Backout bug 428009
authorKai Engert <kaie@kuix.de>
Wed, 18 Jun 2008 14:30:29 +0200
changeset 15415 f3c8daf3e831479cf0032d082f123f27fccb4b3a
parent 15414 1cb6c752d008d14fc36dae74af3a5bbc28c7ed6a
child 15416 8473190b24b0d3922e8fe9cc7662de97e2bce16e
child 15489 faa43f41e777b01e3195d1e2df0d0670e39e06ca
push id1
push userroot
push dateTue, 26 Apr 2011 22:38:44 +0000
treeherdermozilla-beta@bfdb6e623a36 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs428009
milestone1.9.1a1pre
Backout bug 428009
build/Makefile.in
build/pgo/Makefile.in
build/pgo/automation.py.in
build/pgo/certs/Makefile.in
build/pgo/certs/pgoca.ca
build/pgo/certs/pgoca.p12
build/pgo/genpgocert.py.in
build/pgo/server-locations.txt
security/manager/Makefile.in
testing/mochitest/Makefile.in
testing/mochitest/server.js
testing/mochitest/ssltunnel/ssltunnel.cpp
toolkit/mozapps/installer/packager.mk
--- a/build/Makefile.in
+++ b/build/Makefile.in
@@ -74,23 +74,19 @@ browser_path = \"$(DIST)/$(MOZ_APP_DISPL
 else
 browser_path = \"$(DIST)/$(MOZ_APP_DISPLAYNAME).app/Contents/MacOS/$(PROGRAM)\"
 endif
 else
 browser_path = \"$(DIST)/bin/$(PROGRAM)\"
 endif
 endif
 
-_CERTS_DIR = _profile/pgo/certs
-
 AUTOMATION_PPARGS = 	\
 			-DBROWSER_PATH=$(browser_path) \
 			-DXPC_BIN_PATH=\"$(DIST)/bin\" \
-			-DBIN_SUFFIX=\"$(BIN_SUFFIX)\" \
-			-DCERTS_DIR=\"../$(_CERTS_DIR)\" \
 			$(NULL)
 
 ifeq ($(OS_ARCH),Darwin)
 AUTOMATION_PPARGS += -DIS_MAC=1
 else
 AUTOMATION_PPARGS += -DIS_MAC=0
 endif
 
--- a/build/pgo/Makefile.in
+++ b/build/pgo/Makefile.in
@@ -38,37 +38,30 @@
 
 DEPTH		= ../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 relativesrcdir = build/pgo
 
 include $(DEPTH)/config/autoconf.mk
-
-DIRS = \
-		certs \
-		$(NULL)
-
 include $(topsrcdir)/config/rules.mk
 
 # Stuff to make a build with a profile
 _PROFILE_DIR = $(DEPTH)/_profile/pgo
-_CERTS_DIR = $(_PROFILE_DIR)/certs
-_CERTS_SRC_DIR = $(srcdir)/certs
 
 _PGO_FILES = 	\
 		automation.py \
 		profileserver.py \
-		genpgocert.py \
 		index.html \
 		quit.js \
 		server-locations.txt \
 		$(NULL)
 
+
 ifeq ($(USE_SHORT_LIBNAME), 1)
 PROGRAM = $(MOZ_APP_NAME)$(BIN_SUFFIX)
 else
 PROGRAM = $(MOZ_APP_NAME)-bin$(BIN_SUFFIX)
 endif
 
 ifeq ($(MOZ_BUILD_APP),camino)
 browser_path = \"$(DIST)/Camino.app/Contents/MacOS/Camino\"
@@ -82,19 +75,16 @@ endif
 else
 browser_path = \"$(DIST)/bin/$(PROGRAM)\"
 endif
 endif
 
 AUTOMATION_PPARGS = 	\
 			-DBROWSER_PATH=$(browser_path) \
 			-DXPC_BIN_PATH=\"$(DIST)/bin\" \
-			-DBIN_SUFFIX=\"$(BIN_SUFFIX)\" \
-			-DCERTS_DIR=\"$(_CERTS_DIR)\" \
-			-DCERTS_SRC_DIR=\"$(_CERTS_SRC_DIR)\" \
 			$(NULL)
 
 ifeq ($(OS_ARCH),Darwin)
 AUTOMATION_PPARGS += -DIS_MAC=1
 else
 AUTOMATION_PPARGS += -DIS_MAC=0
 endif
 
@@ -107,20 +97,16 @@ endif
 ifeq ($(host_os), cygwin)
 AUTOMATION_PPARGS += -DIS_CYGWIN=1
 endif
 
 automation.py: automation.py.in
 	$(PYTHON) $(topsrcdir)/config/Preprocessor.py \
 	$(AUTOMATION_PPARGS) $(DEFINES) $(ACDEFINES) $^ > $@
 
-genpgocert.py: genpgocert.py.in
-	$(PYTHON) $(topsrcdir)/config/Preprocessor.py \
-	$(AUTOMATION_PPARGS) $(DEFINES) $(ACDEFINES) $^ > $@
-
 profileserver.py: profileserver.py.in
 	$(PYTHON) $(topsrcdir)/config/Preprocessor.py $^ > $@
 	chmod +x $@
 
-GARBAGE += automation.py profileserver.py genpgocert.py
+GARBAGE += automation.py profileserver.py
 
 libs:: $(_PGO_FILES)
 	$(INSTALL) $^ $(_PROFILE_DIR)
--- a/build/pgo/automation.py.in
+++ b/build/pgo/automation.py.in
@@ -69,22 +69,20 @@ for setting up the browser environment.
 #expand IS_WIN32 = len("__WIN32__") != 0
 #expand IS_MAC = __IS_MAC__ != 0
 #ifdef IS_CYGWIN
 #expand IS_CYGWIN = __IS_CYGWIN__ == 1
 #else
 IS_CYGWIN = False
 #endif
 #expand IS_CAMINO = __IS_CAMINO__ != 0
-#expand BIN_SUFFIX = __BIN_SUFFIX__
 
 UNIXISH = not IS_WIN32 and not IS_MAC
 
 #expand DEFAULT_APP = "./" + __BROWSER_PATH__
-#expand CERTS_DIR = __CERTS_DIR__
 
 ###########
 # LOGGING #
 ###########
 
 # We use the logging system here primarily because it'll handle multiple
 # threads, which is needed to process the output of the server and application
 # processes simultaneously.
@@ -100,58 +98,42 @@ log.addHandler(handler)
 
 class Process:
   """
   Represents a subprocess of this process.  We don't just directly use the
   subprocess module here because we want compatibility with Python 2.3 on
   non-Windows platforms.  :-(
   """
 
-  def __init__(self, command, args, env, inputdata = None):
+  def __init__(self, command, args, env):
     """
     Creates a process representing the execution of the given command, which
     must be an absolute path, with the given arguments in the given environment.
     The process is then started.
     """
     command = os.path.abspath(command)
     if IS_WIN32:
-      import tempfile
       import subprocess
-      
-      if inputdata:
-        inputfile = tempfile.TemporaryFile()
-        inputfile.write(inputdata)
-        inputfile.seek(0)
-      else:
-        inputfile = None
-        
       cmd = [command]
       cmd.extend(args)
       p = subprocess.Popen(cmd, env = env,
                            stdout = subprocess.PIPE,
-                           stderr = subprocess.STDOUT,
-                           stdin = inputfile)
+                           stderr = subprocess.STDOUT)
       self._out = p.stdout
     else:
       import popen2
       cmd = []
-      if env:
-        for (k, v) in env.iteritems():
-          cmd.append(k + "='" + v + "' ")
-          
+      for (k, v) in env.iteritems():
+        cmd.append(k + "='" + v + "' ")
       cmd.append("'" + command + "'")
       cmd.extend(map(lambda x: "'" + x + "'", args))
       cmd = " ".join(cmd)
       p = popen2.Popen4(cmd)
       self._out = p.fromchild
 
