tls: update default ciphers to use gcm and aes128

AES-GCM or CHACHA20_POLY1305 ciphers must be used in current version of
Chrome to avoid an 'obsolete cryptography' warning.

Prefer 128 bit AES over 192 and 256 bit AES considering attacks that
specifically affect the larger key sizes but do not affect AES 128.

PR-URL: #1660
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Roman Reiss <[email protected]>

Author: Mike MacCana

doc/api/tls.markdown

@@ -141,14 +141,37 @@ automatically set as a listener for the [secureConnection][] event.  The
   - `ciphers`: A string describing the ciphers to use or exclude, seperated by
     `:`. The default cipher suite is:
 
-        ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:
-        DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:
-        HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
-
-    The default cipher suite prefers ECDHE and DHE ciphers for Perfect Forward
-    secrecy, while offering *some* backward compatibiltity. Old clients which
-    rely on insecure and deprecated RC4 or DES-based ciphers (like Internet
-    Explorer 6) aren't able to complete the handshake with the default
+        ECDHE-RSA-AES128-GCM-SHA256:
+        ECDHE-ECDSA-AES128-GCM-SHA256:
+        ECDHE-RSA-AES256-GCM-SHA384:
+        ECDHE-ECDSA-AES256-GCM-SHA384:
+        DHE-RSA-AES128-GCM-SHA256:
+        ECDHE-RSA-AES128-SHA256:
+        DHE-RSA-AES128-SHA256:
+        ECDHE-RSA-AES256-SHA384:
+        DHE-RSA-AES256-SHA384:
+        ECDHE-RSA-AES256-SHA256:
+        DHE-RSA-AES256-SHA256:
+        HIGH:
+        !aNULL:
+        !eNULL:
+        !EXPORT:
+        !DES:
+        !RC4:
+        !MD5:
+        !PSK:
+        !SRP:
+        !CAMELLIA
+
+    The default cipher suite prefers GCM ciphers for [Chrome's 'modern
+    cryptography' setting] and also prefers ECDHE and DHE ciphers for Perfect
+    Forward secrecy, while offering *some* backward compatibiltity.
+
+    128 bit AES is preferred over 192 and 256 bit AES in light of [specific
+    attacks affecting larger AES key sizes].
+
+    Old clients that rely on insecure and deprecated RC4 or DES-based ciphers
+    (like Internet Explorer 6) aren't able to complete the handshake with the default
     configuration. If you absolutely must support these clients, the
     [TLS recommendations] may offer a compatible cipher suite. For more details
     on the format, see the [OpenSSL cipher list format documentation].
@@ -784,6 +807,8 @@ The string representation of the local IP address.
 The numeric representation of the local port.
 
 [OpenSSL cipher list format documentation]: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT
+[Chrome's 'modern cryptography' setting]: http://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome
+[specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
 [BEAST attacks]: http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
 [tls.createServer]: #tls_tls_createserver_options_secureconnectionlistener
 [tls.createSecurePair]: #tls_tls_createsecurepair_context_isserver_requestcert_rejectunauthorized

lib/tls.js

@@ -15,12 +15,17 @@ exports.CLIENT_RENEG_WINDOW = 600;
 exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;
 
 exports.DEFAULT_CIPHERS = [
+  'ECDHE-RSA-AES128-GCM-SHA256',
+  'ECDHE-ECDSA-AES128-GCM-SHA256',
+  'ECDHE-RSA-AES256-GCM-SHA384',
+  'ECDHE-ECDSA-AES256-GCM-SHA384',
+  'DHE-RSA-AES128-GCM-SHA256',
+  'ECDHE-RSA-AES128-SHA256',
+  'DHE-RSA-AES128-SHA256',
   'ECDHE-RSA-AES256-SHA384',
   'DHE-RSA-AES256-SHA384',
   'ECDHE-RSA-AES256-SHA256',
   'DHE-RSA-AES256-SHA256',
-  'ECDHE-RSA-AES128-SHA256',
-  'DHE-RSA-AES128-SHA256',
   'HIGH',
   '!aNULL',
   '!eNULL',