From 7104607e1d89e0f39cbddc2167ead41b1bb274c7 Mon Sep 17 00:00:00 2001
From: "kaie@kuix.de" <kaie@kuix.de>
Date: Wed, 3 Oct 2007 04:47:26 -0700
Subject: [PATCH] Bug 327181, Improve error reporting for invalid-certificate
 errors (error page for https, or combined dialog) Code in
 mozilla/security/manager: r=rrelyea Code elsewhere: r=mconnor, sr=dveditz
 blocking1.9=mconnor

---
 .../src/nsMicrosummaryService.js              |  22 +-
 browser/components/search/nsSearchService.js  |  19 -
 .../browser/gtk/src/EmbedCertificates.cpp     | 121 ----
 embedding/browser/gtk/src/EmbedCertificates.h |  12 -
 extensions/metrics/src/nsMetricsService.cpp   |  95 ---
 .../locales/en-US/chrome/pippki/pippki.dtd    |   8 -
 .../en-US/chrome/pippki/pippki.properties     |  16 +-
 .../pki/resources/content/certManager.js      | 152 +++-
 .../pki/resources/content/deletecert.js       |  42 +-
 .../pki/resources/content/newserver.xul       |  91 ---
 .../resources/content/serverCertExpired.js    |  92 ---
 security/manager/pki/src/nsNSSDialogs.h       |   3 -
 security/manager/pki/src/nsPKIModule.cpp      |   7 -
 security/manager/ssl/public/Makefile.in       |   3 +-
 .../manager/ssl/public/nsIBadCertListener.idl | 155 ----
 security/manager/ssl/public/nsICertTree.idl   |  13 +-
 security/manager/ssl/public/nsISSLStatus.idl  |  17 +-
 security/manager/ssl/src/Makefile.in          |   3 +
 security/manager/ssl/src/nsCertTree.cpp       | 663 +++++++++++++++---
 security/manager/ssl/src/nsCertTree.h         |  59 +-
 security/manager/ssl/src/nsNSSCallbacks.cpp   | 109 +--
 security/manager/ssl/src/nsNSSIOLayer.h       |   8 -
 security/manager/ssl/src/nsNSSModule.cpp      |   9 +
 toolkit/mozapps/shared/src/badCertHandler.js  |  19 -
 xpinstall/src/nsXPInstallManager.cpp          |  33 +-
 xpinstall/src/nsXPInstallManager.h            |   6 +-
 26 files changed, 806 insertions(+), 971 deletions(-)

diff --git a/browser/components/microsummaries/src/nsMicrosummaryService.js b/browser/components/microsummaries/src/nsMicrosummaryService.js
index a5d3bc6babe..8861e8d9fa8 100644
--- a/browser/components/microsummaries/src/nsMicrosummaryService.js
+++ b/browser/components/microsummaries/src/nsMicrosummaryService.js
@@ -1767,8 +1767,7 @@ MicrosummaryResource.prototype = {
   // and abort loads for bad SSL certs and HTTP authorization requests.
   
   // Interfaces this component implements.
-  interfaces: [Ci.nsIBadCertListener,
-               Ci.nsIAuthPromptProvider,
+  interfaces: [Ci.nsIAuthPromptProvider,
                Ci.nsIAuthPrompt,
                Ci.nsIPrompt,
                Ci.nsIProgressEventSink,
@@ -1800,25 +1799,6 @@ MicrosummaryResource.prototype = {
     return this.QueryInterface(iid);
   },
 
-  // nsIBadCertListener
-
-  // Suppress UI and abort secure loads from servers with bad SSL certificates.
-  
-  confirmUnknownIssuer: function MSR_confirmUnknownIssuer(socketInfo, cert, certAddType) {
-    return false;
-  },
-
-  confirmMismatchDomain: function MSR_confirmMismatchDomain(socketInfo, targetURL, cert) {
-    return false;
-  },
-
-  confirmCertExpired: function MSR_confirmCertExpired(socketInfo, cert) {
-    return false;
-  },
-
-  notifyCrlNextupdate: function MSR_notifyCrlNextupdate(socketInfo, targetURL, cert) {
-  },
-
   // Suppress UI and abort loads for files secured by authentication.
 
   // Auth requests appear to succeed when we cancel them (since the server
diff --git a/browser/components/search/nsSearchService.js b/browser/components/search/nsSearchService.js
index 51b3dba7aa6..ce000bd434e 100755
--- a/browser/components/search/nsSearchService.js
+++ b/browser/components/search/nsSearchService.js
@@ -293,7 +293,6 @@ loadListener.prototype = {
         aIID.equals(Ci.nsIStreamListener)     ||
         aIID.equals(Ci.nsIChannelEventSink)   ||
         aIID.equals(Ci.nsIInterfaceRequestor) ||
-        aIID.equals(Ci.nsIBadCertListener)    ||
         // See FIXME comment below
         aIID.equals(Ci.nsIHttpEventSink)      ||
         aIID.equals(Ci.nsIProgressEventSink)  ||
@@ -349,24 +348,6 @@ loadListener.prototype = {
     return this.QueryInterface(aIID);
   },
 
-  // nsIBadCertListener
-  confirmUnknownIssuer: function SRCH_load_CUI(aSocketInfo, aCert,
-                                               aCertAddType) {
-    return false;
-  },
-
-  confirmMismatchDomain: function SRCH_load_CMD(aSocketInfo, aTargetURL,
-                                                aCert) {
-    return false;
-  },
-
-  confirmCertExpired: function SRCH_load_CCE(aSocketInfo, aCert) {
-    return false;
-  },
-
-  notifyCrlNextupdate: function SRCH_load_NCN(aSocketInfo, aTargetURL, aCert) {
-  },
-
   // FIXME: bug 253127
   // nsIHttpEventSink
   onRedirect: function (aChannel, aNewChannel) {},
diff --git a/embedding/browser/gtk/src/EmbedCertificates.cpp b/embedding/browser/gtk/src/EmbedCertificates.cpp
index 62a332955f9..f9bf297db77 100644
--- a/embedding/browser/gtk/src/EmbedCertificates.cpp
+++ b/embedding/browser/gtk/src/EmbedCertificates.cpp
@@ -87,10 +87,6 @@ NS_IMPL_THREADSAFE_ADDREF(EmbedCertificates)
 NS_IMPL_THREADSAFE_RELEASE(EmbedCertificates)
 NS_INTERFACE_MAP_BEGIN(EmbedCertificates)
 NS_INTERFACE_MAP_ENTRY(nsITokenPasswordDialogs)
-NS_INTERFACE_MAP_ENTRY(nsIBadCertListener)
-#ifdef BAD_CERT_LISTENER2
-NS_INTERFACE_MAP_ENTRY(nsIBadCertListener2)
-#endif
 NS_INTERFACE_MAP_ENTRY(nsICertificateDialogs)
 NS_INTERFACE_MAP_ENTRY(nsIClientAuthDialogs)
 NS_INTERFACE_MAP_ENTRY(nsICertPickDialogs)
@@ -129,40 +125,6 @@ EmbedCertificates::GetPassword(nsIInterfaceRequestor *ctx,
   return NS_OK;
 }
 
-NS_IMETHODIMP
-EmbedCertificates::ConfirmUnknownIssuer(nsIInterfaceRequestor *socketInfo,
-                                   nsIX509Cert *cert, PRInt16 *outAddType,
-                                   PRBool *_retval)
-{
-  *outAddType = ADD_TRUSTED_FOR_SESSION;
-  *_retval    = PR_TRUE;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-EmbedCertificates::ConfirmMismatchDomain(nsIInterfaceRequestor *socketInfo,
-                                    const nsACString &targetURL,
-                                    nsIX509Cert *cert, PRBool *_retval)
-{
-  *_retval = PR_TRUE;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-EmbedCertificates::ConfirmCertExpired(nsIInterfaceRequestor *socketInfo,
-                                 nsIX509Cert *cert, PRBool *_retval)
-{
-  *_retval = PR_TRUE;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-EmbedCertificates::NotifyCrlNextupdate(nsIInterfaceRequestor *socketInfo,
-                                  const nsACString &targetURL, nsIX509Cert *cert)
-{
-  return NS_OK;
-}
-
 NS_IMETHODIMP
 EmbedCertificates::CrlImportStatusDialog(nsIInterfaceRequestor *ctx, nsICRLInfo *crl)
 {
@@ -278,86 +240,3 @@ EmbedCertificates::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retva
   return NS_OK;
 }
 
-#ifdef BAD_CERT_LISTENER2
-NS_IMETHODIMP
-EmbedCertificates::ConfirmBadCertificate(
-  nsIInterfaceRequestor *ctx,
-  nsIX509Cert *cert,
-  PRBool aSecSuccess,
-  PRUint32 aError,
-  PRBool *_retval)
-{
-  nsresult rv;
-  gpointer pCert = NULL;
-  guint messint = 0;
-  nsCOMPtr<nsIDOMWindow> parent(do_GetInterface(ctx));
-
-  GtkMozEmbedCommon * common = nsnull;
-  GtkMozEmbed *parentWidget = GTK_MOZ_EMBED(GetGtkWidgetForDOMWindow(parent));
-
-  if (!parentWidget) {
-    EmbedCommon * embedcommon = EmbedCommon::GetInstance();
-    if (embedcommon)
-      common = GTK_MOZ_EMBED_COMMON(embedcommon->mCommon);
-  }
-
-  if (!(aError & nsIX509Cert::VERIFIED_OK)) {
-    pCert = (gpointer)cert;
-    messint = GTK_MOZ_EMBED_CERT_VERIFIED_OK;
-    if (aError & nsIX509Cert::NOT_VERIFIED_UNKNOWN) {
-      messint |= GTK_MOZ_EMBED_CERT_NOT_VERIFIED_UNKNOWN;
-    }
-    if (aError & nsIX509Cert::CERT_EXPIRED || aError & nsIX509Cert::CERT_REVOKED) {
-      nsCOMPtr<nsIX509CertValidity> validity;
-      rv = cert->GetValidity(getter_AddRefs(validity));
-      if (NS_SUCCEEDED(rv)) {
-        PRTime notBefore, notAfter, timeToUse;
-        PRTime now = PR_Now();
-        rv = validity->GetNotBefore(&notBefore);
-        if (NS_FAILED(rv))
-          return rv;
-        rv = validity->GetNotAfter(&notAfter);
-        if (NS_FAILED(rv))
-          return rv;
-        if (LL_CMP(now, >, notAfter)) {
-          messint |= GTK_MOZ_EMBED_CERT_EXPIRED;
-          timeToUse = notAfter;
-        } else {
-          messint |= GTK_MOZ_EMBED_CERT_REVOKED;
-          timeToUse = notBefore;
-        }
-      }
-    }
-    if (aError & nsIX509Cert::CERT_NOT_TRUSTED) {
-      messint |= GTK_MOZ_EMBED_CERT_UNTRUSTED;
-    }
-    if (aError & nsIX509Cert::ISSUER_UNKNOWN) {
-      messint |= GTK_MOZ_EMBED_CERT_ISSUER_UNKNOWN;
-    }
-    if (aError & nsIX509Cert::ISSUER_NOT_TRUSTED) {
-      messint |= GTK_MOZ_EMBED_CERT_ISSUER_UNTRUSTED;
-    }
-    if (aError & nsIX509Cert::INVALID_CA) {
-      messint |= GTK_MOZ_EMBED_CERT_INVALID_CA;
-    }
-    if (aError & nsIX509Cert::USAGE_NOT_ALLOWED) {
-    }
-    PRBool retVal = PR_FALSE;
-    if (common) {
-      g_signal_emit_by_name(common, "certificate-error", pCert, messint, &retVal);
-    }
-    if (retVal == PR_TRUE) {
-      *_retval = PR_FALSE;
-      rv = NS_ERROR_FAILURE;
-    } else {
-      rv = NS_OK;
-      *_retval = PR_TRUE;
-    }
-    pCert = NULL;
-  } else {
-    rv = NS_OK;
-    *_retval = PR_TRUE;
-  }
-  return rv;
-}
-#endif
diff --git a/embedding/browser/gtk/src/EmbedCertificates.h b/embedding/browser/gtk/src/EmbedCertificates.h
index 0f93027d359..7d765493816 100644
--- a/embedding/browser/gtk/src/EmbedCertificates.h
+++ b/embedding/browser/gtk/src/EmbedCertificates.h
@@ -44,10 +44,6 @@
 #ifndef __EmbedCertificates_h
 #define __EmbedCertificates_h
 #include "nsITokenPasswordDialogs.h"
-#include "nsIBadCertListener.h"
-#ifdef BAD_CERT_LISTENER2
-#include "nsIBadCertListener2.h"
-#endif
 #include "nsICertificateDialogs.h"
 #include "nsIClientAuthDialogs.h"
 #include "nsICertPickDialogs.h"
@@ -63,10 +59,6 @@
 class EmbedPrivate;
 class EmbedCertificates
 : public nsITokenPasswordDialogs,
-  public nsIBadCertListener,
-#ifdef BAD_CERT_LISTENER2
-  public nsIBadCertListener2,
-#endif
   public nsICertificateDialogs,
   public nsIClientAuthDialogs,
   public nsICertPickDialogs,
@@ -77,10 +69,6 @@ class EmbedCertificates
   public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSITOKENPASSWORDDIALOGS
-    NS_DECL_NSIBADCERTLISTENER
-#ifdef BAD_CERT_LISTENER2
-    NS_DECL_NSIBADCERTLISTENER2
-#endif
     NS_DECL_NSICERTIFICATEDIALOGS
     NS_DECL_NSICLIENTAUTHDIALOGS
     NS_DECL_NSICERTPICKDIALOGS
diff --git a/extensions/metrics/src/nsMetricsService.cpp b/extensions/metrics/src/nsMetricsService.cpp
index 2c2012697b3..c458aa83b97 100644
--- a/extensions/metrics/src/nsMetricsService.cpp
+++ b/extensions/metrics/src/nsMetricsService.cpp
@@ -81,7 +81,6 @@
 #include "nsIDocShellTreeItem.h"
 #include "nsDocShellCID.h"
 #include "nsMemory.h"
-#include "nsIBadCertListener.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsIX509Cert.h"
@@ -195,95 +194,6 @@ CompressBZ2(nsIInputStream *src, PRFileDesc *outFd)
 
