Update net/third_party/nss to NSS 3.15.4.

net/third_party/nss/patches/resumeclienthelloversion.patch

-diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
-index d22a7d6..a7617fb 100644
---- a/nss/lib/ssl/ssl3con.c
-+++ b/nss/lib/ssl/ssl3con.c
-@@ -2865,12 +2865,14 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
-  *    Forces the use of the provided epoch
-  * ssl_SEND_FLAG_CAP_RECORD_VERSION
-  *    Caps the record layer version number of TLS ClientHello to { 3, 1 }
-- *    (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore 
-+ *    (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
-  *    ClientHello.client_version and use the record layer version number
-  *    (TLSPlaintext.version) instead when negotiating protocol versions. In
-  *    addition, if the record layer version number of ClientHello is { 3, 2 }
-- *    (TLS 1.1) or higher, these servers reset the TCP connections. Set this
-- *    flag to work around such servers.
-+ *    (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
-+ *    some F5 BIG-IP servers hang if a record containing a ClientHello has a
-+ *    version greater than 0x0301 and a length greater than 255. Set this flag
-+ *    to work around such servers.
-  */
- PRInt32
- ssl3_SendRecord(   sslSocket *        ss,
-@@ -5363,7 +5365,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
-     }
- 
-     flags = 0;
--    if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) {
-+    if (!ss->firstHsDone && !IS_DTLS(ss)) {
-        flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
-     }
-     rv = ssl3_FlushHandshake(ss, flags);