Make SSL False Start work with asynchronous certificate validation

net/third_party/nss/patches/canfalsestart.patch

+Index: net/third_party/nss/ssl/ssl.h
+===================================================================
+--- net/third_party/nss/ssl/ssl.h       (revision 227363)
++++ net/third_party/nss/ssl/ssl.h       (working copy)
+@@ -121,14 +121,22 @@
+ #define SSL_ENABLE_FALSE_START         22 /* Enable SSL false start (off by */
+                                           /* default, applies only to       */
+                                           /* clients). False start is a     */
+-/* mode where an SSL client will start sending application data before      */
+-/* verifying the server's Finished message. This means that we could end up */
+-/* sending data to an imposter. However, the data will be encrypted and     */
+-/* only the true server can derive the session key. Thus, so long as the    */
+-/* cipher isn't broken this is safe. Because of this, False Start will only */
+-/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80   */
+-/* bits. The advantage of False Start is that it saves a round trip for     */
+-/* client-speaks-first protocols when performing a full handshake.          */
++/* mode where an SSL client will start sending application data before
++ * verifying the server's Finished message. This means that we could end up
++ * sending data to an imposter. However, the data will be encrypted and
++ * only the true server can derive the session key. Thus, so long as the
++ * cipher isn't broken this is safe. The advantage of false start is that
++ * it saves a round trip for client-speaks-first protocols when performing a
++ * full handshake.
++ *
++ * See SSL_DefaultCanFalseStart for the default criteria that NSS uses to
++ * determine whether to false start or not. See SSL_SetCanFalseStartCallback
++ * for how to change that criteria. In addition to those criteria, false start
++ * will only be done when the server selects a cipher suite with an effective
++ * key length of 80 bits or more (including RC4-128). Also, see
++ * SSL_HandshakeCallback for a description on how false start affects when the
++ * handshake callback gets called.
++ */
+ 
+ /* For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks
+  * on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting
+@@ -741,14 +749,59 @@
+ SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
+ 
+ /*
+-** Set the callback on a particular socket that gets called when we finish
+-** performing a handshake.
++** Set the callback that normally gets called when the TLS handshake
++** is complete. If false start is not enabled, then the handshake callback is
++** called after verifying the peer's Finished message and before sending
++** outgoing application data and before processing incoming application data.
++**
++** If false start is enabled and there is a custom CanFalseStartCallback
++** callback set, then the handshake callback gets called after the peer's
++** Finished message has been verified, which may be after application data is
++** sent.
++**
++** If false start is enabled and there is not a custom CanFalseStartCallback
++** callback established with SSL_SetCanFalseStartCallback then the handshake
++** callback gets called before any application data is sent, which may be
++** before the peer's Finished message has been verified.
+ */
+ typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
+                                                  void *client_data);
+ SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
+                                  SSLHandshakeCallback cb, void *client_data);
+ 
++/* Applications that wish to customize TLS false start should set this callback
++** function. NSS will invoke the functon to determine if a particular
++** connection should use false start or not. SECSuccess indicates that the
++** callback completed successfully, and if so *canFalseStart indicates if false
++** start can be used. If the callback does not return SECSuccess then the
++** handshake will be canceled.
++**
++** Applications that do not set the callback will use an internal set of
++** criteria to determine if the connection should false start. If
++** the callback is set false start will never be used without invoking the
++** callback function, but some connections (e.g. resumed connections) will
++** never use false start and therefore will not invoke the callback.
++**
++** NSS's internal criteria for this connection can be evaluated by calling
++** SSL_DefaultCanFalseStart() from the custom callback.
++**
++** See the description of SSL_HandshakeCallback for important information on
++** how registering a custom false start callback affects when the handshake
++** callback gets called.
++**/
++typedef SECStatus (PR_CALLBACK *SSLCanFalseStartCallback)(
++    PRFileDesc *fd, void *arg, PRBool *canFalseStart);
++
++SSL_IMPORT SECStatus SSL_SetCanFalseStartCallback(
++    PRFileDesc *fd, SSLCanFalseStartCallback callback, void *arg);
++
++/* A utility function that can be called from a custom CanFalseStartCallback
++** function to determine what NSS would have done for this connection if the
++** custom callback was not implemented.
