bug 929617 - disregard expired stapled OCSP responses, acquire fresh ones r=briansmith a=bajaj
authorDavid Keeler <dkeeler@mozilla.com>
Mon, 25 Nov 2013 15:40:11 -0800
changeset 167831 171046c2495fe4d72b293af29079b22b0b9e38fc
parent 167830 1786928ad7b2e6df873721cdc6d8812cfb44ae5a
child 167832 741a8c5658a9c171d11d2e870c7545e2b35ec6f9
push id428
push userbbajaj@mozilla.com
push dateTue, 28 Jan 2014 00:16:25 +0000
treeherdermozilla-release@cd72a7ff3a75 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbriansmith, bajaj
bugs929617
milestone27.0
bug 929617 - disregard expired stapled OCSP responses, acquire fresh ones r=briansmith a=bajaj
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/tlsserver/cert8.db
security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
security/manager/ssl/tests/unit/tlsserver/key3.db
security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
security/manager/ssl/tests/unit/tlsserver/test-ca.der
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -898,17 +898,24 @@ AuthCertificate(TransportSecurityInfo * 
 
   SECStatus rv;
   if (stapledOCSPResponse) {
     CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
     rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
                                                stapledOCSPResponse,
                                                infoObject);
     if (rv != SECSuccess) {
-      return rv;
+      // Due to buggy servers that will staple expired OCSP responses
+      // (see for example http://trac.nginx.org/nginx/ticket/425),
+      // don't terminate the connection if the stapled response is expired.
+      // We will fall back to fetching revocation information.
+      PRErrorCode ocspErrorCode = PR_GetError();
+      if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
+        return rv;
+      }
     }
   }
 
   CERTCertList *verifyCertChain = nullptr;
   SECOidTag evOidPolicy;
   rv = PSM_SSL_PKIX_AuthCertificate(cert, infoObject, infoObject->GetHostNameRaw(),
                                     &verifyCertChain, &evOidPolicy);
 
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -47,42 +47,59 @@ function addCertFromFile(certdb, filenam
 }
 
 function getXPCOMStatusFromNSS(statusNSS) {
   let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
                            .getService(Ci.nsINSSErrorsService);
   return nssErrorsService.getXPCOMFromNSSError(statusNSS);
 }
 
-function clearOCSPCache() {
+function _getLibraryFunctionWithNoArguments(functionName, libraryName) {
   // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
-  let path = ctypes.libraryName("nss3");
+  let path = ctypes.libraryName(libraryName);
 
   // XXX really want to be able to pass specific dlopen flags here.
   let nsslib;
   try {
     nsslib = ctypes.open(path);
   } catch(e) {
     // In case opening the library without a full path fails,
     // try again with a full path.
-    let directoryService = Cc["@mozilla.org/file/directory_service;1"]
-                             .getService(Ci.nsIProperties);
-    let greDir = directoryService.get("GreD", Ci.nsILocalFile);
+    let file = Services.dirsvc.get("GreD", Ci.nsILocalFile);
     file.append(path);
     nsslib = ctypes.open(file.path);
   }
 
   let SECStatus = ctypes.int;
-  let CERT_ClearOCSPCache = nsslib.declare("CERT_ClearOCSPCache",
-                                           ctypes.default_abi, SECStatus);
+  let func = nsslib.declare(functionName, ctypes.default_abi, SECStatus);
+  return func;
+}
+
+function clearOCSPCache() {
+  let CERT_ClearOCSPCache =
+    _getLibraryFunctionWithNoArguments("CERT_ClearOCSPCache", "nss3");
   if (CERT_ClearOCSPCache() != 0) {
     throw "Failed to clear OCSP cache";
   }
 }
 
