bug 1313491 - add basic tests that PSM sets the right security state during session resumption r=Cykesiopka,jcj,mgoodwin
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 01 Nov 2016 13:47:51 -0700
changeset 321686 bd9fb386560691dd55d4905213f28fa9666d30b9
parent 321685 1c76db819ee6f879a126db6d2a91234a2547b3e2
child 321687 b1db1c9b6f545f2d6980b7f9e017842e5238192b
push id21
push usermaklebus@msu.edu
push dateThu, 01 Dec 2016 06:22:08 +0000
reviewersCykesiopka, jcj, mgoodwin
bugs1313491
milestone52.0a1
bug 1313491 - add basic tests that PSM sets the right security state during session resumption r=Cykesiopka,jcj,mgoodwin MozReview-Commit-ID: 3Q265OJyTIO
security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
security/manager/ssl/tests/unit/bad_certs/ev-test.pem
security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
security/manager/ssl/tests/unit/bad_certs/evroot.key
security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
security/manager/ssl/tests/unit/bad_certs/evroot.pem
security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
security/manager/ssl/tests/unit/bad_certs/moz.build
security/manager/ssl/tests/unit/test_session_resumption.js
security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
security/manager/ssl/tests/unit/xpcshell.ini
copy from security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
copy to security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDQjCCAiygAwIBAgIUI4h7bIgXBroqPq3r8qcqzWTPiTwwCwYJKoZIhvcNAQEL
+MIIDNzCCAiGgAwIBAgIUdakyQxHEOz8eq2oddSdoUYT0DP0wCwYJKoZIhvcNAQEL
 MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAhMR8wHQYDVQQDDBZhbnlQb2xpY3ktaW50LXBhdGgtaW50MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-o4GBMH8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEEQzBB
-MD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9s
-aWN5LWludC1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsGCSqGSIb3DQEB
-CwOCAQEAaar6+lvsKAL6fuKS9b8HOSI1Q6c+7/PDAo+YPVsDyzg4OYpFHfrJqveK
-vmwWSnUngX/V702znW4woDu1ZjXLWpTG4xx87FU7b0BIrL7r1N1twAohOYFUMnjl
-TW7RMjTgMGIgxybQc3N0snwf2SJedUu78xekdLW1/jTiMuIEys/+44tqGzVsFu9j
-XrFxPxNBHVzR8UFGICREeE2nFeOnqj3uQPh1JJszKUlfXbYtjgPFKfbbsPzzGLJ3
-tLmzPZLSeEed/AYvegq00CybA5f6UDY1uMnECekHAWFzv/yhZZsL+hMSGXTctE7+
-C+WTNlFX41Gi6uvck6N8T3ABNVTk8A==
+MDAwMDAwWjAfMR0wGwYDVQQDDBRldi10ZXN0LWludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaN5
+MHcwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwRwYIKwYBBQUHAQEEOzA5MDcG
+CCsGAQUFBzABhitodHRwOi8vbG9jYWxob3N0Ojg4ODgvZXYtdGVzdC1pbnRlcm1l
+ZGlhdGUvMBEGA1UdIAQKMAgwBgYEVR0gADALBgkqhkiG9w0BAQsDggEBAEnoeMK3
+VQ18/OA9LzFSlkr8YFLnz/0iL8l2LnftDtcoTckr3Zhyo6HdQDYvWf7Ox1sN3BLB
+PFgQ0bEWSLRUSCTuUjLM+gKR8Dzo5LWY3ZyHh851NRP4o/mwXujr4qlMiCpKMlJi
+itjIIPEID2/oFdf8uujH+q6/Mk038v+Bq0FcfLmpcfmsptCHza1Ryw2lxc3WVvOv
+J+5t6qA1H6xJIVcb0dQwF5doTMV27YDmuLyg2VTKnoF4Fux/glH1v/YXdfxi6WKC
+8L7jeeVMurd3huWLRIoBimOn26e/wMQJAJMOXfwnYU1RULgbwdFCVZUeSNYW4pDY
+4ga6LzbJdLBvb6k=
 -----END CERTIFICATE-----
\ No newline at end of file
copy from security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
copy to security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
@@ -1,7 +1,7 @@
 issuer:evroot
-subject:anyPolicy-int-path-int
+subject:ev-test-intermediate
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
+extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/
 extension:certificatePolicies:any