++**/
++SSL_IMPORT SECStatus SSL_DefaultCanFalseStart(PRFileDesc *fd,
++                                              PRBool *canFalseStart);
++
+ /*
+ ** For the server, request a new handshake.  For the client, begin a new
+ ** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
+Index: net/third_party/nss/ssl/ssl3gthr.c
+===================================================================
+--- net/third_party/nss/ssl/ssl3gthr.c  (revision 227363)
++++ net/third_party/nss/ssl/ssl3gthr.c  (working copy)
+@@ -374,9 +374,7 @@
+         */
+        if (ss->opt.enableFalseStart) {
+            ssl_GetSSL3HandshakeLock(ss);
+-           canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
+-                            ss->ssl3.hs.ws == wait_new_session_ticket) &&
+-                           ssl3_CanFalseStart(ss);
++           canFalseStart = ss->ssl3.hs.canFalseStart;
+            ssl_ReleaseSSL3HandshakeLock(ss);
+        }
+     } while (ss->ssl3.hs.ws != idle_handshake &&
+Index: net/third_party/nss/ssl/sslinfo.c
+===================================================================
+--- net/third_party/nss/ssl/sslinfo.c   (revision 227363)
++++ net/third_party/nss/ssl/sslinfo.c   (working copy)
+@@ -26,7 +26,6 @@
+     sslSocket *      ss;
+     SSLChannelInfo   inf;
+     sslSessionID *   sid;
+-    PRBool           enoughFirstHsDone = PR_FALSE;
+ 
+     if (!info || len < sizeof inf.length) { 
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -43,14 +42,7 @@
+     memset(&inf, 0, sizeof inf);
+     inf.length = PR_MIN(sizeof inf, len);
+ 
+-    if (ss->firstHsDone) {
+-       enoughFirstHsDone = PR_TRUE;
+-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+-              ssl3_CanFalseStart(ss)) {
+-       enoughFirstHsDone = PR_TRUE;
+-    }
+-
+-    if (ss->opt.useSecurity && enoughFirstHsDone) {
++    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
+         sid = ss->sec.ci.sid;
+        inf.protocolVersion  = ss->version;
+        inf.authKeyBits      = ss->sec.authKeyBits;
+Index: net/third_party/nss/ssl/sslauth.c
+===================================================================
+--- net/third_party/nss/ssl/sslauth.c   (revision 227363)
++++ net/third_party/nss/ssl/sslauth.c   (working copy)
+@@ -100,7 +100,6 @@
+     sslSocket *ss;
+     const char *cipherName;
+     PRBool isDes = PR_FALSE;
+-    PRBool enoughFirstHsDone = PR_FALSE;
+ 
+     ss = ssl_FindSocket(fd);
+     if (!ss) {
+@@ -118,14 +117,7 @@
+        *op = SSL_SECURITY_STATUS_OFF;
+     }
+ 
+-    if (ss->firstHsDone) {
+-       enoughFirstHsDone = PR_TRUE;
+-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+-              ssl3_CanFalseStart(ss)) {
+-       enoughFirstHsDone = PR_TRUE;
+-    }
+-
+-    if (ss->opt.useSecurity && enoughFirstHsDone) {
++    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
+        if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+            cipherName = ssl_cipherName[ss->sec.cipherType];
+        } else {
+Index: net/third_party/nss/ssl/sslimpl.h
+===================================================================
+--- net/third_party/nss/ssl/sslimpl.h   (revision 227363)
++++ net/third_party/nss/ssl/sslimpl.h   (working copy)
+@@ -881,6 +881,8 @@
+     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
+     PRBool                cacheSID;
+ 
++    PRBool                canFalseStart;   /* Can/did we False Start */
++
+     /* clientSigAndHash contains the contents of the signature_algorithms
+      * extension (if any) from the client. This is only valid for TLS 1.2
+      * or later. */
+@@ -1162,6 +1164,10 @@
+     unsigned long    clientAuthRequested;
+     unsigned long    delayDisabled;       /* Nagle delay disabled */
+     unsigned long    firstHsDone;         /* first handshake is complete. */
++    unsigned long    enoughFirstHsDone;   /* enough of the first handshake is
++                                          * done for callbacks to be able to
++                                          * retrieve channel security
