1 files changed, 7 insertions, 2 deletions

diff --git a/chromium/net/socket/nss_ssl_util.cc b/chromium/net/socket/nss_ssl_util.cc
index be33ac5add0..7e3aee430c4 100644
--- a/chromium/net/socket/nss_ssl_util.cc
+++ b/chromium/net/socket/nss_ssl_util.cc
@@ -58,12 +58,13 @@ class NSSSSLInitSingleton {
           enabled = false;
 
         // Trim the list of cipher suites in order to keep the size of the
-        // ClientHello down. DSS, ECDH, CAMELLIA, SEED and ECC+3DES cipher
-        // suites are disabled.
+        // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and
+        // HMAC-SHA256 cipher suites are disabled.
         if (info.symCipher == ssl_calg_camellia ||
             info.symCipher == ssl_calg_seed ||
             (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) ||
             info.authAlgorithm == ssl_auth_dsa ||
+            info.macAlgorithm == ssl_hmac_sha256 ||
             info.nonStandard ||
             strcmp(info.keaTypeName, "ECDH") == 0) {
           enabled = false;
@@ -232,6 +233,10 @@ int MapNSSError(PRErrorCode err) {
     case SEC_ERROR_BAD_DER:
     case SEC_ERROR_EXTRA_INPUT:
       return ERR_SSL_BAD_PEER_PUBLIC_KEY;
+    // During renegotiation, the server presented a different certificate than
+    // was used earlier.
+    case SSL_ERROR_WRONG_CERTIFICATE:
+      return ERR_SSL_SERVER_CERT_CHANGED;
 
     default: {
       if (IS_SSL_ERROR(err)) {