-      if inputdata:
-        p.tochild.write(inputdata)
-        p.tochild.flush()
-
     self._process = p
     self.pid = p.pid
     
     self._thread = threading.Thread(target = lambda: self._run())
     self._thread.start()
 
   def _run(self):
     "Continues execution of this process on a separate thread."
@@ -178,23 +160,18 @@ class Process:
   def wait(self):
     "Waits for this process to finish, then returns the process's status."
     self._thread.join()
     return self._status
 
   def kill(self):
     "Kills this process."
     try:
-      if not IS_WIN32:
+      if not IS_WIN32: # XXX
         os.kill(self._process.pid, signal.SIGKILL)
-      else:
-        import subprocess
-        pid = "%i" % self.pid
-        process = subprocess.Popen(["taskkill", "/F", "/PID", pid])
-        process.wait()
     except:
       pass
 
 
 #################
 # PROFILE SETUP #
 #################
 
@@ -219,40 +196,40 @@ class Location:
 
   def __init__(self, scheme, host, port, options):
     self.scheme = scheme
     self.host = host
     self.port = port
     self.options = options
 
 
-def readLocations(locationsPath = "server-locations.txt"):
+def readLocations():
   """
   Reads the locations at which the Mochitest HTTP server is available from
   server-locations.txt.
   """
 
-  locationFile = codecs.open(locationsPath, "r", "UTF-8")
+  locationFile = codecs.open("server-locations.txt", "r", "UTF-8")
 
   # Perhaps more detail than necessary, but it's the easiest way to make sure
   # we get exactly the format we want.  See server-locations.txt for the exact
   # format guaranteed here.
   lineRe = re.compile(r"^(?P<scheme>[a-z][-a-z0-9+.]*)"
                       r"://"
                       r"(?P<host>"
                         r"\d+\.\d+\.\d+\.\d+"
                         r"|"
                         r"(?:[a-z0-9](?:[-a-z0-9]*[a-z0-9])?\.)*"
                         r"[a-z](?:[-a-z0-9]*[a-z0-9])?"
                       r")"
                       r":"
                       r"(?P<port>\d+)"
                       r"(?:"
                       r"\s+"
-                      r"(?P<options>\S+(?:,\S+)*)"
+                      r"(?P<options>\w+(?:,\w+)*)"
                       r")?$")
   locations = []
   lineno = 0
   seenPrimary = False
   for line in locationFile:
     lineno += 1
     if line.startswith("#") or line == "\n":
       continue
@@ -336,30 +313,23 @@ function FindProxyForURL(url, host)
                          '://' +
                          '(?:[^/@]*@)?' +
                          '(.*?)' +
                          '(?::(\\\\\\\\d+))?/');
   var matches = regex.exec(url);
   if (!matches)
     return 'DIRECT';
   var isHttp = matches[1] == 'http';
-  var isHttps = matches[1] == 'https';
   if (!matches[3])
-  {
-    if (isHttp) matches[3] = '80';
-    if (isHttps) matches[3] = '443';
-  }
-    
+    matches[3] = isHttp ? '80' : '443';
   var origin = matches[1] + '://' + matches[2] + ':' + matches[3];
   if (origins.indexOf(origin) < 0)
     return 'DIRECT';
   if (isHttp)
-    return 'PROXY 127.0.0.1:8888';
-  if (isHttps)
-    return 'PROXY 127.0.0.1:4443';
+    return 'PROXY localhost:8888';
   return 'DIRECT';
 }""" % { "origins": origins }
   pacURL = "".join(pacURL.splitlines())
 
   part = """
 user_pref("network.proxy.type", 2);
 user_pref("network.proxy.autoconfig_url", "%(pacURL)s");
 
@@ -367,80 +337,22 @@ user_pref("camino.use_system_proxy_setti
 """ % {"pacURL": pacURL}
   prefs.append(part)
 
   # write the preferences
   prefsFile = open(profileDir + "/" + "user.js", "a")
   prefsFile.write("".join(prefs))
   prefsFile.close()
 
-def fillCertificateDB(profileDir):
-
-  pwfilePath = os.path.join(profileDir, ".crtdbpw")
-  
-  pwfile = open(pwfilePath, "w")
-  pwfile.write("\n")
-  pwfile.close()
-
-  # Create head of the ssltunnel configuration file 
-  sslTunnelConfigPath = os.path.join(CERTS_DIR, "ssltunnel.cfg")
-  sslTunnelConfig = open(sslTunnelConfigPath, "w")
-  
-  sslTunnelConfig.write("httpproxy:1\n")
-  sslTunnelConfig.write("certdbdir:%s\n" % CERTS_DIR)
-  sslTunnelConfig.write("forward:127.0.0.1:8888\n")
-  sslTunnelConfig.write("listen:*:4443:pgo server certificate\n")
-
-  # Generate automatic certificate and bond custom certificates
-  locations = readLocations()
-  locations.pop(0)
-  for loc in locations:
-    if loc.scheme == "https" and "nocert" not in loc.options:
-      customCertRE = re.compile("^cert=(?P<nickname>[0-9a-zA-Z_ ]+)")
-      for option in loc.options:
-        match = customCertRE.match(option)
-        if match:
-          customcert = match.group("nickname");
-          sslTunnelConfig.write("listen:%s:%s:4443:%s\n" % (loc.host, loc.port, customcert))
-          break
-
-  sslTunnelConfig.close()
-
-  # Pre-create the certification database for the profile
-  certutil = DIST_BIN + "/certutil" + BIN_SUFFIX
-  status = Process(certutil, ["-N", "-d", profileDir, "-f", pwfilePath], None).wait()
-  if status != 0:
-    return status
-
-  # Walk the cert directory and add custom CAs as trusted
-  files = os.listdir(CERTS_DIR)
-  for item in files:
-    root, ext = os.path.splitext(item)
-    if ext == ".ca":
-      Process(certutil, ["-A", "-i", os.path.join(CERTS_DIR, item), "-d", profileDir, "-f", pwfilePath, "-n", root, "-t", "CT,,"], None)
-
-  os.unlink(pwfilePath)
-  return 0
-
 
 ###############
 # RUN THE APP #
 ###############
 
 def runApp(testURL, env, app, profileDir, extraArgs):
-  # create certificate database for the profile
-  certificateStatus = fillCertificateDB(profileDir)
-  if certificateStatus != 0:
-    log.info("ERROR FAIL Certificate integration")
-    return certificateStatus
-
-  ssltunnel = DIST_BIN + "/ssltunnel" + BIN_SUFFIX
-  ssltunnelProcess = Process(ssltunnel, [os.path.join(CERTS_DIR, "ssltunnel.cfg")], None)
-  log.info("SSL tunnel pid: %d", ssltunnelProcess.pid)
-  
   "Run the app, returning the time at which it was started."
   # mark the start
   start = datetime.now()
 
   # now run with the profile we created
   cmd = app
   if IS_MAC and not IS_CAMINO and not cmd.endswith("-bin"):
     cmd += "-bin"
@@ -462,11 +374,9 @@ def runApp(testURL, env, app, profileDir
     args.append((testURL))
   args.extend(extraArgs)
   proc = Process(cmd, args, env = env)
   log.info("Application pid: %d", proc.pid)
   status = proc.wait()
   if status != 0:
     log.info("ERROR FAIL Exited with code %d during test run", status)
 
