net: Precede each CBC encrypted application data record with an empty one.

net/third_party/nss/README.chromium

 Name: Network Security Services (NSS)
 URL: http://www.mozilla.org/projects/security/pki/nss/
 
 This directory includes a copy of NSS's libssl from the CVS repo at:
   :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
 
 The snapshot was updated to the CVS tag: NSS_3_12_9_RTM
 
 Patches:
 
@@ skipping 25 matching lines @@
   * Add support for client auth with native crypto APIs on Mac and Windows
     patches/clientauth.patch
     ssl/sslplatf.c
 
   * Don't send a client certificate when renegotiating if the peer does not
     request one. This only happened if the previous key exchange algorithm
     was non-RSA.
     patches/clientauth.patch
     https://bugzilla.mozilla.org/show_bug.cgi?id=616757
 
+  * Preceed each CBC encrypted application data record with an empty

[wtc, 2011/06/23 23:58:33]

Typo: Preceed => Precede

IMPORTANT: the patch does not do exactly what you described
here.  The patch adds an empty application data record for
each call to ssl3_SendApplicationData, which may send
multiple application data records if the data length is
greater than MAX_FRAGMENT_LENGTH.

I believe what the patch does is good enough, and we
should simply change the description here to match the code.

[agl, 2011/06/24 18:50:18]

Done.

+    application data record in order to randomize the IV in a backwards
+    compatible manner.
+    patches/cbcrandomiv.patch
+
 Apply the patches to NSS by running the patches/applypatches.sh script.  Read
 the comments at the top of patches/applypatches.sh for instructions.
 
 The ssl/bodge directory contains files taken from the NSS repo that we required
 for building libssl outside of its usual build environment.