+function clearSessionCache() {
+  let SSL_ClearSessionCache = null;
+  try {
+    SSL_ClearSessionCache =
+      _getLibraryFunctionWithNoArguments("SSL_ClearSessionCache", "ssl3");
+  } catch (e) {
+    // On Windows, this is actually in the nss3 library.
+    SSL_ClearSessionCache =
+      _getLibraryFunctionWithNoArguments("SSL_ClearSessionCache", "nss3");
+  }
+  if (!SSL_ClearSessionCache || SSL_ClearSessionCache() != 0) {
+    throw "Failed to clear SSL session cache";
+  }
+}
 
 // Set up a TLS testing environment that has a TLS server running and
 // ready to accept connections. This async function starts the server and
 // waits for the server to indicate that it is ready.
 //
 // Each test should have its own subdomain of example.com, for example
 // my-first-connection-test.example.com. The server can use the server
 // name (passed through the SNI TLS extension) to determine what behavior
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -3,28 +3,39 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 "use strict";
 
 // In which we connect to a number of domains (as faked by a server running
 // locally) with and without OCSP stapling enabled to determine that good
 // things happen and bad things don't.
 
+let gExpectOCSPRequest;
+
 function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
   add_connection_test(aHost, aExpectedResult,
     function() {
+      gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
+      clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
 function run_test() {
   do_get_profile();
 
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    do_check_true(gExpectOCSPRequest);
+  });
+  fakeOCSPResponder.start(8080);
+
   add_tls_server_setup("OCSPStaplingServer");
 
   // In the absence of OCSP stapling, these should actually all work.
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
@@ -74,19 +85,28 @@ function run_test() {
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true);
   add_ocsp_test("ocsp-stapling-unauthorized.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST),
                 true);
   add_ocsp_test("ocsp-stapling-unknown.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
   add_ocsp_test("ocsp-stapling-good-other.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
-  // If the server doesn't send an OCSP response, we continue as normal.
-  add_ocsp_test("ocsp-stapling-none.example.com", Cr.NS_OK, true);
+  // If the server doesn't staple an OCSP response, we continue as normal
+  // (this means that even though stapling is enabled, we expect an OCSP
+  // request).
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+    function() {
+      gExpectOCSPRequest = true;
+      clearOCSPCache();
+      clearSessionCache();
+      Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+    }
+  );
   add_ocsp_test("ocsp-stapling-empty.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
-  add_ocsp_test("ocsp-stapling-expired.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), true);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), true);
+  // ocsp-stapling-expired.example.com and
+  // ocsp-stapling-expired-fresh-ca.example.com are handled in
+  // test_ocsp_stapling_expired.js
 
