net: don't do TLS False Start with RC4.

net/third_party/nss/ssl/ssl3con.c

Index: net/third_party/nss/ssl/ssl3con.c
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index ee960890f836fb8bdb2ec76ca64bc1145f793d5b..18ed5395c8ff674d4d1a92f3cf87fe865f85a56e 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6411,12 +6411,18 @@ ssl3_CanFalseStart(sslSocket *ss) {
 	  * do False Start in the case that the selected ciphersuite is
 	  * sufficiently strong that the attack can gain no advantage.
 	  * Therefore we require an 80-bit cipher and a forward-secret key
-	  * exchange. */
+	  * exchange.
+	  *
+	  * Although RC4 has more than 80 bits of key, biases in the RC4
+	  * keystream make it unsuitable for False Start because an attacker
+	  * can cause the same plaintext to be transmitted under many different
+	  * keys. */
 	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
 	(ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
 	 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
 	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
+	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) &&
+	 ss->ssl3.cwSpec->cipher_def->cipher != cipher_rc4;
     ssl_ReleaseSpecReadLock(ss);
     return rv;
 }