OLD | NEW |
(Empty) | |
| 1 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| 2 index d22a7d6..a7617fb 100644 |
| 3 --- a/nss/lib/ssl/ssl3con.c |
| 4 +++ b/nss/lib/ssl/ssl3con.c |
| 5 @@ -2865,12 +2865,14 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, |
| 6 * Forces the use of the provided epoch |
| 7 * ssl_SEND_FLAG_CAP_RECORD_VERSION |
| 8 * Caps the record layer version number of TLS ClientHello to { 3, 1 } |
| 9 - * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore |
| 10 + * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore |
| 11 * ClientHello.client_version and use the record layer version number |
| 12 * (TLSPlaintext.version) instead when negotiating protocol versions. In |
| 13 * addition, if the record layer version number of ClientHello is { 3, 2 } |
| 14 - * (TLS 1.1) or higher, these servers reset the TCP connections. Set this |
| 15 - * flag to work around such servers. |
| 16 + * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly, |
| 17 + * some F5 BIG-IP servers hang if a record containing a ClientHello has a |
| 18 + * version greater than 0x0301 and a length greater than 255. Set this flag |
| 19 + * to work around such servers. |
| 20 */ |
| 21 PRInt32 |
| 22 ssl3_SendRecord( sslSocket * ss, |
| 23 @@ -5363,7 +5365,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
| 24 } |
| 25 |
| 26 flags = 0; |
| 27 - if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) { |
| 28 + if (!ss->firstHsDone && !IS_DTLS(ss)) { |
| 29 flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION; |
| 30 } |
| 31 rv = ssl3_FlushHandshake(ss, flags); |
OLD | NEW |