1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
index d22a7d6..a7617fb 100644
--- a/nss/lib/ssl/ssl3con.c
+++ b/nss/lib/ssl/ssl3con.c
@@ -2865,12 +2865,14 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
* Forces the use of the provided epoch
* ssl_SEND_FLAG_CAP_RECORD_VERSION
* Caps the record layer version number of TLS ClientHello to { 3, 1 }
- * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
+ * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
* ClientHello.client_version and use the record layer version number
* (TLSPlaintext.version) instead when negotiating protocol versions. In
* addition, if the record layer version number of ClientHello is { 3, 2 }
- * (TLS 1.1) or higher, these servers reset the TCP connections. Set this
- * flag to work around such servers.
+ * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
+ * some F5 BIG-IP servers hang if a record containing a ClientHello has a
+ * version greater than 0x0301 and a length greater than 255. Set this flag
+ * to work around such servers.
*/
PRInt32
ssl3_SendRecord( sslSocket * ss,
@@ -5363,7 +5365,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
}
flags = 0;
- if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) {
+ if (!ss->firstHsDone && !IS_DTLS(ss)) {
flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
}
rv = ssl3_FlushHandshake(ss, flags);
|