+  add_test(function() { fakeOCSPResponder.stop(run_next_test); });
   run_next_test();
 }
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -0,0 +1,85 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with OCSP stapling enabled to determine that good things happen
+// and bad things don't, specifically with respect to various expired OCSP
+// responses (stapled and otherwise).
+
+let gCurrentOCSPResponse = null;
+let gOCSPRequestCount = 0;
+
+function add_ocsp_test(aHost, aExpectedResult, aOCSPResponseToServe) {
+  add_connection_test(aHost, aExpectedResult,
+    function() {
+      clearOCSPCache();
+      clearSessionCache();
+      gCurrentOCSPResponse = aOCSPResponseToServe;
+      gOCSPRequestCount = 0;
+    },
+    function() {
+      do_check_eq(gOCSPRequestCount, 1);
+    });
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+  let args = [ ["good", "localhostAndExampleCom", "unused" ],
+               ["expiredresponse", "localhostAndExampleCom", "unused"],
+               ["oldvalidperiod", "localhostAndExampleCom", "unused"],
+               ["revoked", "localhostAndExampleCom", "unused"] ];
+  let ocspResponses = generateOCSPResponses(args, "tlsserver");
+  // Fresh response, certificate is good.
+  let ocspResponseGood = ocspResponses[0];
+  // Expired response, certificate is good.
+  let expiredOCSPResponseGood = ocspResponses[1];
+  // Fresh signature, old validity period, certificate is good.
+  let oldValidityPeriodOCSPResponseGood = ocspResponses[2];
+  // Fresh signature, certificate is revoked.
+  let ocspResponseRevoked = ocspResponses[3];
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function(request, response) {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.setHeader("Content-Type", "application/ocsp-response");
+    response.write(gCurrentOCSPResponse);
+    gOCSPRequestCount++;
+  });
+  ocspResponder.start(8080);
+
+  add_tls_server_setup("OCSPStaplingServer");
+
+  // In these tests, the OCSP stapling server gives us a stapled
+  // response based on the host name ("ocsp-stapling-expired" or
+  // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
+  // properly falling back to fetching revocation information.
+  // For ocsp-stapling-expired.example.com, the OCSP stapling server
+  // staples an expired OCSP response. The certificate has not expired.
+  // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
+  // server staples an OCSP response with a recent signature but with an
+  // out-of-date validity period. The certificate has not expired.
+  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+                ocspResponseGood);
+  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+                expiredOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+                expiredOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+                oldValidityPeriodOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+                oldValidityPeriodOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                ocspResponseRevoked);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                ocspResponseRevoked);