copy from security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
copy to security/manager/ssl/tests/unit/bad_certs/ev-test.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDVTCCAj+gAwIBAgIULwfe1XYxIxI1GOvu3ZnTqxvVOYYwCwYJKoZIhvcNAQEL
-MBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MCIYDzIwMTQxMTI3MDAwMDAw
-WhgPMjAxNzAyMDQwMDAwMDBaMBsxGTAXBgNVBAMMEHRlc3Qtb2lkLXBhdGgtZWUw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
-PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
-9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
-4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
-exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
-ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
-AgMBAAGjgY8wgYwwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1odHRwOi8v
-d3d3LmV4YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtcGF0aC1lZS8wHwYDVR0gBBgw
-FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
-cGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGBM93ylo+yXjVAr7GHY2/Suvddfd47X
-i+0qQc5Aif2f5okWm7k8BaLdhQYMcLo/D/AZzKcPvO5wUFdiInHPF069ebu8s6qL
-qZ7ybJK7AR/UfkS4Yn+gTdvPUxasFCtorT3tx8aws3Y9NBK0YV2IImgC+wS2Qe37
-XBUF+526UjJ/ooInFnW6Ukf8rdhxMpSOAXzblJCfHMnnkg36m5zSWNH83oTWEGwe
-tWolqulTICNpRA4rqwO7i2BRHkgQrq9lhQS3/rCyGYgeqware7QPSj5S4WXBLM3p
-a7je/NteBTOUVsfngQSz5ETVu3Bj7mgJYmtkCC5ZRVfQmjWsfPyqslE=
+MIIDPjCCAiigAwIBAgIUD91RYDYNkAEZj914Ztj5ISzYywEwCwYJKoZIhvcNAQEL
+MB8xHTAbBgNVBAMMFGV2LXRlc3QtaW50ZXJtZWRpYXRlMCIYDzIwMTQxMTI3MDAw
+MDAwWhgPMjAxNzAyMDQwMDAwMDBaMBIxEDAOBgNVBAMMB2V2LXRlc3QwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+fzB9MDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYeaHR0cDovL2xvY2FsaG9z
+dDo4ODg4L2V2LXRlc3QvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
+MB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBsZS5jb20wCwYJKoZIhvcNAQELA4IB
+AQCGr7tHhNrdziIH9DlTc6KOtwgHAC/9oq2t5r+nTw2PAzGnXlVDhechXaXHYJJ0
+6PAEh+VkN+QGluG2qUfQsKDoMMNTOdJekZWlnhPuAwQPfjzLa06yLbmzMwUSHJZU
+XdeAbf1o79xyMHfJMcmA5pduAv0RAsAZl6SyiR5Fm6nORHVHWu0Zw9WqPDBCb+BW
+Mx2Lgl3M95jAbUeR2HfDOHTh3Crpf0V8FL2n9jFgpQ+niO3JFZOBg3dVQ+BMIov/
+pldY1jGnSAaf1xGh3vL5ildKQVH2an69KjIliwofEW0qq6q4OTZgZXYBuARzGvPl
+Pbf+6Wnb09vLKtJ4QXy9cBHO
 -----END CERTIFICATE-----
\ No newline at end of file
copy from security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
copy to security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
@@ -1,5 +1,5 @@
-issuer:test-oid-path-int
-subject:test-oid-path-ee
-extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
+issuer:ev-test-intermediate
+subject:ev-test
+extension:authorityInformationAccess:http://localhost:8888/ev-test/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
 extension:subjectAlternativeName:ev-test.example.com
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.key
copy to security/manager/ssl/tests/unit/bad_certs/evroot.key
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
copy to security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
copy to security/manager/ssl/tests/unit/bad_certs/evroot.pem
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
copy to security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
--- a/security/manager/ssl/tests/unit/bad_certs/moz.build
+++ b/security/manager/ssl/tests/unit/bad_certs/moz.build
@@ -11,16 +11,19 @@
