Index: net/third_party/nss/patches/norc4falsestart.patch |
diff --git a/net/third_party/nss/patches/norc4falsestart.patch b/net/third_party/nss/patches/norc4falsestart.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..e4e102f0fe8a235c8554649ed6e3b34c7c2f19a2 |
--- /dev/null |
+++ b/net/third_party/nss/patches/norc4falsestart.patch |
@@ -0,0 +1,25 @@ |
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c |
+index ee96089..18ed539 100644 |
+--- a/net/third_party/nss/ssl/ssl3con.c |
++++ b/net/third_party/nss/ssl/ssl3con.c |
+@@ -6411,12 +6411,18 @@ ssl3_CanFalseStart(sslSocket *ss) { |
+ * do False Start in the case that the selected ciphersuite is |
+ * sufficiently strong that the attack can gain no advantage. |
+ * Therefore we require an 80-bit cipher and a forward-secret key |
+- * exchange. */ |
++ * exchange. |
++ * |
++ * Although RC4 has more than 80 bits of key, biases in the RC4 |
++ * keystream make it unsuitable for False Start because an attacker |
++ * can cause the same plaintext to be transmitted under many different |
++ * keys. */ |
+ ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 && |
+ (ss->ssl3.hs.kea_def->kea == kea_dhe_dss || |
+ ss->ssl3.hs.kea_def->kea == kea_dhe_rsa || |
+ ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa || |
+- ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa); |
++ ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) && |
++ ss->ssl3.cwSpec->cipher_def->cipher != cipher_rc4; |
+ ssl_ReleaseSpecReadLock(ss); |
+ return rv; |
+ } |