5f3c87e Ticket #47838 - harden the list of ciphers available by default

Authored and Committed by nhosoi 6 years ago
    Ticket #47838 - harden the list of ciphers available by default
    
    Description:
    1. Introducing a new attribute allowWeakCipher in "cn=encryption,cn=config".
       allowWeakCipher: [on | off]
                         on  -- allows weak ciphers.
                                Default setting for user specified ciphers.
                         off -- rejects weak ciphers.
                                Default setting for +all and default.
    
    2. allowWeakCipher is applied only to the user specified cipher suites
       such as "nsSSL3Ciphers: +rsa_rc4_128_md5".
       If allowWeakCipher is enabled and the user specified cipher is weak,
          SSL alert is logged in the error log:
           SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
           allowWeakCipher is "on" (default setting for the backward compatibility).
           We strongly recommend to set it to "off".  Please replace the value of
           allowWeakCipher with "off" in the encryption config entry cn=encryption,
           cn=config and restart the server.
    
    3. If specified cipher suite is not supported, ignore the cipher suite
       and continue setting ciphers.
    
    https://fedorahosted.org/389/ticket/47838
    
    Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
    
        
file modified
+2 -1
file modified
+160 -102