Diffstat (limited to 'net/socket')
-rw-r--r--net/socket/next_proto.cc11
-rw-r--r--net/socket/next_proto.h3
-rw-r--r--net/socket/ssl_client_socket.cc6
-rw-r--r--net/socket/ssl_client_socket.h8
-rw-r--r--net/socket/ssl_client_socket_nss.cc10
-rw-r--r--net/socket/ssl_client_socket_openssl.cc10
-rw-r--r--net/socket/ssl_client_socket_unittest.cc2
7 files changed, 31 insertions, 19 deletions
diff --git a/net/socket/next_proto.cc b/net/socket/next_proto.cc
index 0a80372..0285044 100644
--- a/net/socket/next_proto.cc
+++ b/net/socket/next_proto.cc
@@ -40,4 +40,15 @@ bool NextProtoIsSPDY(NextProto next_proto) {
next_proto <= kProtoSPDYMaximumVersion;
}
+void DisableHTTP2(NextProtoVector* next_protos) {
+ for (NextProtoVector::iterator it = next_protos->begin();
+ it != next_protos->end();) {
+ if (*it == kProtoHTTP2) {
+ it = next_protos->erase(it);
+ continue;
+ }
+ ++it;
+ }
+}
+
} // namespace net
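Review bot: The hand-written erase loop in DisableHTTP2 is correct, but the erase-remove idiom states the intent in one statement and drops the iterator bookkeeping: `next_protos->erase(std::remove(next_protos->begin(), next_protos->end(), kProtoHTTP2), next_protos->end());`. That form needs `<algorithm>`, and the file's include list is not visible in this hunk. The function also dereferences `next_protos` without a check, so a `DCHECK(next_protos);` on the first line would document the non-null contract.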
diff --git a/net/socket/next_proto.h b/net/socket/next_proto.h
index 62cac9a..06f31ba 100644
--- a/net/socket/next_proto.h
+++ b/net/socket/next_proto.h
@@ -58,6 +58,9 @@ NET_EXPORT NextProtoVector NextProtosWithSpdyAndQuic(bool spdy_enabled,
// Returns true if |next_proto| is a version of SPDY or HTTP/2.
bool NextProtoIsSPDY(NextProto next_proto);
+// Remove HTTP/2 from |next_protos|.
+NET_EXPORT void DisableHTTP2(NextProtoVector* next_protos);
+
} // namespace net
#endif // NET_SOCKET_NEXT_PROTO_H_
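Review bot: The new comment on DisableHTTP2 says what is removed but not the contract a caller needs. I would expand it to something like `// Removes every kProtoHTTP2 entry from |next_protos| in place, keeping the order of the rest. |next_protos| must not be null.` It is also worth one more line saying that the socket implementations call it when the TLS version or cipher suites are not adequate for HTTP/2, since that is the only use visible in this change.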
diff --git a/net/socket/ssl_client_socket.cc b/net/socket/ssl_client_socket.cc
index 8f88b31..3472fd0 100644
--- a/net/socket/ssl_client_socket.cc
+++ b/net/socket/ssl_client_socket.cc
@@ -189,13 +189,9 @@ bool SSLClientSocket::IsTLSVersionAdequateForHTTP2(
// static
std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
- const NextProtoVector& next_protos,
- bool can_advertise_http2) {
+ const NextProtoVector& next_protos) {
std::vector<uint8_t> wire_protos;
for (const NextProto next_proto : next_protos) {
- if (!can_advertise_http2 && next_proto == kProtoHTTP2) {
- continue;
- }
const std::string proto = NextProtoToString(next_proto);
if (proto.size() > 255) {
LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << proto;
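Review bot: With `can_advertise_http2` gone, SerializeNextProtos emits whatever it is given, so the rule "do not offer HTTP/2 over an inadequate TLS configuration" now depends on every caller remembering to call DisableHTTP2 first. Nothing at the definition or in the updated header comment in ssl_client_socket.h says so. I would add a line to that header comment such as `// Does not filter HTTP/2; callers must apply DisableHTTP2() first when IsTLSVersionAdequateForHTTP2() or the cipher checks fail.` The function body continues past the end of this hunk.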
diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h
index 6780060..bd728b2 100644
--- a/net/socket/ssl_client_socket.h
+++ b/net/socket/ssl_client_socket.h
@@ -178,12 +178,10 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
// inadequate TLS version.
static bool IsTLSVersionAdequateForHTTP2(const SSLConfig& ssl_config);
- // Serializes |next_protos| in the wire format for ALPN: protocols are listed
- // in order, each prefixed by a one-byte length. Any HTTP/2 protocols in
- // |next_protos| are ignored if |can_advertise_http2| is false.
+ // Serialize |next_protos| in the wire format for ALPN and NPN: protocols are
+ // listed in order, each prefixed by a one-byte length.
static std::vector<uint8_t> SerializeNextProtos(
- const NextProtoVector& next_protos,
- bool can_advertise_http2);
+ const NextProtoVector& next_protos);
private:
FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index f558e71..f8a56d7 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -858,10 +858,12 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
PK11_TokenExists(CKM_NSS_CHACHA20_POLY1305);
const bool adequate_key_agreement = PK11_TokenExists(CKM_DH_PKCS_DERIVE) ||
PK11_TokenExists(CKM_ECDH1_DERIVE);
- std::vector<uint8_t> wire_protos =
- SerializeNextProtos(ssl_config_.next_protos,
- adequate_encryption && adequate_key_agreement &&
- IsTLSVersionAdequateForHTTP2(ssl_config_));
+ NextProtoVector next_protos = ssl_config_.next_protos;
+ if (!adequate_encryption || !adequate_key_agreement ||
+ !IsTLSVersionAdequateForHTTP2(ssl_config_)) {
+ DisableHTTP2(&next_protos);
+ }
+ std::vector<uint8_t> wire_protos = SerializeNextProtos(next_protos);
rv = SSL_SetNextProtoNego(
nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
wire_protos.size());
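Review bot: The copy-then-filter block added here is repeated almost verbatim in SSLClientSocketOpenSSL::Init in ssl_client_socket_openssl.cc, and neither site says why HTTP/2 is dropped. Because this is the security gate that keeps HTTP/2 from being advertised over a weak cipher, key agreement or TLS version, a short comment above the `if` at both sites would help keep the two backends in step, for example `// HTTP/2 must not be advertised unless the TLS version, cipher and key agreement are adequate for it.` Both enclosing Init functions start and end outside their hunks.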
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 9fc6454..6775763 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -952,10 +952,12 @@ int SSLClientSocketOpenSSL::Init() {
enabled_ciphers_vector.push_back(id);
}
- std::vector<uint8_t> wire_protos =
- SerializeNextProtos(ssl_config_.next_protos,
- HasCipherAdequateForHTTP2(enabled_ciphers_vector) &&
- IsTLSVersionAdequateForHTTP2(ssl_config_));
+ NextProtoVector next_protos = ssl_config_.next_protos;
+ if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) ||
+ !IsTLSVersionAdequateForHTTP2(ssl_config_)) {
+ DisableHTTP2(&next_protos);
+ }
+ std::vector<uint8_t> wire_protos = SerializeNextProtos(next_protos);
SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0],
wire_protos.size());
}
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 77a0aab..019ccc8 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -2373,7 +2373,7 @@ TEST(SSLClientSocket, SerializeNextProtos) {
next_protos.push_back(kProtoHTTP11);
next_protos.push_back(kProtoSPDY31);
static std::vector<uint8_t> serialized =
- SSLClientSocket::SerializeNextProtos(next_protos, true);
+ SSLClientSocket::SerializeNextProtos(next_protos);
ASSERT_EQ(18u, serialized.size());
EXPECT_EQ(8, serialized[0]); // length("http/1.1")
EXPECT_EQ('h', serialized[1]);
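Review bot: Nothing in this hunk exercises DisableHTTP2, which after this change is the only place HTTP/2 is filtered out of the advertised protocol list; the test is only adjusted for the new SerializeNextProtos signature. A small test that builds a vector holding `kProtoHTTP2` next to `kProtoHTTP11`, calls `DisableHTTP2(&next_protos)`, and checks that only the HTTP/2 entries are gone would pin the behaviour the TLS-adequacy checks rely on. It should also cover a duplicated entry and an empty vector. The test body starts and ends outside the hunk.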