 //-----------------------------------------------------------------------------
 
-class nsMetricsService::BadCertListener : public nsIBadCertListener,
-                                          public nsIInterfaceRequestor
-{
- public:
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSIBADCERTLISTENER
-  NS_DECL_NSIINTERFACEREQUESTOR
-
-  BadCertListener() { }
-
- private:
-  ~BadCertListener() { }
-};
-
-// This object has to implement threadsafe addref and release, but this is
-// only because the GetInterface call happens on the socket transport thread.
-// The actual notifications are proxied to the main thread.
-NS_IMPL_THREADSAFE_ISUPPORTS2(nsMetricsService::BadCertListener,
-                              nsIBadCertListener, nsIInterfaceRequestor)
-
-NS_IMETHODIMP
-nsMetricsService::BadCertListener::ConfirmUnknownIssuer(
-    nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert,
-    PRInt16 *certAddType, PRBool *result)
-{
-  *result = PR_FALSE;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsMetricsService::BadCertListener::ConfirmMismatchDomain(
-    nsIInterfaceRequestor *socketInfo, const nsACString &targetURL,
-    nsIX509Cert *cert, PRBool *result)
-{
-  *result = PR_FALSE;
-
-  nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
-  NS_ENSURE_STATE(prefs);
-
-  nsCString certHostOverride;
-  prefs->GetCharPref("metrics.upload.cert-host-override",
-                     getter_Copies(certHostOverride));
-
-  if (!certHostOverride.IsEmpty()) {
-    // Accept the given alternate hostname (CN) for the certificate
-    nsString certHost;
-    cert->GetCommonName(certHost);
-    if (certHostOverride.Equals(NS_ConvertUTF16toUTF8(certHost))) {
-      *result = PR_TRUE;
-    }
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsMetricsService::BadCertListener::ConfirmCertExpired(
-    nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRBool *result)
-{
-  *result = PR_FALSE;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsMetricsService::BadCertListener::NotifyCrlNextupdate(
-    nsIInterfaceRequestor *socketInfo,
-    const nsACString &targetURL, nsIX509Cert *cert)
-{
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsMetricsService::BadCertListener::GetInterface(const nsIID &uuid,
-                                                void **result)
-{
-  NS_ENSURE_ARG_POINTER(result);
-
-  if (uuid.Equals(NS_GET_IID(nsIBadCertListener))) {
-    *result = static_cast<nsIBadCertListener *>(this);
-    NS_ADDREF_THIS();
-    return NS_OK;
-  }
-
-  *result = nsnull;
-  return NS_ERROR_NO_INTERFACE;
-}
-
-//-----------------------------------------------------------------------------
-
 nsMetricsService::nsMetricsService()  
     : mMD5Context(nsnull),
       mEventCount(0),
@@ -1327,11 +1237,6 @@ nsMetricsService::UploadData()
   NS_ENSURE_STATE(props);
   props->SetPropertyAsBool(NS_LITERAL_STRING("moz-metrics-request"), PR_TRUE);
 
-  nsCOMPtr<nsIInterfaceRequestor> certListener = new BadCertListener();
-  NS_ENSURE_TRUE(certListener, NS_ERROR_OUT_OF_MEMORY);
-
-  channel->SetNotificationCallbacks(certListener);
-
   nsCOMPtr<nsIUploadChannel> uploadChannel = do_QueryInterface(channel);
   NS_ENSURE_STATE(uploadChannel); 
 
diff --git a/security/manager/locales/en-US/chrome/pippki/pippki.dtd b/security/manager/locales/en-US/chrome/pippki/pippki.dtd
index 2ff58c8105e..961745073f4 100644
--- a/security/manager/locales/en-US/chrome/pippki/pippki.dtd
+++ b/security/manager/locales/en-US/chrome/pippki/pippki.dtd
@@ -82,16 +82,8 @@
 <!-- Certificate Exists in database -->
 <!ENTITY caCertExists.title "Certificate Exists">
 <!ENTITY caCertExists.message "The Certificate already exists.">
-
-<!-- Strings for the MismatchDomain dialog  -->
-<!ENTITY domainMismatch.title "Security Error: Domain Name Mismatch">
-<!ENTITY examineCert.label "View Certificate">
 <!ENTITY examineCert.accesskey "V">
 
-<!-- Strings for the Server cert expired dialog  -->
-<!ENTITY serverCertExpired.continue "Would you like to continue anyway?">
-<!ENTITY serverCertExpired.accept.label "Continue">
-
 <!-- Strings for the SSL client auth ask dialog -->
 <!ENTITY clientAuthAsk.title "User Identification Request">
 <!ENTITY clientAuthAsk.message1 "This site has requested that you identify yourself with a certificate:">
diff --git a/security/manager/locales/en-US/chrome/pippki/pippki.properties b/security/manager/locales/en-US/chrome/pippki/pippki.properties
index 65baa063e34..bf70f866f72 100644
--- a/security/manager/locales/en-US/chrome/pippki/pippki.properties
+++ b/security/manager/locales/en-US/chrome/pippki/pippki.properties
@@ -54,9 +54,9 @@ issuerNotKnown=Because you do not know the certificate authority that issued thi
 issuerCertNotFound=Certificate for this certificate authority was not found
 
 #For Deleting Certificates
-deleteSslCertConfirm=Are you sure you want to delete these web site certificates?
-deleteSslCertImpact=If you delete a web site certificate, you will be asked to accept it again the next time you visit the web site.
-deleteSslCertTitle=Delete Web Site Certificates
+deleteSslCertConfirm2=Are you sure you want to delete these web site exceptions?
+deleteSslCertImpact2=If you delete a web site exception, you restore the usual security checks for that site and require it uses a valid certificate.
+deleteSslCertTitle2=Delete Web Site Certificate Exceptions
 
 deleteUserCertConfirm=Are you sure you want to delete these certificates?
 deleteUserCertImpact=If you delete one of your own certificates, you can no longer use it to identify yourself.
@@ -79,16 +79,6 @@ chooseP12RestoreFileDialog=File Name to Restore
 chooseP12BackupFileDialog=File Name to Backup
 file_browse_PKCS12_spec=PKCS12 Files
 
-#Mismatch Domain Dialg
-mismatchDomainMsg1=You have attempted to establish a connection with "%S".  However, the security certificate presented belongs to "%S".  It is possible, though unlikely, that someone may be trying to intercept your communication with this web site.
-mismatchDomainMsg2=If you suspect the certificate shown does not belong to "%S", please cancel the connection and notify the site administrator.
-
-#Server Cert expired
-serverCertExpiredMsg1="%S" is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on %S.
-serverCertExpiredTitle=Server Certificate Expired
-serverCertNotYetValedMsg1="%S" is a site that uses a security certificate to encrypt data during transmission, but its certificate will not be valid until %S.
-serverCertNotYetValidTitle=Server Certificate Not Yet Valid
-serverCertExpiredMsg2=You should check to make sure that your computer's time (currently set to %S) is correct.
 
 #Preferences
 resetPreferences=Use this button to reset %S's security preferences to their factory settings.
diff --git a/security/manager/pki/resources/content/certManager.js b/security/manager/pki/resources/content/certManager.js
index 042f6b7f115..c4760dcbd81 100644
--- a/security/manager/pki/resources/content/certManager.js
+++ b/security/manager/pki/resources/content/certManager.js
@@ -21,6 +21,7 @@
  * Contributor(s):
  *   Bob Lord <lord@netscape.com>
  *   Ian McGreer <mcgreer@netscape.com>
+ *   Kai Engert <kengert@redhat.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -53,7 +54,8 @@ const nsNSSCertCache = "@mozilla.org/security/nsscertcache;1";
 var key;
 
 var selected_certs = [];
-var selected_cert_index = [];
+var selected_tree_items = [];
+var selected_index = [];
 var certdb;
 
 var caTreeView;
@@ -157,7 +159,61 @@ function getSelectedCerts()
         if (cert) {
           var sc = selected_certs.length;
           selected_certs[sc] = cert;
-          selected_cert_index[sc] = j;
+          selected_index[sc] = j;
+        }
+      }
+    }
+  }
+}
+
+function getSelectedTreeItems()
+{
+  var ca_tab = document.getElementById("ca_tab");
+  var mine_tab = document.getElementById("mine_tab");
+  var others_tab = document.getElementById("others_tab");
+  var websites_tab = document.getElementById("websites_tab");
+  var orphan_tab = document.getElementById("orphan_tab");
+  var items = null;
+  if (ca_tab.selected) {
+    items = caTreeView.selection;
+  } else if (mine_tab.selected) {
+    items = userTreeView.selection;
+  } else if (others_tab.selected) {
+    items = emailTreeView.selection;
+  } else if (websites_tab.selected) {
+    items = serverTreeView.selection;
+  } else if (orphan_tab.selected) {
+    items = orphanTreeView.selection;
+  }
+  selected_certs = [];
+  selected_tree_items = [];
+  selected_index = [];
+  var tree_item = null;
+  var nr = 0;
+  if (items != null) nr = items.getRangeCount();
+  if (nr > 0) {
+    for (var i=0; i<nr; i++) {
+      var o1 = {};
+      var o2 = {};
+      items.getRangeAt(i, o1, o2);
+      var min = o1.value;
+      var max = o2.value;
+      for (var j=min; j<=max; j++) {
+        if (ca_tab.selected) {
+          tree_item = caTreeView.getTreeItem(j);
+        } else if (mine_tab.selected) {
+          tree_item = userTreeView.getTreeItem(j);
+        } else if (others_tab.selected) {
+          tree_item = emailTreeView.getTreeItem(j);
+        } else if (websites_tab.selected) {
+          tree_item = serverTreeView.getTreeItem(j);
+        } else if (orphan_tab.selected) {
+          tree_item = orphanTreeView.getTreeItem(j);
+        }
+        if (tree_item) {
+          var sc = selected_tree_items.length;
+          selected_tree_items[sc] = tree_item;
+          selected_index[sc] = j;
         }
       }
     }
@@ -222,18 +278,49 @@ function mine_enableButtons()
 function websites_enableButtons()
 {
   var items = serverTreeView.selection;
-  var toggle="false";
-  if (items.getRangeCount() == 0) {
-    toggle="true";
+  var count_ranges = items.getRangeCount();
+
+  var enable_delete = false;
+  var enable_view = false;
+  var enable_edit = false;
+
+  if (count_ranges > 0) {
+    enable_delete = true;
   }
+
+  if (count_ranges == 1) {
+    var o1 = {};
+    var o2 = {};
+    items.getRangeAt(0, o1, o2); // the first range
+    if (o1.value == o2.value) {
+      // only a single item is selected
+      try {
+        var ti = serverTreeView.getTreeItem(o1.value);
+        if (ti) {
+          if (ti.cert) {
+            enable_view = true;
+          }
+          // Trust editing is not possible for override
+          // entries that are bound to host:port,
+          // where the cert is stored for convenince only.
+          if (!ti.hostPort.length) {
+            enable_edit = true;
+          }
+        }
+      }
+      catch (e) {
+      }
+    }
+  }
+
   var enableViewButton=document.getElementById('websites_viewButton');
-  enableViewButton.setAttribute("disabled",toggle);
+  enableViewButton.setAttribute("disabled", !enable_view);
   var enableEditButton=document.getElementById('websites_editButton');
-  enableEditButton.setAttribute("disabled",toggle);
+  enableEditButton.setAttribute("disabled", !enable_edit);
   var enableExportButton=document.getElementById('websites_exportButton');
-  enableExportButton.setAttribute("disabled",toggle);
+  enableExportButton.setAttribute("disabled", !enable_edit);
   var enableDeleteButton=document.getElementById('websites_deleteButton');
-  enableDeleteButton.setAttribute("disabled",toggle);
+  enableDeleteButton.setAttribute("disabled", !enable_delete);
 }
 
