Don't False Start with DHE. BUG=460271 Change-Id: Ic233511114012149e4a1074470c16bd9f701cf5a Reviewed-on: https://boringssl-review.googlesource.com/4192 Reviewed-by: Adam Langley <agl@google.com>

commit: b8cbbec76bb6e8c0b7cbd20bba06a1516ef26c23 [log] [tgz]
author: Adam Langley <agl@google.com> Wed Apr 01 13:11:01 2015 -0700
committer: Adam Langley <agl@google.com> Mon Apr 06 10:46:44 2015 -0700
tree: b4398e22c8037f12987771c9b84f7a83c8b535a1
parent: 367545d0b46d2b8a494af69ec086df325d04de11 [diff]
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d070e82..ce90f4d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c

@@ -2895,14 +2895,12 @@
 int ssl3_can_false_start(const SSL *s) {
   const SSL_CIPHER *const cipher = SSL_get_current_cipher(s);
 
-  /* False Start only for TLS 1.2 with a forward-secure, AEAD cipher and ALPN or
-   * NPN. */
+  /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
   return !SSL_IS_DTLS(s) &&
       SSL_version(s) >= TLS1_2_VERSION &&
       (s->s3->alpn_selected || s->s3->next_proto_neg_seen) &&
       cipher != NULL &&
-      (cipher->algorithm_mkey == SSL_kEDH ||
-       cipher->algorithm_mkey == SSL_kEECDH) &&
+      cipher->algorithm_mkey == SSL_kEECDH &&
       (cipher->algorithm_enc == SSL_AES128GCM ||
        cipher->algorithm_enc == SSL_AES256GCM ||
        cipher->algorithm_enc == SSL_CHACHA20POLY1305);
commit	b8cbbec76bb6e8c0b7cbd20bba06a1516ef26c23	[log] [tgz]
author	Adam Langley <agl@google.com>	Wed Apr 01 13:11:01 2015 -0700
committer	Adam Langley <agl@google.com>	Mon Apr 06 10:46:44 2015 -0700
tree	b4398e22c8037f12987771c9b84f7a83c8b535a1
parent	367545d0b46d2b8a494af69ec086df325d04de11 [diff]