-  ssltunnelProcess.kill()
-  
   return start
deleted file mode 100644
--- a/build/pgo/certs/Makefile.in
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is Mozilla test code
-#
-# The Initial Developer of the Original Code is
-# Mozilla Foundation
-# Portions created by the Initial Developer are Copyright (C) 2008
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-# Honza Bambas <honzab@firemni.cz>
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-DEPTH		= ../../..
-topsrcdir	= @top_srcdir@
-srcdir		= @srcdir@
-VPATH		= @srcdir@
-
-include $(DEPTH)/config/autoconf.mk
-
-_PROFILE_DIR = $(DEPTH)/_profile/pgo
-_CERTS_DIR = $(_PROFILE_DIR)/certs
-
-# Extension of files must be '.server'
-_SERVER_CERTS = \
-    $(NULL)
-  
-# Extension of files must be '.ca'
-_CERT_AUTHORITIES = \
-    pgoca.ca \
-    $(NULL)
-
-_SERV_FILES = \
-    pgoca.p12 \
-    $(NULL)
-
-include $(topsrcdir)/config/rules.mk
-
-libs:: $(_SERV_FILES) $(_SERVER_CERTS) $(_CERT_AUTHORITIES)
-	$(INSTALL) $^ $(_CERTS_DIR)
deleted file mode 100644
--- a/build/pgo/certs/pgoca.ca
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICXTCCAcagAwIBAgIBATANBgkqhkiG9w0BAQUFADBqMSQwIgYDVQQLExtQcm9m
-aWxlIEd1aWRlZCBPcHRpbWl6YXRpb24xGDAWBgNVBAoTD01vemlsbGEgVGVzdGlu
-ZzEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0w
-ODA1MjIwMDM4MDVaFw0xODA1MjIwMDM4MDVaMGoxJDAiBgNVBAsTG1Byb2ZpbGUg
-R3VpZGVkIE9wdGltaXphdGlvbjEYMBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSgw
-JgYDVQQDEx9UZW1wb3JhcnkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDg6iipAXGZYmgTcHfx8M2hcLqmqDalcj7sZ1A7
-a3LiCBb+1uHKKy9hUxRUe61aJF4NgMAF5oc+HpXN0hpvkiNHxqqD7R6hrkP3gAJ3
-eczEFKsFUI6AqaCL0+xpyhaaZmmarcHxU+PL2h5zq6VssxfBAsO0DkzWzk6E8vM+
-jrku7QIDAQABoxMwETAPBgNVHRMECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GB
-ALPbn3Ztg0m8qDt8Vkf5You6HEqIxZe+ffDTrfq/L7ofHk/OXEpL7OWKRHU33pNG
-QS8khBG+sO461C51s6u9giW+eq2PaQv2HGASBpDbvPqc/Hf+zupZsdsXzHv6rt0V
-lu5B6nOpMse1nhA494i1ARSuBNzLv5mas38YWG8Rr6jR
------END CERTIFICATE-----
deleted file mode 100644
index 4867c286bbf6950a51078caedff875a945b2d93c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
--- a/build/pgo/genpgocert.py.in
+++ /dev/null
@@ -1,211 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is mozilla.org code.
-#
-# The Initial Developer of the Original Code is
-# Mozilla Foundation.
-# Portions created by the Initial Developer are Copyright (C) 2008
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Honza Bambas <honzab@firemni.cz>
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-import automation
-import os
-import re
-import sys
-
-#expand DIST_BIN = "./" + __XPC_BIN_PATH__
-#expand BIN_SUFFIX = __BIN_SUFFIX__
-#expand CERTS_DIR = __CERTS_DIR__
-#expand CERTS_SRC_DIR = __CERTS_SRC_DIR__
-
-dbFiles = ["cert8.db", "key3.db", "secmod.db"]
-
-def dbPaths(dir):
-  return map(lambda f: os.path.join(dir, f), dbFiles)
-
-def runUtil(util, args, inputdata = None):
-  proc = automation.Process(util, args, None, inputdata)
-  return proc.wait();
-
-
-def createRandomFile(randomFile):
-  import random
-  file = open(randomFile, "wb");
-  for count in xrange(0, 2048):
-    file.write(chr(random.randint(0, 255)))
-  file.close()
-
-
-def createCertificateAuthority(dbDir, srcDir):
-  certutil = DIST_BIN + "/certutil" + BIN_SUFFIX
-  pk12util = DIST_BIN + "/pk12util" + BIN_SUFFIX
-
-  tempDbDir = os.path.join(dbDir, ".temp")
-  if not os.path.exists(tempDbDir):
-    os.mkdir(tempDbDir)
-  
-  pwfilePath = os.path.join(tempDbDir, ".crtdbpw")
-  rndfilePath = os.path.join(tempDbDir, ".rndfile")
-  pgoCAModulePathSrc = os.path.join(srcDir, "pgoca.p12")
-  pgoCAPathSrc = os.path.join(srcDir, "pgoca.ca")
-  pgoCAModulePath = os.path.join(srcDir, "pgoca.p12")
-  pgoCAPath = os.path.join(srcDir, "pgoca.ca")
-  
-  pwfile = open(pwfilePath, "w")
-  pwfile.write("\n")
-  pwfile.close()
-
-  for dbFile in dbPaths(tempDbDir):
-    if os.path.exists(dbFile):
-      os.unlink(dbFile)
-
-  # Create temporary certification database for CA generation
-  status = runUtil(certutil, ["-N", "-d", tempDbDir, "-f", pwfilePath])
-  if status != 0:
-    return status
-
-  createRandomFile(rndfilePath);
-  status = runUtil(certutil, ["-S", "-d", tempDbDir, "-s", "CN=Temporary Certificate Authority, O=Mozilla Testing, OU=Profile Guided Optimization", "-t", "C,,", "-x", "-m", "1", "-v", "120", "-n", "pgo temporary ca", "-2", "-f", pwfilePath, "-z", rndfilePath], "Y\n0\nN\n")
-  if status != 0:
-    return status
- 
-  status = runUtil(certutil, ["-L", "-d", tempDbDir, "-n", "pgo temporary ca", "-a", "-o", pgoCAPathSrc, "-f", pwfilePath])
-  if status != 0:
-    return status
- 
-  status = runUtil(pk12util, ["-o", pgoCAModulePathSrc, "-n", "pgo temporary ca", "-d", tempDbDir, "-w", pwfilePath, "-k", pwfilePath])
-  if status != 0:
-    return status
-    
-  for dbFile in dbPaths(tempDbDir):
-    if os.path.exists(dbFile):
-      os.unlink(dbFile)
-  os.unlink(pwfilePath)
-  os.unlink(rndfilePath)
-  os.rmdir(tempDbDir)
-  return 0
-
-
-def createSSLServerCertificate(dbDir):
-  certutil = DIST_BIN + "/certutil" + BIN_SUFFIX
-  pk12util = DIST_BIN + "/pk12util" + BIN_SUFFIX
-
-  pwfilePath = os.path.join(dbDir, ".crtdbpw")
-  rndfilePath = os.path.join(dbDir, ".rndfile")
-  pgoCAPath = os.path.join(dbDir, "pgoca.p12")
-  
-  pwfile = open(pwfilePath, "w")
-  pwfile.write("\n")
-  pwfile.close()
-
-  for dbFile in dbPaths(dbDir):
-    if os.path.exists(dbFile):
-      os.unlink(dbFile)
-
-  # Create certification database for ssltunnel
-  status = runUtil(certutil, ["-N", "-d", dbDir, "-f", pwfilePath])
-  if status != 0:
-    return status
-
-  status = runUtil(pk12util, ["-i", pgoCAPath, "-w", pwfilePath, "-d", dbDir, "-k", pwfilePath])
-  if status != 0:
-    return status
-
-  # Generate automatic certificate
-  locations = automation.readLocations(os.path.join(dbDir, "../server-locations.txt"))
-  locations.pop(0)
-  locationsParam = ""
-  firstLocation = ""
-  for loc in locations:
-    if loc.scheme == "https" and "nocert" not in loc.options:
-      customCertOption = False
-      customCertRE = re.compile("^cert=(?:\w+)")
-      for option in loc.options:
-        match = customCertRE.match(option)
-        if match:
-          customCertOption = True
-          break
-
-      if not customCertOption:
-        if len(locationsParam) > 0:
-          locationsParam += ","
-        locationsParam += loc.host
-        
-        if firstLocation == "":
-          firstLocation = loc.host
-      
-  if firstLocation == "":
-    print "Nothing to generate, no automatic secure hosts specified"
-  else:
-    createRandomFile(rndfilePath);
-    status = runUtil(certutil, ["-S", "-s", "CN=%s" % firstLocation, "-t", "Pu,,", "-c", "pgo temporary ca", "-m", "2", "-8", locationsParam, "-v", "12", "-n", "pgo server certificate", "-d", dbDir, "-z", rndfilePath, "-f", pwfilePath])
-    if status != 0:
-      return status
-    
-  # Walk the cert directory and add what necessary
-  files = os.listdir(CERTS_DIR)
-  for item in files:
-    root, ext = os.path.splitext(item)
-    if ext == ".server":
-      runUtil(pk12util, ["-i", os.path.join(CERTS_DIR, item), "-d", dbDir, "-k", pwfilePath, "-w", pwfilePath])
-            
-  os.unlink(pwfilePath)
-  os.unlink(rndfilePath)
-  return 0
-
-
-if len(sys.argv) == 1:
-  print "Specify --gen-server or --gen-ca"
-  sys.exit(1)
-
-if sys.argv[1] == "--gen-server":
-  certificateStatus = createSSLServerCertificate(CERTS_DIR)
-  if certificateStatus != 0:
-    print "ERROR FAIL: SSL Server Certificate generation"
-  
-  sys.exit(certificateStatus)
-  
-if sys.argv[1] == "--gen-ca":
-  certificateStatus = createCertificateAuthority(CERTS_DIR, CERTS_SRC_DIR)
-  if certificateStatus != 0:
-    print "ERROR FAIL: Certificate Authority generation"
-  else:
-    print "\n\n"
-    print "==================================================="
-    print " IMPORTANT:"
-    print " To use this new certificate authority in tests"
-    print " run 'make' at testing/mochitest"
-    print "==================================================="
-
-  sys.exit(certificateStatus)
-
-print "Invalid option specified"
-sys.exit(1)
--- a/build/pgo/server-locations.txt
+++ b/build/pgo/server-locations.txt
@@ -47,34 +47,21 @@
 # and a comma-separated list of options (if indeed any options are needed).
 #
 # The format of an origin is, referring to RFC 2396, a scheme (either "http" or
 # "https"), followed by "://", followed by a host, followed by ":", followed by
 # a port number.  The colon and port number must be present even if the port
 # number is the default for the protocol.
 #
 # Unrecognized options are ignored.  Recognized options are "primary" and
-# "privileged", "nocert", "cert=some_cert_nickname". 
-#
-# "primary" denotes a location which is the canonical location of
+# "privileged".  "primary" denotes a location which is the canonical location of
 # the server; this location is the one assumed for requests which don't
-# otherwise identify a particular origin (e.g. HTTP/1.0 requests).  
-#
-# "privileged" denotes a location which should have the ability to request 
-# elevated privileges; the default is no privileges.
-#
-# "nocert" makes sense only for https:// hosts and means there is not
-# any certificate automatically generated for this host.
-#
-# "cert=nickname" tells the pgo server to use a particular certificate
-# for this host. The certificate is referenced by its nickname that must
-# not contain any spaces. The certificate  key files (PKCS12 modules)
-# for custom certification are loaded from build/pgo/ssltunnel/certs
-# directory. When new certificate is added to this dir pgo/ssltunnel
-# must be builded then.
+# otherwise identify a particular origin (e.g. HTTP/1.0 requests).  "privileged"
+# denotes a location which should have the ability to request elevated
+# privileges; the default is no privileges.
 #
 