 function email_enableButtons()
@@ -305,15 +392,17 @@ function editCerts()
   for (var t=0; t<numcerts; t++) {
     var cert = selected_certs[t];
     var certkey = cert.dbKey;
-    var ca_tab = document.getElementById("ca_tab");
-    var others_tab = document.getElementById("others_tab");
-    if (ca_tab.selected) {
+    if (document.getElementById("ca_tab").selected) {
       window.openDialog('chrome://pippki/content/editcacert.xul', certkey,
                         'chrome,centerscreen,modal');
-    } else if (others_tab.selected) {
+    } else if (document.getElementById("others_tab").selected) {
       window.openDialog('chrome://pippki/content/editemailcert.xul', certkey,
                         'chrome,centerscreen,modal');
-    } else {
+    } else if (!document.getElementById("websites_tab").selected
+               || !serverTreeView.isHostPortOverride(selected_index[t])) {
+      // If the web sites tab is select, trust editing is only allowed
+      // if the entry refers to a real cert, but not if it's
+      // a host:port override, where the cert is stored for convenince only.
       window.openDialog('chrome://pippki/content/editsslcert.xul', certkey,
                         'chrome,centerscreen,modal');
     }
@@ -356,8 +445,8 @@ function exportCerts()
 
 function deleteCerts()
 {
-  getSelectedCerts();
-  var numcerts = selected_certs.length;
+  getSelectedTreeItems();
+  var numcerts = selected_tree_items.length;
   if (!numcerts)
     return;
 
@@ -398,15 +487,17 @@ function deleteCerts()
   params.SetInt(0,numcerts);
   for (t=0; t<numcerts; t++) 
   {
-    var cert = selected_certs[t];
-    params.SetString(t+1, cert.dbKey);  
+    var tree_item = selected_tree_items[t];
+    var c = tree_item.cert;
+    if (!c) {
+      params.SetString(t+1, tree_item.hostPort);
+    }
+    else {
+      params.SetString(t+1, c.commonName);
+    }
+
   }
-  
-  // The dialog will modify the params.
-  // Every param item where the corresponding cert could get deleted,
-  // will still contain the db key.
-  // Certs which could not get deleted, will have their corrensponding
-  // param string erased.
+
   window.openDialog('chrome://pippki/content/deletecert.xul', "",
                     'chrome,centerscreen,modal', params);
  
@@ -419,30 +510,23 @@ function deleteCerts()
     selTabID = selTab.getAttribute('id');
     if (selTabID == 'mine_tab') {
       treeView = userTreeView;
-      loadParam = nsIX509Cert.USER_CERT;
     } else if (selTabID == "others_tab") {
       treeView = emailTreeView;
-      loadParam = nsIX509Cert.EMAIL_CERT;
     } else if (selTabID == "websites_tab") {
       treeView = serverTreeView;
-      loadParam = nsIX509Cert.SERVER_CERT;
     } else if (selTabID == "ca_tab") {
       treeView = caTreeView;
-      loadParam = nsIX509Cert.CA_CERT;
     } else if (selTabID == "orphan_tab") {
       treeView = orphanTreeView;
-      loadParam = nsIX509Cert.UNKNOWN_CERT;
     }
 
     for (t=numcerts-1; t>=0; t--)
     {
-      var s = params.GetString(t+1);
-      if (s.length) {
-        // This cert was deleted.
-        treeView.removeCert(selected_cert_index[t]);
-      }
+      treeView.deleteEntryObject(selected_index[t]);
     }
 
+    selected_tree_items = [];
+    selected_index = [];
     treeView.selection.clearSelection();
   }
 }
diff --git a/security/manager/pki/resources/content/deletecert.js b/security/manager/pki/resources/content/deletecert.js
index 6f5069821dc..6c7add315bf 100644
--- a/security/manager/pki/resources/content/deletecert.js
+++ b/security/manager/pki/resources/content/deletecert.js
@@ -42,24 +42,14 @@ const nsIPKIParamBlock = Components.interfaces.nsIPKIParamBlock;
 const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
 
 var certdb;
-var certs = [];
 var gParams;
 
 function setWindowName()
 {
   gParams = window.arguments[0].QueryInterface(nsIDialogParamBlock);
   
-  //  Get the cert from the cert database
-  certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
-  
   var typeFlag = gParams.GetString(0);
   var numberOfCerts = gParams.GetInt(0);
-  var dbkey;
-  for(var x=0; x<numberOfCerts;x++)
-  {
-     dbkey = gParams.GetString(x+1);
-     certs[x] = certdb.findCertByDBKey(dbkey , null);
-  }
   
   var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
   var title;
@@ -74,9 +64,9 @@ function setWindowName()
   }
   else if(typeFlag == "websites_tab")
   {
-     title = bundle.GetStringFromName("deleteSslCertTitle");
-     confirm = bundle.GetStringFromName("deleteSslCertConfirm");
-     impact = bundle.GetStringFromName("deleteSslCertImpact");
+     title = bundle.GetStringFromName("deleteSslCertTitle2");
+     confirm = bundle.GetStringFromName("deleteSslCertConfirm2");
+     impact = bundle.GetStringFromName("deleteSslCertImpact2");
   }
   else if(typeFlag == "ca_tab")
   {
@@ -108,12 +98,10 @@ function setWindowName()
 
   var box=document.getElementById("certlist");
   var text;
-  for(x=0;x<certs.length;x++)
+  for(var x=0;x<numberOfCerts;x++)
   {
-    if (!certs[x])
-      continue;
     text = document.createElement("text");
-    text.setAttribute("value",certs[x].commonName);
+    text.setAttribute("value", gParams.GetString(x+1));
     box.appendChild(text);
   }
 
@@ -122,32 +110,12 @@ function setWindowName()
 
 function doOK()
 {
-  // On returning our param list will contain keys of those certs that were deleted.
-  // It will contain empty strings for those certs that are still alive.
-
-  for(var i=0;i<certs.length;i++)
-  {
-    if (certs[i]) {
-      try {
-        certdb.deleteCertificate(certs[i]);
-      }
-      catch (e) {
-        gParams.SetString(i+1, "");
-      }
-      certs[i] = null;
-    }
-  }
   gParams.SetInt(1, 1); // means OK
   return true;
 }
 
 function doCancel()
 {
-  var numberOfCerts = gParams.GetInt(0);
-  for(var x=0; x<numberOfCerts;x++)
-  {
-     gParams.SetString(x+1, "");
-  }
   gParams.SetInt(1, 0); // means CANCEL
   return true;
 }
diff --git a/security/manager/pki/resources/content/newserver.xul b/security/manager/pki/resources/content/newserver.xul
index 2f17f4c1306..e69de29bb2d 100644
--- a/security/manager/pki/resources/content/newserver.xul
+++ b/security/manager/pki/resources/content/newserver.xul
@@ -1,91 +0,0 @@
-<?xml version="1.0"?>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is mozilla.org Code.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 2001
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -   Javier Delgadillo <javi@netscape.com>
-   -   Bob Lord <lord@netscape.com>
-   -   Håkan Waara <hwaara@chello.se>
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-
-<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
-
-<!DOCTYPE dialog [
-<!ENTITY % newserverDTD SYSTEM "chrome://pippki/locale/newserver.dtd" >
-%newserverDTD;
-<!ENTITY % pippkiDTD SYSTEM "chrome://pippki/locale/pippki.dtd" >
-%pippkiDTD;
-]>
-
-<dialog id="newServerDialog" title="&newserver.title;"
-  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-  style="width: 47em;"
-  onload="onLoad();"
-  buttons="accept,cancel,extra2"
-  defaultButton="cancel"
-  buttonlabelextra2="&newserver.examine;"
-  ondialogaccept="return doOK();"
-  ondialogcancel="return doCancel();"
-  ondialogextra2="viewCert();">
-
-<script type="application/x-javascript" src="chrome://global/content/strres.js"/>
-<script type="application/x-javascript" src="chrome://pippki/content/pippki.js"/>
-<script type="application/x-javascript" src="chrome://pippki/content/newserver.js"/>
-
-<stringbundle id="newserver_bundle" src="chrome://pippki/locale/newserver.properties"/>
-
-<hbox valign="top" align="center">
-
-  <image class="alert-icon" style="margin: 5px"/>
-  <vbox flex="1" valign="middle">
-
-    <description id="intro"/>
-    <separator class="thin"/>
-    <description>&newserver.reasons;</description>
-    <description>&newserver.reason1x;</description>
-    <description>&newserver.reason2;</description>
-    <description id="reason3"/>
-    <separator class="thin"/>
-    <description>&newserver.notify;</description>
-    <separator/>
-    <description id="question"/>
-    <separator class="thin"/>
-    <radiogroup id="whatnow">
-      <radio label="&newserver.remember;" id="remember" value="0"/>
-      <radio label="&newserver.session;" id="session"
-             value="1" selected="true"/>
-    </radiogroup>
-  </vbox>
-</hbox>
-
-</dialog>
diff --git a/security/manager/pki/resources/content/serverCertExpired.js b/security/manager/pki/resources/content/serverCertExpired.js
index d383420ef98..e69de29bb2d 100644
--- a/security/manager/pki/resources/content/serverCertExpired.js
+++ b/security/manager/pki/resources/content/serverCertExpired.js
@@ -1,92 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Javier Delgadillo <javi@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
-const nsIPKIParamBlock    = Components.interfaces.nsIPKIParamBlock;
-const nsIX509Cert         = Components.interfaces.nsIX509Cert;
-
-var dialogParams;
-var pkiParams;
-var cert=null;
-
-function onLoad()
-{
-  pkiParams    = window.arguments[0].QueryInterface(nsIPKIParamBlock);
-  dialogParams = pkiParams.QueryInterface(nsIDialogParamBlock);
-
-  document.title = dialogParams.GetString(2);
-  var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
-  var message1 = dialogParams.GetString(1);
-  
-  const nsIScriptableDateFormat = Components.interfaces.nsIScriptableDateFormat;
-  var dateService = Components.classes["@mozilla.org/intl/scriptabledateformat;1"].getService(nsIScriptableDateFormat);
-  var date = new Date(); 
-  var dateStr = dateService.FormatDateTime("", dateService.dateFormatShort, dateService.timeFormatNoSeconds, 
-                                           date.getFullYear(), date.getMonth()+1, date.getDate(), 
-                                           date.getHours(), date.getMinutes(), date.getSeconds());
-
-  var message2 = bundle.formatStringFromName("serverCertExpiredMsg2", 
-                                             [ dateStr ],
-                                              1);
-  setText("message1", message1);
-  setText("message2", message2);
-  document.documentElement.getButton("accept").focus();
-}
-
-function doOK()
-{
-  dialogParams.SetInt(1,1);
-  return true;
-}
-
-function doCancel()
-{
-  dialogParams.SetInt(1,0);
-  return true;
-}
-
-function viewCert()
-{
-  if (cert == null) {
-    var isupport = pkiParams.getISupportAtIndex(1);
-    cert = isupport.QueryInterface(nsIX509Cert);
-  }
-  viewCertHelper(window, cert);
-}
diff --git a/security/manager/pki/src/nsNSSDialogs.h b/security/manager/pki/src/nsNSSDialogs.h
index 3ab50f65816..3402791149e 100644
--- a/security/manager/pki/src/nsNSSDialogs.h
+++ b/security/manager/pki/src/nsNSSDialogs.h
@@ -41,7 +41,6 @@
 #define __NS_NSSDIALOGS_H__
 
 #include "nsITokenPasswordDialogs.h"
-#include "nsIBadCertListener.h"
 #include "nsICertificateDialogs.h"
 #include "nsIClientAuthDialogs.h"
 #include "nsICertPickDialogs.h"
@@ -58,7 +57,6 @@
 
 class nsNSSDialogs
 : public nsITokenPasswordDialogs,
-  public nsIBadCertListener,
   public nsICertificateDialogs,
   public nsIClientAuthDialogs,
   public nsICertPickDialogs,
@@ -69,7 +67,6 @@ class nsNSSDialogs
 public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSITOKENPASSWORDDIALOGS
-  NS_DECL_NSIBADCERTLISTENER
   NS_DECL_NSICERTIFICATEDIALOGS
   NS_DECL_NSICLIENTAUTHDIALOGS
   NS_DECL_NSICERTPICKDIALOGS
diff --git a/security/manager/pki/src/nsPKIModule.cpp b/security/manager/pki/src/nsPKIModule.cpp
index 21685dd4d92..4896466cdbc 100644
--- a/security/manager/pki/src/nsPKIModule.cpp
+++ b/security/manager/pki/src/nsPKIModule.cpp
@@ -61,13 +61,6 @@ static const nsModuleComponentInfo components[] =
     nsNSSDialogsConstructor
   },
 
