net: don't send resumption ClientHello records with versions > 0x0301.

net/third_party/nss/patches/resumeclienthelloversion.patch

+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
+index d22a7d6..a7617fb 100644
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -2865,12 +2865,14 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
+  *    Forces the use of the provided epoch
+  * ssl_SEND_FLAG_CAP_RECORD_VERSION
+  *    Caps the record layer version number of TLS ClientHello to { 3, 1 }
+- *    (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore 
++ *    (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
+  *    ClientHello.client_version and use the record layer version number
+  *    (TLSPlaintext.version) instead when negotiating protocol versions. In
+  *    addition, if the record layer version number of ClientHello is { 3, 2 }
+- *    (TLS 1.1) or higher, these servers reset the TCP connections. Set this
+- *    flag to work around such servers.
++ *    (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
++ *    some F5 BIG-IP servers hang if a record containing a ClientHello has a
++ *    version greater than 0x0301 and a length greater than 255. Set this flag
++ *    to work around such servers.
+  */
+ PRInt32
+ ssl3_SendRecord(   sslSocket *        ss,
+@@ -5363,7 +5365,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+     }
+ 
+     flags = 0;
+-    if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) {
++    if (!ss->firstHsDone && !IS_DTLS(ss)) {
+        flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
+     }
+     rv = ssl3_FlushHandshake(ss, flags);