 #
 # This is the primary location from which tests run.
 #
 http://localhost:8888   primary,privileged
 
 #
@@ -98,49 +85,32 @@ http://sub2.test2.example.org:8000   pri
 http://example.com:80                privileged
 http://test1.example.com:80          privileged
 http://test2.example.com:80          privileged
 http://sub1.test1.example.com:80     privileged
 http://sub1.test2.example.com:80     privileged
 http://sub2.test1.example.com:80     privileged
 http://sub2.test2.example.com:80     privileged
 
-https://example.com:443                privileged
-https://test1.example.com:443          privileged
-https://test2.example.com:443          privileged
-https://sub1.test1.example.com:443     privileged
-https://sub1.test2.example.com:443     privileged
-https://sub2.test1.example.com:443     privileged
-https://sub2.test2.example.com:443     privileged
-https://nocert.example.com:443         privileged,nocert
-
 #
 # These are subdomains of <ält.example.org>.
 #
 http://sub1.xn--lt-uia.example.org:8000   privileged
 http://sub2.xn--lt-uia.example.org:80     privileged
 http://xn--exmple-cua.test:80             privileged
 http://sub1.xn--exmple-cua.test:80        privileged
 
-https://xn--hxajbheg2az3al.xn--jxalpdlp:443        privileged
-https://sub1.xn--hxajbheg2az3al.xn--jxalpdlp:443   privileged
-
 #
 # These are subdomains of <παράδειγμα.δοκιμή>, the Greek IDN for example.test.
 #
 http://xn--hxajbheg2az3al.xn--jxalpdlp:80        privileged
 http://sub1.xn--hxajbheg2az3al.xn--jxalpdlp:80   privileged
 
 #
 # These hosts are used in tests which exercise privilege-granting functionality;
 # we could reuse some of the names above, but specific names make it easier to
 # distinguish one from the other in tests (as well as what functionality is
 # being tested).
 #
 http://sectest1.example.org:80       privileged
 http://sub.sectest2.example.org:80   privileged
 http://sectest2.example.org:80
 http://sub.sectest1.example.org:80
-
-https://sectest1.example.org:443       privileged
-https://sub.sectest2.example.org:443   privileged
-https://sectest2.example.org:443
-https://sub.sectest1.example.org:443
--- a/security/manager/Makefile.in
+++ b/security/manager/Makefile.in
@@ -276,26 +276,18 @@ ifdef MOZ_XUL
 	$(MAKE) -C pki $@
 endif
 
