Configure 389ds with "default" cipher suite

nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS

https://fedorahosted.org/freeipa/ticket/5684

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>

install/updates/20-sslciphers.update

@@ -1,6 +1,6 @@
 # change configured ciphers
-# the result of this update will be that all ciphers
-# provided by NSS which ar not weak will be enabled
+# the result of this update will be that default ciphers
+# provided by DS which are not weak will be enabled
 dn: cn=encryption,cn=config
-only:nsSSL3Ciphers: +all
+only:nsSSL3Ciphers: default
 addifnew:allowWeakCipher: off

ipaserver/install/dsinstance.py

@@ -777,7 +777,7 @@ class DsInstance(service.Service):
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
                (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
@@ -1240,7 +1240,7 @@ class DsInstance(service.Service):
         conn.do_external_bind('root')
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
                (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)