Do not use HTTP/2 without adequate security.

net/socket/nss_ssl_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/nss_ssl_util.h"
 
 #include <nss.h>
 #include <secerr.h>
 #include <ssl.h>
 #include <sslerr.h>
@@ skipping 117 matching lines @@
             info.nonStandard ||
             strcmp(info.keaTypeName, "ECDH") == 0) {
           enabled = false;
         }
 
         if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) {
           // Enabled to allow servers with only a DSA certificate to function.
           enabled = true;
         }
         SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);
+        if (enabled) {
+          default_enabled_cipher_suites_.push_back(
+              static_cast<uint16>(ssl_ciphers[i]));
+        }
       }
     }
 
     // Enable SSL.
     SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
 
     // Calculate the order of ciphers that we'll use for NSS sockets. (Note
     // that, even if a cipher is specified in the ordering, it must still be
     // enabled in order to be included in a ClientHello.)
     //
@@ skipping 50 matching lines @@
     return model_fd_;
   }
 
   ~NSSSSLInitSingleton() {
     // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
     SSL_ClearSessionCache();
     if (model_fd_)
       PR_Close(model_fd_);
   }
 
+  std::vector<uint16> default_enabled_cipher_suites_;
+
  private:
   PRFileDesc* model_fd_;
 };
 
 base::LazyInstance<NSSSSLInitSingleton>::Leaky g_nss_ssl_init_singleton =
     LAZY_INSTANCE_INITIALIZER;
 
 }  // anonymous namespace
 
 // Initialize the NSS SSL library if it isn't already initialized.  This must
 // be called before any other NSS SSL functions.  This function is
 // thread-safe, and the NSS SSL library will only ever be initialized once.
 // The NSS SSL library will be properly shut down on program exit.
 void EnsureNSSSSLInit() {
   // Initializing SSL causes us to do blocking IO.
   // Temporarily allow it until we fix
   //   http://code.google.com/p/chromium/issues/detail?id=59847
   base::ThreadRestrictions::ScopedAllowIO allow_io;
 
   g_nss_ssl_init_singleton.Get();
 }
 
 PRFileDesc* GetNSSModelSocket() {
   return g_nss_ssl_init_singleton.Get().GetModelSocket();
 }
 
+const std::vector<uint16>& GetNSSDefaultEnabledCipherSuites() {
+  return g_nss_ssl_init_singleton.Get().default_enabled_cipher_suites_;
+}
+
 // Map a Chromium net error code to an NSS error code.
 // See _MD_unix_map_default_error in the NSS source
 // tree for inspiration.
 PRErrorCode MapErrorToNSS(int result) {
   if (result >=0)
     return result;
 
   switch (result) {
     case ERR_IO_PENDING:
       return PR_WOULD_BLOCK_ERROR;
@@ skipping 164 matching lines @@
       base::Bind(&NetLogSSLFailedNSSFunctionCallback,
                  function, param, PR_GetError()));
 }
 
 NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error,
                                                         int ssl_lib_error) {
   return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error);
 }
 
 }  // namespace net