Index: net/third_party/nss/ssl/ssl.h |
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h |
index b0e77df514dbd67fe920bf98b9f06a00c5e87779..60fc9b568c8f7a3171f6768743ad3240ab3187c5 100644 |
--- a/net/third_party/nss/ssl/ssl.h |
+++ b/net/third_party/nss/ssl/ssl.h |
@@ -128,6 +128,17 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); |
/* Renegotiation Info (RI) */ |
/* extension in ALL handshakes. */ |
/* default: off */ |
+#define SSL_ENABLE_FALSE_START 22 /* Enable SSL false start (off by */ |
+ /* default, applies only to */ |
+ /* clients). False start is a */ |
+/* mode where an SSL client will start sending application data before */ |
+/* verifing the server's Finished message. This means that we could end up */ |
wtc
2010/02/20 00:39:51
Typo: verifing => verifying
|
+/* sending data to an imposter. However, the data will be encrypted and */ |
+/* only the true server can decrypt the session key. Thus, so long as the */ |
wtc
2010/02/20 00:39:51
Nit: "can decrypt the session key" isn't entirely
|
+/* cipher isn't broken this is safe. Because of this, False Start will only */ |
+/* occur on RSA ciphersuites where the cipher's key length is >= 80 bits. */ |
wtc
2010/02/20 00:39:51
Why only RSA ciphersuites?
|
+/* The advantage of False Start is that it saves a round trip for */ |
+/* client-speaks-first protocols when performing a full handshake. */ |
#ifdef SSL_DEPRECATED_FUNCTION |
/* Old deprecated function names */ |