Commit b8cbbec7 authored by Adam Langley's avatar Adam Langley

Don't False Start with DHE.

BUG=460271

Change-Id: Ic233511114012149e4a1074470c16bd9f701cf5a
Reviewed-on: https://boringssl-review.googlesource.com/4192

Reviewed-by: default avatarAdam Langley <[email protected]>
parent 367545d0
......@@ -2895,14 +2895,12 @@ void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
int ssl3_can_false_start(const SSL *s) {
const SSL_CIPHER *const cipher = SSL_get_current_cipher(s);
/* False Start only for TLS 1.2 with a forward-secure, AEAD cipher and ALPN or
* NPN. */
/* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
return !SSL_IS_DTLS(s) &&
SSL_version(s) >= TLS1_2_VERSION &&
(s->s3->alpn_selected || s->s3->next_proto_neg_seen) &&
cipher != NULL &&
(cipher->algorithm_mkey == SSL_kEDH ||
cipher->algorithm_mkey == SSL_kEECDH) &&
cipher->algorithm_mkey == SSL_kEECDH &&
(cipher->algorithm_enc == SSL_AES128GCM ||
cipher->algorithm_enc == SSL_AES256GCM ||
cipher->algorithm_enc == SSL_CHACHA20POLY1305);
......
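Review bot: The rewritten comment above the `return` says what the condition accepts (ECDHE+AEAD) but no longer says why, and the `cipher->algorithm_mkey == SSL_kEECDH` line gives no reason for dropping `SSL_kEDH`, so a later cleanup could restore DHE on the grounds that it is also forward-secure. False Start lets the client send application data before it has verified the server's Finished, so every term in this expression is a security precondition. The DHE exclusion is presumably because the client cannot vet a server-chosen group at that point, though the page itself only cites BUG=460271. I would extend the comment, for example `/* DHE is excluded on purpose (BUG=460271): data is sent before the server's Finished is checked. */`. The end of ssl3_can_false_start lies outside the visible hunk.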