Google Git
Sign in
boringssl/boringssl/refs/heads/chromium-2311^!/.
commit
b8cbbec76bb6e8c0b7cbd20bba06a1516ef26c23
[log] [tgz]
author
Adam Langley <agl@google.com>
Wed Apr 01 13:11:01 2015 -0700
committer
Adam Langley <agl@google.com>
Mon Apr 06 10:46:44 2015 -0700
tree
b4398e22c8037f12987771c9b84f7a83c8b535a1
parent
367545d0b46d2b8a494af69ec086df325d04de11 [diff]
Don't False Start with DHE.

BUG=460271

Change-Id: Ic233511114012149e4a1074470c16bd9f701cf5a
Reviewed-on: https://boringssl-review.googlesource.com/4192
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d070e82..ce90f4d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c

@@ -2895,14 +2895,12 @@
 int ssl3_can_false_start(const SSL *s) {
   const SSL_CIPHER *const cipher = SSL_get_current_cipher(s);
 
-  /* False Start only for TLS 1.2 with a forward-secure, AEAD cipher and ALPN or
-   * NPN. */
+  /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
   return !SSL_IS_DTLS(s) &&
       SSL_version(s) >= TLS1_2_VERSION &&
       (s->s3->alpn_selected || s->s3->next_proto_neg_seen) &&
       cipher != NULL &&
-      (cipher->algorithm_mkey == SSL_kEDH ||
-       cipher->algorithm_mkey == SSL_kEECDH) &&
+      cipher->algorithm_mkey == SSL_kEECDH &&
       (cipher->algorithm_enc == SSL_AES128GCM ||
        cipher->algorithm_enc == SSL_AES256GCM ||
        cipher->algorithm_enc == SSL_CHACHA20POLY1305);