-  {
-    NSS_DIALOGS_DESCRIPTION,
-    NS_NSSDIALOGS_CID,
-    NS_BADCERTLISTENER_CONTRACTID,
-    nsNSSDialogsConstructor
-  },
-
   {
     NSS_DIALOGS_DESCRIPTION,
     NS_NSSDIALOGS_CID,
diff --git a/security/manager/ssl/public/Makefile.in b/security/manager/ssl/public/Makefile.in
index e22b745af41..109bbb3f248 100644
--- a/security/manager/ssl/public/Makefile.in
+++ b/security/manager/ssl/public/Makefile.in
@@ -51,7 +51,7 @@ GRE_MODULE	= 1
 SDK_XPIDLSRCS = \
     nsIASN1Object.idl \
     nsIASN1Sequence.idl \
-    nsIBadCertListener.idl \
+    nsIBadCertListener2.idl \
     nsICertificateDialogs.idl \
     nsICRLInfo.idl \
     nsIX509Cert.idl \
@@ -61,6 +61,7 @@ SDK_XPIDLSRCS = \
     $(NULL)
 
 XPIDLSRCS = \
+    nsICertOverrideService.idl \
     nsIFormSigningDialog.idl \
     nsIX509Cert2.idl \
     nsIX509Cert3.idl \
diff --git a/security/manager/ssl/public/nsIBadCertListener.idl b/security/manager/ssl/public/nsIBadCertListener.idl
index d8c77694c55..e69de29bb2d 100644
--- a/security/manager/ssl/public/nsIBadCertListener.idl
+++ b/security/manager/ssl/public/nsIBadCertListener.idl
@@ -1,155 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Javier Delgadillo <javi@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-
-interface nsIX509Cert;
-interface nsIInterfaceRequestor;
-
-/**
- * Functions that display warnings for problems with web site trust.
- *
- * @status FROZEN
- */
-[scriptable, uuid(86960956-edb0-11d4-998b-00b0d02354a0)]
-interface nsIBadCertListener : nsISupports {
-
-  /**
-   *  No decision was made by the user, whether to trust a cert.
-   */
-  const short UNINIT_ADD_FLAG = -1;
-
-  /**
-   *  The user decided to add trust to a certificate temporarily
-   *  for the current application session only.
-   */
-  const short ADD_TRUSTED_FOR_SESSION = 1;
-
-  /**
-   *  The user decided to add trust to a certificate permanently.
-   */
-  const short ADD_TRUSTED_PERMANENTLY = 2;
-
-  /**
-   *  Inform the user there are problems with the trust of a certificate,
-   *  and request a decision from the user.
-   *  The UI should offer the user a way to look at the certificate in detail.
-   *  The following is a sample UI message to be shown to the user:
-   *
-   *    Unable to verify the identity of %S as a trusted site.
-   *    Possible reasons for this error:
-   *    - Your browser does not recognize the Certificate Authority 
-   *      that issued the site's certificate.
-   *    - The site's certificate is incomplete due to a 
-   *      server misconfiguration.
-   *    - You are connected to a site pretending to be %S, 
-   *      possibly to obtain your confidential information.
-   *    Please notify the site's webmaster about this problem.
-   *    Before accepting this certificate, you should examine this site's 
-   *      certificate carefully. Are you willing to accept this certificate 
-   *      for the purpose of identifying the Web site %S?
-   *    o Accept this certificate permanently
-   *    x Accept this certificate temporarily for this session
-   *    o Do not accept this certificate and do not connect to this Web site
-   *
-   *  @param socketInfo A network communication context that can be used to obtain more information
-   *                    about the active connection.
-   *  @param cert The certificate that is not trusted and that is having the problem.
-   *  @param certAddType The user's trust decision. See constants defined above.
-   *
-   *  @return true if the user decided to connect anyway, false if the user decided to not connect
-   */
-  boolean confirmUnknownIssuer(in nsIInterfaceRequestor socketInfo, 
-                               in nsIX509Cert cert,
-                               out short certAddType);
-
-  /**
-   *  Inform the user there are problems with the trust of a certificate,
-   *  and request a decision from the user.
-   *  The hostname mentioned in the server's certificate is not the hostname
-   *  that was used as a destination address for the current connection.
-   *
-   *  @param socketInfo A network communication context that can be used to obtain more information
-   *                    about the active connection.
-   *  @param targetURL The URL that was used to open the current connection.
-   *  @param cert The certificate that was presented by the server.
-   *
-   *  @return true if the user decided to connect anyway, false if the user decided to not connect
-   */
-  boolean confirmMismatchDomain(in nsIInterfaceRequestor socketInfo,
-                                in AUTF8String targetURL,
-                                in nsIX509Cert cert);
-
-  /**
-   *  Inform the user there are problems with the trust of a certificate,
-   *  and request a decision from the user.
-   *  The certificate presented by the server is no longer valid because 
-   *  the validity period has expired.
-   *
-   *  @param socketInfo A network communication context that can be used to obtain more information
-   *                    about the active connection.
-   *  @param cert The certificate that was presented by the server.
-   *
-   *  @return true if the user decided to connect anyway, false if the user decided to not connect
-   */
-  boolean confirmCertExpired(in nsIInterfaceRequestor socketInfo,
-                             in nsIX509Cert cert);
-
-  /**
-   *  Inform the user there are problems with the trust of a certificate,
-   *  and request a decision from the user.
-   *  The Certificate Authority (CA) that issued the server's certificate has issued a 
-   *  Certificate Revocation List (CRL). 
-   *  However, the application does not have a current version of the CA's CRL.
-   *  Due to the application configuration, the application disallows the connection
-   *  to the remote site.
-   *
-   *  @param socketInfo A network communication context that can be used to obtain more information
-   *                    about the active connection.
-   *  @param targetURL The URL that was used to open the current connection.
-   *  @param cert The certificate that was presented by the server.
-   */
-  void notifyCrlNextupdate(in nsIInterfaceRequestor socketInfo,
-                           in AUTF8String targetURL, in nsIX509Cert cert);
-
-};
-
-%{C++
-#define NS_BADCERTLISTENER_CONTRACTID "@mozilla.org/nsBadCertListener;1"
-%}
diff --git a/security/manager/ssl/public/nsICertTree.idl b/security/manager/ssl/public/nsICertTree.idl
index 0bbed579ecd..80c4e4838e5 100644
--- a/security/manager/ssl/public/nsICertTree.idl
+++ b/security/manager/ssl/public/nsICertTree.idl
@@ -22,6 +22,7 @@
  *
  * Contributor(s):
  *   Ian McGreer <mcgreer@netscape.com>
+ *   Kai Engert <kengert@redhat.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -43,15 +44,23 @@
 interface nsINSSCertCache;
 interface nsIX509Cert;
 
-[scriptable, uuid(4ea60761-31d6-491d-9e34-4b53a26c416c)]
+[scriptable, uuid(d0180863-606e-49e6-8324-cf45ed4dd891)]
+interface nsICertTreeItem : nsISupports {
+  readonly attribute nsIX509Cert cert;
+  readonly attribute AString hostPort;
+};
+
+[scriptable, uuid(a8cd1c89-a901-4735-831b-7198b7b8b6b1)]
 interface nsICertTree : nsITreeView {
 
   void loadCerts(in unsigned long type);
   void loadCertsFromCache(in nsINSSCertCache cache, in unsigned long type);
 
   nsIX509Cert getCert(in unsigned long index);
+  nsICertTreeItem getTreeItem(in unsigned long index);
+  boolean isHostPortOverride(in unsigned long index);
   
-  void removeCert(in unsigned long index);
+  void deleteEntryObject(in unsigned long index);
 };
 
 %{C++
diff --git a/security/manager/ssl/public/nsISSLStatus.idl b/security/manager/ssl/public/nsISSLStatus.idl
index da0a0242b11..2619b3316de 100644
--- a/security/manager/ssl/public/nsISSLStatus.idl
+++ b/security/manager/ssl/public/nsISSLStatus.idl
@@ -41,10 +41,25 @@
 
 interface nsIX509Cert;
 
-[scriptable, uuid(7b2ca1ca-1dd2-11b2-87ec-d217dbe22b85)]
+[scriptable, uuid(cfede939-def1-49be-81ed-d401b3a07d1c)]
 interface nsISSLStatus : nsISupports {
   readonly attribute nsIX509Cert serverCert;
+
   readonly attribute string cipherName;
   readonly attribute unsigned long keyLength;
   readonly attribute unsigned long secretKeyLength;
+
+  readonly attribute boolean isDomainMismatch;
+  readonly attribute boolean isNotValidAtThisTime;
+
+  /* Note: To distinguish between 
+   *         "unstrusted because missing or untrusted issuer"
+   *       and 
+   *         "untrusted because self signed"
+   *       compare for equality of 
+   *         nsIX509Cert::subjectName
+   *       and
+   *         nsIX509Cert::issuerName
+   */
+  readonly attribute boolean isUntrusted;
 };
diff --git a/security/manager/ssl/src/Makefile.in b/security/manager/ssl/src/Makefile.in
index fd15429f088..010965c63ad 100644
--- a/security/manager/ssl/src/Makefile.in
+++ b/security/manager/ssl/src/Makefile.in
@@ -57,6 +57,8 @@ LIBXUL_LIBRARY	= 1
 PACKAGE_FILE = pipnss.pkg
 
 CPPSRCS = 				\
+	nsNSSCleaner.cpp                \
+	nsCertOverrideService.cpp   \
 	nsPSMBackgroundThread.cpp       \
 	nsSSLThread.cpp                 \
 	nsCertVerificationThread.cpp    \
@@ -65,6 +67,7 @@ CPPSRCS = 				\
 	nsNSSComponent.cpp		\
 	nsNSSErrors.cpp			\
 	nsNSSIOLayer.cpp		\
+	nsSSLStatus.cpp		\
 	nsNSSModule.cpp			\
 	nsSSLSocketProvider.cpp		\
 	nsTLSSocketProvider.cpp		\
diff --git a/security/manager/ssl/src/nsCertTree.cpp b/security/manager/ssl/src/nsCertTree.cpp
index 4de3a477494..98254af7167 100644
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -20,6 +20,7 @@
  *
  * Contributor(s):
  *   Ian McGreer <mcgreer@netscape.com>
+ *   Kai Engert <kengert@redhat.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -51,12 +52,18 @@
 #include "nsArrayUtils.h"
 #include "nsISupportsPrimitives.h"
 #include "nsXPCOMCID.h"
+#include "nsTHashtable.h"
+#include "nsHashKeys.h"
+
 
 #include "prlog.h"
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
+#include "nsNSSCleaner.h"
+NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
+
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 // treeArrayElStr
@@ -130,7 +137,48 @@ static PLDHashTableOps gMapOps = {
   CompareCacheInitEntry
 };
 
+NS_IMPL_ISUPPORTS0(nsCertAddonInfo)
+NS_IMPL_ISUPPORTS1(nsCertTreeDispInfo, nsICertTreeItem)
 
+nsCertTreeDispInfo::nsCertTreeDispInfo()
+:mAddonInfo(nsnull)
+,mTypeOfEntry(direct_db)
+,mOverrideBits(nsCertOverride::ob_None)
+{
+}
+
+nsCertTreeDispInfo::nsCertTreeDispInfo(nsCertTreeDispInfo &other)
+{
+  mAddonInfo = other.mAddonInfo;
+  mTypeOfEntry = other.mTypeOfEntry;
+  mHostWithPort = other.mHostWithPort;
+  mOverrideBits = other.mOverrideBits;
+}
+
+nsCertTreeDispInfo::~nsCertTreeDispInfo()
+{
+}
+
+NS_IMETHODIMP
+nsCertTreeDispInfo::GetCert(nsIX509Cert **_cert)
+{
+  NS_ENSURE_ARG(_cert);
+  if (mAddonInfo) {
+    *_cert = mAddonInfo->mCert.get();
+    NS_IF_ADDREF(*_cert);
+  }
+  else {
+    *_cert = nsnull;
+  }
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTreeDispInfo::GetHostPort(nsAString &aHostPort)
+{
+  aHostPort = mHostWithPort;
+  return NS_OK;
+}
 
 NS_IMPL_ISUPPORTS2(nsCertTree, nsICertTree, nsITreeView)
 
