net: only False Start with forward secret servers.

net/third_party/nss/ssl/ssl3con.c

Index: net/third_party/nss/ssl/ssl3con.c
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index d0eb0425d48522c9c3d7bb2e67a5ef18cf9cb3f4..53215e783a065d2930adaa942b14d45841838fe9 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6086,11 +6086,9 @@ ssl3_CanFalseStart(sslSocket *ss) {
     rv = ss->opt.enableFalseStart &&
 	 !ss->sec.isServer &&
 	 !ss->ssl3.hs.isResuming &&
-	 ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn) &&
 	 ss->ssl3.cwSpec &&
 	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
-	(ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa ||
-	 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh  ||
+	(ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh  ||
 	 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);

[wtc, 2012/04/19 22:33:53]

It would be nice to add a comment to briefly explain why
only certain key exchange algorithms are compatible with
False Start.

IMPORTANT: Looking at this more closely, I think we're testing the wrong
member of ss->ssl3.hs.kea_def here.

I assume we don't want to enable False Start with the
non-ephemeral DH and ECDH cipher suites such as
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA.  If so, we should
be testing
  ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
  ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
  ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
  ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa

See
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/ssl3...

and http://mxr.mozilla.org/security/ident?i=kea_ecdhe_rsa

[agl, 2012/04/20 18:30:29]

Done.
Thanks! Done.

     ssl_ReleaseSpecReadLock(ss);
     return rv;