Bug 1159944 - more alt-svc tests r=hurley
authorPatrick McManus <mcmanus@ducksong.com>
Thu, 30 Apr 2015 20:53:20 -0400
changeset 273316 35dfb84cc70f937cf359de009a84fe551862ed3d
parent 273315 7bc6ca1495610504491cc2c0634441a9b8abd873
child 273317 33d085b0ca4030131e2d256c480a92a15cff2d52
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
treeherdermozilla-release@f6321b14228d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewershurley
bugs1159944
milestone40.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1159944 - more alt-svc tests r=hurley
netwerk/test/unit/CA.cert.der
netwerk/test/unit/CA.key.pem
netwerk/test/unit/test_altsvc.js
netwerk/test/unit/test_http2.js
netwerk/test/unit/xpcshell.ini
testing/xpcshell/moz-http2/http2-cert.pem
testing/xpcshell/moz-http2/http2-key.pem
testing/xpcshell/moz-http2/moz-http2.js
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..67157cabd08d9705a3ec762eba1ace9fb0f75f3f
GIT binary patch
literal 827
zc$_n6Vm3EuVv=9L%*4pV#L3WOey+2(`kt`?FB_*;n@8JsUPeZ4Rt5tjLv903Hs(+k
zHesgFU_(9w9uS9vht)SRGcVOp*gz1(=i=dVc2sb!NX#wBNi~oY=QT7nFfp<;Fg3C;
zF^v-EH3D(Xpj@)dY+_VGb{Zoq19KB2KLb#li>Zl`k>TF_Ykc0jzSfmJiD<vNKkvxh
z^2X_Bmnc5vx-)-%*v$PKAHQ_f(3fZFzxw#_%RbBCxmO?R*Ut`Q^g23wpUHZA-BPz-
zR+|E2m6pWh@ETXu%IulY`@Zuk&lx3|6UEBx3W0Y2EOwU9beLWCp2ar0<nJ0$MbC^=
zz7J%l{nU|4ebe~U;gQ_x#gG1OcI^_qaP8g>jqH-wnR{anG{@gNG--})>&;!PsXYIE
zuPk{nWpzbx?)5_~-4<!_(MRlV+-ts~wtumF;PW)Y*Qc|Ju4*nipZwmHd*YrgA0(~Q
zcA7;tPEX#e`P_Y3tNKCKZ&P=rRUR?7xp4UQn!dFx&f8uyuAlgeQT*0VS0-jg2FAq!
z27U&zz`&E`V-aH!`TnPD{ZXlxC!KOE?sv1#)7E*~r(hrtl2&GsFc53Nt^gDnvcfE^
z2F#3%|Iv~IGbpIHn)|e_+P9W>DZgb+-!c!m&C55vTYdSqfa7zK685eCwKoM6C$5_x
zT-RR}G9#<e@`O`J*rAQnmVZxmytHV#);j-EKg*ETk`K$WCl*h+;;sAp+V3(?>CT>0
z5_7Fe&V2UGXn!}^Pi`W^iyapaY+3Pa-?6Hh8}ylcbryQrEcy9YwPa0+$(GH1Cv@3@
z{bO%WwDYS{-&4-0<27MX&WeoGJN*mpp7l7c?zd&{^Bq?oBpGjOKR+{}v~lZ=nzAml
z7^yNv2ZqV>3O97SNG&YeyqV4K?R;0W^S-}-HY+IqW)0bIw0nu@1eZf|W44<=sSY~+
b-nePor-_fdj~$)#`SSDP7~N0jR-Xd^dG=7E
new file mode 100644
--- /dev/null
+++ b/netwerk/test/unit/CA.key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIoXjtIGzP1OkCAggA
+MBQGCCqGSIb3DQMHBAg7NkhJaDJEVwSCBMhYUI4JRAIdvJtCmP7lKl30QR+HG4JC
+9gUJflQrCsa1WhxKCHa7VXzqlItQTu0FTMwn9GRFUOtqpY8ZE6XJFuvzKPox3RMa
+1TMod6v3NS3KIs6/l2Pb2HcGtcMzOJVei1nwtjsT5fvq36x3eoKzgqd9l0fLcvlD
+wf+byzgY0Nsau+ER8DWy65jXF8bPsQQcKTc+U+p4moO3UuXG4+Pnd8ooSaM4X2on
+1jIYDU1aFoSDUvze8+MvQCD32QLuO63iK7ox4sFharG7KucYqeWCihDx5rlGaVGB
+5647v4oHRysEdLVTkU12mIC/Hx/yPXcLhHYmawmnYwEoh1S+wd7rOo9Wn/l16NTK
+8BcDuvfM8km4T5oO/UFaNDIBLBQsNM5sNHDYFDlhmR4x6d5nXeERJ6DQbvhQtgnV
+bTtT9h24rsC8Irflz/abcvTvqqp8I1+gYEzmhgDRUgp9zAPZUoH3E4DKk5rVgApR
+ARX9Y88S7k/OBnU8r+cT+0CjsusbbIv5W2nAFqEX9jMend0cHzYvq3m6v1Jqxjfn
+kQRP1n+SagmAPBIAzy1wSHGV43+COk6FB+blfAGbO55lLglEM9PLH7Nnl0XrPtaE
+dXx5RTtdBnb349Ow8H3WnleTfKspUbIVNyM48aPaXJu6Y784pUXDOC13ISFVbOew
+dPr/s/GoHgBUIm9gxkhNQYUlcSNrJCyJ6bqvrYbOmVQRusO/SaM6ozY8wFL8LDnS
