kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't False Start with DHE.

Browse Source 
BUG=460271

Change-Id: I271a270067605ec629944633c3e22c2069ba9a24
Reviewed-on: https://boringssl-review.googlesource.com/4192
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
Adam Langley 2015-04-01 13:11:01 -07:00
parent be55790652
commit e631d9679e
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ssl/ssl_lib.c
View File

@ -2870,14 +2870,12 @@ void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
int ssl3_can_false_start(const SSL *s) {
const SSL_CIPHER *const cipher = SSL_get_current_cipher(s);
/* False Start only for TLS 1.2 with a forward-secure, AEAD cipher and ALPN or
* NPN. */
/* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
return !SSL_IS_DTLS(s) &&
SSL_version(s) >= TLS1_2_VERSION &&
(s->s3->alpn_selected || s->s3->next_proto_neg_seen) &&
cipher != NULL &&
(cipher->algorithm_mkey == SSL_kDHE ||
cipher->algorithm_mkey == SSL_kECDHE) &&
cipher->algorithm_mkey == SSL_kECDHE &&
(cipher->algorithm_enc == SSL_AES128GCM ||
cipher->algorithm_enc == SSL_AES256GCM ||
cipher->algorithm_enc == SSL_CHACHA20POLY1305);