@@ -138,6 +186,7 @@ nsCertTree::nsCertTree() : mTreeArray(NULL)
 {
   mCompareCache.ops = nsnull;
   mNSSComponent = do_GetService(kNSSComponentCID);
+  mOverrideService = do_GetService("@mozilla.org/security/certoverride;1");
   mCellText = nsnull;
 }
 
@@ -169,20 +218,7 @@ nsCertTree::~nsCertTree()
 void
 nsCertTree::FreeCertArray()
 {
-  if (mCertArray) {
-    PRUint32 count;
-    nsresult rv = mCertArray->Count(&count);
-    if (NS_FAILED(rv))
-    {
-      NS_ASSERTION(0, "Count failed");
-      return;
-    }
-    PRInt32 i;
-    for (i = count - 1; i >= 0; i--)
-    {
-      mCertArray->RemoveElementAt(i);
-    }
-  }
+  mDispInfo.Clear();
 }
 
 CompareCacheHashEntry *
@@ -208,16 +244,19 @@ PRInt32
 nsCertTree::CountOrganizations()
 {
   PRUint32 i, certCount;
-  nsresult rv = mCertArray->Count(&certCount);
-  if (NS_FAILED(rv)) return -1;
+  certCount = mDispInfo.Length();
   if (certCount == 0) return 0;
-  nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(0));
-  nsCOMPtr<nsIX509Cert> orgCert = do_QueryInterface(isupport);
+  nsCOMPtr<nsIX509Cert> orgCert = nsnull;
+  if (mDispInfo.ElementAt(0)->mAddonInfo) {
+    orgCert = mDispInfo.ElementAt(0)->mAddonInfo->mCert;
+  }
   nsCOMPtr<nsIX509Cert> nextCert = nsnull;
   PRInt32 orgCount = 1;
   for (i=1; i<certCount; i++) {
-    isupport = dont_AddRef(mCertArray->ElementAt(i));
-    nextCert = do_QueryInterface(isupport);
+    nextCert = nsnull;
+    if (mDispInfo.ElementAt(i)->mAddonInfo) {
+      nextCert = mDispInfo.ElementAt(i)->mAddonInfo->mCert;
+    }
     // XXX we assume issuer org is always criterion 1
     if (CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None, sort_None) != 0) {
       orgCert = nextCert;
@@ -255,8 +294,25 @@ nsCertTree::GetThreadDescAtIndex(PRInt32 index)
 nsIX509Cert *
 nsCertTree::GetCertAtIndex(PRInt32 index, PRInt32 *outAbsoluteCertOffset)
 {
-  int i, idx = 0, cIndex = 0, nc;
+  nsRefPtr<nsCertTreeDispInfo> certdi =
+    getter_AddRefs(GetDispInfoAtIndex(index, outAbsoluteCertOffset));
+  if (!certdi)
+    return nsnull;
+
   nsIX509Cert *rawPtr = nsnull;
+  if (certdi->mAddonInfo) {
+    rawPtr = certdi->mAddonInfo->mCert;
+    NS_IF_ADDREF(rawPtr);
+  }
+  return rawPtr;
+}
+
+//  If the row at index is a cert, return that cert.  Otherwise, return null.
+nsCertTreeDispInfo *
+nsCertTree::GetDispInfoAtIndex(PRInt32 index, 
+                               PRInt32 *outAbsoluteCertOffset)
+{
+  int i, idx = 0, cIndex = 0, nc;
   if (index < 0) return nsnull;
   // Loop over the threads
   for (i=0; i<mNumOrgs; i++) {
@@ -267,11 +323,12 @@ nsCertTree::GetCertAtIndex(PRInt32 index, PRInt32 *outAbsoluteCertOffset)
       PRInt32 certIndex = cIndex + index - idx;
       if (outAbsoluteCertOffset)
         *outAbsoluteCertOffset = certIndex;
-      nsCOMPtr<nsISupports> isupport = 
-                             dont_AddRef(mCertArray->ElementAt(certIndex));
-      nsCOMPtr<nsIX509Cert> cert = do_QueryInterface(isupport);
-      rawPtr = cert;
-      NS_IF_ADDREF(rawPtr);
+      nsRefPtr<nsCertTreeDispInfo> certdi = mDispInfo.ElementAt(certIndex);
+      if (certdi) {
+        nsCertTreeDispInfo *raw = certdi.get();
+        NS_IF_ADDREF(raw);
+        return raw;
+      }
       break;
     }
     if (mTreeArray[i].open)
@@ -279,7 +336,7 @@ nsCertTree::GetCertAtIndex(PRInt32 index, PRInt32 *outAbsoluteCertOffset)
     cIndex += mTreeArray[i].numChildren;
     if (idx > index) break;
   }
-  return rawPtr;
+  return nsnull;
 }
 
 nsCertTree::nsCertCompareFunc
@@ -299,72 +356,313 @@ nsCertTree::GetCompareFuncFromCertType(PRUint32 aType)
   }
 }
 
-PRBool
+struct nsCertAndArrayAndPositionAndCounterAndTracker
+{
+  nsRefPtr<nsCertAddonInfo> certai;
+  nsTArray< nsRefPtr<nsCertTreeDispInfo> > *array;
+  int position;
+  int counter;
+  nsTHashtable<nsCStringHashKey> *tracker;
+};
+
+// Used to enumerate host:port overrides that match a stored
+// certificate, creates and adds a display-info-object to the
+// provided array. Increments insert position and entry counter.
+// We remove the given key from the tracker, which is used to 
+// track entries that have not yet been handled.
+// The created display-info references the cert, so make a note
+// of that by incrementing the cert usage counter.
+PR_STATIC_CALLBACK(void)
+MatchingCertOverridesCallback(const nsCertOverride &aSettings,
+                              void *aUserData)
+{
+  nsCertAndArrayAndPositionAndCounterAndTracker *cap = 
+    (nsCertAndArrayAndPositionAndCounterAndTracker*)aUserData;
+  if (!cap)
+    return;
+
+  nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;
+  if (certdi) {
+    if (cap->certai)
+      cap->certai->mUsageCount++;
+    certdi->mAddonInfo = cap->certai;
+    certdi->mTypeOfEntry = nsCertTreeDispInfo::host_port_override;
+    certdi->mHostWithPort = NS_ConvertUTF8toUTF16(aSettings.mHostWithPortUTF8);
+    certdi->mOverrideBits = aSettings.mOverrideBits;
+    NS_IF_ADDREF(certdi);
+    cap->array->InsertElementAt(cap->position, certdi);
+    cap->position++;
+    cap->counter++;
+  }
+
+  // this entry is now associated to a displayed cert, remove
+  // it from the list of remaining entries
+  cap->tracker->RemoveEntry(aSettings.mHostWithPortUTF8);
+}
+
+// Used to collect a list of the (unique) host:port keys
+// for all stored overrides.
+PR_STATIC_CALLBACK(void)
+CollectAllHostPortOverridesCallback(const nsCertOverride &aSettings,
+                                    void *aUserData)
+{
+  nsTHashtable<nsCStringHashKey> *collectorTable =
+    (nsTHashtable<nsCStringHashKey> *)aUserData;
+  if (!collectorTable)
+    return;
+
+  collectorTable->PutEntry(aSettings.mHostWithPortUTF8);
+}
+
+struct nsArrayAndPositionAndCounterAndTracker
+{
+  nsTArray< nsRefPtr<nsCertTreeDispInfo> > *array;
+  int position;
+  int counter;
+  nsTHashtable<nsCStringHashKey> *tracker;
+};
+
+// Used when enumerating the stored host:port overrides where
+// no associated certificate was found in the NSS database.
+PR_STATIC_CALLBACK(void)
+AddRemaningHostPortOverridesCallback(const nsCertOverride &aSettings,
+                                     void *aUserData)
+{
+  nsArrayAndPositionAndCounterAndTracker *cap = 
+    (nsArrayAndPositionAndCounterAndTracker*)aUserData;
+  if (!cap)
+    return;
+
+  if (!cap->tracker->GetEntry(aSettings.mHostWithPortUTF8))
+    return;
+
+  // This entry is not associated to any stored cert,
+  // so we still need to display it.
+
+  nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;
+  if (certdi) {
+    certdi->mAddonInfo = nsnull;
+    certdi->mTypeOfEntry = nsCertTreeDispInfo::host_port_override;
+    certdi->mHostWithPort = NS_ConvertUTF8toUTF16(aSettings.mHostWithPortUTF8);
+    certdi->mOverrideBits = aSettings.mOverrideBits;
+    NS_IF_ADDREF(certdi);
+    cap->array->InsertElementAt(cap->position, certdi);
+    cap->position++;
+    cap->counter++;
+  }
+}
+
+nsresult
 nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
-                                       PRUint32 aType,
+                                       PRUint32 aWantedType,
                                        nsCertCompareFunc  aCertCmpFn,
-                                       void *aCertCmpFnArg,
-                                       nsISupportsArray **_certs)
+                                       void *aCertCmpFnArg)
 {
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("GetCertsByTypeFromCertList"));
   if (!aCertList)
-    return PR_FALSE;
-  nsCOMPtr<nsISupportsArray> certarray;
-  nsresult rv = NS_NewISupportsArray(getter_AddRefs(certarray));
-  if (NS_FAILED(rv)) return PR_FALSE;
+    return NS_ERROR_FAILURE;
+
+  nsCertOverrideService *cos = 
+    reinterpret_cast<nsCertOverrideService*>(mOverrideService.get());
+  if (!cos)
+    return NS_ERROR_FAILURE;
+
+  nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys;
+  if (!allHostPortOverrideKeys.Init())
+    return NS_ERROR_OUT_OF_MEMORY;
+
+  if (aWantedType == nsIX509Cert::SERVER_CERT) {
+    cos->EnumerateCertOverrides(nsnull, 
+                                CollectAllHostPortOverridesCallback, 
+                                &allHostPortOverrideKeys);
+  }
+
   CERTCertListNode *node;
   int count = 0;
   for (node = CERT_LIST_HEAD(aCertList);
        !CERT_LIST_END(node, aCertList);
        node = CERT_LIST_NEXT(node)) {
-    if (aType == nsIX509Cert2::ANY_CERT || getCertType(node->cert) == aType) {
-      nsCOMPtr<nsIX509Cert> pipCert = new nsNSSCertificate(node->cert);
-      if (pipCert) {
-        int i;
-        for (i = 0; i < count; ++i) {
-          nsCOMPtr<nsIX509Cert> cert = do_QueryElementAt(certarray, i);
-          if ((*aCertCmpFn)(aCertCmpFnArg, pipCert, cert) < 0) {
-            break;
-          }
+
+    PRBool wantThisCert = (aWantedType == nsIX509Cert2::ANY_CERT);
+    PRBool wantThisCertIfNoOverrides = PR_FALSE;
+    PRBool wantThisCertIfHaveOverrides = PR_FALSE;
+    PRBool addOverrides = PR_FALSE;
+
+    if (!wantThisCert) {
+      PRUint32 thisCertType = getCertType(node->cert);
+
+      // The output from getCertType is a "guess", which can be wrong.
+      // The guess is based on stored trust flags, but for the host:port
+      // overrides, we are storing certs without any trust flags associated.
+      // So we must check whether the cert really belongs to the 
+      // server, email or unknown tab. We will lookup the cert in the override
+      // list to come to the decision. Unfortunately, the lookup in the
+      // override list is quite expensive. Therefore we are using this 
+      // lengthy if/else statement to minimize 
+      // the number of override-list-lookups.
+
+      if (aWantedType == nsIX509Cert::SERVER_CERT
+          && thisCertType == nsIX509Cert::UNKNOWN_CERT) {
+        // This unknown cert was stored without trust
+        // Are there host:port based overrides stored?
+        // If yes, display them.
+        addOverrides = PR_TRUE;
+      }
+      else
+      if (aWantedType == nsIX509Cert::UNKNOWN_CERT
+          && thisCertType == nsIX509Cert::UNKNOWN_CERT) {
+        // This unknown cert was stored without trust.
+        // If there are associated overrides, do not show as unknown.
+        // If there are no associated overrides, display as unknown.
+        wantThisCertIfNoOverrides = PR_TRUE;
+      }
+      else
+      if (aWantedType == nsIX509Cert::SERVER_CERT
+          && thisCertType == nsIX509Cert::SERVER_CERT) {
+        // This server cert is explicitly marked as a web site peer, 
+        // with or without trust, but editable, so show it
+        wantThisCert = PR_TRUE;
+        // Are there host:port based overrides stored?
+        // If yes, display them.
+        addOverrides = PR_TRUE;
+      }
+      else
+      if (aWantedType == nsIX509Cert::SERVER_CERT
+          && thisCertType == nsIX509Cert::EMAIL_CERT) {
+        // This cert might have been categorized as an email cert
+        // because it carries an email address. But is it really one?
+        // Our cert categorization is uncertain when it comes to
+        // distinguish between email certs and web site certs.
+        // So, let's see if we have an override for that cert
+        // and if there is, conclude it's really a web site cert.
+        addOverrides = PR_TRUE;
+      }
+      else
+      if (aWantedType == nsIX509Cert::EMAIL_CERT
+          && thisCertType == nsIX509Cert::EMAIL_CERT) {
+        // This cert might have been categorized as an email cert
+        // because it carries an email address. But is it really one?
+        // Our cert categorization is uncertain when it comes to
+        // distinguish between email certs and web site certs.
+        // So, let's see if we have an override for that cert
+        // and if there is, conclude it's really a web site cert.
+        wantThisCertIfNoOverrides = PR_TRUE;
+      }
+      else
+      if (thisCertType == aWantedType) {
+        wantThisCert = PR_TRUE;
+      }
+    }
+
+    nsCOMPtr<nsIX509Cert> pipCert = new nsNSSCertificate(node->cert);
+    if (!pipCert)
+      return NS_ERROR_OUT_OF_MEMORY;
+
+    if (wantThisCertIfNoOverrides || wantThisCertIfHaveOverrides) {
+      PRUint32 ocount = 0;
+      nsresult rv = mOverrideService->IsCertUsedForOverrides(pipCert, &ocount);
+
+      if (wantThisCertIfNoOverrides) {
+        if (NS_FAILED(rv) || ocount == 0) {
+          // no overrides for this cert
+          wantThisCert = PR_TRUE;
         }
-        certarray->InsertElementAt(pipCert, i);
+      }
+
+      if (wantThisCertIfHaveOverrides) {
+        if (NS_SUCCEEDED(rv) && ocount > 0) {
+          // there are overrides for this cert
+          wantThisCert = PR_TRUE;
+        }
+      }
+    }
+
+    nsRefPtr<nsCertAddonInfo> certai = new nsCertAddonInfo;
+    if (!certai)
+      return NS_ERROR_OUT_OF_MEMORY;
+
+    certai->mCert = pipCert;
+    certai->mUsageCount = 0;
+
+    if (wantThisCert || addOverrides) {
+      int InsertPosition = 0;
+      for (; InsertPosition < count; ++InsertPosition) {
+        nsCOMPtr<nsIX509Cert> cert = nsnull;
+        nsRefPtr<nsCertTreeDispInfo> elem = mDispInfo.ElementAt(InsertPosition);
+        if (elem->mAddonInfo) {
+          cert = mDispInfo.ElementAt(InsertPosition)->mAddonInfo->mCert;
+        }
+        if ((*aCertCmpFn)(aCertCmpFnArg, pipCert, cert) < 0) {
+          break;
+        }
+      }
+      if (wantThisCert) {
+        nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;
+        if (!certdi)
+          return NS_ERROR_OUT_OF_MEMORY;
+
+        certdi->mAddonInfo = certai;
+        certai->mUsageCount++;
+        certdi->mTypeOfEntry = nsCertTreeDispInfo::direct_db;
+        // not necessary: certdi->mHostWithPort.Clear();
+        certdi->mOverrideBits = nsCertOverride::ob_None;
+        NS_IF_ADDREF(certdi);
+        mDispInfo.InsertElementAt(InsertPosition, certdi);
         ++count;
+        ++InsertPosition;
+      }
+      if (addOverrides && cos) {
+        nsCertAndArrayAndPositionAndCounterAndTracker cap;
+        cap.certai = certai;
+        cap.array = &mDispInfo;
+        cap.position = InsertPosition;
+        cap.counter = 0;
+        cap.tracker = &allHostPortOverrideKeys;
+
+        cos->EnumerateCertOverrides(pipCert, MatchingCertOverridesCallback, &cap);
+        count += cap.counter;
       }
     }
   }
-  *_certs = certarray;
-  NS_ADDREF(*_certs);
-  return PR_TRUE;
+
+  if (aWantedType == nsIX509Cert::SERVER_CERT) {
+    nsArrayAndPositionAndCounterAndTracker cap;
+    cap.array = &mDispInfo;
+    cap.position = 0;
+    cap.counter = 0;
+    cap.tracker = &allHostPortOverrideKeys;
+    cos->EnumerateCertOverrides(nsnull, AddRemaningHostPortOverridesCallback, &cap);
+  }
+
+  return NS_OK;
 }
 