 libs::
 ifndef MOZ_NATIVE_NSS
 	$(MAKE) -C $(topsrcdir)/security/coreconf $(DEFAULT_GMAKE_FLAGS)
 	$(MAKE) -C $(topsrcdir)/security/dbm $(DEFAULT_GMAKE_FLAGS) 
 	$(MAKE) -C $(topsrcdir)/security/nss/lib $(DEFAULT_GMAKE_FLAGS)
-ifdef ENABLE_TESTS
-	# Need certutil binary for mochitest certificates generation
+ifndef SKIP_CHK
 	$(MAKE) -C $(topsrcdir)/security/nss/cmd/lib $(DEFAULT_GMAKE_FLAGS)
-	$(MAKE) -C $(topsrcdir)/security/nss/cmd/certutil $(DEFAULT_GMAKE_FLAGS)
-	$(MAKE) -C $(topsrcdir)/security/nss/cmd/pk12util $(DEFAULT_GMAKE_FLAGS)
-endif
-ifndef SKIP_CHK
-ifndef ENABLE_TESTS # Just avoid secondary compile
-	$(MAKE) -C $(topsrcdir)/security/nss/cmd/lib $(DEFAULT_GMAKE_FLAGS)
-endif
 	$(MAKE) -C $(topsrcdir)/security/nss/cmd/shlibsign $(DEFAULT_GMAKE_FLAGS)
 endif
 	$(INSTALL) -m 755 $(DIST)/lib/$(LOADABLE_ROOT_MODULE) $(DIST)/bin
 ifndef SKIP_CHK
 	$(INSTALL) -m 644 $(DIST)/lib/$(SOFTOKEN3_CHK) $(DIST)/bin
 endif
 	$(INSTALL) -m 755 $(DIST)/lib/$(SOFTOKEN3_LIB) $(DIST)/bin
 	$(INSTALL) -m 755 $(DIST)/lib/$(NSSDBM3_LIB) $(DIST)/bin
--- a/testing/mochitest/Makefile.in
+++ b/testing/mochitest/Makefile.in
@@ -69,17 +69,16 @@ include $(topsrcdir)/config/rules.mk
 		redirect.html \
 		redirect.js \
 		$(topsrcdir)/build/pgo/server-locations.txt \
 		$(topsrcdir)/netwerk/test/httpserver/httpd.js \
 		$(NULL)	
 
 
 _DEST_DIR = $(DEPTH)/_tests/$(relativesrcdir)
-_CERTS_DIR = $(DEPTH)/_profile/pgo/certs
 
 ifeq ($(USE_SHORT_LIBNAME), 1)
 PROGRAM = $(MOZ_APP_NAME)$(BIN_SUFFIX)
 else
 PROGRAM = $(MOZ_APP_NAME)-bin$(BIN_SUFFIX)
 endif
 
 ifeq ($(MOZ_BUILD_APP),camino)
@@ -95,18 +94,16 @@ else
 browser_path = \"../$(DIST)/bin/$(PROGRAM)\"
 endif
 endif
 
 # These go in _tests/ so they need to go up an extra path segement
 TEST_DRIVER_PPARGS = 	\
 			-DBROWSER_PATH=$(browser_path) \
 			-DXPC_BIN_PATH=\"../$(DIST)/bin\" \
-			-DBIN_SUFFIX=\"$(BIN_SUFFIX)\" \
-			-DCERTS_DIR=\"../$(_CERTS_DIR)\" \
 			$(NULL)
 
 ifeq ($(OS_ARCH),Darwin)
 TEST_DRIVER_PPARGS += -DIS_MAC=1
 else
 TEST_DRIVER_PPARGS += -DIS_MAC=0
 endif
 
@@ -131,11 +128,8 @@ runtests.py: runtests.py.in
 automation.py: $(topsrcdir)/build/pgo/automation.py.in
 	$(PYTHON) $(topsrcdir)/config/Preprocessor.py \
 	$(TEST_DRIVER_PPARGS) $(DEFINES) $(ACDEFINES) $^ > $@
 
 GARBAGE += runtests.pl runtests.py automation.py
 
 libs:: $(_SERV_FILES)
 	$(INSTALL) $^ $(_DEST_DIR)
-
-libs::
-	$(RUN_TEST_PROGRAM) $(PYTHON) $(DEPTH)/_profile/pgo/genpgocert.py --gen-server
--- a/testing/mochitest/server.js
+++ b/testing/mochitest/server.js
@@ -217,17 +217,17 @@ function processLocations(server)
                  "|" +
                  "(?:[a-z0-9](?:[-a-z0-9]*[a-z0-9])?\\.)*" +
                  "[a-z](?:[-a-z0-9]*[a-z0-9])?" +
                ")" +
                ":" +
                "(\\d+)" +
                "(?:" +
                "\\s+" +
-               "(\\S+(?:,\\S+)*)" +
+               "(\\w+(?:,\\w+)*)" +
                ")?$");
 
   var line = {};
   var lineno = 0;
   var seenPrimary = false;
   do
   {
     var more = lis.readLine(line);
--- a/testing/mochitest/ssltunnel/ssltunnel.cpp
+++ b/testing/mochitest/ssltunnel/ssltunnel.cpp
@@ -45,26 +45,25 @@
 #include "prio.h"
 #include "prnetdb.h"
 #include "prtpool.h"
 #include "nss.h"
 #include "pk11func.h"
 #include "key.h"
 #include "keyt.h"
 #include "ssl.h"
-#include "plhash.h"
 
 using std::string;
 using std::vector;
 
 // Structs for passing data into jobs on the thread pool
 typedef struct {
   PRInt32 listen_port;
+  PRNetAddr remote_addr;
   string cert_nickname;
-  PLHashTable* host_cert_table;
 } server_info_t;
 
 typedef struct {
   PRFileDesc* client_sock;
   PRNetAddr client_addr;
   server_info_t* server_info;
 } connection_info_t;
 
@@ -109,340 +108,116 @@ private:
 // These are suggestions. If the number of ports to proxy on * 2
 // is greater than either of these, then we'll use that value instead.
 const PRInt32 INITIAL_THREADS = 1;
 const PRInt32 MAX_THREADS = 5;
 const PRInt32 DEFAULT_STACKSIZE = (512 * 1024);
 const PRInt32 BUF_SIZE = 4096;
 
 // global data
-string nssconfigdir;
-vector<server_info_t> servers;
-PRNetAddr remote_addr;
 PRThreadPool* threads = NULL;
 PRLock* shutdown_lock = NULL;
 PRCondVar* shutdown_condvar = NULL;
 // Not really used, unless something fails to start
 bool shutdown_server = false;
-bool do_http_proxy = false;
-bool any_host_cert_mapping = false;
 
 /*
  * Signal the main thread that the application should shut down.
  */
 void SignalShutdown()
 {
   PR_Lock(shutdown_lock);
   PR_NotifyCondVar(shutdown_condvar);
   PR_Unlock(shutdown_lock);
 }
 
