Reject renegotiations in SSLClientSocket by default.

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 9338bcf96c45cf9734247215a45bcea3f1c26a4c..f28c9b2c749b34863bac9a48f3ac8fe57902b8e6 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -624,6 +624,10 @@ bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
   return true;
 }
 
+void SSLClientSocketOpenSSL::SetRenegotiationsAllowed(bool allowed) {
+  SSL_set_reject_peer_renegotiations(ssl_, allowed ? 0 : 1);
+}
+
 int SSLClientSocketOpenSSL::Read(IOBuffer* buf,
                                  int buf_len,
                                  const CompletionCallback& callback) {
@@ -843,6 +847,10 @@ int SSLClientSocketOpenSSL::Init() {
                                ssl_config_.fastradio_padding_enabled &&
                                    ssl_config_.fastradio_padding_eligible);
 
+  // By default, renegotiations are rejected. Callers may opt into accepting
+  // future handshakes after the initial one has completed.
+  SSL_set_reject_peer_renegotiations(ssl_, 1);
+
   return OK;
 }