Per @ewindisch, removing the CBC ciphers from the client preferred TLS
cipher suites. This will allow a future version of the server to also
remove the CBC ciphers from the accepted list.
This changes the server default to client + additional CBC cipher list,
and client default to the non-CBC ciphers.
Also, cipher order preference is modified so that best and highest-bit count
ciphers are most preferred.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This patch creates a new `tlsconfig` package to handle creation of
secure-enough TLS configurations for clients and servers.
The package was created by refactoring TLS code in the client and the
daemon. After this patch, it is expected that all code creating TLS
configurations use this `tlsconfig` package for greater security,
consistency and readability.
On the server side, this fixes a bug where --tlsverify was not taken
into account. Now, if specified, it will require the client to
authenticate.
Signed-off-by: Tibor Vass <tibor@docker.com>