13c0d2f Ticket #47838 - harden the list of ciphers available by default

Authored and Committed by nhosoi 9 years ago
    Ticket #47838 - harden the list of ciphers available by default
    
    Description:
    Directory Server used to maintain the supported cipher suite list.
    This patch abandons the table and retrieves the list dynamically
    from NSS using its API SSL_GetImplementedCiphers.
    
    We still keep a lookup table _lookup_cipher to find the name
    defined in NSS from the old cipher name for backward compatibility.
    E.g. "rc4" --> "SSL_CK_RC4_128_WITH_MD5".
    
    Changes on the value of nsSSL3Ciphers:
    . If "+all" is included in the value of nsSSL3Ciphers, enable all
    ciphers first, then disable specified ciphers starting with "-".
    Otherwise (without "+all"), disable all the ciphers first, then
    enable specified ciphers starting with "+".
    . Introduced a keyword "default" for nsSSL3Ciphers.  If the config
    attribute nsSSL3Ciphers does not exist, the value is empty, or the
    value is "default", the default cipher set is enabled.
    
    The enabled ciphers are logged in the error log as follows:
     [..] - SSL alert: Configured NSS Ciphers
     [..] - SSL alert:   TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
     [..] - SSL alert:   TLS_RSA_WITH_AES_128_CBC_SHA: enabled
    
    If specified ciphers are weak or very weak, the cipher is logged
    with (WEAK CIPHER) or (MUST BE DISABLED) as follows:
     [..] - SSL alert: Configured NSS Ciphers
     [..] - SSL alert:   TLS_DHE_DSS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
     [..] - SSL alert:   TLS_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
    
    To log all the available ciphers, set the log level to CONFIG
    (SLAPI_LOG_CONFIG).  Then, all the ciphers are logged.
    
    See also http://directory.fedoraproject.org/wiki/NSS_Ciphers
    
    https://fedorahosted.org/389/ticket/47838
    
    Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
    
file modified
+271 -130
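The nsSSL3Ciphers semantics described in the commit message, modelled as an added example in C; this is not code from the 389 Directory Server patch. It assumes a constructed five-entry cipher table standing in for the list SSL_GetImplementedCiphers returns, assigns the strength classes (strong, weak, null) as illustrative labels rather than NSS's own classification, keeps only the "rc4" alias from the message in a hypothetical lookup_cipher(), and adds one policy of its own: a "(MUST BE DISABLED)" suite is never enabled, and a weak suite is enabled only when named explicitly with "+".

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed cipher table standing in for SSL_GetImplementedCiphers().
 * The strength classes are this example's labels, not NSS's. */
enum strength { STRONG, WEAK, NULL_CIPHER };
struct suite { const char *name; enum strength strength; int in_default; };

static const struct suite suites[] = {
    { "TLS_RSA_WITH_AES_128_GCM_SHA256", STRONG,      1 },
    { "TLS_RSA_WITH_AES_128_CBC_SHA",    STRONG,      1 },
    { "TLS_DHE_DSS_WITH_DES_CBC_SHA",    WEAK,        0 },
    { "SSL_CK_RC4_128_WITH_MD5",         WEAK,        0 },
    { "TLS_RSA_WITH_NULL_SHA",           NULL_CIPHER, 0 },
};
#define NSUITES (sizeof suites / sizeof suites[0])

/* Hypothetical stand-in for the patch's _lookup_cipher table: maps an old
 * cipher name to its NSS name. Only the "rc4" alias comes from the message. */
static const char *lookup_cipher(const char *old) {
    if (strcasecmp(old, "rc4") == 0) return "SSL_CK_RC4_128_WITH_MD5";
    return old;
}

/* Index of a suite by old or NSS name, or -1 if unknown. */
static int find_suite(const char *name) {
    const char *nss = lookup_cipher(name);
    for (size_t i = 0; i < NSUITES; i++)
        if (strcasecmp(suites[i].name, nss) == 0) return (int)i;
    return -1;
}

/* Apply an nsSSL3Ciphers value to enabled[] (one flag per suite).
 * Missing/empty/"default" -> the default set. With "+all" -> enable all
 * strong suites, then honour "-name" tokens. Without "+all" -> disable all,
 * then honour "+name" tokens (null suites are refused even if requested).
 * Returns the number of enabled suites, or -1 on a malformed/unknown token. */
int apply_cipher_spec(const char *spec, int enabled[]) {
    char buf[256];
    int all = 0, n = 0;
    size_t i;

    if (spec == NULL || *spec == '\0' || strcasecmp(spec, "default") == 0) {
        for (i = 0; i < NSUITES; i++) { enabled[i] = suites[i].in_default; n += enabled[i]; }
        return n;
    }
    if (strlen(spec) >= sizeof buf) return -1;

    /* Pass 1: does the value contain "+all"? */
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        while (*tok == ' ') tok++;
        if (strcasecmp(tok, "+all") == 0) all = 1;
    }

    /* Start state: strong suites on under "+all", everything off otherwise. */
    for (i = 0; i < NSUITES; i++) enabled[i] = all && suites[i].strength == STRONG;

    /* Pass 2: apply the signed tokens that the current mode honours. */
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int idx;
        while (*tok == ' ') tok++;
        if (strcasecmp(tok, "+all") == 0) continue;
        if (tok[0] != '+' && tok[0] != '-') return -1;
        idx = find_suite(tok + 1);
        if (idx < 0) return -1;
        if (all && tok[0] == '-') enabled[idx] = 0;
        else if (!all && tok[0] == '+' && suites[idx].strength != NULL_CIPHER) enabled[idx] = 1;
    }
    for (i = 0; i < NSUITES; i++) n += enabled[i];
    return n;
}

/* Flag for one suite (by old or NSS name) in a computed enabled[] array. */
int is_enabled(const int enabled[], const char *name) {
    int idx = find_suite(name);
    return idx < 0 ? 0 : enabled[idx];
}

/* Emit the "Configured NSS Ciphers" report in the format the message shows. */
void log_ciphers(const int enabled[]) {
    printf("SSL alert: Configured NSS Ciphers\n");
    for (size_t i = 0; i < NSUITES; i++) {
        const char *tag = suites[i].strength == WEAK        ? ", (WEAK CIPHER)"
                        : suites[i].strength == NULL_CIPHER ? ", (MUST BE DISABLED)" : "";
        printf("SSL alert:   %s: %s%s\n", suites[i].name, enabled[i] ? "enabled" : "disabled", tag);
    }
}

int main(void) {
    int enabled[NSUITES];
    const char *specs[] = { "default", "+all,-TLS_RSA_WITH_AES_128_CBC_SHA", "+rc4,+TLS_RSA_WITH_NULL_SHA" };
    for (size_t i = 0; i < 3; i++) {
        printf("nsSSL3Ciphers: %s -> %d enabled\n", specs[i], apply_cipher_spec(specs[i], enabled));
        log_ciphers(enabled);
    }
    return 0;
}
```

Running the block prints the three reports; the null cipher stays "disabled, (MUST BE DISABLED)" in every mode, and the RC4 alias is resolved to its NSS name before being looked up.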