+GeXmg3dAslHhuaHlFN7atF7rBtTWPsH+oQdHNKcLDK7nYq45v8VfjPUrWPfYc2nB
+l+zT4LozY3VPfPW7BG2zVBTyxXkiynz0w7tJaN/HokZGAUDqWXqjSceJqc9Q4XAG
+slIxbxkfxEJUEmJ2wHEnure6T0dJOIfbJzkCqWAeJjkrbI5mdKLuXFj94VgSlfK2
+iq3J20/5HVdHqoVGRZ5rxBUIaVEgSXB3/+9C/M0U0uxx23zxRmVkMGdhhCqXQRh/
+jFUkBzq4x3yibxJW3fRe7jXEJdo1DAAfgBnDvCUWH7lRX8hDkx6OIX4ZS4D7Va0j
+ogSC04IdZWxOP3YJ4gGwx8vvgHWnBLyFfmdFnfHXUr9A8HDDJQTupYg25PDUGHla
+SxukgOYdQ2O6jUCW0TYeUzX7y/P/Za93kWJp7XqA4v76fQ+C9d3CZT/TY0CqNgxB
+C5+PWRGvxtcy+Bne8QYCJhvNPEhfgFa9fU3Rd4w43lvTb9rsy7eBR3jJKdPLKExJ
+zEPIgVUGaMf0lawL0fIgoUI5Q3kRCmrswkTK9kr4+rSA//p0NralnZtHCWRvgs9W
+Lg4hkf1vXxsa9f16Nk6PxqU/OnJmhTnTnv9MzFoX3Sce2neD86H5c7tdguySbrsj
+5fww64rH1UwHhn/i49i3hkseax48gOAZPA8rl+L70FS8dXLpHOm4ihmv6ubVjr82
+yOxi4WmaoXfmOPBgOgGhz1nTFAaetwfhZIsgEtysuWAOsApOUyjlD/wM25988bAa
+m5FwslUGLWQfBIV1N9PC+Q0ui1ywRuLoKHNiKDSE+T5iOuv2Yf7du4nncoM/ANmU
+FnWJL3Aj1VE/O+OeUyuNEPWLHvVX5TChe5mFXZO4bXfTR4tgdJJ15HWf4LKMQdcl
+BEA=
+-----END ENCRYPTED PRIVATE KEY-----
new file mode 100644
--- /dev/null
+++ b/netwerk/test/unit/test_altsvc.js
@@ -0,0 +1,358 @@
+Cu.import("resource://testing-common/httpd.js");
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/NetUtil.jsm");
+
+var h2Port;
+var prefs;
+var spdypref;
+var http2pref;
+var tlspref;
+var altsvcpref1;
+var altsvcpref2;
+
+// https://foo.example.com:(h2Port)
+// https://bar.example.com:(h2Port) <- invalid for bar, but ok for foo
+var h1Foo; // server http://foo.example.com:(h1Foo.identity.primaryPort)
+var h1Bar; // server http://bar.example.com:(h1bar.identity.primaryPort)
+
+var h2FooRoute; // foo.example.com:H2PORT
+var h2BarRoute; // bar.example.com:H2PORT
+var h2Route;    // :H2PORT
+var httpFooOrigin; // http://foo.exmaple.com:PORT/
+var httpsFooOrigin; // https://foo.exmaple.com:PORT/
+var httpBarOrigin; // http://bar.example.com:PORT/
+var httpsBarOrigin; // https://bar.example.com:PORT/
+
+function run_test() {
+  var env = Cc["@mozilla.org/process/environment;1"].getService(Ci.nsIEnvironment);
+  h2Port = env.get("MOZHTTP2-PORT");
+  do_check_neq(h2Port, null);
+  do_check_neq(h2Port, "");
+
+  // Set to allow the cert presented by our H2 server
+  do_get_profile();
+  prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
+
+  spdypref = prefs.getBoolPref("network.http.spdy.enabled");
+  http2pref = prefs.getBoolPref("network.http.spdy.enabled.http2");
+  tlspref = prefs.getBoolPref("network.http.spdy.enforce-tls-profile");
+  altsvcpref1 = prefs.getBoolPref("network.http.altsvc.enabled");
+  altsvcpref2 = prefs.getBoolPref("network.http.altsvc.oe", true);
+
+  prefs.setBoolPref("network.http.spdy.enabled", true);
+  prefs.setBoolPref("network.http.spdy.enabled.http2", true);
+  prefs.setBoolPref("network.http.spdy.enforce-tls-profile", false);
+  prefs.setBoolPref("network.http.altsvc.enabled", true);
+  prefs.setBoolPref("network.http.altsvc.oe", true);
+  prefs.setCharPref("network.dns.localDomains", "foo.example.com, bar.example.com");