-bool ReadConnectRequest(server_info_t* server_info, 
-    char* bufferhead, char* buffertail, PRInt32* result, string* certificate)
-{
-  if (buffertail - bufferhead < 4)
-    return false;
-  if (strncmp(buffertail-4, "\r\n\r\n", 4))
-    return false;
-
-  *result = 400;
-
-  char* token;
-  token = strtok(bufferhead, " ");
-  if (!token) 
-    return true;
-  if (strcmp(token, "CONNECT")) 
-    return true;
-
-  token = strtok(NULL, " ");
-  void* c = PL_HashTableLookup(server_info->host_cert_table, token);
-  if (c)
-    *certificate = (char*)c;
-
-  token = strtok(NULL, "/");
-  if (strcmp(token, "HTTP"))
-    return true;
-
-  *result = 200;
-  return true;
-}
-
-bool ConfigureSSLServerSocket(PRFileDesc* socket, server_info_t* si, string &certificate)
-{
-  const char* certnick = certificate.empty() ?
-      si->cert_nickname.c_str() : certificate.c_str();
-
-  AutoCert cert(PK11_FindCertFromNickname(
-      certnick, NULL));
-  if (!cert) {
-    fprintf(stderr, "Failed to find cert %s\n", si->cert_nickname.c_str());
-    return false;
-  }
-
-  AutoKey privKey(PK11_FindKeyByAnyCert(cert, NULL));
-  if (!privKey) {
-    fprintf(stderr, "Failed to find private key\n");
-    return false;
-  }
-
-  PRFileDesc* ssl_socket = SSL_ImportFD(NULL, socket);
-  if (!ssl_socket) {
-    fprintf(stderr, "Error importing SSL socket\n");
-    return false;
-  }
-
-  SSLKEAType certKEA = NSS_FindCertKEAType(cert);
-  if (SSL_ConfigSecureServer(ssl_socket, cert, privKey, certKEA)
-      != SECSuccess) {
-    fprintf(stderr, "Error configuring SSL server socket\n");
-    return false;
-  }
-
-  SSL_OptionSet(ssl_socket, SSL_SECURITY, PR_TRUE);
-  SSL_OptionSet(ssl_socket, SSL_HANDSHAKE_AS_CLIENT, PR_FALSE);
-  SSL_OptionSet(ssl_socket, SSL_HANDSHAKE_AS_SERVER, PR_TRUE);
-  SSL_ResetHandshake(ssl_socket, PR_TRUE);
-
-  return true;
-}
-
-bool ConnectSocket(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime timeout)
-{
-  PRStatus stat = PR_Connect(fd, addr, timeout);
-  if (stat != PR_SUCCESS)
-    return false;
-
-  PRSocketOptionData option;
-  option.option = PR_SockOpt_Nonblocking;
-  option.value.non_blocking = PR_TRUE;
-  PR_SetSocketOption(fd, &option);
-
-  return true;
-}
-
 /*
  * Handle an incoming client connection. The server thread has already
  * accepted the connection, so we just need to connect to the remote
  * port and then proxy data back and forth.
  * The data parameter is a connection_info_t*, and must be deleted
  * by this function.
  */
 void PR_CALLBACK HandleConnection(void* data)
 {
   connection_info_t* ci = static_cast<connection_info_t*>(data);
   PRIntervalTime connect_timeout = PR_SecondsToInterval(2);
   PRIntervalTime short_timeout = PR_MillisecondsToInterval(250);
 
   AutoFD other_sock(PR_NewTCPSocket());
   bool client_done = false;
   bool client_error = false;
-  bool connect_accepted = !do_http_proxy;
-  bool ssl_updated = !do_http_proxy;
-  string certificateToUse;
-
-  if (other_sock) 
-  {
-    PRInt32 numberOfSockets = 1;
-
-    struct relayBuffer
-    {
-      char *buffer, *bufferhead, *buffertail, *bufferend;
-      relayBuffer() 
-      { 
-        bufferhead = buffertail = buffer = new char[BUF_SIZE]; 
-        bufferend = buffer + BUF_SIZE; 
-      }
-      ~relayBuffer() 
-      { 
-        delete [] buffer; 
-      }
-
-      bool empty() 
-      { 
-        return bufferhead == buffertail; 
-      }
-      PRInt32 free() 
-      { 
-        return bufferend - buffertail; 
-      }
-      PRInt32 present() 
-      { 
-        return buffertail - bufferhead; 
-      }
-      void compact() 
-      { 
-        if (buffertail == bufferhead) 
-          buffertail = bufferhead = buffer;
-      }
-    } buffers[2];
+  PRUint8 buf[BUF_SIZE];
 
-    if (!do_http_proxy)
-    {
-      if (!ConfigureSSLServerSocket(ci->client_sock, ci->server_info, certificateToUse))
-        client_error = true;
-      else if (!ConnectSocket(other_sock, &remote_addr, connect_timeout))
-        client_error = true;
-      else
-        numberOfSockets = 2;
-    }
-
-    PRPollDesc sockets[2] = 
-    { 
-      {ci->client_sock, PR_POLL_READ, 0},
-      {other_sock, PR_POLL_READ, 0}
-    };
-
-    while (!((client_error||client_done) && buffers[0].empty() && buffers[1].empty()))
-    {
-      sockets[0].in_flags |= PR_POLL_EXCEPT;
-      sockets[1].in_flags |= PR_POLL_EXCEPT;
-      PRInt32 pollStatus = PR_Poll(sockets, numberOfSockets, PR_MillisecondsToInterval(1000));
-      if (pollStatus < 0)
-      {
-        client_error = true;
-        break;
-      }
-
-      if (pollStatus == 0)
-        // timeout
-        continue;
-
-      for (PRInt32 s = 0; s < numberOfSockets; ++s)
-      {
-        PRInt32 s2 = s == 1 ? 0 : 1;
-        PRInt16 out_flags = sockets[s].out_flags;
-        PRInt16 &in_flags = sockets[s].in_flags;
-        PRInt16 &in_flags2 = sockets[s2].in_flags;
-        sockets[s].out_flags = 0;
-
-        if (out_flags & PR_POLL_EXCEPT)
-        {
+  if (other_sock &&
+      PR_Connect(other_sock, &ci->server_info->remote_addr, connect_timeout)
+      == PR_SUCCESS) {
+    PRInt32 bytes = PR_Recv(ci->client_sock, buf, BUF_SIZE, 0, short_timeout);
+    if (bytes > 0 &&
+        PR_Send(other_sock, buf, bytes, 0, short_timeout) > 0) {
+      bytes = PR_Recv(other_sock, buf, BUF_SIZE, 0, short_timeout);
+      while (bytes > 0) {
+        if (PR_Send(ci->client_sock, buf, bytes, 0, short_timeout) == -1) {
           client_error = true;
-          continue;
-        } // PR_POLL_EXCEPT handling
-
-        if (out_flags & PR_POLL_READ && buffers[s].free())
-        {
-          PRInt32 bytesRead = PR_Recv(sockets[s].fd, buffers[s].buffertail, 
-              buffers[s].free(), 0, PR_INTERVAL_NO_TIMEOUT);
-
-          if (bytesRead == 0)
-          {
+          break;
+        }
+        if (!client_done) {
+          bytes = PR_Recv(ci->client_sock, buf, BUF_SIZE, 0, short_timeout);
+          if (bytes > 0) {
+            if (PR_Send(other_sock, buf, bytes, 0, short_timeout) == -1)
+              break;
+          }
+          else if (bytes == 0) {
             client_done = true;
-            in_flags &= ~PR_POLL_READ;
           }
-          else if (bytesRead < 0)
-          {
-            if (PR_GetError() != PR_WOULD_BLOCK_ERROR)
-              client_error = true;
+          else  {// error
+            client_error = true;
+            break;
           }
-          else
-          {
-            buffers[s].buffertail += bytesRead;
-
-            // We have to accept and handle the initial CONNECT request here
-            PRInt32 response;
-            if (!connect_accepted && ReadConnectRequest(ci->server_info, buffers[s].bufferhead, buffers[s].buffertail, 
-                &response, &certificateToUse))
-            {
-              // Clean the request as it would be read
-              buffers[s].bufferhead = buffers[s].buffertail = buffers[s].buffer;
-
-              // Store response to the oposite buffer
-              if (response != 200)
-              {
-                client_done = true;
-                sprintf(buffers[s2].buffer, "HTTP/1.1 %d ERROR\r\nConnection: close\r\n\r\n", response);
-                buffers[s2].buffertail = buffers[s2].buffer + strlen(buffers[s2].buffer);
-                break;
-              }
-
-              strcpy(buffers[s2].buffer, "HTTP/1.1 200 Connected\r\nConnection: keep-alive\r\n\r\n");
-              buffers[s2].buffertail = buffers[s2].buffer + strlen(buffers[s2].buffer);
-
-              if (!ConnectSocket(other_sock, &remote_addr, connect_timeout))
-              {
-                client_error = true;
-                break;
-              }
-
-              // Send the response to the client socket
-              in_flags |= PR_POLL_WRITE;
-              connect_accepted = true;
-              break;
-            } // end of CONNECT handling
-
-            if (!buffers[s].free()) // Do not poll for read when the buffer is full
-              in_flags &= ~PR_POLL_READ;
-
-            if (ssl_updated)
-              in_flags2 |= PR_POLL_WRITE;
-          }
-        } // PR_POLL_READ handling
-
-        if (out_flags & PR_POLL_WRITE)
-        {
-          PRInt32 bytesWrite = PR_Send(sockets[s].fd, buffers[s2].bufferhead, 
-              buffers[s2].present(), 0, PR_INTERVAL_NO_TIMEOUT);
-
-          if (bytesWrite < 0)
-          {
-            if (PR_GetError() != PR_WOULD_BLOCK_ERROR)
-              client_error = true;
-          }
-          else
-          {
-            buffers[s2].bufferhead += bytesWrite;
-            if (buffers[s2].present())
-              in_flags |= PR_POLL_WRITE;              
-            else
-            {
-              if (!ssl_updated)
-              {
-                // Proxy response has just been writen, update to ssl
-                ssl_updated = true;
-                if (!ConfigureSSLServerSocket(ci->client_sock, ci->server_info, certificateToUse))
-                {
-                  client_error = true;
-                  break;
-                }
-
-                numberOfSockets = 2;
-              } // sslUpdate
-
-              in_flags &= ~PR_POLL_WRITE;              
-              in_flags2 |= PR_POLL_READ;
-              buffers[s2].compact();
-            }
-          }
-        } // PR_POLL_WRITE handling
-      } // for...
-    } // while, poll
+        }
+        bytes = PR_Recv(other_sock, buf, BUF_SIZE, 0, short_timeout);
+      }
+    }
+    else if (bytes == -1) {
+      client_error = true;
+    }
   }
-  else
-    client_error = true;
-
   if (!client_error)
-    PR_Shutdown(ci->client_sock, PR_SHUTDOWN_SEND);
+    PR_Shutdown(ci->client_sock, PR_SHUTDOWN_BOTH);
   PR_Close(ci->client_sock);
 