+  add_test(function() { ocspResponder.stop(run_next_test); });
+  run_next_test();
+}
index 590f59078ca48d911a7dffe52b0b6bdc55a1560e..6c82819df43f97267ab26d670f22b4487a471436
GIT binary patch
literal 65536
zc%1Fsc~BEs9tZH(9gctmMQ(;mL3crc4uY^DAu<d&pm7vL5mc}s3pga<$bf)M4LB>h
z40vmKfHIy1!h*88q6{dmN>)bEDdch~WnF|3DAWb7kxdBWSW`glR$0sb@%^N_x|8>Q
z-7l|y{pasB(K22~2%!nlxI@SS<ss20gd*yVutyK*(LHNqKhi`vs^dM<%ub?4k8b~S
zY-%#D3IG5A0000000000000000000000000000000002+;pmYe;d9{=;a#CZSR%|7
zo)PR3tQPnS488uvGxQn;00000000000000000000000000000000000m~3o{Xe>~D
z=&8h%$)=|;*_8YUi>7Frq8N^rj^pM}HxF?rN>h_C)49_aeJxgq2Fp-;xj0#F>+8c<
zn{v4GxQr{8>*?<9>K10oaeMzOW5G3JOw=(`M`HY>(N1EiJWig*WF3D03X~>cW#thj
zYb%|VMe1#j)t;EOKHod*%Nr3!e>2Mr3wjtmdrwW1yW^|Q{f1K-Qoj9r4Nbx$YrbzO
zV;dicyy5HO`g})fen;`^;r8=RihpiNb)bx_smvu`9xLC(;eKYu4L>bg{|Eb`_<aUV
zbvZ$~O|2~s6`bcq-v^%%*~iB$jGgKFd5^&g!9Z!;=5U%t5$b3h6T{dkM{i}IVaZrz
z>%_~V*2TxllI7VPM`!Vdb&`a5v2&D6!nkU&=V&P>Nt>cHW;6E8%%8tA)Mk@dxjcdA
z;_@z-=gD|7E{vY)#D)|#tU)v6S98r$PC<TG#HlEeG@&u|MoA1^D6QcJhNey{{=t2H
zQRsf7#VtnZl?Q5L)33_|QyZ3kle=clT2}A0l`XT5rjgK<7G`zS-bi5@=U|5;oAErC
zQE0j?Ss_}s_3V9Cch9bm`k6=lmrBI>Ma7op@~b*_*13wGj7k?Dl1L>{>7`C{gF<ER
z#_J=E_EY~?Uzvm`^J0udV6#*&OE)ECoG4<fY#%F-HBpMF-ge%sN>A!4VJlO!R=GK-
z(^Hcaq~x3YIz`R6CXA8#T%6D3vEn3K`G1(G<3~=ErY~H6_myX*rT#s$)V=dXj(#~B
zFCCI{&CBRJr#`kVyKtp^{;C4S<0KwWbJJzEv@OZR)#grF%C?Z54IBR&yn9YWK*P7I
z@~(y4%BvS0ef6elufO!=Y4hlv)uHYiFPP5RXY}y+*FHh|>7PH4WIpK(kwl;TB!95?
zN~DD(F{37j`@~9}rpl2s)8Azio6%D4XlksSYP-O1`BXB4SvPR1`T5~3g^NuCKIy7I
zuDRVI&37R0V|V94f6ca<FwGbH#rch`i)=1f9$f#nApENx=MMQ4ynbeuX!j<(J;=f<
z++b00`MtodZvtEU++LL5H}mK_CA_%i&8DlOtmEakL+<zWDYic-+CEe>p#5ao#zMES
zdT&{B)oht+W_^8>sWNi+#+`IFO^C(#&GgUbQS~z#E3If%PgMs($O>^%a-2*`^vRFH
z?}W#M&4OydRzad*semuA6|e<&`PKYgyhPqE-ej*(0000000000000000000000000
z00000000000F&&O`g>hs$Yj%6Og1GOt-q%~ME$)n*N`z#$LOj{Xnn;=@(F92D+2yR
z9X#KAS(pF7r>Ar8@|;I`p(mUoj)}i+P4C~f$aly5S23Xmy1I|Mw*)s=*wvjq)3M}I
ziJy*D@6Be{tV+JwU|vFG2$QySN_1<{fiLD6&It)hxg8p?OY`(J<Ma9U?KdtzU7Oms
za7q2?yLv-x%G%etPQJ*h+{-w(|8zlC_y0lZ{nmcZNdEAZ0Bd<spsRQ3;5_RoJuc@P
z=bo(dUwG-<%#4nDX^Tyr_eEX9_#e)tS6LaY*2ydWO_0-LFPU(`5<BPejRLRlcD~$O
zE~)D8sU7-r$>V3kO~T-tjy&<%eMVgd6#wOnOq-;}I~SgLvr;;OUFw%PmzB16KNVj4
z;^tG5B8y5+7`a=1(rCYtN_e77hjGj94G9?|LRE4<W)N$ftWXtGn~u{)k8uH2f6Ix=
z_vvvK15l5etsM1e88@*}J_{39gtI0n7Js)&z+Z^A@&T$;ZdUKD5@7rx9;C5iCVGm7
z@-0q^g5z64FM4pQ(mkHpRQ4rbyKNu2TGF8BcRxNd`Aqn96Mow3%fFpvzC)_TZC}<b
z+F-Kq`rU?=f%3Ov|J`k(vz-ZU87Ah6E~!Vb{-Nq?F}r?@bS`w;xXsUAI#8K0ThY<y
zA-7?bME;}TN{lvZ?Qv)Qht)3}k7oE(EKmGzR|fcfK7T|19}P4I^^#{OKDyPlJZaDI
zO|91EyxLnL|AEd2-DMG_F+n@3=LUE5N=l{&-HmA*N=wvRHLZt}W9i!+%;~we-y^Ix
zd1vF)r7PYB=ZLh17Zg2eY;tIQZOXHYDXutd-crSvA6cWYsJQOEJ5y(Q+15Qp196Iu
zC}XE1;T@y(`jq;HjhpJ)gpBqi=IWdovomX~AAg$c)m8ui00000000000000000000
T0000000000000000ATpvzp?Lg
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -69,32 +69,33 @@ function make_CA {
                                                    -t "CT,," \
                                                    -x $COMMON_ARGS
   $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n $NICKNAME -r > $OUTPUT_DIR/$DERFILE
 }
 
