net: only False Start with forward secret servers.

Bodo made the point that we originally sacrificed an aspect of forward secrecy
in order to use False Start widely. Specifically, an attacker can alter the
handshake and cause a non-forward secure ciphersuite to be selected and the
client's initial write will not be forward secret.

Since we are no longer trying to use False Start everywhere, we can close that
gap by only allowing it for forward secret connections.

This change also addresses follow up comments on
https://chromiumcodereview.appspot.com/10014010/ and adds the patch file that
was missing in that change.

BUG=none
TEST=net_unittests


Review URL: http://codereview.chromium.org/10136001

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@133255 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 10 insertions, 0 deletions

diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 5fd5f11..5b24440 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2101,6 +2101,16 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg,
                                                  PRFileDesc* socket,
                                                  PRBool checksig,
                                                  PRBool is_server) {
+#ifdef SSL_ENABLE_FALSE_START
+  PRBool npn;
+  SECStatus rv =
+      SSL_HandshakeNegotiatedExtension(socket, ssl_next_proto_nego_xtn, &npn);
+  if (rv != SECSuccess || !npn) {
+    // If the server doesn't support NPN, then we don't do False Start with it.
+    SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
+  }
+#endif
+
   // Tell NSS to not verify the certificate.
   return SECSuccess;
 }