++                                          * parameters from the SSL socket. */
+     unsigned long    handshakeBegun;     
+     unsigned long    lastWriteBlocked;   
+     unsigned long    recvdCloseNotify;    /* received SSL EOF. */
+@@ -1210,6 +1216,8 @@
+     void                     *badCertArg;
+     SSLHandshakeCallback      handshakeCallback;
+     void                     *handshakeCallbackData;
++    SSLCanFalseStartCallback  canFalseStartCallback;
++    void                     *canFalseStartCallbackData;
+     void                     *pkcs11PinArg;
+     SSLNextProtoCallback      nextProtoCallback;
+     void                     *nextProtoArg;
+@@ -1423,7 +1431,6 @@
+ 
+ extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
+ 
+-extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
+ extern SECStatus
+ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
+                              PRBool             isServer,
+Index: net/third_party/nss/ssl/sslsecur.c
+===================================================================
+--- net/third_party/nss/ssl/sslsecur.c  (revision 227363)
++++ net/third_party/nss/ssl/sslsecur.c  (working copy)
+@@ -99,21 +99,12 @@
+        if (ss->handshake == 0) {
+            ssl_GetRecvBufLock(ss);
+            ss->gs.recordLen = 0;
++           ss->gs.writeOffset = 0;
++           ss->gs.readOffset = 0;
+            ssl_ReleaseRecvBufLock(ss);
+ 
+            SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
+                        SSL_GETPID(), ss->fd));
+-            /* call handshake callback for ssl v2 */
+-           /* for v3 this is done in ssl3_HandleFinished() */
+-           if ((ss->handshakeCallback != NULL) && /* has callback */
+-               (!ss->firstHsDone) &&              /* only first time */
+-               (ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
+-               ss->firstHsDone     = PR_TRUE;
+-               (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+-           }
+-           ss->firstHsDone         = PR_TRUE;
+-           ss->gs.writeOffset = 0;
+-           ss->gs.readOffset  = 0;
+            break;
+        }
+        rv = (*ss->handshake)(ss);
+@@ -206,6 +197,7 @@
+     ssl_Get1stHandshakeLock(ss);
+ 
+     ss->firstHsDone = PR_FALSE;
++    ss->enoughFirstHsDone = PR_FALSE;
+     if ( asServer ) {
+        ss->handshake = ssl2_BeginServerHandshake;
+        ss->handshaking = sslHandshakingAsServer;
+@@ -221,6 +213,8 @@
+     ssl_ReleaseRecvBufLock(ss);
+ 
+     ssl_GetSSL3HandshakeLock(ss);
++    ss->ssl3.hs.canFalseStart = PR_FALSE;
++    ss->ssl3.hs.restartTarget = NULL;
+ 
+     /*
+     ** Blow away old security state and get a fresh setup.
+@@ -266,7 +260,7 @@
+ 
+     /* SSL v2 protocol does not support subsequent handshakes. */
+     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+-       PORT_SetError(SEC_ERROR_INVALID_ARGS);
++       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+        rv = SECFailure;
+     } else {
+        ssl_GetSSL3HandshakeLock(ss);
+@@ -331,6 +325,75 @@
+     return SECSuccess;
+ }
+ 
++/* Register an application callback to be called when false start may happen.
++** Acquires and releases HandshakeLock.
++*/
++SECStatus
++SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
++                            void *client_data)
++{
++    sslSocket *ss;
++
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
++                SSL_GETPID(), fd));
++       return SECFailure;
++    }
++
++    if (!ss->opt.useSecurity) {
++       PORT_SetError(SEC_ERROR_INVALID_ARGS);
++       return SECFailure;
++    }
++
++    ssl_Get1stHandshakeLock(ss);
++    ssl_GetSSL3HandshakeLock(ss);
++
++    ss->canFalseStartCallback     = cb;
++    ss->canFalseStartCallbackData = client_data;
++
++    ssl_ReleaseSSL3HandshakeLock(ss);
++    ssl_Release1stHandshakeLock(ss);
++
++    return SECSuccess;
++}
++
++/* A utility function that can be called from a custom SSLCanFalseStartCallback
++** function to determine what NSS would have done for this connection if the
++** custom callback was not implemented.