-PRBool 
+nsresult 
 nsCertTree::GetCertsByType(PRUint32           aType,
                            nsCertCompareFunc  aCertCmpFn,
-                           void              *aCertCmpFnArg,
-                           nsISupportsArray **_certs)
+                           void              *aCertCmpFnArg)
 {
   nsNSSShutDownPreventionLock locker;
   CERTCertList *certList = NULL;
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
   certList = PK11_ListCerts(PK11CertListUnique, cxt);
-  PRBool rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg, _certs);
+  nsresult rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
   if (certList)
     CERT_DestroyCertList(certList);
   return rv;
 }
 
-PRBool 
+nsresult 
 nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache   *aCache,
                                     PRUint32           aType,
                                     nsCertCompareFunc  aCertCmpFn,
-                                    void              *aCertCmpFnArg,
-                                    nsISupportsArray **_certs)
+                                    void              *aCertCmpFnArg)
 {
   NS_ENSURE_ARG_POINTER(aCache);
   CERTCertList *certList = reinterpret_cast<CERTCertList*>(aCache->GetCachedCerts());
   if (!certList)
     return NS_ERROR_FAILURE;
-  return GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg, _certs);
+  return GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
 }
 
 // LoadCerts
@@ -384,8 +682,7 @@ nsCertTree::LoadCertsFromCache(nsINSSCertCache *aCache, PRUint32 aType)
   if (NS_FAILED(rv)) return rv;
 
   rv = GetCertsByTypeFromCache(aCache, aType, 
-                               GetCompareFuncFromCertType(aType), &mCompareCache,
-                               getter_AddRefs(mCertArray));
+                               GetCompareFuncFromCertType(aType), &mCompareCache);
   if (NS_FAILED(rv)) return rv;
   return UpdateUIContents();
 }
@@ -403,8 +700,7 @@ nsCertTree::LoadCerts(PRUint32 aType)
   if (NS_FAILED(rv)) return rv;
 
   rv = GetCertsByType(aType, 
-                      GetCompareFuncFromCertType(aType), &mCompareCache,
-                      getter_AddRefs(mCertArray));
+                      GetCompareFuncFromCertType(aType), &mCompareCache);
   if (NS_FAILED(rv)) return rv;
   return UpdateUIContents();
 }
@@ -412,9 +708,7 @@ nsCertTree::LoadCerts(PRUint32 aType)
 nsresult
 nsCertTree::UpdateUIContents()
 {
-  PRUint32 count;
-  nsresult rv = mCertArray->Count(&count);
-  if (NS_FAILED(rv)) return rv;
+  PRUint32 count = mDispInfo.Length();
   mNumOrgs = CountOrganizations();
   mTreeArray = new treeArrayEl[mNumOrgs];
   if (!mTreeArray)
@@ -422,28 +716,41 @@ nsCertTree::UpdateUIContents()
 
   mCellText = do_CreateInstance(NS_ARRAY_CONTRACTID);
 
+if (count) {
   PRUint32 j = 0;
-  nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(j));
-  nsCOMPtr<nsIX509Cert> orgCert = do_QueryInterface(isupport);
+  nsCOMPtr<nsIX509Cert> orgCert = nsnull;
+  if (mDispInfo.ElementAt(j)->mAddonInfo) {
+    orgCert = mDispInfo.ElementAt(j)->mAddonInfo->mCert;
+  }
   for (PRInt32 i=0; i<mNumOrgs; i++) {
     nsString &orgNameRef = mTreeArray[i].orgName;
-    orgCert->GetIssuerOrganization(orgNameRef);
-    if (orgNameRef.IsEmpty())
-      orgCert->GetCommonName(orgNameRef);
+    if (!orgCert) {
+      mNSSComponent->GetPIPNSSBundleString("CertOrgUnknown", orgNameRef);
+    }
+    else {
+      orgCert->GetIssuerOrganization(orgNameRef);
+      if (orgNameRef.IsEmpty())
+        orgCert->GetCommonName(orgNameRef);
+    }
     mTreeArray[i].open = PR_TRUE;
     mTreeArray[i].certIndex = j;
     mTreeArray[i].numChildren = 1;
     if (++j >= count) break;
-    isupport = dont_AddRef(mCertArray->ElementAt(j));
-    nsCOMPtr<nsIX509Cert> nextCert = do_QueryInterface(isupport);
+    nsCOMPtr<nsIX509Cert> nextCert = nsnull;
+    if (mDispInfo.ElementAt(j)->mAddonInfo) {
+      nextCert = mDispInfo.ElementAt(j)->mAddonInfo->mCert;
+    }
     while (0 == CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None, sort_None)) {
       mTreeArray[i].numChildren++;
       if (++j >= count) break;
-      isupport = dont_AddRef(mCertArray->ElementAt(j));
-      nextCert = do_QueryInterface(isupport);
+      nextCert = nsnull;
+      if (mDispInfo.ElementAt(j)->mAddonInfo) {
+        nextCert = mDispInfo.ElementAt(j)->mAddonInfo->mCert;
+      }
     }
     orgCert = nextCert;
   }
+}
   if (mTree) {
     mTree->BeginUpdateBatch();
     mTree->RowCountChanged(0, -mNumRows);
@@ -455,9 +762,15 @@ nsCertTree::UpdateUIContents()
 }
 
 NS_IMETHODIMP 
-nsCertTree::RemoveCert(PRUint32 index)
+nsCertTree::DeleteEntryObject(PRUint32 index)
 {
-  if (!mCertArray || !mTreeArray || index < 0) {
+  if (!mTreeArray || index < 0) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIX509CertDB> certdb = 
+    do_GetService("@mozilla.org/security/x509certdb;1");
+  if (!certdb) {
     return NS_ERROR_FAILURE;
   }
 
@@ -471,9 +784,66 @@ nsCertTree::RemoveCert(PRUint32 index)
     nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;
     if (index < idx + nc) { // cert is within range of this thread
       PRInt32 certIndex = cIndex + index - idx;
-      nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(certIndex));
-      RemoveCacheEntry(isupport);
-      mCertArray->RemoveElementAt(certIndex);
+
+      nsRefPtr<nsCertTreeDispInfo> certdi = mDispInfo.ElementAt(certIndex);
+      nsCOMPtr<nsIX509Cert> cert = nsnull;
+      if (certdi->mAddonInfo) {
+        cert = certdi->mAddonInfo->mCert;
+      }
+      PRBool canRemoveEntry = PR_FALSE;
+
+      if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
+        mOverrideService->ClearValidityOverride(certdi->mHostWithPort);
+        if (certdi->mAddonInfo) {
+          certdi->mAddonInfo->mUsageCount--;
+          if (certdi->mAddonInfo->mUsageCount == 0) {
+            // The certificate stored in the database is no longer
+            // referenced by any other object displayed.
+            // That means we no longer need to keep it around
+            // and really can remove it.
+            canRemoveEntry = PR_TRUE;
+          }
+        } 
+      }
+      else {
+        if (certdi->mAddonInfo->mUsageCount > 1) {
+          // user is trying to delete a perm trusted cert,
+          // although there are still overrides stored,
+          // so, we keep the cert, but remove the trust
+
+          CERTCertificate *nsscert = nsnull;
+          CERTCertificateCleaner nsscertCleaner(nsscert);
+
+          nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
+          if (cert2) {
+            nsscert = cert2->GetCert();
+          }
+
+          if (nsscert) {
+            CERTCertTrust trust;
+            memset((void*)&trust, 0, sizeof(trust));
+          
+            SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override 
+            if (srv == SECSuccess) {
+              CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
+            }
+          }
+        }
+        else {
+          canRemoveEntry = PR_TRUE;
+        }
+      }
+
+      nsCertTreeDispInfo *certdi2 = mDispInfo.ElementAt(certIndex);
+      mDispInfo.RemoveElementAt(certIndex);
+      NS_IF_RELEASE(certdi2);
+      certdi2 = 0;
+
+      if (canRemoveEntry) {
+        RemoveCacheEntry(cert);
+        certdb->DeleteCertificate(cert);
+      }
+
       delete [] mTreeArray;
       mTreeArray = nsnull;
       return UpdateUIContents();
@@ -499,11 +869,35 @@ nsCertTree::GetCert(PRUint32 aIndex, nsIX509Cert **_cert)
 {
   NS_ENSURE_ARG(_cert);
   *_cert = GetCertAtIndex(aIndex);
-  //nsCOMPtr<nsIX509Cert> cert = GetCertAtIndex(aIndex);
-  //if (cert) {
-    //*_cert = cert;
-    //NS_ADDREF(*_cert);
-  //}
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::GetTreeItem(PRUint32 aIndex, nsICertTreeItem **_treeitem)
+{
+  NS_ENSURE_ARG(_treeitem);
+
+  nsRefPtr<nsCertTreeDispInfo> certdi = 
+    getter_AddRefs(GetDispInfoAtIndex(aIndex));
+  if (!certdi)
+    return NS_ERROR_FAILURE;
+
+  *_treeitem = certdi;
+  NS_IF_ADDREF(*_treeitem);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsCertTree::IsHostPortOverride(PRUint32 aIndex, PRBool *_retval)
+{
+  NS_ENSURE_ARG(_retval);
+
+  nsRefPtr<nsCertTreeDispInfo> certdi = 
+    getter_AddRefs(GetDispInfoAtIndex(aIndex));
+  if (!certdi)
+    return NS_ERROR_FAILURE;
+
+  *_retval = (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override);
   return NS_OK;
 }
 
