diff --git a/neqo-crypto/bindings/bindings.toml b/neqo-crypto/bindings/bindings.toml
index 01a4e178ac..24bce62a7e 100644
--- a/neqo-crypto/bindings/bindings.toml
+++ b/neqo-crypto/bindings/bindings.toml
@@ -103,6 +103,7 @@ variables = [
     "SSL_ENABLE_HELLO_DOWNGRADE_CHECK",
     "SSL_SUPPRESS_END_OF_EARLY_DATA",
     "SSL_ENABLE_GREASE",
+    "SSL_ENABLE_CH_EXTENSION_PERMUTATION"
 ]
 
 [nss_ciphers]
diff --git a/neqo-crypto/src/agent.rs b/neqo-crypto/src/agent.rs
index 9f52ae663b..b3e76ca39b 100644
--- a/neqo-crypto/src/agent.rs
+++ b/neqo-crypto/src/agent.rs
@@ -408,6 +408,7 @@ impl SecretAgent {
         self.set_option(ssl::Opt::Tickets, false)?;
         self.set_option(ssl::Opt::OcspStapling, true)?;
         self.set_option(ssl::Opt::Grease, grease)?;
+        self.set_option(ssl::Opt::EnableChExtensionPermutation, true)?;
         Ok(())
     }
 
diff --git a/neqo-crypto/src/ssl.rs b/neqo-crypto/src/ssl.rs
index 3906f3482f..3dd2dbb8dd 100644
--- a/neqo-crypto/src/ssl.rs
+++ b/neqo-crypto/src/ssl.rs
@@ -46,6 +46,7 @@ pub enum Opt {
     HelloDowngradeCheck,
     SuppressEndOfEarlyData,
     Grease,
+    EnableChExtensionPermutation,
 }
 
 impl Opt {
@@ -66,6 +67,7 @@ impl Opt {
             Self::HelloDowngradeCheck => SSLOption::SSL_ENABLE_HELLO_DOWNGRADE_CHECK,
             Self::SuppressEndOfEarlyData => SSLOption::SSL_SUPPRESS_END_OF_EARLY_DATA,
             Self::Grease => SSLOption::SSL_ENABLE_GREASE,
+            Self::EnableChExtensionPermutation => SSLOption::SSL_ENABLE_CH_EXTENSION_PERMUTATION,
         };
         i as PRInt32
     }