Index: net/third_party/nss/patches/resumeclienthelloversion.patch |
diff --git a/net/third_party/nss/patches/resumeclienthelloversion.patch b/net/third_party/nss/patches/resumeclienthelloversion.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..7c330c71fff338fc67efbf5da93023cb1f8814ad |
--- /dev/null |
+++ b/net/third_party/nss/patches/resumeclienthelloversion.patch |
@@ -0,0 +1,31 @@ |
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
+index d22a7d6..a7617fb 100644 |
+--- a/nss/lib/ssl/ssl3con.c |
++++ b/nss/lib/ssl/ssl3con.c |
+@@ -2865,12 +2865,14 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, |
+ * Forces the use of the provided epoch |
+ * ssl_SEND_FLAG_CAP_RECORD_VERSION |
+ * Caps the record layer version number of TLS ClientHello to { 3, 1 } |
+- * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore |
++ * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore |
+ * ClientHello.client_version and use the record layer version number |
+ * (TLSPlaintext.version) instead when negotiating protocol versions. In |
+ * addition, if the record layer version number of ClientHello is { 3, 2 } |
+- * (TLS 1.1) or higher, these servers reset the TCP connections. Set this |
+- * flag to work around such servers. |
++ * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly, |
++ * some F5 BIG-IP servers hang if a record containing a ClientHello has a |
++ * version greater than 0x0301 and a length greater than 255. Set this flag |
++ * to work around such servers. |
+ */ |
+ PRInt32 |
+ ssl3_SendRecord( sslSocket * ss, |
+@@ -5363,7 +5365,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ } |
+ |
+ flags = 0; |
+- if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) { |
++ if (!ss->firstHsDone && !IS_DTLS(ss)) { |
+ flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION; |
+ } |
+ rv = ssl3_FlushHandshake(ss, flags); |