
Adjust TLS defaults to implement RFC 9325

Open mpg opened this issue 2 years ago • 1 comment

Suggested enhancement

RFC 9325 is the latest Best Current Practices document regarding TLS and DTLS. It makes recommendations about which mechanisms should be preferred and which should be avoided when using (D)TLS, especially 1.2.

We should adjust our defaults in order to match these recommendations:

  • default preference list should have the RFC preferred items first;
  • things that the RFC recommends against should be disabled by default at compile-time and/or runtime, ideally both (or removed from the code base entirely).

Since adjusting defaults could break existing code, we can't do this in a minor version unless there's a pressing security reason, so most of this will have to wait for Mbed TLS 4.0.

Justification

Mbed TLS needs this because we want our users to be secure by default.

mpg avatar Jun 02 '23 08:06 mpg

Quick review of the RFC:

  • [x] MUST NOT negotiate (D)TLS 1.1 or lower - already removed from the code base in 3.0.
  • [x] SHOULD support TLS 1.3 and MUST prefer it - ~currently it's disabled in the default config~ [edit: enabled since 3.6.0] and when it's enabled we prefer it.
  • [x] SHOULD support (D)TLS 1.3 - out of scope here, will be its own series of EPICs.
  • [x] SHOULD NOT support TLS-level compression - already removed in 3.0
  • [ ] resumption - I think we already implement all the recommendations, should double-check though
  • [ ] renego - I think we already implement all the recommendations, should double-check though
  • [ ] SNI - MUST support OK, the rest should be checked
  • [ ] ALPN - MUST support OK, the rest should be checked
  • [ ] NULL ciphersuites: MUST NOT negotiate - compile-time disabled by default, but still available and used - but we should make them also disabled by default at runtime (even when enabled at compile-time) to reduce the risk of accidental use.
  • [x] RC4 ciphersuites: MUST NOT negotiate - already removed from the code base in 3.0.
  • [x] MUST NOT negotiate cipher suites offering less than 112 bits of security - we only had single-DES, ciphersuites already removed in 3.0.
  • [x] SHOULD NOT negotiate cipher suites that use algorithms offering less than 128 bits of security - we only had 3DES, ciphersuites already removed in 3.0.
  • [ ] SHOULD NOT negotiate RSA key exchange - we're considering removing it entirely, otherwise we should disable it by default at compile-time and runtime and mark as deprecated.
  • [ ] SHOULD NOT negotiate static (EC)DH key exchange - we've never implemented static DH, but we do support static ECDH. It's currently enabled by default, so should be disabled by default at compile-time and runtime.
  • [ ] SHOULD NOT negotiate DHE key exchange - we're planning on removing it entirely, otherwise we should disable it by default at compile-time and runtime and mark as deprecated.
  • [x] MUST support and prefer forward secrecy - we already do.
  • [ ] SHOULD not use CBC ciphersuite unless EtM is used - not so easy to implement, ideally removing CBC entirely would be nice but perhaps not possible. If we can't remove, should create a new config option for that (currently they're controlled by MBEDTLS_CIPHER_MODE_CBC), disabled by default.
  • [ ] SHOULD include/prefer TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - we use a ChachaPoly ciphersuite instead, and I think we should keep doing so unless our AES implementation has been improved.
  • [x] SHOULD include the "Supported Elliptic Curves Extension" - we do
  • [x] SHOULD support NIST P‑256 and X25519 - we do
  • [ ] ECPointFormatList MUST contain a single element, "uncompressed" - I think that's the case, let's double-check
  • [ ] Limits on key usage - I don't think we have anything, so this seems to go beyond config
  • [ ] Key sizes - for RSA out of our control, for DH irrelevant if we remove it, otherwise should enforce the minimum
  • [ ] Curves of less than 224 bits MUST NOT be used - we're considering removing them entirely, otherwise should just exclude them from the default list.
  • [x] SHA-1 or MD5 MUST NOT be used - that's already the case
  • [x] MUST NOT use the Truncated HMAC - already removed in 3.0

mpg avatar Jun 02 '23 09:06 mpg
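The checklist above maps RFC 9325 onto ciphersuite properties (forward secrecy, NULL/RC4/DES/3DES, RSA and static (EC)DH key exchange, DHE, CBC without encrypt-then-MAC). As an added example, not Mbed TLS code and not part of this issue, the script below audits a configured (D)TLS 1.2 preference list against those same points by classifying suite names syntactically. It accepts IANA spellings (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`) and the hyphenated Mbed TLS spelling; the sample list, the `Verdict` type and the `encrypt_then_mac` flag (whether the RFC 7366 extension is guaranteed for CBC suites) are this example's own assumptions, and the reason strings paraphrase the checklist rather than quoting RFC section numbers.

```python
"""Audit a (D)TLS 1.2 ciphersuite preference list against the RFC 9325
points listed in the issue. Added example, not Mbed TLS code."""
import re
from dataclasses import dataclass, field


@dataclass
class Verdict:
    name: str
    forward_secret: bool = False
    aead: bool = False
    must_not: list = field(default_factory=list)    # hard failures (MUST NOT)
    should_not: list = field(default_factory=list)  # SHOULD NOT items

    @property
    def allowed(self) -> bool:
        return not self.must_not and not self.should_not


# IANA / Mbed TLS names are TLS_<key exchange>_WITH_<cipher>_<hash>
_SUITE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")


def audit_suite(name: str, encrypt_then_mac: bool = False) -> Verdict:
    """Classify one ciphersuite name by key exchange and record cipher."""
    n = name.strip().upper().replace("-", "_")
    v = Verdict(name)
    m = _SUITE.match(n)
    if not m:
        v.must_not.append("unrecognised ciphersuite name")
        return v
    kx, cipher = m.group("kx"), m.group("cipher")

    # Key exchange: only ECDHE is both forward secret and not discouraged.
    if kx.startswith("ECDHE_"):
        v.forward_secret = True
    elif kx.startswith("DHE_"):
        v.forward_secret = True
        v.should_not.append("DHE key exchange (finite-field DH)")
    elif "ANON" in kx:
        v.must_not.append("anonymous key exchange: no peer authentication")
    elif kx.startswith("ECDH_"):
        v.should_not.append("static ECDH key exchange (no forward secrecy)")
    elif kx.startswith("DH_"):
        v.should_not.append("static DH key exchange (no forward secrecy)")
    elif kx == "RSA":
        v.should_not.append("RSA key exchange (no forward secrecy)")
    else:  # PSK, SRP, RSA_PSK, export variants: no forward secrecy as named
        v.should_not.append(f"{kx} key exchange offers no forward secrecy")

    # Record protection: NULL, RC4 and <112-bit ciphers are MUST NOT,
    # 3DES and CBC-without-EtM are SHOULD NOT, AEAD suites are preferred.
    if "NULL" in cipher:
        v.must_not.append("NULL encryption")
    if "RC4" in cipher:
        v.must_not.append("RC4")
    if (re.search(r"(?<![0-9])DES_", cipher)   # single DES, not 3DES
            or "DES40" in cipher or "RC2" in cipher or "EXPORT" in kx):
        v.must_not.append("less than 112 bits of security")
    if "3DES" in cipher:
        v.should_not.append("3DES offers less than 128 bits of security")
    if "_CBC_" in cipher:
        if not encrypt_then_mac:
            v.should_not.append("CBC without encrypt-then-MAC")
    elif any(t in cipher for t in ("GCM", "CCM", "POLY1305")):
        v.aead = True
    return v


def audit_list(names, encrypt_then_mac: bool = False):
    """Return (preferred, rejected): allowed suites with AEAD ones moved to
    the front (input order otherwise), and name -> reasons for the rest."""
    kept, rejected = [], {}
    for n in names:
        v = audit_suite(n, encrypt_then_mac)
        if v.allowed:
            kept.append(v)
        else:
            rejected[n] = v.must_not + v.should_not
    kept.sort(key=lambda v: not v.aead)  # stable sort: AEAD first
    return [v.name for v in kept], rejected


# Constructed sample list mixing IANA and Mbed TLS spellings.
SAMPLE = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    preferred, rejected = audit_list(SAMPLE)
    print("preferred order:", *preferred, sep="\n  ")
    for name, reasons in rejected.items():
        print(f"reject {name}: {'; '.join(reasons)}")
```

Running it on the sample keeps only the two ECDHE AEAD suites; passing `encrypt_then_mac=True` additionally keeps the ECDHE CBC suite, ranked after the AEAD ones, while the 3DES suite stays rejected on key-size grounds.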