   delete ci;
 }
 
 /*
  * Start listening for SSL connections on a specified port, handing
  * them off to client threads after accepting the connection.
  * The data parameter is a server_info_t*, owned by the calling
  * function.
  */
 void PR_CALLBACK StartServer(void* data)
 {
   server_info_t* si = static_cast<server_info_t*>(data);
 
   //TODO: select ciphers?
+  AutoCert cert(PK11_FindCertFromNickname(si->cert_nickname.c_str(),
+                                          NULL));
+  if (!cert) {
+    fprintf(stderr, "Failed to find cert %s\n", si->cert_nickname.c_str());
+    SignalShutdown();
+    return;
+  }
+
+  AutoKey privKey(PK11_FindKeyByAnyCert(cert, NULL));
+  if (!privKey) {
+    fprintf(stderr, "Failed to find private key\n");
+    SignalShutdown();
+    return;
+  }
+
   AutoFD listen_socket(PR_NewTCPSocket());
   if (!listen_socket) {
     fprintf(stderr, "failed to create socket\n");
     SignalShutdown();
     return;
   }
 
   PRNetAddr server_addr;
@@ -454,31 +229,40 @@ void PR_CALLBACK StartServer(void* data)
   }
 
   if (PR_Listen(listen_socket, 1) != PR_SUCCESS) {
     fprintf(stderr, "failed to listen on socket\n");
     SignalShutdown();
     return;
   }
 
+  PRFileDesc* ssl_socket = SSL_ImportFD(NULL, listen_socket);
+  if (!ssl_socket) {
+    fprintf(stderr, "Error importing SSL socket\n");
+    SignalShutdown();
+    return;
+  }
+  listen_socket.reset(ssl_socket);
+
+  if (SSL_ConfigSecureServer(listen_socket, cert, privKey, kt_rsa)
+      != SECSuccess) {
+    fprintf(stderr, "Error configuring SSL listen socket\n");
+    SignalShutdown();
+    return;
+  }
+
   printf("Server listening on port %d with cert %s\n", si->listen_port,
          si->cert_nickname.c_str());
 
   while (!shutdown_server) {
     connection_info_t* ci = new connection_info_t();
     ci->server_info = si;
     // block waiting for connections
     ci->client_sock = PR_Accept(listen_socket, &ci->client_addr,
                                 PR_INTERVAL_NO_TIMEOUT);
-    
-    PRSocketOptionData option;
-    option.option = PR_SockOpt_Nonblocking;
-    option.value.non_blocking = PR_TRUE;
-    PR_SetSocketOption(ci->client_sock, &option);
-
     if (ci->client_sock)
       // Not actually using this PRJob*...
       //PRJob* job =
       PR_QueueJob(threads, HandleConnection, ci, PR_TRUE);
     else
       delete ci;
   }
 }
@@ -487,204 +271,55 @@ void PR_CALLBACK StartServer(void* data)
 char* password_func(PK11SlotInfo* slot, PRBool retry, void* arg)
 {
   if (retry)
     return NULL;
 
   return "";
 }
 
-server_info_t* findServerInfo(int portnumber)
-{
-  for (vector<server_info_t>::iterator it = servers.begin();
-       it != servers.end(); it++) 
-  {
-    if (it->listen_port == portnumber)
-      return &(*it);
-  }
-
-  return NULL;
-}
-
-int processConfigLine(char* configLine)
+int main(int argc, char** argv)
 {
-  if (*configLine == 0 || *configLine == '#')
-    return 0;
-
-  char* keyword = strtok(configLine, ":");
-
-  // Configure usage of http/ssl tunneling proxy behavior
-  if (!strcmp(keyword, "httpproxy"))
-  {
-    char* value = strtok(NULL, ":");
-    if (!strcmp(value, "1"))
-      do_http_proxy = true;
-
-    return 0;
-  }
-
-  // Configure the forward address of the target server
-  if (!strcmp(keyword, "forward"))
-  {
-    char* ipstring = strtok(NULL, ":");
-    if (PR_StringToNetAddr(ipstring, &remote_addr) != PR_SUCCESS) {
-      fprintf(stderr, "Invalid remote IP address: %s\n", ipstring);
-      return 1;
-    }
-    char* portstring = strtok(NULL, ":");
-    int port = atoi(portstring);
-    if (port <= 0) {
-      fprintf(stderr, "Invalid remote port: %s\n", portstring);
-      return 1;
-    }
-    remote_addr.inet.port = PR_htons(port);
-
-    return 0;
+  if (argc < 6) {
+    fprintf(stderr, "Error: not enough arguments\n"
+            "Usage: ssltunnel <NSS db path> <remote ip> <remote port> (<certname> <port>)+\n"
+            "       Provide SSL encrypted tunnels to <remote ip>:<remote port>\n"
+            "       from each port specified in a <certname>,<port> pair.\n"
+            "       <certname> must be the nickname of a server certificate\n"
+            "       installed in the NSS db pointed to by the <NSS db path>.\n");
+    return 1;
   }
 
-  // Configure all listen sockets and port+certificate bindings
-  if (!strcmp(keyword, "listen"))
-  {
-    char* hostname = strtok(NULL, ":");
-    char* hostportstring = NULL;
-    if (strcmp(hostname, "*"))
-    {
-      any_host_cert_mapping = true;
-      hostportstring = strtok(NULL, ":");
-    }
 