 SERIALNO=1
 
 function make_cert {
-  CERT_RESPONSES="n\n\ny"
+  CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
   CA="${3}"
   SUBJECT_ALT_NAME="${4}"
   if [ -n "$SUBJECT_ALT_NAME" ]; then
     SUBJECT_ALT_NAME="-8 $SUBJECT_ALT_NAME"
   fi
 
   echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
                                                      -n $NICKNAME \
                                                      -s "$SUBJECT" \
                                                      $SUBJECT_ALT_NAME \
                                                      -c $CA \
                                                      -t ",," \
                                                      -m $SERIALNO \
+                                                     --extAIA \
                                                      $COMMON_ARGS
   SERIALNO=$(($SERIALNO + 1))
 }
 
 make_CA testCA 'CN=Test CA' test-ca.der
 make_CA otherCA 'CN=Other test CA' other-test-ca.der
 make_cert localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com"
 # A cert that is like localhostAndExampleCom, but with a different serial number for
index bfd268e76a0f71d01ac41f6f6e400efe9a14fb5a..4ccb58b7b73ea4bb8524451b013eb58005b7fa23
GIT binary patch
literal 16384
zc%1FoS5VXYwg>QpUXmcvdk+MpN>Q3LL3#;2C;^FdklqoHj`Uu)AfU7$(wj(CQF;{+
z1QZ0KAOevV&N=(|aG&<vmwWe|Gyl)bnzd$r55K4H%UU2Z20IW4L<9nnOoBj{{yBmm
zAP^Yz?*dW$9*BN-;y?SJPayJt&DkDd>!5!l`d$C;D8PTmuK)l500000000000Q~2G
zfR1T?(QMPS(A3c6(lF83K~||nC~GJVN#{rpNiP5Z008jcgct+{NkkE0C4|VRg=25U
z;-O#&DVSJ-g@k@)G=#tOyDlYLfBnZI>&|c?`2Hm#FqkBYC}MHIfa@AYB_nGikg)@g
z)rg&;yQ*h}yC$1af(gyzL`%x09_bcb<`r6A=xJwPXV2aDGWx(2+H7%JDftE-uqZ2j
z^irB$)U)HRlOS=Ys>R)4FwE}0p1Q@vwkU&aJb409VmAb_a^$GXL%5ys+?d;6Y+IPg
z`cg+H?usb0-qdIwCr_ZrAWl0{xz)eD7DGurVy-xIeOUgQ2lB-&6T5ihZGLxjAMLV{
z8mUAfAHM+HJ7=gxaZY8ZTG^E?qpYmk*+Z835yJa1tE(D?vE-*JMytJVRta@5c8M>?
z%L`I%p>K{QDf^E{(kwnYbdlkcG^ND@ofEeZ<eaOU6Y}JPZ>9y~^>3fS8V+^Ja&;%U