@@ -719,7 +1113,15 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
   }
 
   PRInt32 absoluteCertOffset;
-  nsCOMPtr<nsIX509Cert> cert = dont_AddRef(GetCertAtIndex(row, &absoluteCertOffset));
+  nsRefPtr<nsCertTreeDispInfo> certdi = 
+    getter_AddRefs(GetDispInfoAtIndex(row, &absoluteCertOffset));
+  if (!certdi)
+    return NS_ERROR_FAILURE;
+
+  nsCOMPtr<nsIX509Cert> cert = nsnull;
+  if (certdi->mAddonInfo) {
+    cert = certdi->mAddonInfo->mCert;
+  }
 
   PRInt32 colIndex;
   col->GetIndex(&colIndex);
@@ -736,34 +1138,38 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
     }
   }
 
-  if (cert == nsnull) return NS_ERROR_FAILURE;
   if (NS_LITERAL_STRING("certcol").Equals(colID)) {
-    rv = cert->GetCommonName(_retval);
-    if (NS_FAILED(rv) || _retval.IsEmpty()) {
-      // kaie: I didn't invent the idea to cut off anything before 
-      //       the first colon. :-)
-      nsAutoString nick;
-      rv = cert->GetNickname(nick);
-      
-      nsAString::const_iterator start, end, end2;
-      nick.BeginReading(start);
-      nick.EndReading(end);
-      end2 = end;
-
-      if (FindInReadable(NS_LITERAL_STRING(":"), start, end)) {
-        // found. end points to the first char after the colon,
-        // that's what we want.
-        _retval = Substring(end, end2);
-      }
-      else {
-        _retval = nick;
+    if (!cert) {
+      mNSSComponent->GetPIPNSSBundleString("CertNotStored", _retval);
+    }
+    else {
+      rv = cert->GetCommonName(_retval);
+      if (NS_FAILED(rv) || _retval.IsEmpty()) {
+        // kaie: I didn't invent the idea to cut off anything before 
+        //       the first colon. :-)
+        nsAutoString nick;
+        rv = cert->GetNickname(nick);
+        
+        nsAString::const_iterator start, end, end2;
+        nick.BeginReading(start);
+        nick.EndReading(end);
+        end2 = end;
+  
+        if (FindInReadable(NS_LITERAL_STRING(":"), start, end)) {
+          // found. end points to the first char after the colon,
+          // that's what we want.
+          _retval = Substring(end, end2);
+        }
+        else {
+          _retval = nick;
+        }
       }
     }
-  } else if (NS_LITERAL_STRING("tokencol").Equals(colID)) {
+  } else if (NS_LITERAL_STRING("tokencol").Equals(colID) && cert) {
     rv = cert->GetTokenName(_retval);
-  } else if (NS_LITERAL_STRING("emailcol").Equals(colID)) {
+  } else if (NS_LITERAL_STRING("emailcol").Equals(colID) && cert) {
     rv = cert->GetEmailAddress(_retval);
-  } else if (NS_LITERAL_STRING("purposecol").Equals(colID) && mNSSComponent) {
+  } else if (NS_LITERAL_STRING("purposecol").Equals(colID) && mNSSComponent && cert) {
     PRUint32 verified;
 
     nsAutoString theUsages;
@@ -801,23 +1207,41 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
         rv = mNSSComponent->GetPIPNSSBundleString("VerifyUnknown", _retval);
         break;
     }
-  } else if (NS_LITERAL_STRING("issuedcol").Equals(colID)) {
+  } else if (NS_LITERAL_STRING("issuedcol").Equals(colID) && cert) {
     nsCOMPtr<nsIX509CertValidity> validity;
 
     rv = cert->GetValidity(getter_AddRefs(validity));
     if (NS_SUCCEEDED(rv)) {
       validity->GetNotBeforeLocalDay(_retval);
     }
-  } else if (NS_LITERAL_STRING("expiredcol").Equals(colID)) {
+  } else if (NS_LITERAL_STRING("expiredcol").Equals(colID) && cert) {
     nsCOMPtr<nsIX509CertValidity> validity;
 
     rv = cert->GetValidity(getter_AddRefs(validity));
     if (NS_SUCCEEDED(rv)) {
       validity->GetNotAfterLocalDay(_retval);
     }
-  } else if (NS_LITERAL_STRING("serialnumcol").Equals(colID)) {
+  } else if (NS_LITERAL_STRING("serialnumcol").Equals(colID) && cert) {
     rv = cert->GetSerialNumber(_retval);
-  } else if (NS_LITERAL_STRING("typecol").Equals(colID)) {
+
+
+  } else if (NS_LITERAL_STRING("overridetypecol").Equals(colID)) {
+    // default to classic permanent-trust
+    nsCertOverride::OverrideBits ob = nsCertOverride::ob_Untrusted;
+    if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
+      ob = certdi->mOverrideBits;
+    }
+    nsCAutoString temp;
+    nsCertOverride::convertBitsToString(ob, temp);
+    _retval = NS_ConvertUTF8toUTF16(temp);
+  } else if (NS_LITERAL_STRING("sitecol").Equals(colID)) {
+    if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
+      _retval = certdi->mHostWithPort;
+    }
+    else {
+      _retval = NS_LITERAL_STRING("*");
+    }
+  } else if (NS_LITERAL_STRING("typecol").Equals(colID) && cert) {
     nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
     PRUint32 type = nsIX509Cert::UNKNOWN_CERT;
 
@@ -972,7 +1396,7 @@ nsCertTree::dumpMap()
       nsAutoString td(el->orgName);
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("thread desc[%d]: %s", i, NS_LossyConvertUTF16toASCII(td).get()));
     }
-    nsCOMPtr<nsIX509Cert> ct = dont_AddRef(GetCertAtIndex(i));
+    nsCOMPtr<nsIX509Cert> ct = getter_AddRefs(GetCertAtIndex(i));
     if (ct != nsnull) {
       PRUnichar *goo;
       ct->GetCommonName(&goo);
@@ -1105,11 +1529,24 @@ PRInt32
 nsCertTree::CmpBy(void *cache, nsIX509Cert *a, nsIX509Cert *b, 
                   sortCriterion c0, sortCriterion c1, sortCriterion c2)
 {
-  NS_ENSURE_TRUE( (cache!=0 && a!=0 && b!=0), 0 );
+  // This will be called when comparing items for display sorting.
+  // Some items might have no cert associated, so either a or b is null.
+  // We want all those orphans show at the top of the list,
+  // so we treat a null cert as "smaller" by returning -1.
+  // We don't try to sort within the group of no-cert entries,
+  // so we treat them as equal wrt sort order.
 
-  if (a == b)
+  if (!a && !b)
     return 0;
 
+  if (!a)
+    return -1;
+
+  if (!b)
+    return 1;
+
+  NS_ENSURE_TRUE( (cache!=0 && a!=0 && b!=0), 0 );
+
   CompareCacheHashEntry *ace = getCacheEntry(cache, a);
   CompareCacheHashEntry *bce = getCacheEntry(cache, b);
 
diff --git a/security/manager/ssl/src/nsCertTree.h b/security/manager/ssl/src/nsCertTree.h
index f956900ad3a..41b56d2bdc6 100644
--- a/security/manager/ssl/src/nsCertTree.h
+++ b/security/manager/ssl/src/nsCertTree.h
@@ -20,6 +20,7 @@
  *
  * Contributor(s):
  *   Ian McGreer <mcgreer@netscape.com>
+ *   Kai Engert <kengert@redhat.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -39,6 +40,7 @@
 #define _NS_CERTTREE_H_
 
 #include "nsCOMPtr.h"
+#include "nsAutoPtr.h"
 #include "nsIServiceManager.h"
 #include "nsICertTree.h"
 #include "nsITreeView.h"
@@ -46,8 +48,11 @@
 #include "nsITreeSelection.h"
 #include "nsISupportsArray.h"
 #include "nsIMutableArray.h"
+#include "nsTArray.h"
 #include "pldhash.h"
 #include "nsIX509CertDB.h"
+#include "nsCertOverrideService.h"
+
 
 typedef struct treeArrayElStr treeArrayEl;
 
@@ -66,6 +71,36 @@ struct CompareCacheHashEntryPtr : PLDHashEntryHdr {
   CompareCacheHashEntry *entry;
 };
 
+class nsCertAddonInfo : public nsISupports
+{
+public:
+  NS_DECL_ISUPPORTS
+
+  nsCertAddonInfo() : mUsageCount(0) {}
+
+  nsRefPtr<nsIX509Cert> mCert;
+  // how many display entries reference this?
+  // (and therefore depend on the underlying cert)
+  PRInt32 mUsageCount;
+};
+
+class nsCertTreeDispInfo : public nsICertTreeItem
+{
+public:
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSICERTTREEITEM
+
+  nsCertTreeDispInfo();
+  nsCertTreeDispInfo(nsCertTreeDispInfo &other);
+  virtual ~nsCertTreeDispInfo();
+
+  nsRefPtr<nsCertAddonInfo> mAddonInfo;
+  enum {
+    direct_db, host_port_override
+  } mTypeOfEntry;
+  nsString mHostWithPort;
+  nsCertOverride::OverrideBits mOverrideBits;
+};
 
 class nsCertTree : public nsICertTree
 {
@@ -102,14 +137,13 @@ protected:
   nsCertCompareFunc GetCompareFuncFromCertType(PRUint32 aType);
   PRInt32 CountOrganizations();
 
-  PRBool GetCertsByType(PRUint32 aType, nsCertCompareFunc aCertCmpFn,
-                        void *aCertCmpFnArg, nsISupportsArray **_certs);
+  nsresult GetCertsByType(PRUint32 aType, nsCertCompareFunc aCertCmpFn,
+                          void *aCertCmpFnArg);
 
-  PRBool GetCertsByTypeFromCache(nsINSSCertCache *aCache, PRUint32 aType,
-                                 nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg,
-                                 nsISupportsArray **_certs);
+  nsresult GetCertsByTypeFromCache(nsINSSCertCache *aCache, PRUint32 aType,
+                                   nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg);
 private:
-  nsCOMPtr<nsISupportsArray>      mCertArray;
+  nsTArray< nsRefPtr<nsCertTreeDispInfo> > mDispInfo;
   nsCOMPtr<nsITreeBoxObject>  mTree;
   nsCOMPtr<nsITreeSelection>  mSelection;
   treeArrayEl                *mTreeArray;
@@ -117,18 +151,19 @@ private:
   PRInt32                         mNumRows;
   PLDHashTable mCompareCache;
   nsCOMPtr<nsINSSComponent> mNSSComponent;
+  nsCOMPtr<nsICertOverrideService> mOverrideService;
 
   treeArrayEl *GetThreadDescAtIndex(PRInt32 _index);
   nsIX509Cert *GetCertAtIndex(PRInt32 _index, PRInt32 *outAbsoluteCertOffset = nsnull);
-
+  nsCertTreeDispInfo *GetDispInfoAtIndex(PRInt32 index,  
+                                         PRInt32 *outAbsoluteCertOffset = nsnull);
   void FreeCertArray();
   nsresult UpdateUIContents();
 
-  PRBool GetCertsByTypeFromCertList(CERTCertList *aCertList,
-                                    PRUint32 aType,
-                                    nsCertCompareFunc  aCertCmpFn,
-                                    void              *aCertCmpFnArg,
-                                    nsISupportsArray **_certs);
+  nsresult GetCertsByTypeFromCertList(CERTCertList *aCertList,
+                                      PRUint32 aType,
+                                      nsCertCompareFunc  aCertCmpFn,
+                                      void              *aCertCmpFnArg);
 
   nsCOMPtr<nsIMutableArray> mCellText;
 
diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp
index 522c2cce5b1..85c5e4d4626 100644
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -41,7 +41,8 @@
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsNSSCallbacks.h"
 #include "nsNSSCertificate.h"
-#include "nsISSLStatus.h"
+#include "nsNSSCleaner.h"
+#include "nsSSLStatus.h"
 #include "nsNSSIOLayer.h" // for nsNSSSocketInfo
 #include "nsIWebProgressListener.h"
 #include "nsIStringBundle.h"
@@ -69,6 +70,7 @@
 #include "ocsp.h"
 
