Do not use HTTP/2 without adequate security.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 3651e8d62466696169433993af5f4cd92d62b67b..79394d4e1a37ace962fb2f64b492fcd8c37746fd 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -973,8 +973,22 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
   SECStatus rv = SECSuccess;
 
   if (!ssl_config_.next_protos.empty()) {
-    std::vector<uint8_t> wire_protos =
-        SerializeNextProtos(ssl_config_.next_protos);
+    DCHECK(NSS_IsInitialized());
+    const std::vector<uint16> cipher_suites =
+        GetNSSDefaultEnabledCipherSuites();
+    std::vector<uint16> implemented_enabled_cipher_suites;
+    for (uint16 cipher : cipher_suites) {
+      PRBool enabled = PR_FALSE;
+      if (PK11_TokenExists(cipher) &&
+          SSL_CipherPrefGet(nss_fd_, cipher, &enabled) == SECSuccess &&
+          enabled) {
+        implemented_enabled_cipher_suites.push_back(cipher);
+      }
+    }
+    std::vector<uint8_t> wire_protos = SerializeNextProtos(
+        ssl_config_.next_protos,
+        IsSecurityAdequateForHTTP2(ssl_config_,
+                                   implemented_enabled_cipher_suites));
     rv = SSL_SetNextProtoNego(
         nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
         wire_protos.size());