zo~A%pV+-ef+iab3nBBN)t(0{%+Vo+p0|kw@7_a5>x@(22r)y<2(zG!l9$ef+9X-5o
zQTU{}k~ZIIb}|8<>#F-Aqyy0;yq7-8{+X25tcyHQduuLn{BB$}v3ICh-Fk!&41Z!p
z6!iJ{On#b5nD^sVF-;qUm9q4AsprG3kVC_=7AG&KK0dY_hGinj9UKa?tCT@kcB7%f
zqyz-Hn|DjZ`GLbsN_8(LR@|yM<1ma=?Z8dKcZ2!YG}R-T8IU+l^x9S%KIu`8=}BBk
zzmt^92ydvUz?omZf`4IU^80CTe>>M2%do@SBj;ygAP+-?mfJ(_6Qxg8Kb?D>D#A~F
z0$$DeFAY~En1v{A>!wa<MaIch`}tW<)nprdu;b$JU5wvB;<~n)oM7C8YcopLW^qYq
zHBOW$=5FfAZeVM}MyE20_+rsQq(qkfx<Px(I7!;xuUSF9PrEV=5Zn%fFU^-nYm(PW
z&$AE>+V$YV)^EL3imR&I>p7-zUy>~=MQzJ5(F?)5sk-XvvL}v~v{Y1Ix8jlW4SfBL
zFIEh?YHm_;e0x7H71^Z7e3X12Z6*<9MD4IpTHtq;PQ=W_f80_#leG2{Lu(5E(wpA>
zI|1Ld4BpmGLGTn{PIa+<UtNyp3JgiRwZ)NJe~}tj`5W0eClB|W5`|fl^y{Tx7W6Iu
zP7Qo68ucT4J!{K86Wbo6nyzQy@@kT=4b(OeJ&w#T+~uoS-SMQi{@}gaQ@#TUJLH&K
zN>~LsptY#yw6wAHX$H<A*Ht3fUpE{2AMOgt)>xk3kk1i|c9LyXxJ`D;Ldlxi?}!Jj
z)>C9An)>=wU3vWdUQaQE<qL7rv&HmOqMP($ln<edT`@|y#1G{XQHc2^FBjXaz<`68
znq~Y+2qPz<Uu%#sfs<x_(P}JY3L6A9!p`wCUm?hDmkooHd9F_nNMHEIkzKWwwu~Qd
zEX;<cNN_<Lb(lMH{7<7Y&Uw9Qhc=grIv^&{O9ci<AFd^d0Zdt;p|U9LL9-g%U|(S&
zbdwhq7GmIaYT_Vtyj=1$ZKu9Zdz*kQWXRU5sw{tz<%EI-w|imwd1_ZGM`WLPIcQ86
zCB-v6(^Zyir1<pq{tx_gQOw%9W~0#-A8~|pW2NllbDw0INzHCkwpZz$q`&CP-)H_x
zr_(6g4(1p5mT`KcEjGB5HtxlR6&F8r+kt1MRk(7DdiU3`3f{)J368HiFg1#qsSRQl
zpFmM!qY$v^YlG+q_!u2%s!Gyhzr0y{_V!G?9e=j>Qo(Zvs9vQw(wpL>D>me!p$_@x
zZtC(mM-I$(`9#RZMRF#m{PrA2^-Ib3{f9KcqOG{&hf~FTW?j^(EN0GZh3Q;6i?aqf
zo@Oh>(RA<HLIoGC{-_|XZ{$^+rA#YEa>`PI4|X$`Y8hLq6T<C$8YLQHW<E))3=3Ks
z`WR`mYRgmFtByk|EDdLpez<c7X2}c<$V*KA47{O{{QUDis=5FlwbQL@!e4NS(3?IO
zS|d^Sp!mr2a`>~2;*I8sjE!I7*CVbqvBTz=19D{bg>S}@93#AwSg=Hs&(yfF?S0Q>
zt%`@gddtg`KJ2CNSoCI;;+n+zr<!GqgbpIJL~ON3%B+%y%*K-6>OVO->&VgcIId-J
z$mq6|32kQ*$)#Vbh*mX$1-q`ghvC-E+#Q~3q#S+gL$kVjh4jQp;yC^yHO^g&6;VTW
zEMD+_h^c(UoR_)4%J0<B`hdS|Zez8I6xgM1lSh@RDpOfnxOpnb8Jn6S8*A(+6J%Ng
zqP6q$W@H{>Xp=ejg@)brJ#0I;H%Qx_2B*hOFS?N`;gpk~8QuUFachpDbKlO*FZz?(
zSH%>Igp88iaHlIZQmRkDSHay!`Hh7~wB~9Zn_g{gzt}4<kU7xd>=u0EWc)P9Rz;@!
