Ticket #47838 - harden the list of ciphers available by default
Description:
1. Introducing a new attribute allowWeakCipher in "cn=encryption,cn=config".
   allowWeakCipher: [on | off]
     on  -- allows weak ciphers.
            Default setting for user specified ciphers.
     off -- rejects weak ciphers.
            Default setting for +all and default.
2. allowWeakCipher is applied only to the user specified cipher suites
   such as "nsSSL3Ciphers: +rsa_rc4_128_md5".
   If allowWeakCipher is enabled and the user specified cipher is weak,
   an SSL alert is logged in the error log:
     SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
     allowWeakCipher is "on" (default setting for the backward compatibility).
     We strongly recommend to set it to "off". Please replace the value of
     allowWeakCipher with "off" in the encryption config entry cn=encryption,
     cn=config and restart the server.
3. If a specified cipher suite is not supported, ignore the cipher suite
   and continue setting ciphers.
https://fedorahosted.org/389/ticket/47838
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
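
An added example, not part of the commit or the project's code: a small log check that finds the weak-cipher alert described in item 2 and lists which ciphers are still enabled through allowWeakCipher. The sample log lines, their timestamp prefix and the name `example_cipher_name` are constructed for illustration.

```python
import re
from collections import Counter

# Alert text as quoted in the commit message. The pattern does not depend on
# the timestamp prefix, which is an assumption about the error-log layout.
WEAK_ALERT = re.compile(r"SSL alert: Cipher (?P<cipher>\S+) is weak\.")
ENABLED_MARKER = 'allowWeakCipher is "on"'

# Constructed sample error-log lines (not from a real server).
SAMPLE_LOG = """\
[01/Jan/2015:10:00:00 +0000] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility).
[01/Jan/2015:10:00:00 +0000] - SSL alert: Cipher example_cipher_name is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility).
[01/Jan/2015:10:00:01 +0000] - constructed unrelated log line
[02/Jan/2015:09:30:00 +0000] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility).
"""


def weak_ciphers_enabled(log_text):
    """Count alerts per cipher that is weak but enabled via allowWeakCipher."""
    hits = Counter()
    for line in log_text.splitlines():
        match = WEAK_ALERT.search(line)
        # Only count lines that also say the cipher was left enabled.
        if match and ENABLED_MARKER in line:
            hits[match.group("cipher")] += 1
    return hits


def report(log_text):
    """Return one remediation line per weak cipher found in the log."""
    return [
        f"{cipher}: {count} alert(s); set allowWeakCipher: off in "
        "cn=encryption,cn=config and restart the server"
        for cipher, count in sorted(weak_ciphers_enabled(log_text).items())
    ]


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```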