++*/
++SECStatus
++SSL_DefaultCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
++{
++    sslSocket *ss;
++
++    *canFalseStart = PR_FALSE;
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DefaultCanFalseStart",
++                SSL_GETPID(), fd));
++       return SECFailure;
++    }
++
++    if (!ss->ssl3.initialized) {
++       PORT_SetError(SEC_ERROR_INVALID_ARGS);
++       return SECFailure;
++    }
++
++    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
++       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
++       return SECFailure;
++    }
++
++    /* Require a forward-secret key exchange. */
++    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
++                    ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
++                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
++                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
++
++    return SECSuccess;
++}
++
+ /* Try to make progress on an SSL handshake by attempting to read the 
+ ** next handshake from the peer, and sending any responses.
+ ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
+@@ -1195,12 +1258,7 @@
+        ssl_Get1stHandshakeLock(ss);
+        if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+            ssl_GetSSL3HandshakeLock(ss);
+-           if ((ss->ssl3.hs.ws == wait_change_cipher ||
+-               ss->ssl3.hs.ws == wait_finished ||
+-               ss->ssl3.hs.ws == wait_new_session_ticket) &&
+-               ssl3_CanFalseStart(ss)) {
+-               canFalseStart = PR_TRUE;
+-           }
++           canFalseStart = ss->ssl3.hs.canFalseStart;
+            ssl_ReleaseSSL3HandshakeLock(ss);
+        }
+        if (!canFalseStart &&
+Index: net/third_party/nss/ssl/sslsock.c
+===================================================================
+--- net/third_party/nss/ssl/sslsock.c   (revision 227363)
++++ net/third_party/nss/ssl/sslsock.c   (working copy)
+@@ -2457,10 +2457,14 @@
+            } else if (new_flags & PR_POLL_WRITE) {
+                    /* The caller is trying to write, but the handshake is 
+                    ** blocked waiting for data to read, and the first 
+-                   ** handshake has been sent.  so do NOT to poll on write.
++                   ** handshake has been sent.  So do NOT to poll on write
++                   ** unless we did false start.
+                    */
+-                   new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
+-                   new_flags |=  PR_POLL_READ;    /* do    select on read. */
++                   if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
++                       ss->ssl3.hs.canFalseStart)) {
++                       new_flags ^= PR_POLL_WRITE; /* don't select on write. */
++                   }
++                   new_flags |= PR_POLL_READ;      /* do    select on read. */
+            }
+        }
+     } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
+Index: net/third_party/nss/ssl/ssl3con.c
+===================================================================
+--- net/third_party/nss/ssl/ssl3con.c   (revision 227363)
++++ net/third_party/nss/ssl/ssl3con.c   (working copy)
+@@ -2890,7 +2890,7 @@
+     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
+                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
+                nIn));
+-    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
++    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
+ 
+     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+ 
+@@ -7344,35 +7344,42 @@
+     return rv;
+ }
+ 
+-PRBool
+-ssl3_CanFalseStart(sslSocket *ss) {
+-    PRBool rv;
++static SECStatus
++ssl3_CheckFalseStart(sslSocket *ss)
++{
++    SECStatus rv;
++    PRBool maybeFalseStart = PR_TRUE;
+ 
+     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
++    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
+ 
+-    /* XXX: does not take into account whether we are waiting for
+-     * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
+-     * that is done, this function could return different results each time it
+-     * would be called.
+-     */
++    /* An attacker can control the selected ciphersuite so we only wish to
++     * do False Start in the case that the selected ciphersuite is
++     * sufficiently strong that the attack can gain no advantage.
