Ticket #47838 - harden the list of ciphers available by default
Description:
Directory Server used to maintain the supported cipher suite list.
This patch abandons the table and retrieve the list dynamically
from NSS using its API SSL_GetImplementedCiphers.
We still keeps a lookup table _lookup_cipher to find out a name
defined in NSS from the old cipher name for the backward compatibility.
E.g. "rc4" --> "SSL_CK_RC4_128_WITH_MD5".
Changes on the value of nsSSL3Ciphers:
. If "+all" is included in the value of nsSSL3Ciphers, enable all
ciphers first, then disable specified ciphers starting with "-".
Otherwise (without "+all"), disable all the ciphers first, then
enable specified ciphers starting with "+".
. Introduced a keyword "default" for nsSSL3Ciphers. If the config
attribute nsSSL3Ciphers does not exist, the value is empty or the
value is "default", the default cipher set is enabled.
The enabled ciphers are logged in the error log as follows:
[..] - SSL alert: Configured NSS Ciphers
[..] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[..] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
If specified ciphers are weak or very weak, the cipher is logged
with (WEAK CIPHER) or (MUST BE DISABLED) as follows:
[..] - SSL alert: Configured NSS Ciphers
[..] - SSL alert: TLS_DHE_DSS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[..] - SSL alert: TLS_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
To log all the available ciphers, set log level to CONFIG
(SLAPI_LOG_CONFIG). Then, all the ciphers are logged.
See also http://directory.fedoraproject.org/wiki/NSS_Ciphers
https://fedorahosted.org/389/ticket/47838
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)