zx%=av{T#%TtWsCb*~YJMRNGV#f^MHb`<OOnA|d*@L>*c&B=wwS+Jk_A)+X9%3oYk_
zOA55XqpPi;yREFDwc`sI^CxJ2N5tOLULW&CcLg=CN8f{cb?jALqZQqgJMBJVfqGo4
zH~6XB>_4ap8d0;I76eBxG$vMFb6zdoA-A@#4tc8Kb>I~6hpCHBnP&+NcxxIe%-I-S
zEk}rn#f@^45a<YJNhcw>P&a1vv^-->21f5)8(L*{hg-P1sSV3`C?~;Ne~YzGW&9(P
z;<-W3?3#cK7KZ5D%(tIN6OY{De&DXfzd4>{?64#iwG)p`J?aZC_#VOWOQxNkzpB!|
z16!4!Z#bnG0`0ZA7Z|ecTzJ^=nTd^grU_i9fhI_U&1@gx5=5gxdepNrA35Ko9*E%m
z%!R+!Cs1@(7%!DKH_RXIZDqvTXkKqeczj)(DjR~ly1F@WVyZBJ4T<MMP}E(VLk9zg
z!1~ppT-M=BNWYq8#UHw*ZfnQYJEPw+1>C|0)^5FQ)*{t`qb&MFoQI<DS2==WB)kkz
zyCilg$*RRhypN|X=?awvTrbOFbqWs2I_@}K&ioPnY}a+{-Kx7vhPvgJ{rTpoPuYjM
zdseStmmaUG#!(Q5MS69dRv{66Jz9I-W1)pQl*h$p_!QQs`bf7AmYs6Yj$pZ;TutA7
zhQ|5PHtr*kn;+fKJ}*$085M(0dxZp8(mlu|myGB20~xhmPmNgU_!2OhS&RCO>-VKY
z7+HolJ>-zEqV6Hb%pJ5?iF9b{O@5CbO(F2%mG5%CT*Ni#&&7R?<ivL>#9(XPzl5KJ
zs5Y2-5uv_jB;9$~-lE}^-ldY;6_C%C@95@fZ|5fJW9Q~eOb@;iG+!E?#_gUp#|f*4
zRq^a+3;BZnXTrFeEIDJ56xU}$({K8n)#u%}^YIDr^mY)v>x8-MN^Fkt_Hp*~AOc0u
z3`1T)h9Q6VCISEe0000000000{<r>O(V*s`DOpJ-{S!etStwEu_b$8AJn(zbaPbyi
z_VvE#^>~V|5|XqALYnWSrfCiFgvZ9cdPmgu_rU2Z{7=%S@)OGT4F{NOOe5$|S_m7f
zc9DCt&SY$Exg|=yzVuXs72>pYL|P%safec0{Y@XNHN1*?>wbH<yz<+5?-+wlmQr4}
z>{D>G7L!hKb_@1$<2mcZJpsB+HZ-5`0sKBIo)H{2cHuoXn%kZsxG5T*SxMTEj|C4s
zBX5?^f491v&nP_$VI-PX#D{SYz{akGpbi!#10&ShVb|@gi`vEW{ECO2^jX?AFYH(<
zNJuP&sh$$3?2IB=Vdjgyf#YR;HpyJ+UBNGR=~@C`Vkhp*5;GJ}?dfcA_6^=s$h;@T
zmsZEPZ^OOJ%@}ct3`Sh58J9|n@EC=zY|b;i4|bY-Fp9>#MhvhV^GM^n663vCm4(D{
zb1ux7v<w}-DXUq>Nx@AXsy13^Kqu&u)J1G}B0JPZ9FrS3wz5L2y&X2}tMaX=AxP{K
zC#y3?bEfWvH5nWi8N@J)g9;2-J{i8;<m$Tc-AROp-=m9AlJbb`bk$b=lXH;K*%rvE
zE%TAkppQ36`91g}3Ii8&1qFr{!TO;JtxBp0?upk@>?WR>dHvl5>)eU?AlCf*Q*-MB
zsSQ~gU+gI}Q^ab9G%t-p7KkFhkFVLrn_Uj)(0dv31Cd!BaC|XFI#*`(-eI)|my{}7
z<Y>=9%S=BxQ=?By)R@L5s7B0#v+bIu89C$oI?9<R$@A<nWeNg{s_lRL$60RbA3So_
zWp0?eHtG7!5aQgE`<u$!mU1#z?Fo#I4TJr7a`M-gIo`@T_{-mk*_^A7sS?8^-#q9@
z>BQW!Xv}iipP;uj&%E=NyZlw9fJ=&UWcV9f`ghD>)+TEX@a&#h8R3)ld^+k8|FY#C
zA`lAQGx`Bb!BBvHqb@FWkRFh-Qhj={)G9i>5g&j6({qBu48qHwKZHseGE1UrJzZk>
