Require ECDHE cipher in remoting client.

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index ba47b97920af2cf31137d80d1e0d3acc2a57be57..4efaf7e7b594c885d38de23ef6b219099ee441b8 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -765,18 +765,17 @@ int SSLClientSocketOpenSSL::Init() {
   // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
   // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
   // as the handshake hash.
-  std::string command(
-      "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");
+  std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK");
   // Walk through all the installed ciphers, seeing if any need to be
   // appended to the cipher removal |command|.
   for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
     const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
     const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher));
-    // Remove any ciphers with a strength of less than 80 bits. Note the NSS
-    // implementation uses "effective" bits here but OpenSSL does not provide
-    // this detail. This only impacts Triple DES: reports 112 vs. 168 bits,
-    // both of which are greater than 80 anyway.
-    bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80;
+    bool disable = false;
+    if (ssl_config_.require_ecdhe) {
+      base::StringPiece kx_name(SSL_CIPHER_get_kx_name(cipher));
+      disable = kx_name != "ECDHE_RSA" && kx_name != "ECDHE_ECDSA";
+    }
     if (!disable) {
       disable = std::find(ssl_config_.disabled_cipher_suites.begin(),
                           ssl_config_.disabled_cipher_suites.end(), id) !=