diff --git a/experiments/field_trials.py b/experiments/field_trials.py
index 764c47e551..6cc1d58495 100755
--- a/experiments/field_trials.py
+++ b/experiments/field_trials.py
@@ -86,6 +86,9 @@ ACTIVE_FIELD_TRIALS: FrozenSet[FieldTrial] = frozenset([
     FieldTrial('WebRTC-PaddingMode-RecentLargePacket',
                'webrtc:15201',
                date(2024, 4, 1)),
+    FieldTrial('WebRTC-PermuteTlsClientHello',
+               'webrtc:15467',
+               date(2024, 7, 1)),
     FieldTrial('WebRTC-PreventSsrcGroupsWithUnexpectedSize',
                'chromium:1459124',
                date(2024, 4, 1)),
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index d462f77ce4..cbbb8e96ab 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -1098,6 +1098,11 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
     }
   }
 
+#ifdef OPENSSL_IS_BORINGSSL
+  SSL_CTX_set_permute_extensions(
+      ctx, webrtc::field_trial::IsEnabled("WebRTC-PermuteTlsClientHello"));
+#endif
+
   return ctx;
 }
 
diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc
index 8417314a3a..0a99d9b1f0 100644
--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
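Review bot: The `SSL_CTX_set_permute_extensions` call is wrapped in `#ifdef OPENSSL_IS_BORINGSSL` with nothing in the `#else` branch, so on a non-BoringSSL build the `WebRTC-PermuteTlsClientHello` trial is silently ignored even when enabled; a one-line comment on the `#ifdef` would make that explicit for whoever later reads the trial registry, e.g. `// BoringSSL only: OpenSSL has no extension-permutation API, so the trial is a no-op there.` The context built here is also shared by the client and server roles (the start of `SetupSSLContext` is outside the hunk), which is fine if, as BoringSSL's documentation describes it, permutation only affects the ClientHello this endpoint sends, but that is worth stating in the same comment rather than leaving it implicit. One operational caveat for the trial bug: permuting extension order changes this client's TLS fingerprint (JA3-style hashes), so any peer or middlebox that allow-lists on fingerprint will see the two trial arms differently; that is presumably the intent of the experiment, but it should be called out as an expected side effect.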
@@ -1808,3 +1808,46 @@ TEST_F(SSLStreamAdapterTestDTLSLegacyProtocols,
   SetupProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
   TestHandshake(false);
 }
+
+// These tests are a no-op under OpenSSL.
+#ifdef OPENSSL_IS_BORINGSSL
+// TODO(https://bugs.webrtc.org/10261): when removing
+// SSLStreamAdapterTestDTLSLegacyProtocols that this class
+// inherits from move the code to this class.
+class SSLStreamAdapterTestDTLSExtensionPermutation
+    : public SSLStreamAdapterTestDTLSLegacyProtocols {
+ public:
+  SSLStreamAdapterTestDTLSExtensionPermutation()
+      : SSLStreamAdapterTestDTLSLegacyProtocols() {}
+};
+
+// Tests for enabling the (D)TLS extension permutation which randomizes the
+// order of extensions in the client hello.
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientDefaultServerDefault) {
+  ConfigureClient("");
+  ConfigureServer("");
+  TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientDefaultServerPermute) {
+  ConfigureClient("");
+  ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+  TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientPermuteServerDefault) {
+  ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+  ConfigureServer("");
+  TestHandshake();
+}
+
+TEST_F(SSLStreamAdapterTestDTLSExtensionPermutation,
+       ClientPermuteServerPermute) {
+  ConfigureClient("WebRTC-PermuteTlsClientHello/Enabled/");
+  ConfigureServer("WebRTC-PermuteTlsClientHello/Enabled/");
+  TestHandshake();
+}
+#endif  // OPENSSL_IS_BORINGSSL
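Review bot: None of the four new tests asserts that permutation actually took effect; each only calls `TestHandshake()`, so they prove interoperability between the trial arms but would still pass if the trial key were misspelled or the `SSL_CTX_set_permute_extensions` wiring were dropped, since a handshake with unpermuted extensions succeeds just as well. If the fixture (`ConfigureClient`/`ConfigureServer`/`TestHandshake` are defined outside the hunk) offers a way to observe the ClientHello, such as a BoringSSL message callback, a single test that captures the extension order with the trial enabled and checks it differs from the default order across a few handshakes would close that gap; if it does not, the header comment should say that these are interop-only checks. Separately, the comment `// These tests are a no-op under OpenSSL.` is slightly off, since under OpenSSL the whole block is compiled out rather than run as a no-op; `// Compiled out under OpenSSL: extension permutation is a BoringSSL-only feature.` would be more accurate. The test names describe the permutation as "(D)TLS", which presumably reflects what BoringSSL applies to DTLS ClientHellos as well; worth confirming against the BoringSSL version in use.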