+
+  // The moz-http2 cert is for foo.example.com and is signed by CA.cert.der
+  // so add that cert to the trust list as a signing cert. The same cert is used
+  // for both h2FooRoute and h2BarRoute though it is only valid for
+  // the foo.example.com domain name.
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                  .getService(Ci.nsIX509CertDB);
+  addCertFromFile(certdb, "CA.cert.der", "CTu,u,u");
+
+  h1Foo = new HttpServer();
+  h1Foo.registerPathHandler("/altsvc-test", h1Server);
+  h1Foo.start(-1);
+  h1Foo.identity.setPrimary("http", "foo.example.com", h1Foo.identity.primaryPort);
+
+  h1Bar = new HttpServer();
+  h1Bar.registerPathHandler("/altsvc-test", h1Server);
+  h1Bar.start(-1);
+  h1Bar.identity.setPrimary("http", "bar.example.com", h1Bar.identity.primaryPort);
+
+  h2FooRoute = "foo.example.com:" + h2Port;
+  h2BarRoute = "bar.example.com:" + h2Port;
+  h2Route = ":" + h2Port;
+
+  httpFooOrigin = "http://foo.example.com:" + h1Foo.identity.primaryPort + "/";
+  httpsFooOrigin = "https://" + h2FooRoute + "/";
+  httpBarOrigin = "http://bar.example.com:" + h1Bar.identity.primaryPort + "/";
+  httpsBarOrigin = "https://" + h2BarRoute + "/";
+  dump ("http foo - " + httpFooOrigin + "\n" +
+        "https foo - " + httpsFooOrigin + "\n" +
+        "http bar - " + httpBarOrigin + "\n" +
+        "https bar - " + httpsBarOrigin + "\n");
+
+  doTest1();
+}
+
+function h1Server(metadata, response) {
+  response.setStatusLine(metadata.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "text/plain", false);
+  response.setHeader("Connection", "close", false);
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Access-Control-Allow-Origin", "*", false);
+  response.setHeader("Access-Control-Allow-Method", "GET", false);
+  response.setHeader("Access-Control-Allow-Headers", "x-altsvc", false);
+
+  try {
+    var hval = "h2=" + metadata.getHeader("x-altsvc");
+    response.setHeader("Alt-Svc", hval, false);
+  } catch (e) {}
+
+  var body = "Q: What did 0 say to 8? A: Nice Belt!\n";
+  response.bodyOutputStream.write(body, body.length);
+}
+
+function resetPrefs() {
+  prefs.setBoolPref("network.http.spdy.enabled", spdypref);
+  prefs.setBoolPref("network.http.spdy.enabled.http2", http2pref);
+  prefs.setBoolPref("network.http.spdy.enforce-tls-profile", tlspref);
+  prefs.setBoolPref("network.http.altsvc.enabled", altsvcpref1);
+  prefs.setBoolPref("network.http.altsvc.oe", altsvcpref2);
+  prefs.clearUserPref("network.dns.localDomains");
+}
+
+function readFile(file) {
+  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
+                  .createInstance(Ci.nsIFileInputStream);
+  fstream.init(file, -1, 0, 0);
+  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
+  fstream.close();
+  return data;
+}
+
+function addCertFromFile(certdb, filename, trustString) {
