1diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c 2index d22a7d6..a7617fb 100644 3--- a/nss/lib/ssl/ssl3con.c 4+++ b/nss/lib/ssl/ssl3con.c 5@@ -2865,12 +2865,14 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, 6 * Forces the use of the provided epoch 7 * ssl_SEND_FLAG_CAP_RECORD_VERSION 8 * Caps the record layer version number of TLS ClientHello to { 3, 1 } 9- * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore 10+ * (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore 11 * ClientHello.client_version and use the record layer version number 12 * (TLSPlaintext.version) instead when negotiating protocol versions. In 13 * addition, if the record layer version number of ClientHello is { 3, 2 } 14- * (TLS 1.1) or higher, these servers reset the TCP connections. Set this 15- * flag to work around such servers. 16+ * (TLS 1.1) or higher, these servers reset the TCP connections. Lastly, 17+ * some F5 BIG-IP servers hang if a record containing a ClientHello has a 18+ * version greater than 0x0301 and a length greater than 255. Set this flag 19+ * to work around such servers. 20 */ 21 PRInt32 22 ssl3_SendRecord( sslSocket * ss, 23@@ -5363,7 +5365,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) 24 } 25 26 flags = 0; 27- if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) { 28+ if (!ss->firstHsDone && !IS_DTLS(ss)) { 29 flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION; 30 } 31 rv = ssl3_FlushHandshake(ss, flags); 32