-    char* portstring = strtok(NULL, ":");
-    char* certnick = strtok(NULL, ":");
-
-    int port = atoi(portstring);
-    if (port <= 0) {
-      fprintf(stderr, "Invalid port specified: %s\n", portstring);
-      return 1;
-    }
-
-    if (server_info_t* existingServer = findServerInfo(port))
-    {
-      char *certnick_copy = new char[strlen(certnick)+1];
-      char *hostname_copy = new char[strlen(hostname)+strlen(hostportstring)+2];
-
-      strcpy(hostname_copy, hostname);
-      strcat(hostname_copy, ":");
-      strcat(hostname_copy, hostportstring);
-      strcpy(certnick_copy, certnick);
-
-      PL_HashTableAdd(existingServer->host_cert_table, hostname_copy, certnick_copy);
-    }
-    else
-    {
-      server_info_t server;
-      server.cert_nickname = certnick;
-      server.listen_port = port;
-      server.host_cert_table = PL_NewHashTable(0, PL_HashString, PL_CompareStrings, PL_CompareStrings, NULL, NULL);
-      if (!server.host_cert_table)
-      {
-        fprintf(stderr, "Internal, could not create hash table\n");
-        return 1;
-      }
-      servers.push_back(server);
-    }
-
-    return 0;
-  }
-  
-  // Configure the NSS certificate database directory
-  if (!strcmp(keyword, "certdbdir"))
-  {
-    nssconfigdir = strtok(NULL, "\n");
-    return 0;
-  }
-
-  printf("Error: keyword \"%s\" unexpected\n", keyword);
-  return 1;
-}
-
-int parseConfigFile(const char* filePath)
-{
-  FILE* f = fopen(filePath, "r");
-  if (!f)
-    return 1;
-
-  char buffer[1024], *b = buffer;
-  while (!feof(f))
-  {
-    char c;
-    fscanf(f, "%c", &c);
-    switch (c)
-    {
-    case '\n':
-      *b++ = 0;
-      if (processConfigLine(buffer))
-        return 1;
-      b = buffer;
-    case '\r':
-      continue;
-    default:
-      *b++ = c;
-    }
-  }
-
-  fclose(f);
-
-  // Check mandatory items
-  if (nssconfigdir.empty())
-  {
-    printf("Error: missing path to NSS certification database\n,use certdbdir:<path> in the config file\n");
+  PRNetAddr remote_addr;
+  if (PR_StringToNetAddr(argv[2], &remote_addr) != PR_SUCCESS) {
+    fprintf(stderr, "Invalid remote IP address: %s\n", argv[2]);
     return 1;
   }
 
-  if (any_host_cert_mapping && !do_http_proxy)
-  {
-    printf("Warning: any host-specific certificate configurations are ignored, add httpproxy:1 to allow them\n");
+  int port = atoi(argv[3]);
+  if (port <= 0) {
+    fprintf(stderr, "Invalid remote port: %s\n", argv[2]);
+    return 1;
   }
-
-  return 0;
-}
-
-PRIntn PR_CALLBACK freeHashItems(PLHashEntry *he, PRIntn i, void *arg)
-{
-  delete [] (char*)he->key;
-  delete [] (char*)he->value;
-  return HT_ENUMERATE_REMOVE;
-}
-
-int main(int argc, char** argv)
-{
-  char* configFilePath;
-  if (argc == 1)
-    configFilePath = "ssltunnel.cfg";
-  else
-    configFilePath = argv[1];
+  remote_addr.inet.port = PR_htons(port);
 
-  if (parseConfigFile(configFilePath)) {
-    fprintf(stderr, "Error: config file \"%s\" missing or formating incorrect\n"
-      "Specify path to the config file as parameter to ssltunnel or \n"
-      "create ssltunnel.cfg in the working directory.\n\n"
-      "Example format of the config file:\n\n"
-      "       # Enable http/ssl tunneling proxy-like behavior.\n"
-      "       # If not specified ssltunnel simply does direct forward.\n"
-      "       httpproxy:1\n\n"
-      "       # Specify path to the certification database used.\n"
-      "       certdbdir:/path/to/certdb\n\n"
-      "       # Forward/proxy all requests in raw to 127.0.0.1:8888.\n"
-      "       forward:127.0.0.1:8888\n\n"
-      "       # Accept connections on port 4443 or 5678 resp. and authenticate\n"
-      "       # to any host ('*') using the 'server cert' or 'server cert 2' resp.\n"
-      "       listen:*:4443:server cert\n"
-      "       listen:*:5678:server cert 2\n\n"
-      "       # Accept connections on port 4443 and authenticate using\n"
-      "       # 'a different cert' when target host is 'my.host.name:443'.\n"
-      "       # This works only in httpproxy mode and has higher priority\n"
-      "       # then the previews option.\n"
-      "       listen:my.host.name:443:4443:a different cert\n",
-      configFilePath);
-    return 1;
+  // get our list of cert:port from the remaining args
+  vector<server_info_t> servers;
+  for (int i=4; i<argc; i++) {
+    server_info_t server;
+    memcpy(&server.remote_addr, &remote_addr, sizeof(PRNetAddr));
+    server.cert_nickname = argv[i++];
+    port = atoi(argv[i]);
+    if (port <= 0) {
+      fprintf(stderr, "Invalid port specified: %s\n", argv[i]);
+      return 1;
+    }
+    server.listen_port = port;
+    servers.push_back(server);
   }
 
   // create a thread pool to handle connections
   threads = PR_CreateThreadPool(std::max<PRInt32>(INITIAL_THREADS,
                                                   servers.size()*2),
                                 std::max<PRInt32>(MAX_THREADS,
                                                   servers.size()*2),
                                 DEFAULT_STACKSIZE);
@@ -705,17 +340,19 @@ int main(int argc, char** argv)
     PR_ShutdownThreadPool(threads);
     PR_DestroyLock(shutdown_lock);
     return 1;
   }
 
   PK11_SetPasswordFunc(password_func);
 
   // Initialize NSS
-  if (NSS_Init(nssconfigdir.c_str()) != SECSuccess) {
+  char* configdir = argv[1];
+
+  if (NSS_Init(configdir) != SECSuccess) {
     PRInt32 errorlen = PR_GetErrorTextLength();
     char* err = new char[errorlen+1];
     PR_GetErrorText(err);
     fprintf(stderr, "Failed to init NSS: %s", err);
     delete[] err;
     PR_ShutdownThreadPool(threads);
     PR_DestroyCondVar(shutdown_condvar);
     PR_DestroyLock(shutdown_lock);
@@ -756,19 +393,11 @@ int main(int argc, char** argv)
   // cleanup
   PR_ShutdownThreadPool(threads);
   PR_JoinThreadPool(threads);
   PR_DestroyCondVar(shutdown_condvar);
   PR_DestroyLock(shutdown_lock);
   if (NSS_Shutdown() == SECFailure) {
     fprintf(stderr, "Leaked NSS objects!\n");
   }
-  
-  for (vector<server_info_t>::iterator it = servers.begin();
-       it != servers.end(); it++) 
-  {
-    PL_HashTableEnumerateEntries(it->host_cert_table, freeHashItems, NULL);
-    PL_HashTableDestroy(it->host_cert_table);
-  }
-
   PR_Cleanup();
   return 0;
 }
--- a/toolkit/mozapps/installer/packager.mk
+++ b/toolkit/mozapps/installer/packager.mk
@@ -240,18 +240,16 @@ NO_PKG_FILES += \
 	msmap* \
 	nm2tsv* \
 	nsinstall* \
 	rebasedlls* \
 	res/samples \
 	res/throbber \
 	shlibsign* \
 	ssltunnel* \
-	certutil* \
-	pk12util* \
 	winEmbed.exe \
 	os2Embed.exe \
 	chrome/chrome.rdf \
 	chrome/app-chrome.manifest \
 	chrome/overlayinfo \
 	components/compreg.dat \
 	components/xpti.dat \
 	content_unit_tests \