net: don't do TLS False Start with RC4.

net/third_party/nss/ssl/ssl3con.c

Index: net/third_party/nss/ssl/ssl3con.c
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index ee960890f836fb8bdb2ec76ca64bc1145f793d5b..abc1db00a66830d82e8c5fe7cfe60fd41942e1b7 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6411,12 +6411,17 @@ ssl3_CanFalseStart(sslSocket *ss) {
 	  * do False Start in the case that the selected ciphersuite is
 	  * sufficiently strong that the attack can gain no advantage.
 	  * Therefore we require an 80-bit cipher and a forward-secret key
-	  * exchange. */
+	  * exchange.
+	  *
+	  * Although RC4 has more than 80 bits of key, biases in the RC4
+	  * keystream make its effective security level significantly less.
+	  * Because of this, RC4 is not suitable for False Start. */

[wtc, 2013/04/16 21:06:45]

agl wrote:
Thank you for the explanation. I think I got it now. It would
be good to add this to the comment. Note: your use of
"uniformity" is not clear to me. (I believe you meant
"lack of biases".)  Could you reword it? Thanks.

[agl, 2013/04/19 14:49:39]

Done.

 	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
 	(ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
 	 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
 	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
+	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) &&
+	 ss->ssl3.cwSpec->cipher_def->cipher != cipher_rc4;
     ssl_ReleaseSpecReadLock(ss);
     return rv;
 }