#60 configuration issues preventing perfect score on ssllabs.com test

[Mark Roseman]

Running the (very useful) SSL server test at ssllabs.com against https://www.tcl.tk gives a grade of C; see attachment for details.

Disabling ssl3 (i.e. -ssl3 0) and providing a different set of ciphers (e.g. -cipher; several different recommended sets can be found at https://alexcreek.com/apache-ssl-configuration-snippets.html) can bring the grade up to an A-.

However, it looks like we'd need to add one option to the code to enable forward secrecy, which I presume would bring us up to an A, that is SSL_OP_CIPHER_SERVER_PREFERENCE (added in OpenSSL 0.9.7; this is what Apache's SSLHonorCipherOrder maps to), which specifies that the server, not the client decides the preferred order of ciphers. This appears to be a legitimate case to add a new option rather than hardcoding it in (note that this flag isn't part of SSL_OP_ALL).

Assuming this s far as implementing these three options, is it best to start with defaults that give us an 'A' out of the box, stick with the OpenSSL defaults and probably document the changes to make (which Apache etc. do, but they may have more concerns with backwards and forwards compatibility?)