From 35327b5afc3d3ee71aa95fd76eca7792eb2d2055 Mon Sep 17 00:00:00 2001
From: "agl@google.com"
Date: Tue, 10 Apr 2012 22:34:36 +0000
Subject: net: False Start only for NPN capable servers.
This change causes NSS only to False Start with NPN capable servers. It also removes the False Start blacklist and this has the effect of enabling 1/n-1 record splitting for those hosts that were previously on the blacklist. However, those hosts have been getting 1/n-1 from Opera, Firefox and IE for a few months now.
BUG=none
TEST=net_unittests
Review URL: http://codereview.chromium.org/10014010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@131649 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/third_party/nss/README.chromium | 3 +++
 net/third_party/nss/patches/applypatches.sh | 2 ++
 net/third_party/nss/ssl/ssl3con.c | 1 +
 net/third_party/nss/ssl/ssl3ext.c | 4 ++++
 4 files changed, 10 insertions(+) (limited to 'net/third_party/nss')
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 6e2ca29..d7110f0 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -65,6 +65,9 @@ Patches:
 https://bugzilla.mozilla.org/show_bug.cgi?id=681065
 patches/dtls.patch
+ * Enable False Start only when the server supports NPN.
+ patches/falsestartnpn.patch
+ Apply the patches to NSS by running the patches/applypatches.sh script. Read the comments at the top of patches/applypatches.sh for instructions.
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index dbb603e..766a0ca 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -34,3 +34,5 @@ patch -p6 < $patches_dir/restartclientauth.patch
 patch -p6 < $patches_dir/encryptedclientcerts.patch
 patch -p4 < $patches_dir/dtls.patch
+
+patch -p6 < $patches_dir/falsestartnpn.patch
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index e8a7f017..d0eb042 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6086,6 +6086,7 @@ ssl3_CanFalseStart(sslSocket *ss) {
 rv = ss->opt.enableFalseStart &&
 !ss->sec.isServer &&
 !ss->ssl3.hs.isResuming &&
+ ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn) &&
 ss->ssl3.cwSpec &&
 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
 (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa ||
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index 80c1f7f..4e043b8 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -567,6 +567,8 @@ ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *dat
 return SECFailure;
 }
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+ return SECSuccess;
 }
@@ -635,6 +637,8 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
 return SECFailure;
 }
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
 }
--
cgit v1.1
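Review bot: The added `ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)` term in ssl3_CanFalseStart carries no comment, and next to the key-size and key-exchange terms it reads like a security condition when, per the commit message, it stands in for the removed blacklist as a server-compatibility signal. A client that False Starts sends application data before it has verified the server's Finished, so the ServerHello extensions this term relies on are not yet authenticated at that point; the protection still comes from the cipher and key-exchange terms. I would add above the expression: `/* NPN is a compatibility heuristic only; ServerHello extensions are unauthenticated when False Start data is sent. */`. The function body starts and ends outside the hunk.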
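Review bot: The new `ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;` in ssl3_ServerHandleNextProtoNegoXtn writes at an index that grows with peer-supplied extensions and has no bound check visible in the hunk; the same line is added to ssl3_ClientHandleNextProtoNegoXtn in the next hunk. The array's size and any duplicate-extension rejection in the caller are outside this diff, so the append is presumably safe only as long as each extension type is recorded at most once. Making the bound explicit at both sites would stop it depending on the caller, e.g. `if (ss->xtnData.numNegotiated >= PR_ARRAY_SIZE(ss->xtnData.negotiated)) return SECFailure;` before the append, assuming `negotiated` is a fixed-size array member. Both function bodies start outside their hunks.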