+  let certFile = do_get_file(filename, false);
+  let der = readFile(certFile);
+  certdb.addCert(der, trustString, null);
+}
+
+function makeChan(origin) {
+  var ios = Cc["@mozilla.org/network/io-service;1"].getService(Ci.nsIIOService);
+  var chan = ios.newChannel2(origin + "altsvc-test",
+                             null,
+                             null,
+                             null,      // aLoadingNode
+                             Services.scriptSecurityManager.getSystemPrincipal(),
+                             null,      // aTriggeringPrincipal
+                             Ci.nsILoadInfo.SEC_NORMAL,
+                             Ci.nsIContentPolicy.TYPE_OTHER).QueryInterface(Ci.nsIHttpChannel);
+
+  return chan;
+}
+
+var origin;
+var xaltsvc;
+var retryCounter = 0;
+var loadWithoutAltSvc = false;
+var nextTest;
+var expectPass = true;
+var waitFor = 0;
+
+var Listener = function() {};
+Listener.prototype = {
+  onStartRequest: function testOnStartRequest(request, ctx) {
+    do_check_true(request instanceof Components.interfaces.nsIHttpChannel);
+
+    if (expectPass) {
+      if (!Components.isSuccessCode(request.status)) {
+        do_throw("Channel should have a success code! (" + request.status + ")");
+      }
+      do_check_eq(request.responseStatus, 200);
+    } else {
+      do_check_eq(Components.isSuccessCode(request.status), false);
+    }
+  },
+
+  onDataAvailable: function testOnDataAvailable(request, ctx, stream, off, cnt) {
+    read_stream(stream, cnt);
+  },
+
+  onStopRequest: function testOnStopRequest(request, ctx, status) {
+    var routed = "";
+    try {
+      routed = request.getRequestHeader("Alt-Used");
+    } catch (e) {}
+    dump("routed is " + routed + "\n");
+
+    if (waitFor != 0) {
+      do_check_eq(routed, "");
+      do_test_pending();
+      do_timeout(waitFor, doTest);
+      waitFor = 0;
+      xaltsvc = "NA";
+    } else if (xaltsvc == "NA") {
+      do_check_eq(routed, "");
+      nextTest();
+    } else if (routed == xaltsvc) {
+      do_check_eq(routed, xaltsvc); // always true, but a useful log
+      nextTest();
+    } else {
+      dump ("poll later for alt svc mapping\n");
+      do_test_pending();
+      do_timeout(500, doTest);
+    }
+
+    do_test_finished();
+  }
+};
+
+function testsDone()
+{
+  dump("testDone\n");
+  resetPrefs();
+  do_test_pending();
+  h1Foo.stop(do_test_finished);
+  do_test_pending();
+  h1Bar.stop(do_test_finished);
+}
+
+function doTest()
+{
+  dump("execute doTest " + origin + "\n");
+  var chan = makeChan(origin);
+  var listener = new Listener();
+  if (xaltsvc != "NA") {
+    chan.setRequestHeader("x-altsvc", xaltsvc, false);
+  }
+  chan.loadFlags = Ci.nsIRequest.LOAD_FRESH_CONNECTION |
+	           Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
+  chan.asyncOpen(listener, null);
+}
+
+// xaltsvc is overloaded to do two things..
