--- a/testing/mochitest/ssltunnel/ssltunnel.cpp
+++ b/testing/mochitest/ssltunnel/ssltunnel.cpp
@@ -349,23 +349,23 @@ bool ReadConnectRequest(server_info_t* s
 }
 
 bool ConfigureSSLServerSocket(PRFileDesc* socket, server_info_t* si, const string &certificate,
                               const client_auth_option clientAuth, int32_t flags)
 {
   const char* certnick = certificate.empty() ?
       si->cert_nickname.c_str() : certificate.c_str();
 
-  ScopedCERTCertificate cert(PK11_FindCertFromNickname(certnick, nullptr));
+  UniqueCERTCertificate cert(PK11_FindCertFromNickname(certnick, nullptr));
   if (!cert) {
     LOG_ERROR(("Failed to find cert %s\n", certnick));
     return false;
   }
 
-  ScopedSECKEYPrivateKey privKey(PK11_FindKeyByAnyCert(cert, nullptr));
+  UniqueSECKEYPrivateKey privKey(PK11_FindKeyByAnyCert(cert.get(), nullptr));
   if (!privKey) {
     LOG_ERROR(("Failed to find private key\n"));
     return false;
   }
 
   PRFileDesc* ssl_socket = SSL_ImportFD(nullptr, socket);
   if (!ssl_socket) {
     LOG_ERROR(("Error importing SSL socket\n"));
@@ -373,18 +373,18 @@ bool ConfigureSSLServerSocket(PRFileDesc
   }
 
   if (flags & FAIL_HANDSHAKE) {
     // deliberately cause handshake to fail by sending the client a client hello
     SSL_ResetHandshake(ssl_socket, false);
     return true;
   }
 
-  SSLKEAType certKEA = NSS_FindCertKEAType(cert);
-  if (SSL_ConfigSecureServer(ssl_socket, cert, privKey, certKEA)
+  SSLKEAType certKEA = NSS_FindCertKEAType(cert.get());
+  if (SSL_ConfigSecureServer(ssl_socket, cert.get(), privKey.get(), certKEA)
       != SECSuccess) {
     LOG_ERROR(("Error configuring SSL server socket\n"));
     return false;
   }
 
   SSL_OptionSet(ssl_socket, SSL_SECURITY, true);
   SSL_OptionSet(ssl_socket, SSL_HANDSHAKE_AS_CLIENT, false);
   SSL_OptionSet(ssl_socket, SSL_HANDSHAKE_AS_SERVER, true);
@@ -574,79 +574,80 @@ bool AdjustRequestURI(relayBuffer& buffe
 
   memmove(path + hostlength, path, buffer.buffertail - path);
   memcpy(path, host->c_str(), hostlength);
   buffer.buffertail += hostlength;
 
   return true;
 }
 
-bool ConnectSocket(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime timeout)
+bool ConnectSocket(UniquePRFileDesc& fd, const PRNetAddr* addr,
+                   PRIntervalTime timeout)
 {
-  PRStatus stat = PR_Connect(fd, addr, timeout);
+  PRStatus stat = PR_Connect(fd.get(), addr, timeout);
   if (stat != PR_SUCCESS)
     return false;
 
   PRSocketOptionData option;
   option.option = PR_SockOpt_Nonblocking;
   option.value.non_blocking = true;
-  PR_SetSocketOption(fd, &option);
+  PR_SetSocketOption(fd.get(), &option);
 
   return true;
 }
 
 /*
  * Handle an incoming client connection. The server thread has already
  * accepted the connection, so we just need to connect to the remote
  * port and then proxy data back and forth.
  * The data parameter is a connection_info_t*, and must be deleted
  * by this function.
  */
 void HandleConnection(void* data)
 {
   connection_info_t* ci = static_cast<connection_info_t*>(data);
   PRIntervalTime connect_timeout = PR_SecondsToInterval(30);
 
-  ScopedPRFileDesc other_sock(PR_NewTCPSocket());
+  UniquePRFileDesc other_sock(PR_NewTCPSocket());
   bool client_done = false;
   bool client_error = false;
   bool connect_accepted = !do_http_proxy;
   bool ssl_updated = !do_http_proxy;
   bool expect_request_start = do_http_proxy;
   string certificateToUse;
   string locationHeader;
   client_auth_option clientAuth;
   string fullHost;
   int32_t flags = 0;
 