 #    'beforeEpochINT.pem',
 #    'beforeEpochIssuer.pem',
 #    'ca-used-as-end-entity.pem',
 #    'default-ee.pem',
 #    'eeIssuedByNonCA.pem',
 #    'eeIssuedByV1Cert.pem',
 #    'emptyIssuerName.pem',
 #    'emptyNameCA.pem',
+#    'ev-test-intermediate.pem',
+#    'ev-test.pem',
+#    'evroot.pem',
 #    'expired-ee.pem',
 #    'expiredINT.pem',
 #    'expiredissuer.pem',
 #    'idn-certificate.pem',
 #    'inadequateKeySizeEE.pem',
 #    'inadequatekeyusage-ee.pem',
 #    'ipAddressAsDNSNameInSAN.pem',
 #    'md5signature-expired.pem',
@@ -51,14 +54,15 @@
 #    'v1Cert.pem',
 #)
 #
 #for test_certificate in test_certificates:
 #    GeneratedTestCertificate(test_certificate)
 #
 #test_keys = (
 #    'default-ee.key',
+#    'evroot.key',
 #    'inadequateKeySizeEE.key',
 #    'other-test-ca.key',
 #)
 #
 #for test_key in test_keys:
 #    GeneratedTestKey(test_key)
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -0,0 +1,117 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM makes the correct determination of the security status of
+// loads involving session resumption (i.e. when a TLS handshake bypasses the
+// AuthCertificate callback).
+
+do_get_profile();
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+do_register_cleanup(() => {
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");
+
+// For expired.example.com, the platform will make a connection that will fail.
+// Using information gathered at that point, an override will be added and
+// another connection will be made. This connection will succeed. At that point,
+// as long as the session cache isn't cleared, subsequent new connections should
+// use session resumption, thereby bypassing the AuthCertificate hook. We need
+// to ensure that the correct security state is propagated to the new connection
+// information object.
+function add_resume_non_ev_with_override_test() {
+  // This adds the override and makes one successful connection.
+  add_cert_override_test("expired.example.com",
+                         Ci.nsICertOverrideService.ERROR_TIME,
+                         SEC_ERROR_EXPIRED_CERTIFICATE);
+
+  // This connects again, using session resumption. Note that we don't clear
+  // the TLS session cache between these operations (that would defeat the
+  // purpose).
+  add_connection_test("expired.example.com", PRErrorCodeSuccess, null,
+    (transportSecurityInfo) => {
+      ok(transportSecurityInfo.securityState &
+         Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+         "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag");
+      let sslStatus = transportSecurityInfo
+                        .QueryInterface(Ci.nsISSLStatusProvider)
+                        .SSLStatus;
+      ok(!sslStatus.isDomainMismatch,
+         "expired.example.com should not have isDomainMismatch set");
+      ok(sslStatus.isNotValidAtThisTime,
+         "expired.example.com should have isNotValidAtThisTime set");
+      ok(!sslStatus.isUntrusted,
+         "expired.example.com should not have isUntrusted set");
+      ok(!sslStatus.isExtendedValidation,
+         "expired.example.com should not have isExtendedValidation set");
+    }
+  );
+}
+
+// Helper function that adds a test that connects to ev-test.example.com and
+// verifies that it validates as EV (or not, if we're running a non-debug
+// build). This assumes that an appropriate OCSP responder is running or that
+// good responses are cached.
