Do not use HTTP/2 without adequate security.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 3651e8d62466696169433993af5f4cd92d62b67b..39a5c2a4edbaf7481f909ea3fd0af6dc151283d7 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -973,8 +973,23 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
   SECStatus rv = SECSuccess;
 
   if (!ssl_config_.next_protos.empty()) {
-    std::vector<uint8_t> wire_protos =
-        SerializeNextProtos(ssl_config_.next_protos);
+    //EnsureNSSSSLInit();

[Bence, 2014/12/10 18:05:21]

davidben: do I need EnsureNSSSSLInit() here, or is the one in line 3143 executed
before this?

[davidben, 2014/12/10 21:29:57]

NSS is initialized at this point.

+    DCHECK(NSS_IsInitialized());
+    const std::vector<uint16> cipher_suites = GetNSSEnabledCipherSuites();
+    // We still have to apply the disabled_cipher_suites list to these cipher
+    // suites, because NSS does not know about them quite yet.
+    std::vector<uint16> enabled_cipher_suites;
+    for (std::vector<uint16>::const_iterator it = cipher_suites.begin();
+         it != cipher_suites.end(); ++it) {
+      if (std::find(ssl_config_.disabled_cipher_suites.begin(),
+                    ssl_config_.disabled_cipher_suites.end(),
+                    *it) == ssl_config_.disabled_cipher_suites.end()) {
+        enabled_cipher_suites.push_back(*it);
+      }
+    }
+    std::vector<uint8_t> wire_protos = SerializeNextProtos(
+        ssl_config_.next_protos,
+        IsSecurityAdequateForHTTP2(ssl_config_, enabled_cipher_suites));
     rv = SSL_SetNextProtoNego(
         nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
         wire_protos.size());