   LOG_DEBUG(("SSLTUNNEL(%p)): incoming connection csock(0)=%p, ssock(1)=%p\n",
          static_cast<void*>(data),
          static_cast<void*>(ci->client_sock),
-         static_cast<void*>(other_sock)));
-  if (other_sock) 
+         static_cast<void*>(other_sock.get())));
+  if (other_sock)
   {
     int32_t numberOfSockets = 1;
 
     relayBuffer buffers[2];
 
     if (!do_http_proxy)
     {
       if (!ConfigureSSLServerSocket(ci->client_sock, ci->server_info,
                                     certificateToUse, caNone, flags))
         client_error = true;
       else if (!ConnectSocket(other_sock, &remote_addr, connect_timeout))
         client_error = true;
       else
         numberOfSockets = 2;
     }
 
-    PRPollDesc sockets[2] = 
-    { 
+    PRPollDesc sockets[2] =
+    {
       {ci->client_sock, PR_POLL_READ, 0},
-      {other_sock, PR_POLL_READ, 0}
+      {other_sock.get(), PR_POLL_READ, 0}
     };
     bool socketErrorState[2] = {false, false};
 
     while (!((client_error||client_done) && buffers[0].empty() && buffers[1].empty()))
     {
       sockets[0].in_flags |= PR_POLL_EXCEPT;
       sockets[1].in_flags |= PR_POLL_EXCEPT;
       LOG_DEBUG(("SSLTUNNEL(%p)): polling flags csock(0)=%c%c, ssock(1)=%c%c\n",
@@ -939,17 +940,17 @@ void HandleConnection(void* data)
     } // while, poll
   }
   else
     client_error = true;
 
   LOG_DEBUG(("SSLTUNNEL(%p)): exiting root function for csock=%p, ssock=%p\n",
              static_cast<void*>(data),
              static_cast<void*>(ci->client_sock),
-             static_cast<void*>(other_sock)));
+             static_cast<void*>(other_sock.get())));
   if (!client_error)
     PR_Shutdown(ci->client_sock, PR_SHUTDOWN_SEND);
   PR_Close(ci->client_sock);
 
   delete ci;
 }
 
 /*
@@ -958,55 +959,55 @@ void HandleConnection(void* data)
  * The data parameter is a server_info_t*, owned by the calling
  * function.
  */
 void StartServer(void* data)
 {
   server_info_t* si = static_cast<server_info_t*>(data);
 
   //TODO: select ciphers?
-  ScopedPRFileDesc listen_socket(PR_NewTCPSocket());
+  UniquePRFileDesc listen_socket(PR_NewTCPSocket());
   if (!listen_socket) {
     LOG_ERROR(("failed to create socket\n"));
     SignalShutdown();
     return;
   }
 
   // In case the socket is still open in the TIME_WAIT state from a previous
   // instance of ssltunnel we ask to reuse the port.
   PRSocketOptionData socket_option;
   socket_option.option = PR_SockOpt_Reuseaddr;
   socket_option.value.reuse_addr = true;
-  PR_SetSocketOption(listen_socket, &socket_option);
+  PR_SetSocketOption(listen_socket.get(), &socket_option);
 
   PRNetAddr server_addr;
   PR_InitializeNetAddr(PR_IpAddrAny, si->listen_port, &server_addr);
-  if (PR_Bind(listen_socket, &server_addr) != PR_SUCCESS) {
+  if (PR_Bind(listen_socket.get(), &server_addr) != PR_SUCCESS) {
     LOG_ERROR(("failed to bind socket on port %d: error %d\n", si->listen_port, PR_GetError()));
     SignalShutdown();
     return;
   }
 
-  if (PR_Listen(listen_socket, 1) != PR_SUCCESS) {
+  if (PR_Listen(listen_socket.get(), 1) != PR_SUCCESS) {
     LOG_ERROR(("failed to listen on socket\n"));
     SignalShutdown();
     return;
   }
 
   LOG_INFO(("Server listening on port %d with cert %s\n", si->listen_port,
          si->cert_nickname.c_str()));
 
   while (!shutdown_server) {
     connection_info_t* ci = new connection_info_t();
     ci->server_info = si;
     ci->http_proxy_only = do_http_proxy;
     // block waiting for connections
-    ci->client_sock = PR_Accept(listen_socket, &ci->client_addr,
+    ci->client_sock = PR_Accept(listen_socket.get(), &ci->client_addr,
                                 PR_INTERVAL_NO_TIMEOUT);
-    
+
     PRSocketOptionData option;
     option.option = PR_SockOpt_Nonblocking;
     option.value.non_blocking = true;
     PR_SetSocketOption(ci->client_sock, &option);
 
     if (ci->client_sock)
       // Not actually using this PRJob*...
       //PRJob* job =