++     * Therefore we always require an 80-bit cipher. */
+ 
+     ssl_GetSpecReadLock(ss);
+-    rv = ss->opt.enableFalseStart &&
+-        !ss->sec.isServer &&
+-        !ss->ssl3.hs.isResuming &&
+-        ss->ssl3.cwSpec &&
++    if (ss->ssl3.cwSpec->cipher_def->secret_key_size < 10) {
++       ss->ssl3.hs.canFalseStart = PR_FALSE;
++       maybeFalseStart = PR_FALSE;
++    }
++    ssl_ReleaseSpecReadLock(ss);
++    if (!maybeFalseStart) {
++       return SECSuccess;
++    }
+ 
+-        /* An attacker can control the selected ciphersuite so we only wish to
+-         * do False Start in the case that the selected ciphersuite is
+-         * sufficiently strong that the attack can gain no advantage.
+-         * Therefore we require an 80-bit cipher and a forward-secret key
+-         * exchange. */
+-        ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
+-       (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+-        ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
+-    ssl_ReleaseSpecReadLock(ss);
++    if (!ss->canFalseStartCallback) {
++       rv = SSL_DefaultCanFalseStart(ss->fd, &ss->ssl3.hs.canFalseStart);
++    } else {
++       rv = (ss->canFalseStartCallback)(ss->fd,
++                                        ss->canFalseStartCallbackData,
++                                        &ss->ssl3.hs.canFalseStart);
++    }
++
++    if (rv != SECSuccess) {
++       ss->ssl3.hs.canFalseStart = PR_FALSE;
++    }
++
+     return rv;
+ }
+ 
+@@ -7500,20 +7507,59 @@
+        goto loser;     /* err code was set. */
+     }
+ 
+-    /* XXX: If the server's certificate hasn't been authenticated by this
+-     * point, then we may be leaking this NPN message to an attacker.
++    /* This must be done after we've set ss->ssl3.cwSpec in
++     * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
++     * from cwSpec. This must be done before we call ssl3_CheckFalseStart
++     * because the false start callback (if any) may need the information from
++     * the functions that depend on this being set.
+      */
++    ss->enoughFirstHsDone = PR_TRUE;
++
+     if (!ss->firstHsDone) {
++       /* XXX: If the server's certificate hasn't been authenticated by this
++        * point, then we may be leaking this NPN message to an attacker.
++        */
+        rv = ssl3_SendNextProto(ss);
+        if (rv != SECSuccess) {
+            goto loser; /* err code was set. */
+        }
+     }
++
+     rv = ssl3_SendEncryptedExtensions(ss);
+     if (rv != SECSuccess) {
+        goto loser; /* err code was set. */
+     }
+ 
++    if (!ss->firstHsDone) {
++       if (ss->opt.enableFalseStart) {
++           if (!ss->ssl3.hs.authCertificatePending) {
++               /* When we fix bug 589047, we will need to know whether we are
++                * false starting before we try to flush the client second
++                * round to the network. With that in mind, we purposefully
++                * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
++                * which includes a call to ssl3_FlushHandshake, so that
++                * no application develops a reliance on such flushing being
++                 * done before its false start callback is called.
++                */
++               ssl_ReleaseXmitBufLock(ss);
++               rv = ssl3_CheckFalseStart(ss);
++               ssl_GetXmitBufLock(ss);
++               if (rv != SECSuccess) {
++                   goto loser;
++               }
++           } else {
++               /* The certificate authentication and the server's Finished
++                * message are racing each other. If the certificate
++                * authentication wins, then we will try to false start in
++                * ssl3_AuthCertificateComplete.
++                */
++               SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
++                           " certificate authentication is still pending.",
++                           SSL_GETPID(), ss->fd));
++           }
++       }
++    }
++
+     rv = ssl3_SendFinished(ss, 0);
+     if (rv != SECSuccess) {
+        goto loser;     /* err code was set. */
+@@ -7526,8 +7572,16 @@
+     else
+        ss->ssl3.hs.ws = wait_change_cipher;
+ 
+-    /* Do the handshake callback for sslv3 here, if we can false start. */
+-    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
++    if (ss->handshakeCallback &&
++       (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
++       /* Call the handshake callback here for backwards compatibility with
++        * applications that were using false start before
++        * canFalseStartCallback was added. Note that we do this after calling
++        * ssl3_SendFinished, which includes a call to ssl3_FlushHandshake,
++        * just in case the application is relying on having the handshake
++        * messages flushed to the network before its handshake callback is
++        * called.