+// 1] it is sent in the x-altsvc request header, and the response uses the value in the Alt-Svc response header
+// 2] the test polls until necko sets Alt-Used to that value (i.e. it uses that route)
+//
+// When xaltsvc is set to h2Route (i.e. :port with the implied hostname) it doesn't match the alt-used,
+// which is always explicit, so it needs to be changed after the channel is created but before the
+// listener is invoked
+    
+// http://foo served from h2=:port
+function doTest1()
+{
+  dump("doTest1()\n");
+  origin = httpFooOrigin;
+  xaltsvc = h2Route;
+  nextTest = doTest2;
+  do_test_pending();
+  doTest();
+  xaltsvc = h2FooRoute;
+}
+
+// http://foo served from h2=foo:port
+function doTest2()
+{
+  dump("doTest2()\n");
+  origin = httpFooOrigin;
+  xaltsvc = h2FooRoute;
+  nextTest = doTest3;
+  do_test_pending();
+  doTest();
+}
+
+// http://foo served from h2=bar:port
+// requires cert for foo
+function doTest3()
+{
+  dump("doTest3()\n");
+  origin = httpFooOrigin;
+  xaltsvc = h2BarRoute;
+  nextTest = doTest4;
+  do_test_pending();
+  doTest();
+}
+
+// https://bar should fail because host bar has cert for foo
+function doTest4()
+{
+  dump("doTest4()\n");
+  origin = httpsBarOrigin;
+  xaltsvc = '';
+  expectPass = false;
+  nextTest = doTest5;
+  do_test_pending();
+  doTest();
+}
+
+// https://foo no alt-svc (just check cert setup)
+function doTest5()
+{
+  dump("doTest5()\n");
+  origin = httpsFooOrigin;
+  xaltsvc = 'NA';
+  expectPass = true;
+  nextTest = doTest6;
+  do_test_pending();
+  doTest();
+}
+
+// https://foo via bar (bar has cert for foo)
+function doTest6()
+{
+  dump("doTest6()\n");
+  origin = httpsFooOrigin;
+  xaltsvc = h2BarRoute;
+  nextTest = doTest7;
+  do_test_pending();
+  doTest();
+}
+
+// check again https://bar should fail because host bar has cert for foo
+function doTest7()
+{
+  dump("doTest7()\n");
+  origin = httpsBarOrigin;
+  xaltsvc = '';
+  expectPass = false;
+  nextTest = doTest8;
+  do_test_pending();
+  doTest();
+}
+
+// http://bar via h2 on bar
+function doTest8()
+{
+  dump("doTest8()\n");
+  origin = httpBarOrigin;
+  xaltsvc = h2BarRoute;
+  expectPass = true;
+  nextTest = doTest9;
+  do_test_pending();
+  doTest();
+}
+
+// http://bar served from h2=:port
+function doTest9()
+{
+  dump("doTest9()\n");
+  origin = httpBarOrigin;
+  xaltsvc = h2Route;
+  nextTest = doTest10;
+  do_test_pending();
+  doTest();
+  xaltsvc = h2BarRoute;
+}
+
+// check again https://bar should fail because host bar has cert for foo
+function doTest10()
+{
+  dump("doTest10()\n");
+  origin = httpsBarOrigin;
+  xaltsvc = '';
+  expectPass = false;
+  nextTest = doTest11;
+  do_test_pending();
+  doTest();
+}
+
+// http://bar served from h2=foo, should fail because host foo only has
+// cert for foo. Fail in this case means alt-svc is not used, but content
+// is served
+function doTest11()
+{
+  dump("doTest11()\n");
+  origin = httpBarOrigin;
+  xaltsvc = h2FooRoute;
+  expectPass = true;
+  waitFor = 1000;
+  nextTest = testsDone;
+  do_test_pending();
+  doTest();
+}
+
--- a/netwerk/test/unit/test_http2.js
+++ b/netwerk/test/unit/test_http2.js
@@ -313,17 +313,17 @@ function checkXhr(xhr) {
   }
 
   do_check_eq(xhr.status, 200);
