Don't pad the second ClientHello.

While the previous CL fixed a bug in computing this padding, we don't actually need to pad the second (cleartext) ClientHello anyway. This padding is to work around bugs in old F5 and WebSphere servers, which do not speak TLS 1.3. Save a few bytes.

Change-Id: I9b5d9bb1c0d880f1b1c9182667a9d3d82588c04c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47999
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc index 33621a3..9cd9f49 100644 --- a/ssl/t1_lib.cc +++ b/ssl/t1_lib.cc
@@ -3318,7 +3318,8 @@ } size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs); - if (!SSL_is_dtls(ssl) && !ssl->quic_method) { + if (!SSL_is_dtls(ssl) && !ssl->quic_method && + !ssl->s3->used_hello_retry_request) { header_len += SSL3_HM_HEADER_LENGTH + 2 + CBB_len(&extensions) + psk_extension_len; size_t padding_len = 0;
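Review bot: the new `!ssl->s3->used_hello_retry_request` clause in the condition carries no comment explaining why a HelloRetryRequest exempts the ClientHello from padding; the reasoning lives only in the commit message (the padding works around old F5 and WebSphere servers that do not speak TLS 1.3, and a server that sent HelloRetryRequest is by definition TLS 1.3). A reader of `t1_lib.cc` alone will see a DTLS/QUIC check with an unexplained HRR flag bolted on. Suggest a short comment above the condition, e.g. `// Servers needing the padding workaround predate TLS 1.3, so a ClientHello sent in response to HelloRetryRequest never needs it.` Also worth confirming in review that when the condition is now false for the second ClientHello, the code following `size_t padding_len = 0;` leaves `padding_len` at zero rather than computing it from a `header_len` that no longer includes `SSL3_HM_HEADER_LENGTH + 2 + CBB_len(&extensions) + psk_extension_len`.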