<}d6+ut$$Qoog%$2&Fdx^1$Y9Hxd2qV+F$ovy>RtkE4G=H%OqHTg
zDh`af3&yHoTLwXi9>U`~c@Ns<<egm_NAT!Xv+&Zb<Ovhf)Oi6|l;bJ9_?d-uak3xF
zfhl|fmy+eySH2!I$lp&0S8C!}*UpATYS=8v;%@nb3H9NS%tp8vU#4E6DpB|fm+b1v
zX0t=G8^zaF66i<QyU!c#ZLso8DWJ!QKO0qC79*AB9cd0>u=aSp^7ojT&$}u0GLG<u
ypLu&8I{9rK7{b!m=hZ96CkSo@XBe+@Ye1TzEa@C;C!>H~_>20JaOA3grT$;9j7tmv
new file mode 100644
--- /dev/null
+++ b/netwerk/test/unit/http2-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer: HTTP2 Test CA
+subject: HTTP2 Test CA
+validity:20170101-20270101
+extension:basicConstraints:cA,
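Review bot: The fixed window `validity:20170101-20270101` becomes a hard expiry for the tests that used to rely on `addCertOverride`, because those calls, removed in this commit, were what waived `ERROR_TIME`; once the date passes, chain validation in these tests will probably start to fail. The accompanying netwerk/test/unit/moz.build keeps `GeneratedTestCertificate('http2-ca.pem')` commented out, so the checked-in certificate is not regenerated by the build. I would note the expiry date and the regeneration step next to the spec or in that moz.build.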
new file mode 100644
--- /dev/null
+++ b/netwerk/test/unit/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Temporarily disabled. See bug 1256495.
+#GeneratedTestCertificate('http2-ca.pem')
--- a/netwerk/test/unit/test_altsvc.js
+++ b/netwerk/test/unit/test_altsvc.js
@@ -37,23 +37,23 @@ function run_test() {
   altsvcpref2 = prefs.getBoolPref("network.http.altsvc.oe", true);
 
   prefs.setBoolPref("network.http.spdy.enabled", true);
   prefs.setBoolPref("network.http.spdy.enabled.http2", true);
   prefs.setBoolPref("network.http.altsvc.enabled", true);
   prefs.setBoolPref("network.http.altsvc.oe", true);
   prefs.setCharPref("network.dns.localDomains", "foo.example.com, bar.example.com");
 
-  // The moz-http2 cert is for foo.example.com and is signed by CA.cert.der
+  // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem
   // so add that cert to the trust list as a signing cert. The same cert is used
   // for both h2FooRoute and h2BarRoute though it is only valid for
   // the foo.example.com domain name.
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
 
   h1Foo = new HttpServer();
   h1Foo.registerPathHandler("/altsvc-test", h1Server);
   h1Foo.registerPathHandler("/.well-known/http-opportunistic", h1ServerWK);
   h1Foo.start(-1);
   h1Foo.identity.setPrimary("http", "foo.example.com", h1Foo.identity.primaryPort);
 
   h1Bar = new HttpServer();
@@ -111,31 +111,16 @@ function h1ServerWK(metadata, response) 
 function resetPrefs() {
   prefs.setBoolPref("network.http.spdy.enabled", spdypref);
   prefs.setBoolPref("network.http.spdy.enabled.http2", http2pref);
   prefs.setBoolPref("network.http.altsvc.enabled", altsvcpref1);
   prefs.setBoolPref("network.http.altsvc.oe", altsvcpref2);
   prefs.clearUserPref("network.dns.localDomains");
 }
 
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
-
 function makeChan(origin) {
   return NetUtil.newChannel({
     uri: origin + "altsvc-test",
     loadUsingSystemPrincipal: true
   }).QueryInterface(Ci.nsIHttpChannel);
 }
 
 var origin;
--- a/netwerk/test/unit/test_anonymous-coalescing.js
+++ b/netwerk/test/unit/test_anonymous-coalescing.js
@@ -27,47 +27,32 @@ function run_test() {
   http2pref = prefs.getBoolPref("network.http.spdy.enabled.http2");
   extpref = prefs.getBoolPref("network.http.originextension");
 
   prefs.setBoolPref("network.http.spdy.enabled", true);
   prefs.setBoolPref("network.http.spdy.enabled.http2", true);
   prefs.setBoolPref("network.http.originextension", true);
   prefs.setCharPref("network.dns.localDomains", "foo.example.com, alt1.example.com");
 
-  // The moz-http2 cert is for {foo, alt1, alt2}.example.com and is signed by CA.cert.der
+  // The moz-http2 cert is for {foo, alt1, alt2}.example.com and is signed by http2-ca.pem
   // so add that cert to the trust list as a signing cert.
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
 
   doTest1();
 }
 
 function resetPrefs() {
   prefs.setBoolPref("network.http.spdy.enabled", spdypref);
   prefs.setBoolPref("network.http.spdy.enabled.http2", http2pref);
   prefs.setBoolPref("network.http.originextension", extpref);
   prefs.clearUserPref("network.dns.localDomains");
 }
 
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
-
 function makeChan(origin) {
   return NetUtil.newChannel({
     uri: origin,
     loadUsingSystemPrincipal: true
   }).QueryInterface(Ci.nsIHttpChannel);
 }
 
 var nextTest;
--- a/netwerk/test/unit/test_esni_dns_fetch.js
+++ b/netwerk/test/unit/test_esni_dns_fetch.js
@@ -30,21 +30,21 @@ function run_test() {
   prefs.setBoolPref("network.dns.native-is-localhost", true);
 
   // 0 - off, 1 - race, 2 TRR first, 3 TRR only, 4 shadow
   prefs.setIntPref("network.trr.mode", 2); // TRR first
   prefs.setBoolPref("network.trr.wait-for-portal", false);
   // don't confirm that TRR is working, just go!
   prefs.setCharPref("network.trr.confirmationNS", "skip");
 
-  // The moz-http2 cert is for foo.example.com and is signed by CA.cert.der
+  // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem
   // so add that cert to the trust list as a signing cert.  // the foo.example.com domain name.
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
       .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
   do_test_pending();
   run_dns_tests();
 }
 
 registerCleanupFunction(() => {
   prefs.clearUserPref("network.security.esni.enabled");
   prefs.clearUserPref("network.http.spdy.enabled");
   prefs.clearUserPref("network.http.spdy.enabled.http2");
@@ -58,31 +58,16 @@ registerCleanupFunction(() => {
   prefs.clearUserPref("network.trr.useGET");
   prefs.clearUserPref("network.trr.confirmationNS");
   prefs.clearUserPref("network.trr.bootstrapAddress");
   prefs.clearUserPref("network.trr.blacklist-duration");
   prefs.clearUserPref("network.trr.request-timeout");
 
 });
 
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
-
 var test_answer="bXkgdm9pY2UgaXMgbXkgcGFzc3dvcmQ=";
 var test_answer_addr="127.0.0.1";
 
 // check that we do lookup by type fine
 var listenerEsni = {
   onLookupByTypeComplete: function(inRequest, inRecord, inStatus) {
     if (inRequest == listen) {
       Assert.ok(!inStatus);
--- a/netwerk/test/unit/test_header_Server_Timing.js
+++ b/netwerk/test/unit/test_header_Server_Timing.js
@@ -13,40 +13,25 @@ function make_and_open_channel(url, call
   chan.asyncOpen(new ChannelListener(callback, null, CL_ALLOW_UNKNOWN_CL));
 }
 
 var responseServerTiming = [{metric:"metric", duration:"123.4", description:"description"},
                             {metric:"metric2", duration:"456.78", description:"description1"}];
 var trailerServerTiming = [{metric:"metric3", duration:"789.11", description:"description2"},
                            {metric:"metric4", duration:"1112.13", description:"description3"}];
 
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
-
 function run_test()
 {
   do_test_pending();
 
   // Set up to allow the cert presented by the server
   do_get_profile();
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
 
   Services.prefs.setCharPref("network.dns.localDomains", "foo.example.com");
   registerCleanupFunction(() => {
     Services.prefs.clearUserPref("network.dns.localDomains");
   });
 
   var env = Cc["@mozilla.org/process/environment;1"].getService(Ci.nsIEnvironment);
   var serverPort = env.get("MOZHTTP2_PORT");
--- a/netwerk/test/unit/test_http2.js
+++ b/netwerk/test/unit/test_http2.js
@@ -1177,69 +1177,16 @@ function run_next_test() {
   if (current_test < tests.length) {
     dump("starting test number " + current_test + "\n");
     tests[current_test]();
     current_test++;
     do_test_pending();
   }
 }
 
-// Support for making sure we can talk to the invalid cert the server presents
-var CertOverrideListener = function(host, port, bits) {
-  this.host = host;
-  if (port) {
-    this.port = port;
-  }
-  this.bits = bits;
-};
-
-CertOverrideListener.prototype = {
-  host: null,
-  port: -1,
-  bits: null,
-
-  getInterface: function(aIID) {
-    return this.QueryInterface(aIID);
-  },
-
-  QueryInterface: function(aIID) {
-    if (aIID.equals(Ci.nsIBadCertListener2) ||
-        aIID.equals(Ci.nsIInterfaceRequestor) ||
-        aIID.equals(Ci.nsISupports))
-      return this;
-    throw Cr.NS_ERROR_NO_INTERFACE;
-  },
-
-  notifyCertProblem: function(socketInfo, secInfo, targetHost) {
-    var cert = secInfo.serverCert;
-    var cos = Cc["@mozilla.org/security/certoverride;1"].
-              getService(Ci.nsICertOverrideService);
-    cos.rememberValidityOverride(this.host, this.port, cert, this.bits, false);
-    dump("Certificate Override in place\n");
-    return true;
-  },
-};
-
-function addCertOverride(host, port, bits) {
-  var req = new XMLHttpRequest();
-  try {
-    var url;
-    if (port) {
-      url = "https://" + host + ":" + port + "/";
-    } else {
-      url = "https://" + host + "/";
-    }
-    req.open("GET", url, false);
-    req.channel.notificationCallbacks = new CertOverrideListener(host, port, bits);
-    req.send(null);
-  } catch (e) {
-    // This will fail since the server is not trusted yet
-  }
-}
-
 var prefs;
 var spdypref;
 var spdypush;
 var http2pref;
 var altsvcpref1;
 var altsvcpref2;
 var loadGroup;
 var serverPort;
@@ -1262,28 +1209,23 @@ function run_test() {
   dump("using port " + serverPort + "\n");
 
   // Set to allow the cert presented by our H2 server
   do_get_profile();
   prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
   speculativeLimit = prefs.getIntPref("network.http.speculative-parallel-limit");
   prefs.setIntPref("network.http.speculative-parallel-limit", 0);
 
-  // The moz-http2 cert is for foo.example.com and is signed by CA.cert.der
+  // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem
   // so add that cert to the trust list as a signing cert. Some older tests in
   // this suite use localhost with a TOFU exception, but new ones should use
   // foo.example.com
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
-
-  addCertOverride("localhost", serverPort,
-                  Ci.nsICertOverrideService.ERROR_UNTRUSTED |
-                  Ci.nsICertOverrideService.ERROR_MISMATCH |
-                  Ci.nsICertOverrideService.ERROR_TIME);
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
 
   // Enable all versions of spdy to see that we auto negotiate http/2
   spdypref = prefs.getBoolPref("network.http.spdy.enabled");
   spdypush = prefs.getBoolPref("network.http.spdy.allow-push");
   http2pref = prefs.getBoolPref("network.http.spdy.enabled.http2");
   altsvcpref1 = prefs.getBoolPref("network.http.altsvc.enabled");
   altsvcpref2 = prefs.getBoolPref("network.http.altsvc.oe", true);
 
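Review bot: The retained comment still says that some older tests "use localhost with a TOFU exception", but this hunk removes the `addCertOverride("localhost", …)` call that created that exception. Any test in this file that still connects to `localhost` now depends on the server certificate chaining to `http2-ca.pem` and, presumably, being valid for that name, so the comment should say so, for example `// Tests that connect to localhost rely on the server cert also being valid for that name.` `run_test` starts before this hunk and continues past its end.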
@@ -1306,23 +1248,8 @@ function run_test() {
   httpserv2.registerPathHandler("/altsvc2", altsvcHttp1Server2);
   httpserv2.registerPathHandler("/.well-known/http-opportunistic", h1ServerWK2);
   httpserv2.start(-1);
   httpserv2.identity.setPrimary("http", "foo.example.com", httpserv2.identity.primaryPort);
 
   // And make go!
   run_next_test();
 }
-
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
--- a/netwerk/test/unit/test_immutable.js
+++ b/netwerk/test/unit/test_immutable.js
@@ -21,49 +21,34 @@ function run_test() {
   rcwnpref = prefs.getBoolPref("network.http.rcwn.enabled");
 
   prefs.setBoolPref("network.http.spdy.enabled", true);
   prefs.setBoolPref("network.http.spdy.enabled.http2", true);
   prefs.setCharPref("network.dns.localDomains", "foo.example.com, bar.example.com");
   // Disable rcwn to make cache behavior deterministic.
   prefs.setBoolPref("network.http.rcwn.enabled", false);
 
-  // The moz-http2 cert is for foo.example.com and is signed by CA.cert.der
+  // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem
   // so add that cert to the trust list as a signing cert.  // the foo.example.com domain name.
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
 
   origin = "https://foo.example.com:" + h2Port;
   dump ("origin - " + origin + "\n");
   doTest1();
 }
 
 function resetPrefs() {
   prefs.setBoolPref("network.http.spdy.enabled", spdypref);
   prefs.setBoolPref("network.http.spdy.enabled.http2", http2pref);
   prefs.setBoolPref("network.http.rcwn.enabled", rcwnpref);
   prefs.clearUserPref("network.dns.localDomains");
 }
 
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
-
 function makeChan(origin, path) {
   return NetUtil.newChannel({
     uri: origin + path,
     loadUsingSystemPrincipal: true
   }).QueryInterface(Ci.nsIHttpChannel);
 }
 
 var nextTest;
--- a/netwerk/test/unit/test_origin.js
+++ b/netwerk/test/unit/test_origin.js
@@ -21,47 +21,32 @@ function run_test() {
   http2pref = prefs.getBoolPref("network.http.spdy.enabled.http2");
   extpref = prefs.getBoolPref("network.http.originextension");
 
   prefs.setBoolPref("network.http.spdy.enabled", true);
   prefs.setBoolPref("network.http.spdy.enabled.http2", true);
   prefs.setBoolPref("network.http.originextension", true);
   prefs.setCharPref("network.dns.localDomains", "foo.example.com, alt1.example.com");
 
-  // The moz-http2 cert is for {foo, alt1, alt2}.example.com and is signed by CA.cert.der
+  // The moz-http2 cert is for {foo, alt1, alt2}.example.com and is signed by http2-ca.pem
   // so add that cert to the trust list as a signing cert.
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
 
   doTest1();
 }
 
 function resetPrefs() {
   prefs.setBoolPref("network.http.spdy.enabled", spdypref);
   prefs.setBoolPref("network.http.spdy.enabled.http2", http2pref);
   prefs.setBoolPref("network.http.originextension", extpref);
   prefs.clearUserPref("network.dns.localDomains");
 }
 
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
-
 function makeChan(origin) {
   return NetUtil.newChannel({
     uri: origin,
     loadUsingSystemPrincipal: true
   }).QueryInterface(Ci.nsIHttpChannel);
 }
 
 var nextTest;
--- a/netwerk/test/unit/test_trr.js
+++ b/netwerk/test/unit/test_trr.js
@@ -33,21 +33,21 @@ function run_test() {
   prefs.setBoolPref("network.dns.native-is-localhost", true);
 
   // 0 - off, 1 - race, 2 TRR first, 3 TRR only, 4 shadow
   prefs.setIntPref("network.trr.mode", 2); // TRR first
   prefs.setBoolPref("network.trr.wait-for-portal", false);
   // don't confirm that TRR is working, just go!
   prefs.setCharPref("network.trr.confirmationNS", "skip");
 
-  // The moz-http2 cert is for foo.example.com and is signed by CA.cert.der
+  // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem
   // so add that cert to the trust list as a signing cert.  // the foo.example.com domain name.
   let certdb = Cc["@mozilla.org/security/x509certdb;1"]
       .getService(Ci.nsIX509CertDB);
-  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
   do_test_pending();
   run_dns_tests();
 }
 
 function resetTRRPrefs() {
   prefs.clearUserPref("network.trr.mode");
   prefs.clearUserPref("network.trr.uri");
   prefs.clearUserPref("network.trr.credentials");
@@ -64,31 +64,16 @@ function resetTRRPrefs() {
 registerCleanupFunction(() => {
   prefs.clearUserPref("network.http.spdy.enabled");
   prefs.clearUserPref("network.http.spdy.enabled.http2");
   prefs.clearUserPref("network.dns.localDomains");
   prefs.clearUserPref("network.dns.native-is-localhost");
   resetTRRPrefs();
 });
 
-function readFile(file) {
-  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
-                  .createInstance(Ci.nsIFileInputStream);
-  fstream.init(file, -1, 0, 0);
-  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
-  fstream.close();
-  return data;
-}
-
-function addCertFromFile(certdb, filename, trustString) {
-  let certFile = do_get_file(filename, false);
-  let der = readFile(certFile);
-  certdb.addCert(der, trustString);
-}
-
 function testsDone()
 {
   do_test_finished();
   do_test_finished();
 }
 
 var test_loops;
 var test_answer="127.0.0.1";
--- a/netwerk/test/unit/xpcshell.ini
+++ b/netwerk/test/unit/xpcshell.ini
@@ -1,12 +1,12 @@
 [DEFAULT]
 head = head_channels.js head_cache.js head_cache2.js
 support-files =
-  CA.cert.der
+  http2-ca.pem
   client_cert_chooser.js
   client_cert_chooser.manifest
   data/image.png
   data/system_root.lnk
   data/test_psl.txt
   data/test_readline1.txt
   data/test_readline2.txt
   data/test_readline3.txt
rename from testing/xpcshell/moz-http2/http2-key.pem
rename to testing/xpcshell/moz-http2/http2-cert.key
--- a/testing/xpcshell/moz-http2/http2-key.pem
+++ b/testing/xpcshell/moz-http2/http2-cert.key
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDP/8AnO6MRtX9d
-TyL5dUhH2TrOm2aCTuSuq3jTTDqaXDeXsntOKlR3Fio+b1LuS0lGHWsYmu2xrWSf
-i+X65GB7OQ7b6LQtS+irN+iQ7OsPPmtAetHa5miz9PZoVFsnkG3CwwTehSMrPGZO
-BnlYk6Fx1+x0VaSEnUEiKnp2rlaxbxUt8vWcZD5PD26Ptihm6YkEXR0hd/gD04nt
-fPQ7QgLIjd5HdB9KXf6N0Vc3CFS/idj3JyKnKl2q1bBhIpuWde6rCcqpyyseiHxa
-U35fiMRD6uin2zVssomtmOCWyYPEwecqXPiZXJ4BnOaZvRhcadQQ8UaINwtOdl9q
-GiHCpBbRAgMBAAECggEBAKqcsQQ9cdQr2S4zpI+UuVZeBFPGun32srPn6TMA2y0U
-qXEgMO574E7SepI+BHt8e70sklVbd89/WANa4Kk8vTs2IU8XAPwKwO347SY7f9BA
-Nf9s/0gcKRQ7wgbv8tlwKehQyWSxNpjXcV9dBho29n2ITOdb/Jfe2bdpuowxEuF0
-rugkKh7P7LJTG1SAw01UTIszoOGIqHU2XlmYQOws4EvRov/BRTn9axBHH33top+m
-dX+96ntgWxdHOJjTcoXLGhTu1c0ZlJgtgEaH03jjy0f+3Qc+jIgbaZ4WLZkF/oZh
-hscL56XhsT3hR2Sdtxccw2zZ0exLO+qV1RykIAlUXkECgYEA7U+ljowyPxbREHnf
-SRTauIZfJNP6IHT60MkslltlYn7jABvx+u2xCC/QhZxCJi/iAs6iNvkbXR6uK/MH
-NrXwdk67SDUXaDZ9LM3rXPqjuwmvkc+e7P5an6KRtyzQD8K8mjbze1NfxbcGgKti
-A+8GL8H3V29EQ6xp2+UxIF/3UNkCgYEA4GEm9NLbu4neP+A+1NpUS4tUgMCdTkPm
-fiOECd4jjTizPZjjrk+zTin9aP+eBRYHharIGrDP2Uj98uv4kQ8u0rQbcjPwitog
-8DgccMQ92E6DYGDGECh5Hg2Zu71+zQQNzOEJTyrFLx4Gf5SkBzLlbDZDpNhbuQc9
-zvRYBc11urkCgYBOu2Dy9SJqefhsnfJtfaS/GZ2RS16tzAG2qTfIvpPZZL2NOLhE
-hv13+N0WpuvvXW1/fuykjmr8rwQcAqo/BYe8yIwr/alBYuqOpdbTZzhRAnqkRpy0
-hgKs+bOccRqqT/Jgu6B2JwgcQYe/wpxnL7L+vzx/XqPoS9hnIxf0ZMJZqQKBgQDa
-KJuf3oQWS23z3Sw5+C2NZeK7bIuF1S795bozffBDFqXvdf+pM4S6ssjYlfAmMc0O
-gYYdrVvpf7apwhTjtUdpRgSJfUabOopcBbJhUexvq6bAxlbMzw0z0zVt/EiVPSPN
-198dQhCGR0M6OGNjPHEkTX5ngJVtyUSnO5t5yNJ2wQKBgQDheEUJYgo2UjLNsdTs
-b4og5gHkyoKS3paWV64itJQbVBuri4HWeIExM9ayBB6nSJ2VvpZPyE6XfiYYGNhR
-jOc394qlnrx+oi2KdSmIWfQU0I+rW3bMqpoyWPYxP/hN6w4LAwjnJOSOIMCACm5J
-d8IebWjY2B3Zc6FFVzbmhXtlig==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 -----END PRIVATE KEY-----
new file mode 100644
--- /dev/null
+++ b/testing/xpcshell/moz-http2/http2-cert.key.keyspec
@@ -0,0 +1,1 @@
+default
--- a/testing/xpcshell/moz-http2/http2-cert.pem
+++ b/testing/xpcshell/moz-http2/http2-cert.pem
@@ -1,24 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIID+TCCAuGgAwIBAgIJAKu6XZkGFQ8NMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNV
-BAYTAlVTMQ4wDAYDVQQIDAVNYWluZTETMBEGA1UECgwKQ0EgRXhhbXBsZTAeFw0x
-NzAzMjgwMjIxMjZaFw0yNzAzMjYwMjIxMjZaMIHIMQswCQYDVQQGEwJVUzERMA8G
-A1UECAwITmV3IFlvcmsxEjAQBgNVBAcMCVJvY2hlc3RlcjESMBAGA1UECgwJRW5k
-IFBvaW50MRcwFQYDVQQLDA5UZXN0aW5nIERvbWFpbjFLMEkGCSqGSIb3DQEJARY8
-eW91ci1hZG1pbmlzdHJhdGl2ZS1hZGRyZXNzQHlvdXItYXdlc29tZS1leGlzdGlu
-Zy1kb21haW4uY29tMRgwFgYDVQQDDA9mb28uZXhhbXBsZS5jb20wggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP/8AnO6MRtX9dTyL5dUhH2TrOm2aCTuSu
-q3jTTDqaXDeXsntOKlR3Fio+b1LuS0lGHWsYmu2xrWSfi+X65GB7OQ7b6LQtS+ir
-N+iQ7OsPPmtAetHa5miz9PZoVFsnkG3CwwTehSMrPGZOBnlYk6Fx1+x0VaSEnUEi
-Knp2rlaxbxUt8vWcZD5PD26Ptihm6YkEXR0hd/gD04ntfPQ7QgLIjd5HdB9KXf6N
-0Vc3CFS/idj3JyKnKl2q1bBhIpuWde6rCcqpyyseiHxaU35fiMRD6uin2zVssomt
-mOCWyYPEwecqXPiZXJ4BnOaZvRhcadQQ8UaINwtOdl9qGiHCpBbRAgMBAAGjezB5
-MB8GA1UdIwQYMBaAFPf8dq/FGunJQmw434sHniss5Y4gMAkGA1UdEwQCMAAwCwYD
-VR0PBAQDAgTwMD4GA1UdEQQ3MDWCD2Zvby5leGFtcGxlLmNvbYIQYWx0MS5leGFt
-cGxlLmNvbYIQYWx0Mi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEARitg
-nxH87RYCMo/wbfSyttkiDmlw1vuEFI6dq9D6iTYcJK9pD9VvQ8e/k0J0FdtnIGBD
-O9+kKuPCRIjJt0mRToQHXI4SFIEqUraI5xA5VdXT2FR5KsshNSw6LjV25gvv0hcI
-6YBOlJ1IzntSA3h7lGGhgqH2ln32hzTQ8ob8F8i3GecOIk6mDkgCHTPRe7tfyTKw
-7c6Z8By6Es84RCQdxXf6AouhJw9SfZl1T5bcy5vDbBcNYenfvueCLezNX6kK7orh
-KsqnxWr2cG8c3X1OIuuvAEUbQ78InOb4OPiQQXcfv+dzxnv7tK6pNRcmMUhabwM8
-J3i97uzqNXPwTFMu3Q==
------END CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/testing/xpcshell/moz-http2/http2-cert.pem.certspec
@@ -0,0 +1,4 @@
+issuer: HTTP2 Test CA
+subject: HTTP2 Test Cert
+validity:20170101-20270101
+extension:subjectAlternativeName:localhost,foo.example.com,alt1.example.com,alt2.example.com
--- a/testing/xpcshell/moz-http2/moz-http2.js
+++ b/testing/xpcshell/moz-http2/moz-http2.js
@@ -1152,19 +1152,19 @@ function handleRequest(req, res) {
   if (req.httpVersionMajor != 2) {
     res.setHeader('Connection', 'close');
   }
   res.writeHead(200);
   res.end(content);
 }
 
 // Set up the SSL certs for our server - this server has a cert for foo.example.com
-// signed by netwerk/tests/unit/CA.cert.der
+// signed by netwerk/tests/unit/http2-ca.pem
 var options = {
-  key: fs.readFileSync(__dirname + '/http2-key.pem'),
+  key: fs.readFileSync(__dirname + '/http2-cert.key'),
   cert: fs.readFileSync(__dirname + '/http2-cert.pem'),
 };
 
 if (process.env.HTTP2_LOG !== undefined) {
   var log_module = node_http2_root + "/test/util";
   options.log = require(log_module).createLogger('server')
 }
 
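Review bot: The rewritten comment above `var options` still names `netwerk/tests/unit/`, but the CA file this changeset adds is `netwerk/test/unit/http2-ca.pem`, so the pointer to the trust anchor does not resolve. The comment also describes the leaf as a cert for foo.example.com only, while the new `http2-cert.pem.certspec` lists localhost, alt1.example.com and alt2.example.com as subject alternative names too. I would change the two lines to `// Set up the SSL certs for our server - this server has a cert for localhost, foo.example.com, alt1.example.com and alt2.example.com` and `// signed by netwerk/test/unit/http2-ca.pem`. Because `http2-cert.key.keyspec` is just `default` (presumably pykey's shared built-in key), a third line such as `// Test-only key material; the matching CA must only be trusted inside test profiles.` would make the trust boundary explicit.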
new file mode 100644
--- /dev/null
+++ b/testing/xpcshell/moz-http2/moz.build
@@ -0,0 +1,9 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Temporarily disabled. See bug 1256495.
+#GeneratedTestCertificate('http2-cert.pem')
+#GeneratedTestKey('http2-cert.key')
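Review bot: The comment `# Temporarily disabled. See bug 1256495.` does not say what a maintainer has to do while generation is off. With both `GeneratedTest*` lines commented out, the checked-in `http2-cert.pem` and `http2-cert.key` are what the server loads, and nothing keeps them in step with the `.certspec` and `.keyspec` files. The certspec also pins `validity:20170101-20270101`, so the checked-in certificate presumably has to be regenerated by hand before that end date, or the http2 tests will start failing on an expired cert. I would extend the comment with `# Until then, regenerate http2-cert.pem and http2-cert.key by hand (pycert/pykey) whenever the spec files change,` followed by `# and before the certspec validity window ends.`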
--- a/testing/xpcshell/moz.build
+++ b/testing/xpcshell/moz.build
@@ -1,15 +1,15 @@
 # -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-TEST_DIRS += ['example']
+TEST_DIRS += ['example', 'moz-http2']
 
 PYTHON_UNITTEST_MANIFESTS += [
     'python.ini',
 ]
 
 TESTING_JS_MODULES += [
     'dbg-actors.js',
 ]