From 45e87488fe7fbd8860b040b70c41e4557e06edc4 Mon Sep 17 00:00:00 2001
From: davidben
Date: Thu, 10 Dec 2015 16:09:38 -0800
Subject: Only enable RC4 when manually enabled and in a fallback handshake
While the option to manually enable RC4 exists (via SSLConfig's |rc4_enabled|, which can be controlled via admin policy or field trial), it should only be enabled in fallback handshakes, where no other ciphersuite could be negotiated.
BUG=568694
Review URL: https://codereview.chromium.org/1512753007
Cr-Commit-Position: refs/heads/master@{#364534}
---
net/socket/ssl_client_socket_nss.cc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'net/socket/ssl_client_socket_nss.cc')
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 032840a..273d665 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2788,8 +2788,11 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 SECSuccess) {
 continue;
 }
- if (info.symCipher == ssl_calg_rc4 && !ssl_config_.rc4_enabled)
+ if (info.symCipher == ssl_calg_rc4 &&
+ !(ssl_config_.rc4_enabled &&
+ ssl_config_.deprecated_cipher_suites_enabled)) {
 SSL_CipherPrefSet(nss_fd_, ssl_ciphers[i], PR_FALSE);
+ }
 if (info.keaType == ssl_kea_dh &&
 !ssl_config_.deprecated_cipher_suites_enabled) {
 // Only offer DHE on the second handshake. https://crbug.com/538690
-- 
cgit v1.1
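Review bot: The new RC4 condition carries no comment explaining why it depends on `deprecated_cipher_suites_enabled`, whereas the DHE check directly below documents the same gating; I would add `// Only offer RC4 when manually enabled, and then only on the fallback handshake. https://crbug.com/568694` above the `if`. Judging by the DHE comment, that flag marks the second handshake, and a retry presumably follows any failure of the first one, so a party able to disrupt the first handshake could still end up negotiating RC4 when `rc4_enabled` is set; the comment (or the documentation of `rc4_enabled`) should say that this narrows the exposure rather than removing it. The result of `SSL_CipherPrefSet` is not checked on this path, so a failure to disable the suite would go unnoticed; logging a non-`SECSuccess` return would be cheap. InitializeSSLOptions starts and ends outside the hunk.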