Enable AES_256_GCM ciphers.

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 8a860f35ba4fee669f8b7cf277527755f1b4b47c..a98b8156e7221e21bb6a7c5bbd2291f52426c156 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -971,11 +971,13 @@ int SSLClientSocketOpenSSL::Init() {
   SSL_set_mode(ssl_, mode.set_mask);
   SSL_clear_mode(ssl_, mode.clear_mask);
 
-  // See SSLConfig::disabled_cipher_suites for description of the suites
-  // disabled by default. Note that SHA256 and SHA384 only select HMAC-SHA256
-  // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
-  // as the handshake hash.
-  std::string command("DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK");
+  // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
+  // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
+  // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not
+  // supported. As DHE is being deprecated, don't add a cipher only to remove it
+  // immediately.
+  std::string command(
+      "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK");
 
   if (ssl_config_.require_ecdhe)
     command.append(":!kRSA:!kDHE");