   do_check_eq(checkIsHttp2(xhr), true);
   run_next_test();
   do_test_finished();
 }
 
-// Fires off an XHR request over SPDY
+// Fires off an XHR request over h2
 function test_http2_xhr() {
   var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
             .createInstance(Ci.nsIXMLHttpRequest);
   req.open("GET", "https://localhost:" + serverPort + "/", true);
   req.addEventListener("readystatechange", function (evt) { checkXhr(req); },
                        false);
   req.send(null);
 }
@@ -879,17 +879,17 @@ function resetPrefs() {
 }
 
 function run_test() {
   var env = Cc["@mozilla.org/process/environment;1"].getService(Ci.nsIEnvironment);
   serverPort = env.get("MOZHTTP2-PORT");
   do_check_neq(serverPort, null);
   dump("using port " + serverPort + "\n");
 
-  // Set to allow the cert presented by our SPDY server
+  // Set to allow the cert presented by our H2 server
   do_get_profile();
   prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
   var oldPref = prefs.getIntPref("network.http.speculative-parallel-limit");
   prefs.setIntPref("network.http.speculative-parallel-limit", 0);
 
   addCertOverride("localhost", serverPort,
                   Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                   Ci.nsICertOverrideService.ERROR_MISMATCH |
--- a/netwerk/test/unit/xpcshell.ini
+++ b/netwerk/test/unit/xpcshell.ini
@@ -1,13 +1,14 @@
 [DEFAULT]
 head = head_channels.js head_cache.js head_cache2.js
 tail =
 skip-if = toolkit == 'gonk'
 support-files =
+  CA.cert.der
   data/image.png
   data/system_root.lnk
   data/test_psl.txt
   data/test_readline1.txt
   data/test_readline2.txt
   data/test_readline3.txt
   data/test_readline4.txt
   data/test_readline5.txt
@@ -261,16 +262,19 @@ fail-if = os == "android"
 fail-if = os == "android"
 # spdy and http2 unit tests require us to have node available to run the spdy and http2 server
 [test_spdy.js]
 skip-if = !hasNode
 run-sequentially = node server exceptions dont replay well
 [test_http2.js]
 skip-if = !hasNode
 run-sequentially = node server exceptions dont replay well
+[test_altsvc.js]
+skip-if = !hasNode
+run-sequentially = node server exceptions dont replay well
 [test_speculative_connect.js]
 [test_standardurl.js]
 [test_standardurl_port.js]
 [test_streamcopier.js]
 [test_traceable_channel.js]
 [test_unescapestring.js]
 [test_xmlhttprequest.js]
 [test_XHR_redirects.js]
new file mode 100644
--- /dev/null
+++ b/testing/xpcshell/moz-http2/http2-cert.pem
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=Maine, O=CA Example
+        Validity
+            Not Before: Apr 29 05:29:19 2015 GMT
+            Not After : Apr 26 05:29:19 2025 GMT
+        Subject: C=US, ST=Maine, O=Example Com, CN=foo.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cf:ff:c0:27:3b:a3:11:b5:7f:5d:4f:22:f9:75:
+                    48:47:d9:3a:ce:9b:66:82:4e:e4:ae:ab:78:d3:4c:
+                    3a:9a:5c:37:97:b2:7b:4e:2a:54:77:16:2a:3e:6f:
+                    52:ee:4b:49:46:1d:6b:18:9a:ed:b1:ad:64:9f:8b:
+                    e5:fa:e4:60:7b:39:0e:db:e8:b4:2d:4b:e8:ab:37:
+                    e8:90:ec:eb:0f:3e:6b:40:7a:d1:da:e6:68:b3:f4:
+                    f6:68:54:5b:27:90:6d:c2:c3:04:de:85:23:2b:3c:
