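diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index ee96089..18ed539 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6411,12 +6411,18 @@ ssl3_CanFalseStart(sslSocket *ss) {
  * do False Start in the case that the selected ciphersuite is
  * sufficiently strong that the attack can gain no advantage.
  * Therefore we require an 80-bit cipher and a forward-secret key
- * exchange. */
+ * exchange.
+ *
+ * Although RC4 has more than 80 bits of key, biases in the RC4
+ * keystream make it unsuitable for False Start because an attacker
+ * can cause the same plaintext to be transmitted under many different
+ * keys. */
  ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
  (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
  ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
  ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
- ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
+ ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) &&
+ ss->ssl3.cwSpec->cipher_def->cipher != cipher_rc4;
  ssl_ReleaseSpecReadLock(ss);
  return rv;
 }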
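Review bot: The new `cipher_def->cipher != cipher_rc4` term is a one-entry denylist, so every other bulk cipher with `secret_key_size >= 10` still qualifies for False Start, and the policy has to be revisited by hand each time a cipher is found weak or a new one is added. An explicit allowlist of the bulk ciphers judged safe for False Start would fail closed instead. If the denylist stays, the comment should say how the reduced-key RC4 variants are handled, for example `* (The export-grade RC4 variants are presumably rejected by the secret_key_size test above; confirm against the cipher table.)`. The start of ssl3_CanFalseStart, including the opening of this expression and the matching spec read-lock acquisition, lies above the hunk, so the other conditions combined with these could not be checked here.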