zOWks5XZzz!l4ch^AR3?trK8A7eSSAbEhk<n*KJyJr5|<9v8eOE`xXTN0000000000
L0002s|J*+S-mE5v
index a978b7e0d5736e931166f1e22d7c5af4899432b9..b31ad5a3f844bbc02ff126173a03a3e2578642f6
GIT binary patch
literal 452
zc$_n6Vmx5b#HhJ|nTe5!iIrh)S)Z5zFB_*;n@8JsUPeY%Rt5tJLoovpHs(+kW?^3c
zl8n?Mg_6|b5(Q^R137VCLt{e&BSS+AQ&S_8C~;mBWG)_^jq{OhVPs`sZtP_+XzXNa
zY-ISMZ`ok6MTYOXMENu`UoF>mmY<qM-ID8=F0F7<Shw@g2D8Yyr(P6US+O=B<jA{S
zBxWRkX<b===%lkXM}wzm$9tY#6xn+$^nCA0-^IWF?3(75_j8S8%A~y!rZqdowWo_b
zTH4|m#8;L5Ft_&2<Ivoc<t}~S-X2Pj$}Ozk-){IumWi2>fpIa=<px4Px62AMGX7`b
zFkk~xOpFX@fx`@R@9mv7H$8F{4H7@DxbbCv$2=c#PnYK>m$FXKtaSd^>tw3;&5iZ;
z{wUTTGgJF6-tv~;DKk6k-`wbiiQDEl&i(yaqEPuy^qn9n>u5pmRU58*J@4_l_0HtS
xhPx8x?^f9Fj{Vbo#J6$jh6|y0-@Q9E;o-sw-}irHe-l_U&m`)kU4HQ{H2@S)tIhxb
index cb247f8e985d2c0cb52aa567d8653dd65ca62805..7d2283830dce7ba3caa86a517432381bffe9ab97
GIT binary patch
literal 440
zc$_n6V%%cT#3;LfnTe5!iIrh)S)Zr@FB_*;n@8JsUPeY%Rt5thLjeOmHs(+kW?}Y_
z)Z!8aXGa4$ab81XLjxm2Lkm+=Ba<j`UK3<4Ry~dLkxgb~WngaXWiV*$WNK_=_}(YA
z+&4JqX2foD-d$DZpXIl_D?WBXB_SsFERXBmoP^>{(L!Q2mA?;as7g-EV>7%Hc*D0s
z%>DS~v*BJP|5Dwi-1go4xWJ@ZO!Cz8Jo8|_IeU+#Pkx=CH_xP|-&G~=<Cbc*Q}^GQ
zm&h}(PIxl+P&zwv+)_QhM|*#0Ev|Ol7*fc@%*epFSj<4gKnUn+Sz$)T|12B^Y(R>M
zkpV40n1Sw1>$9nN-zCWUji*@gl=S)MAw^S{Hs6wyv^sF!*X`ruhcDN~uT2k{xK}6m
z{@dKuLP3|)Z-1{W<cSn`#oI39{4$vL)%BU?Q3r}AUE~i4`xo5q%l6-4;nR!PG;jSD
rw^B}DwQ;`W&0RJn3t~@6Z9Hx_rIs^fUFXz=A2UzgPZrf(5Pcs2Q^TQ_
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -23,14 +23,19 @@ skip-if = os == "android"
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_hmac.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
 [test_ocsp_stapling.js]
+run-sequentially = hardcoded ports
+# Bug 676972: test fails consistently on Android
+fail-if = os == "android"
+[test_ocsp_stapling_expired.js]
+run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_sts_ipv4_ipv6.js]
 [test_cert_signatures.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"