+                    66:4e:06:79:58:93:a1:71:d7:ec:74:55:a4:84:9d:
+                    41:22:2a:7a:76:ae:56:b1:6f:15:2d:f2:f5:9c:64:
+                    3e:4f:0f:6e:8f:b6:28:66:e9:89:04:5d:1d:21:77:
+                    f8:03:d3:89:ed:7c:f4:3b:42:02:c8:8d:de:47:74:
+                    1f:4a:5d:fe:8d:d1:57:37:08:54:bf:89:d8:f7:27:
+                    22:a7:2a:5d:aa:d5:b0:61:22:9b:96:75:ee:ab:09:
+                    ca:a9:cb:2b:1e:88:7c:5a:53:7e:5f:88:c4:43:ea:
+                    e8:a7:db:35:6c:b2:89:ad:98:e0:96:c9:83:c4:c1:
+                    e7:2a:5c:f8:99:5c:9e:01:9c:e6:99:bd:18:5c:69:
+                    d4:10:f1:46:88:37:0b:4e:76:5f:6a:1a:21:c2:a4:
+                    16:d1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                76:BC:13:90:F7:85:1B:1C:24:A1:CC:65:8A:4F:4C:0C:7F:10:D3:F5
+            X509v3 Authority Key Identifier: 
+                keyid:F7:FC:76:AF:C5:1A:E9:C9:42:6C:38:DF:8B:07:9E:2B:2C:E5:8E:20
+
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         03:ab:2a:9e:e5:cd:5c:88:5a:6c:f7:4b:7a:7c:ef:85:2c:31:
+         df:03:79:31:a6:c5:c8:2b:c6:21:a5:33:2b:a0:4b:e2:7e:0a:
+         86:9b:72:25:b6:75:43:41:7c:30:9f:15:b4:9f:34:50:57:eb:
+         87:f9:1e:9f:b6:cd:81:36:92:61:66:d5:fe:e2:c5:ed:de:f1:
+         ce:85:0b:f9:6a:2b:32:4d:29:f1:a9:94:57:a3:0f:74:93:12:
+         c9:0a:28:5e:72:9f:4f:0f:78:f5:84:11:5a:9f:d7:1c:4c:fd:
+         13:d8:3d:4c:f8:dd:4c:c6:1c:fd:63:ee:f5:d5:96:f5:00:2c:
+         e6:bb:c9:4c:d8:6a:19:59:58:2b:d4:05:ab:57:47:1c:49:d6:
+         c5:56:1a:e3:64:10:19:9b:44:3e:74:8b:19:73:28:86:96:b4:
+         d1:2a:49:23:07:25:97:64:8f:1b:1c:64:76:12:e0:df:e3:cf:
+         55:d5:7c:e9:77:d4:69:2f:c7:9a:fd:ce:1a:29:ab:d7:88:68:
+         93:de:75:e4:d6:85:29:e2:b6:b7:59:20:e3:b5:20:b7:e8:0b:
+         23:9b:4c:b4:e8:d9:90:cf:e9:2f:9e:a8:22:a2:ef:6a:68:65:
+         f6:c4:81:ed:75:77:88:01:f2:47:03:1a:de:1f:44:38:47:fa:
+         aa:69:f2:98
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJVUzEO
+MAwGA1UECAwFTWFpbmUxEzARBgNVBAoMCkNBIEV4YW1wbGUwHhcNMTUwNDI5MDUy
+OTE5WhcNMjUwNDI2MDUyOTE5WjBNMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFTWFp
+bmUxFDASBgNVBAoMC0V4YW1wbGUgQ29tMRgwFgYDVQQDDA9mb28uZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP/8AnO6MRtX9dTyL5
+dUhH2TrOm2aCTuSuq3jTTDqaXDeXsntOKlR3Fio+b1LuS0lGHWsYmu2xrWSfi+X6
+5GB7OQ7b6LQtS+irN+iQ7OsPPmtAetHa5miz9PZoVFsnkG3CwwTehSMrPGZOBnlY
+k6Fx1+x0VaSEnUEiKnp2rlaxbxUt8vWcZD5PD26Ptihm6YkEXR0hd/gD04ntfPQ7
+QgLIjd5HdB9KXf6N0Vc3CFS/idj3JyKnKl2q1bBhIpuWde6rCcqpyyseiHxaU35f
+iMRD6uin2zVssomtmOCWyYPEwecqXPiZXJ4BnOaZvRhcadQQ8UaINwtOdl9qGiHC
+pBbRAgMBAAGjWjBYMB0GA1UdDgQWBBR2vBOQ94UbHCShzGWKT0wMfxDT9TAfBgNV
+HSMEGDAWgBT3/HavxRrpyUJsON+LB54rLOWOIDAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIFoDANBgkqhkiG9w0BAQsFAAOCAQEAA6sqnuXNXIhabPdLenzvhSwx3wN5MabF
+yCvGIaUzK6BL4n4KhptyJbZ1Q0F8MJ8VtJ80UFfrh/ken7bNgTaSYWbV/uLF7d7x
+zoUL+WorMk0p8amUV6MPdJMSyQooXnKfTw949YQRWp/XHEz9E9g9TPjdTMYc/WPu
+9dWW9QAs5rvJTNhqGVlYK9QFq1dHHEnWxVYa42QQGZtEPnSLGXMohpa00SpJIwcl
+l2SPGxxkdhLg3+PPVdV86XfUaS/Hmv3OGimr14hok9515NaFKeK2t1kg47Ugt+gL
+I5tMtOjZkM/pL56oIqLvamhl9sSB7XV3iAHyRwMa3h9EOEf6qmnymA==
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/testing/xpcshell/moz-http2/http2-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDP/8AnO6MRtX9d