+function add_one_ev_test() {
+  add_connection_test("ev-test.example.com", PRErrorCodeSuccess, null,
+    (transportSecurityInfo) => {
+      ok(!(transportSecurityInfo.securityState &
+           Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
+         "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag");
+      let sslStatus = transportSecurityInfo
+                        .QueryInterface(Ci.nsISSLStatusProvider)
+                        .SSLStatus;
+      ok(!sslStatus.isDomainMismatch,
+         "ev-test.example.com should not have isDomainMismatch set");
+      ok(!sslStatus.isNotValidAtThisTime,
+         "ev-test.example.com should not have isNotValidAtThisTime set");
+      ok(!sslStatus.isUntrusted,
+         "ev-test.example.com should not have isUntrusted set");
+      ok(!gEVExpected || sslStatus.isExtendedValidation,
+         "ev-test.example.com should have isExtendedValidation set " +
+         "(or this is a non-debug build)");
+    }
+  );
+}
+
+// This test is similar, except with extended validation. We should connect
+// successfully, and the certificate should be EV in debug builds. Without
+// clearing the session cache, we should connect successfully again, this time
+// with session resumption. The certificate should again be EV in debug builds.
+function add_resume_ev_test() {
+  const SERVER_PORT = 8888;
+  let expectedRequestPaths = gEVExpected ? [ "ev-test-intermediate", "ev-test" ]
+                                         : [ "ev-test" ];
+  let responseTypes = gEVExpected ? [ "good", "good" ] : [ "good" ];
+  // Since we cache OCSP responses, we only ever actually serve one set.
+  let ocspResponder = startOCSPResponder(SERVER_PORT, "localhost", "bad_certs",
+                                         expectedRequestPaths,
+                                         expectedRequestPaths.slice(),
+                                         null, responseTypes);
+  // We should be able to connect and verify the certificate as EV (in debug
+  // builds).
+  add_one_ev_test();
+  // We should be able to connect again (using session resumption). In debug
+  // builds, the certificate should be noted as EV. Again, it's important that
+  // nothing clears the TLS cache in between these two operations.
+  add_one_ev_test();
+
+  add_test(() => {
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+function run_test() {
+  add_tls_server_setup("BadCertServer", "bad_certs");
+  add_resume_non_ev_with_override_test();
+  add_resume_ev_test();
+  run_next_test();
+}
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -71,16 +71,17 @@ const BadCertHost sBadCertHosts[] =
   { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
   { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
   { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
   { "badSubjectAltNames.example.com", "badSubjectAltNames" },
   { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
   { "noValidNames.example.com", "noValidNames" },
   { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
   { "emptyissuername.example.com", "emptyIssuerName" },
+  { "ev-test.example.com", "ev-test" },
   { nullptr, nullptr }
 };
 
 int32_t
 DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
                              uint32_t aSrvNameArrSize)
 {
   for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
--- a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
@@ -484,16 +484,19 @@ ConfigSecureServerWithNamedCert(PRFileDe
   if (certOut) {
     *certOut = Move(cert);
   }
 
   if (keaOut) {
     *keaOut = certKEA;
   }
 
+  SSL_OptionSet(fd, SSL_NO_CACHE, false);
+  SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true);
+
   return SECSuccess;
 }
 
 int
 StartServer(const char *nssCertDBDir, SSLSNISocketConfig sniSocketConfig,
             void *sniSocketConfigArg)
 {
   const char *debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -112,16 +112,18 @@ run-sequentially = hardcoded ports
 [test_pinning.js]
 run-sequentially = hardcoded ports
 # This test can take longer than 300 seconds on B2G emulator debug builds, so
 # give it enough time to finish. See bug 1081128.
 requesttimeoutfactor = 2
 [test_pinning_dynamic.js]
 [test_pinning_header_parsing.js]
 [test_sdr.js]
+[test_session_resumption.js]
+run-sequentially = hardcoded ports
 [test_signed_apps.js]
 [test_signed_apps-marketplace.js]
 [test_signed_dir.js]
 tags = addons psm
 [test_sss_eviction.js]
 [test_sss_readstate.js]
 [test_sss_readstate_child.js]
 support-files = sss_readstate_child_worker.js