Index: net/third_party/nss/patches/falsestartnpn.patch |
diff --git a/net/third_party/nss/patches/falsestartnpn.patch b/net/third_party/nss/patches/falsestartnpn.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..af195059636c8778d261f48f6a067ecb3cab3ca1 |
--- /dev/null |
+++ b/net/third_party/nss/patches/falsestartnpn.patch |
@@ -0,0 +1,40 @@ |
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c |
+index e8a7f01..53215e7 100644 |
+--- a/net/third_party/nss/ssl/ssl3con.c |
++++ b/net/third_party/nss/ssl/ssl3con.c |
+@@ -6088,8 +6088,7 @@ ssl3_CanFalseStart(sslSocket *ss) { |
+ !ss->ssl3.hs.isResuming && |
+ ss->ssl3.cwSpec && |
+ ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 && |
+- (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa || |
+- ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh || |
++ (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh || |
+ ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh); |
+ ssl_ReleaseSpecReadLock(ss); |
+ return rv; |
+diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c |
+index 80c1f7f..6d5866b 100644 |
+--- a/net/third_party/nss/ssl/ssl3ext.c |
++++ b/net/third_party/nss/ssl/ssl3ext.c |
+@@ -567,6 +567,12 @@ ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *dat |
+ return SECFailure; |
+ } |
+ |
++ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
++ |
++ /* TODO: server side NPN support would require calling |
++ * ssl3_RegisterServerHelloExtensionSender here in order to echo the |
++ * extension back to the client. */ |
++ |
+ return SECSuccess; |
+ } |
+ |
+@@ -635,6 +641,8 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, |
+ return SECFailure; |
+ } |
+ |
++ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
++ |
+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
+ return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); |
+ } |