+TyL5dUhH2TrOm2aCTuSuq3jTTDqaXDeXsntOKlR3Fio+b1LuS0lGHWsYmu2xrWSf
+i+X65GB7OQ7b6LQtS+irN+iQ7OsPPmtAetHa5miz9PZoVFsnkG3CwwTehSMrPGZO
+BnlYk6Fx1+x0VaSEnUEiKnp2rlaxbxUt8vWcZD5PD26Ptihm6YkEXR0hd/gD04nt
+fPQ7QgLIjd5HdB9KXf6N0Vc3CFS/idj3JyKnKl2q1bBhIpuWde6rCcqpyyseiHxa
+U35fiMRD6uin2zVssomtmOCWyYPEwecqXPiZXJ4BnOaZvRhcadQQ8UaINwtOdl9q
+GiHCpBbRAgMBAAECggEBAKqcsQQ9cdQr2S4zpI+UuVZeBFPGun32srPn6TMA2y0U
+qXEgMO574E7SepI+BHt8e70sklVbd89/WANa4Kk8vTs2IU8XAPwKwO347SY7f9BA
+Nf9s/0gcKRQ7wgbv8tlwKehQyWSxNpjXcV9dBho29n2ITOdb/Jfe2bdpuowxEuF0
+rugkKh7P7LJTG1SAw01UTIszoOGIqHU2XlmYQOws4EvRov/BRTn9axBHH33top+m
+dX+96ntgWxdHOJjTcoXLGhTu1c0ZlJgtgEaH03jjy0f+3Qc+jIgbaZ4WLZkF/oZh
+hscL56XhsT3hR2Sdtxccw2zZ0exLO+qV1RykIAlUXkECgYEA7U+ljowyPxbREHnf
+SRTauIZfJNP6IHT60MkslltlYn7jABvx+u2xCC/QhZxCJi/iAs6iNvkbXR6uK/MH
+NrXwdk67SDUXaDZ9LM3rXPqjuwmvkc+e7P5an6KRtyzQD8K8mjbze1NfxbcGgKti
+A+8GL8H3V29EQ6xp2+UxIF/3UNkCgYEA4GEm9NLbu4neP+A+1NpUS4tUgMCdTkPm
+fiOECd4jjTizPZjjrk+zTin9aP+eBRYHharIGrDP2Uj98uv4kQ8u0rQbcjPwitog
+8DgccMQ92E6DYGDGECh5Hg2Zu71+zQQNzOEJTyrFLx4Gf5SkBzLlbDZDpNhbuQc9
+zvRYBc11urkCgYBOu2Dy9SJqefhsnfJtfaS/GZ2RS16tzAG2qTfIvpPZZL2NOLhE
+hv13+N0WpuvvXW1/fuykjmr8rwQcAqo/BYe8yIwr/alBYuqOpdbTZzhRAnqkRpy0
+hgKs+bOccRqqT/Jgu6B2JwgcQYe/wpxnL7L+vzx/XqPoS9hnIxf0ZMJZqQKBgQDa
+KJuf3oQWS23z3Sw5+C2NZeK7bIuF1S795bozffBDFqXvdf+pM4S6ssjYlfAmMc0O
+gYYdrVvpf7apwhTjtUdpRgSJfUabOopcBbJhUexvq6bAxlbMzw0z0zVt/EiVPSPN
+198dQhCGR0M6OGNjPHEkTX5ngJVtyUSnO5t5yNJ2wQKBgQDheEUJYgo2UjLNsdTs
+b4og5gHkyoKS3paWV64itJQbVBuri4HWeIExM9ayBB6nSJ2VvpZPyE6XfiYYGNhR
+jOc394qlnrx+oi2KdSmIWfQU0I+rW3bMqpoyWPYxP/hN6w4LAwjnJOSOIMCACm5J
+d8IebWjY2B3Zc6FFVzbmhXtlig==
+-----END PRIVATE KEY-----
--- a/testing/xpcshell/moz-http2/moz-http2.js
+++ b/testing/xpcshell/moz-http2/moz-http2.js
@@ -391,29 +391,35 @@ function handleRequest(req, res) {
       req.headers['alt-used'] != ("localhost:" + serverPort)) {
       res.setHeader('Connection', 'close');
       res.writeHead(400);
       res.end("WHAT?");
       return;
    }
   }
 
+  // for use with test_altsvc.js
+  else if (u.pathname === "/altsvc-test") {
+    res.setHeader('Cache-Control', 'no-cache');
+    res.setHeader('Alt-Svc', 'h2=' + req.headers['x-altsvc']);
+  }
+
   res.setHeader('Content-Type', 'text/html');
   if (req.httpVersionMajor != 2) {
     res.setHeader('Connection', 'close');
   }
   res.writeHead(200);
   res.end(content);
 }
 
-// Set up the SSL certs for our server
+// Set up the SSL certs for our server - this server has a cert for foo.example.com
+// signed by netwerk/tests/unit/CA.cert.der
 var options = {
-  key: fs.readFileSync(__dirname + '/../moz-spdy/spdy-key.pem'),
-  cert: fs.readFileSync(__dirname + '/../moz-spdy/spdy-cert.pem'),
-  ca: fs.readFileSync(__dirname + '/../moz-spdy/spdy-ca.pem'),
+  key: fs.readFileSync(__dirname + '/http2-key.pem'),
+  cert: fs.readFileSync(__dirname + '/http2-cert.pem'),
   //, log: require('../node-http2/test/util').createLogger('server')
 };
 
 var server = http2.createServer(options, handleRequest);
 
 server.on('connection', function(socket) {
   socket.on('error', function() {
     // Ignoring SSL socket errors, since they usually represent a connection that was tore down