Description
What is the problem this feature will solve?
We would like to modify the default ciphers on startup, unless the user has overridden with --tls-cipher-list. So for example on startup, we'll compare tls.DEFAULT_CIPHERS against crypto.constants.defaultCoreCipherList and if they're the same (the user hasn't overridden on command line) then we might want to
tls.DEFAULT_CIPHERS = tls.DEFAULT_CIPHERS+'!AES128-SHA:!AES128-SHA256:!AES256-SHA:!AES256-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!TLS_AES_128_GCM_SHA256:!TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA384:!kRSA'
to remove some older / weaker ciphers.
This also means we can customise the modification to remove more things, but still get the benefit of any new, stronger ciphers added.
What is the feature you are proposing to solve the problem?
We can do it today using the above method, but because tls.DEFAULT_CIPHERS isn't documented it's implied that you may remove it in the future, I'm asking for it to be documented.
What alternatives have you considered?
We could build and set crypto.constants.defaultCoreCipherList ourselves, but when we then upgrade we would need to re-review the cipher list to add in any new ciphers to our "blessed" list. Using the above method is more dynamic and easier to change (i.e. we don't need to rebuild).