(PUP-2582) Update apache vhost SSL settings

Previously the apache vhost defined an SSLCipherSuite which included
several weak ciphers. This commit disables the following algorithms:
aNULL, eNULL, DES, 3DES, IDEA, SEED, DSS, PSK, RC4, MD5

Second, previously LOW, SSLv2, and EXP were removed, but not
killed from the list, which meant that they could be added again in
subsequent declarations.

Third, ALL:!ADH meant that AECDH was enabled. This commit uses !aNULL
to disable all anonymous authentication algorithms. It also explicitly
specifies !eNULL (anonymous encryption algorithms).

Fourth, we were only enabling SSLv3 and TLSv1, but not TLSv1.1 or
TLSv1.2. TLSv1.2 protects against attacks known to work against SSLv3
and TLSv1.0.

Finally, SSLHonorCipherOrder is set to on, because certain clients do
not send ciphers in the correct preferred order, and this setting will
help mitigate that problem.

Thanks to Aaron Zauner <azet@azet.org> for bringing this to our attention.
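
The "removed, but not killed" distinction and the ALL:!ADH gap described above can be checked against the local OpenSSL build. This is an added example, not code from the commit: it uses Python's ssl module, which hands the string to the same OpenSSL cipher-list parser Apache uses. The cipher strings are constructed for illustration, with AES256 standing in for LOW/SSLv2/EXP because current OpenSSL builds usually no longer ship those suites.

```python
import ssl

def enabled_suites(cipher_string):
    """Return the suite names OpenSSL enables for a cipher string (TLS 1.2 and below)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are not affected by this string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def survives(cipher_string, marker):
    """True if any enabled suite name contains `marker` (for example "AES256")."""
    return any(marker in name for name in enabled_suites(cipher_string))

def anonymous_suites(cipher_string):
    """Suites without server authentication: ADH-* and AECDH-* in OpenSSL naming."""
    return [name for name in enabled_suites(cipher_string)
            if name.startswith(("ADH-", "AECDH-"))]

if __name__ == "__main__":
    # "-" removes the suites, but a later token can add them back.
    removed = "AES:-AES256:AES256"
    # "!" kills the suites; later tokens cannot re-enable them.
    killed = "AES:!AES256:AES256"
    print("after -AES256, AES256 re-added:", survives(removed, "AES256"))
    print("after !AES256, AES256 re-added:", survives(killed, "AES256"))

    # !ADH only covers anonymous DH; anonymous ECDH (AECDH) is a separate group.
    # The first list depends on which anonymous suites the local build ships.
    print("ALL:!ADH   leaves anonymous:", anonymous_suites("ALL:!ADH"))
    print("ALL:!aNULL leaves anonymous:", anonymous_suites("ALL:!aNULL"))
```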