Reject renegotiations in SSLClientSocket by default.

net/http/http_stream_factory_impl_job.cc

Index: net/http/http_stream_factory_impl_job.cc
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 38f185a4e9edd69b15517afa531d4c5027430020..a5fd4b7a01c66bf1ce40f158bea58d1bd102801e 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -1118,6 +1118,9 @@ int HttpStreamFactoryImpl::Job::DoCreateStream() {
           request_->websocket_handshake_stream_create_helper()
               ->CreateBasicStream(connection_.Pass(), using_proxy));
     } else {
+      // HTTP/1.1 requires renegotiations enabled to support TLS client
+      // authentication coming in during a request.
+      connection_->socket()->SetRenegotiationsAllowed(true);

[Ryan Sleevi, 2015/05/07 01:41:26]

This is also needed for WebSockets, which can and do use client certs

[davidben, 2015/05/07 19:12:34]

Well, this doesn't break all client certs. Sane deployments (relatively
speaking) of client certs don't do the awful renego hack. :-) But you're right.
It should be up at the top of this block, in case someone does the renego hack
on the WebSockets entry point. Fixed.

       stream_.reset(new HttpBasicStream(connection_.release(), using_proxy));
     }
     return OK;