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
+NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
@@ -621,77 +623,6 @@ void nsHTTPListener::send_done_signal()
   }
 }
 
-/* Implementation of nsISSLStatus */
-class nsSSLStatus
-  : public nsISSLStatus
-{
-public:
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSISSLSTATUS
-
-  nsSSLStatus();
-  virtual ~nsSSLStatus();
-
-  /* public for initilization in this file */
-  nsCOMPtr<nsIX509Cert> mServerCert;
-  PRUint32 mKeyLength;
-  PRUint32 mSecretKeyLength;
-  nsXPIDLCString mCipherName;
-};
-
-NS_IMETHODIMP
-nsSSLStatus::GetServerCert(nsIX509Cert** _result)
-{
-  NS_ASSERTION(_result, "non-NULL destination required");
-
-  *_result = mServerCert;
-  NS_IF_ADDREF(*_result);
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetKeyLength(PRUint32* _result)
-{
-  NS_ASSERTION(_result, "non-NULL destination required");
-
-  *_result = mKeyLength;
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetSecretKeyLength(PRUint32* _result)
-{
-  NS_ASSERTION(_result, "non-NULL destination required");
-
-  *_result = mSecretKeyLength;
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetCipherName(char** _result)
-{
-  NS_ASSERTION(_result, "non-NULL destination required");
-
-  *_result = PL_strdup(mCipherName.get());
-
-  return NS_OK;
-}
-
-nsSSLStatus::nsSSLStatus()
-: mKeyLength(0), mSecretKeyLength(0)
-{
-}
-
-NS_IMPL_THREADSAFE_ISUPPORTS1(nsSSLStatus, nsISSLStatus)
-
-nsSSLStatus::~nsSSLStatus()
-{
-}
-
-
 char* PR_CALLBACK
 PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg) {
   nsNSSShutDownPreventionLock locker;
@@ -839,7 +770,12 @@ void PR_CALLBACK HandshakeCallback(PRFileDesc* fd, void* client_data) {
     infoObject->SetShortSecurityDescription(shortDesc.get());
 
     /* Set the SSL Status information */
-    nsCOMPtr<nsSSLStatus> status = new nsSSLStatus();
+    nsCOMPtr<nsSSLStatus> status;
+    infoObject->GetSSLStatus(getter_AddRefs(status));
+    if (!status) {
+      status = new nsSSLStatus();
+      infoObject->SetSSLStatus(status);
+    }
 
     CERTCertificate *serverCert = SSL_PeerCertificate(fd);
     if (serverCert) {
@@ -852,11 +788,10 @@ void PR_CALLBACK HandshakeCallback(PRFileDesc* fd, void* client_data) {
       }
     }
 
+    status->mHaveKeyLengthAndCipher = PR_TRUE;
     status->mKeyLength = keyLength;
     status->mSecretKeyLength = encryptBits;
     status->mCipherName.Adopt(cipherName);
-
-    infoObject->SetSSLStatus(status);
   }
 
   PR_FREEIF(certOrgName);
@@ -874,9 +809,11 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
   // complete chain at any time it might need it.
   // But we keep only those CA certs in the temp db, that we didn't already know.
   
-  if (SECSuccess == rv) {
-    CERTCertificate *serverCert = SSL_PeerCertificate(fd);
-    if (serverCert) {
+  CERTCertificate *serverCert = SSL_PeerCertificate(fd);
+  CERTCertificateCleaner serverCertCleaner(serverCert);
+
+  if (serverCert) {
+    if (SECSuccess == rv) {
       CERTCertList *certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
 
       nsCOMPtr<nsINSSComponent> nssComponent;
@@ -915,7 +852,21 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
       }
 
       CERT_DestroyCertList(certList);
-      CERT_DestroyCertificate(serverCert);
+    }
+    else {
+      // The connection will be terminated, let's provide a minimal SSLStatus
+      // to the caller that contains at least the cert and its status.
+      nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
+
+      nsCOMPtr<nsSSLStatus> status;
+      infoObject->GetSSLStatus(getter_AddRefs(status));
+      if (!status) {
+        status = new nsSSLStatus();
+        infoObject->SetSSLStatus(status);
+      }
+      if (status) {
+        status->mServerCert = new nsNSSCertificate(serverCert);
+      }
     }
   }
 
diff --git a/security/manager/ssl/src/nsNSSIOLayer.h b/security/manager/ssl/src/nsNSSIOLayer.h
index 228416b9c34..bbcd2b3841d 100644
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@@ -175,13 +175,6 @@ public:
 
   void SetAllowTLSIntoleranceTimeout(PRBool aAllow);
 
-  enum BadCertUIStatusType {
-    bcuis_not_shown, bcuis_active, bcuis_was_shown
-  };
-
-  void SetBadCertUIStatus(BadCertUIStatusType aNewStatus);
-  BadCertUIStatusType GetBadCertUIStatus() { return mBadCertUIStatus; }
-
   nsresult GetExternalErrorReporting(PRBool* state);
   nsresult SetExternalErrorReporting(PRBool aState);
 
@@ -209,7 +202,6 @@ protected:
   PRPackedBool mHasCleartextPhase;
   PRPackedBool mHandshakeInProgress;
   PRPackedBool mAllowTLSIntoleranceTimeout;
-  BadCertUIStatusType mBadCertUIStatus;
   PRIntervalTime mHandshakeStartTime;
   PRInt32 mPort;
   nsXPIDLCString mHostName;
diff --git a/security/manager/ssl/src/nsNSSModule.cpp b/security/manager/ssl/src/nsNSSModule.cpp
index 5cd50ee004f..f57a878bc36 100644
--- a/security/manager/ssl/src/nsNSSModule.cpp
+++ b/security/manager/ssl/src/nsNSSModule.cpp
@@ -72,6 +72,7 @@
 #include "nsStreamCipher.h"
 #include "nsKeyModule.h"
 #include "nsDataSignatureVerifier.h"
+#include "nsCertOverrideService.h"
 
 // We must ensure that the nsNSSComponent has been loaded before
 // creating any other components.
@@ -192,6 +193,7 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsStreamCipher)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsKeyObject)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsKeyObjectFactory)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsDataSignatureVerifier)
+NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(PR_FALSE, nsCertOverrideService, Init)
 
 static NS_METHOD RegisterPSMContentListeners(
                       nsIComponentManager *aCompMgr,
@@ -454,6 +456,13 @@ static const nsModuleComponentInfo components[] =
     NS_DATASIGNATUREVERIFIER_CID,
     NS_DATASIGNATUREVERIFIER_CONTRACTID,
     nsDataSignatureVerifierConstructor
+  },
+
+  {
+    "PSM Cert Override Settings Service",
+    NS_CERTOVERRIDE_CID,
+    NS_CERTOVERRIDE_CONTRACTID,
+    nsCertOverrideServiceConstructor
   }
 };
 
diff --git a/toolkit/mozapps/shared/src/badCertHandler.js b/toolkit/mozapps/shared/src/badCertHandler.js
index aee20014298..3d41865c630 100644
--- a/toolkit/mozapps/shared/src/badCertHandler.js
+++ b/toolkit/mozapps/shared/src/badCertHandler.js
@@ -69,25 +69,6 @@ function BadCertHandler() {
 }
 BadCertHandler.prototype = {
 
-  // nsIBadCertListener
-  confirmUnknownIssuer: function(socketInfo, cert, certAddType) {
-    LOG("EM BadCertHandler: Unknown issuer");
-    return false;
-  },
-
-  confirmMismatchDomain: function(socketInfo, targetURL, cert) {
-    LOG("EM BadCertHandler: Mismatched domain");
-    return false;
-  },
-
-  confirmCertExpired: function(socketInfo, cert) {
-    LOG("EM BadCertHandler: Expired certificate");
-    return false;
-  },
-
-  notifyCrlNextupdate: function(socketInfo, targetURL, cert) {
-  },
-
   // nsIChannelEventSink
   onChannelRedirect: function(oldChannel, newChannel, flags) {
     // make sure the certificate of the old channel checks out before we follow
diff --git a/xpinstall/src/nsXPInstallManager.cpp b/xpinstall/src/nsXPInstallManager.cpp
index 3de44c57352..1be65120d21 100644
--- a/xpinstall/src/nsXPInstallManager.cpp
+++ b/xpinstall/src/nsXPInstallManager.cpp
@@ -140,7 +140,7 @@ NS_IMPL_THREADSAFE_ISUPPORTS11(nsXPInstallManager,
                                nsIProgressEventSink,
                                nsIInterfaceRequestor,
                                nsPICertNotification,
-                               nsIBadCertListener,
+                               nsIBadCertListener2,
                                nsIChannelEventSink,
                                nsISupportsWeakReference)
 
@@ -1253,7 +1253,7 @@ nsXPInstallManager::GetInterface(const nsIID & eventSinkIID, void* *_retval)
         *_retval = p;
         return NS_OK;
     }
-    else if (eventSinkIID.Equals(NS_GET_IID(nsIBadCertListener))) {
+    else if (eventSinkIID.Equals(NS_GET_IID(nsIBadCertListener2))) {
         // If we aren't chrome triggered fall back to the default dialogs
         if (!mFromChrome)
             return NS_ERROR_NO_INTERFACE;
@@ -1271,31 +1271,14 @@ nsXPInstallManager::OnChannelRedirect(nsIChannel *oldChannel, nsIChannel *newCha
     return NS_OK;
 }
 
-// nsIBadCertListener methods
+// nsIBadCertListener2 methods
 NS_IMETHODIMP
-nsXPInstallManager::ConfirmUnknownIssuer(nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRInt16 *certAddType, PRBool *_retval)
-{
-    *_retval = PR_FALSE;
-    return NS_OK;
-}
-
-NS_IMETHODIMP
-nsXPInstallManager::ConfirmMismatchDomain(nsIInterfaceRequestor *socketInfo, const nsACString & targetURL, nsIX509Cert *cert, PRBool *_retval)
-{
-    *_retval = PR_FALSE;
-    return NS_OK;
-}
-
-NS_IMETHODIMP
-nsXPInstallManager::ConfirmCertExpired(nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRBool *_retval)
-{
-    *_retval = PR_FALSE;
-    return NS_OK;
-}
-
-NS_IMETHODIMP
-nsXPInstallManager::NotifyCrlNextupdate(nsIInterfaceRequestor *socketInfo, const nsACString & targetURL, nsIX509Cert *cert)
+nsXPInstallManager::NotifyCertProblem(nsIInterfaceRequestor *socketInfo, 
+                                      nsISSLStatus *status, 
+                                      const nsACString &targetSite, 
+                                      PRBool *_retval)
 {
+    *_retval = PR_TRUE;
     return NS_OK;
 }
 
diff --git a/xpinstall/src/nsXPInstallManager.h b/xpinstall/src/nsXPInstallManager.h
index 59b16517835..38fef23b7ec 100644
--- a/xpinstall/src/nsXPInstallManager.h
+++ b/xpinstall/src/nsXPInstallManager.h
@@ -56,7 +56,7 @@
 #include "nsIChromeRegistry.h"
 #include "nsIDOMWindowInternal.h"
 #include "nsIObserver.h"
-#include "nsIBadCertListener.h"
+#include "nsIBadCertListener2.h"
 #include "nsIChannelEventSink.h"
 #include "nsIXPIInstallInfo.h"
 
@@ -86,7 +86,7 @@ class nsXPInstallManager : public nsIXPIListener,
                            public nsIProgressEventSink,
                            public nsIInterfaceRequestor,
                            public nsPICertNotification,
-                           public nsIBadCertListener,
+                           public nsIBadCertListener2,
                            public nsIChannelEventSink,
                            public nsSupportsWeakReference
 {
@@ -104,7 +104,7 @@ class nsXPInstallManager : public nsIXPIListener,
         NS_DECL_NSIREQUESTOBSERVER
         NS_DECL_NSIINTERFACEREQUESTOR
         NS_DECL_NSPICERTNOTIFICATION
-        NS_DECL_NSIBADCERTLISTENER
+        NS_DECL_NSIBADCERTLISTENER2
         NS_DECL_NSICHANNELEVENTSINK
 
         NS_IMETHOD InitManager(nsIDOMWindowInternal* aParentWindow, nsXPITriggerInfo* aTrigger, PRUint32 aChromeType );