Backed out 2 changesets (bug 1247250) for bustage. r=bustage on a CLOSED TREE

Backed out changeset 8aded3a039f5 (bug 1247250)
Backed out changeset 374e6d0abf0e (bug 1247250)

config/external/nss/nss.symbols

@@ -673,7 +673,6 @@ SSL_PeerCertificateChain
 SSL_PeerStapledOCSPResponses
 SSL_ResetHandshake
 SSL_SetCanFalseStartCallback
-SSL_SetDowngradeCheckVersion
 SSL_SetNextProtoNego
 SSL_SetPKCS11PinArg
 SSL_SetSockPeerID

security/manager/ssl/nsNSSIOLayer.cpp

@@ -1078,10 +1078,7 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo)
                                  nsIWebProgressListener::STATE_USES_SSL_3);
   }
 
-  // NSS will return SSL_ERROR_RX_MALFORMED_SERVER_HELLO if anti-downgrade
-  // detected the downgrade.
-  if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT ||
-      err == SSL_ERROR_RX_MALFORMED_SERVER_HELLO) {
+  if (err == SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT) {
     // This is a clear signal that we've fallen back too many versions.  Treat
     // this as a hard failure, but forget any intolerance so that later attempts
     // don't use this version (i.e., range.max) and trigger the error again.
@@ -2558,10 +2555,6 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
     if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, true)) {
       return NS_ERROR_FAILURE;
     }
-    // tell NSS the max enabled version to make anti-downgrade effective
-    if (SECSuccess != SSL_SetDowngradeCheckVersion(fd, maxEnabledVersion)) {
-      return NS_ERROR_FAILURE;
-    }
   }
 
   bool enabled = infoObject->SharedState().IsOCSPStaplingEnabled();