++        */
+        (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+     }
+ 
+@@ -10147,13 +10201,6 @@
+ 
+            ss->ssl3.hs.authCertificatePending = PR_TRUE;
+            rv = SECSuccess;
+-
+-           /* XXX: Async cert validation and False Start don't work together
+-            * safely yet; if we leave False Start enabled, we may end up false
+-            * starting (sending application data) before we
+-            * SSL_AuthCertificateComplete has been called.
+-            */
+-           ss->opt.enableFalseStart = PR_FALSE;
+        }
+ 
+        if (rv != SECSuccess) {
+@@ -10278,6 +10325,12 @@
+     } else if (ss->ssl3.hs.restartTarget != NULL) {
+        sslRestartTarget target = ss->ssl3.hs.restartTarget;
+        ss->ssl3.hs.restartTarget = NULL;
++
++       if (target == ssl3_FinishHandshake) {
++           SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
++                      " with peer's finished message", SSL_GETPID(), ss->fd));
++       }
++
+        rv = target(ss);
+        /* Even if we blocked here, we have accomplished enough to claim
+         * success. Any remaining work will be taken care of by subsequent
+@@ -10287,7 +10340,39 @@
+            rv = SECSuccess;
+        }
+     } else {
+-       rv = SECSuccess;
++       SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race"
++                   " with peer's finished message", SSL_GETPID(), ss->fd));
++
++       PORT_Assert(!ss->firstHsDone);
++       PORT_Assert(!ss->sec.isServer);
++       PORT_Assert(!ss->ssl3.hs.isResuming);
++       PORT_Assert(ss->ssl3.hs.ws == wait_change_cipher ||
++                   ss->ssl3.hs.ws == wait_finished ||          
++                   ss->ssl3.hs.ws == wait_new_session_ticket);
++
++       /* ssl3_SendClientSecondRound deferred the false start check because
++        * certificate authentication was pending, so we have to do it now.
++        */
++       if (ss->opt.enableFalseStart &&
++           !ss->firstHsDone &&
++           !ss->sec.isServer &&
++           !ss->ssl3.hs.isResuming &&
++           (ss->ssl3.hs.ws == wait_change_cipher ||
++            ss->ssl3.hs.ws == wait_finished ||         
++            ss->ssl3.hs.ws == wait_new_session_ticket)) {
++           rv = ssl3_CheckFalseStart(ss);
++           if (rv == SECSuccess &&
++               ss->handshakeCallback &&
++               (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
++               /* Call the handshake callback here for backwards compatibility
++                * with applications that were using false start before
++                * canFalseStartCallback was added.
++                */
++               (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
++           }
++       } else {
++           rv = SECSuccess;
++       }
+     }
+ 
+ done:
+@@ -10983,6 +11068,8 @@
+ SECStatus
+ ssl3_FinishHandshake(sslSocket * ss)
+ {
++    PRBool falseStarted;
++
+     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+     PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
+@@ -10990,6 +11077,7 @@
+     /* The first handshake is now completed. */
+     ss->handshake           = NULL;
+     ss->firstHsDone         = PR_TRUE;
++    ss->enoughFirstHsDone   = PR_TRUE;
+ 
+     if (ss->ssl3.hs.cacheSID) {
+        (*ss->sec.cache)(ss->sec.ci.sid);
+@@ -10997,9 +11085,14 @@
+     }
+ 
+     ss->ssl3.hs.ws = idle_handshake;
++    falseStarted = ss->ssl3.hs.canFalseStart;
++    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
+ 
+-    /* Do the handshake callback for sslv3 here, if we cannot false start. */
+-    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
++    /* Call the handshake callback for sslv3 here, unless we called it already
++     * for the case where false start was done without a canFalseStartCallback.
++     */
++    if (ss->handshakeCallback &&
++       !(falseStarted && !ss->canFalseStartCallback)) {
+        (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+     }
+