Update default ciphers

[oberstet]

Deprecate SHA1 and use the following ciphers per default:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256

Filtered output of openssl ciphers -tls1 according to these criteria:

• SHA256 or SHA384 only
• only use ciphers with perfect forward secrecy (ECDHE, DHE)
• only use RSA
• prefer GCM over CBC
• only use AES256 or AES128

This leave exactly 8 ciphers as above.

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/43745375-update-default-ciphers?utm_campaign=plugin&utm_content=tracker%2F462544&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F462544&utm_medium=issues&utm_source=github).

[oberstet]

Above provides A+ rating (100/100/90/90) on https://www.ssllabs.com

[oberstet]

You will need RSA certs with 4096 bits key length, and DH params of 4096 bits as well. Plus HSTS and a valid cert chain.