net: don't do TLS False Start with RC4.

net/third_party/nss/patches/norc4falsestart.patch

Index: net/third_party/nss/patches/norc4falsestart.patch
diff --git a/net/third_party/nss/patches/norc4falsestart.patch b/net/third_party/nss/patches/norc4falsestart.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e4e102f0fe8a235c8554649ed6e3b34c7c2f19a2
--- /dev/null
+++ b/net/third_party/nss/patches/norc4falsestart.patch
@@ -0,0 +1,25 @@
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
+index ee96089..18ed539 100644
+--- a/net/third_party/nss/ssl/ssl3con.c
++++ b/net/third_party/nss/ssl/ssl3con.c
+@@ -6411,12 +6411,18 @@ ssl3_CanFalseStart(sslSocket *ss) {
+ 	  * do False Start in the case that the selected ciphersuite is
+ 	  * sufficiently strong that the attack can gain no advantage.
+ 	  * Therefore we require an 80-bit cipher and a forward-secret key
+-	  * exchange. */
++	  * exchange.
++	  *
++	  * Although RC4 has more than 80 bits of key, biases in the RC4
++	  * keystream make it unsuitable for False Start because an attacker
++	  * can cause the same plaintext to be transmitted under many different
++	  * keys. */
+ 	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
+ 	(ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+ 	 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+ 	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+-	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
++	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) &&
++	 ss->ssl3.cwSpec->cipher_def->cipher != cipher_rc4;
+     ssl_ReleaseSpecReadLock(ss);
+     return rv;
+ }