tls: Use a default prio string disabling TLS1.0 forcing min 128bits

Fixes #4010

Unless user sets this explicitly, we should try explicitly avoid
deprecated protocol versions. While gnutls should do this for
connections initiated thusly, clients such as drivers etc might
use obsolete versions.

Message-Id: <20190107131513.30197-1-calle@scylladb.com>

db/config.cc

@@ -102,6 +102,8 @@ db::config::config()
 db::config::~config()
 {}
 
+const sstring db::config::default_tls_priority("SECURE128:-VERS-TLS1.0");
+
 namespace utils {
 
 template<>

db/config.hh

@@ -762,6 +762,8 @@ public:
     add_options(boost::program_options::options_description_easy_init&);
 
     const db::extensions& extensions() const;
+
+    static const sstring default_tls_priority;
 private:
     template<typename T>
     struct log_legacy_value : public named_value<T, value_status::Used> {

init.cc

@@ -105,6 +105,8 @@ void init_ms_fd_gossiper(sharded<gms::feature_service>& features
             creds->set_x509_trust_file(ms_trust_store, x509_crt_format::PEM).get();
         }
 
+        creds->set_priority_string(db::config::default_tls_priority);
+
         if (!ms_tls_prio.empty()) {
             creds->set_priority_string(ms_tls_prio);
         }

service/storage_service.cc

@@ -2166,6 +2166,7 @@ future<> storage_service::start_native_transport() {
                     auto cred = std::make_shared<seastar::tls::credentials_builder>();
 
                     cred->set_dh_level(seastar::tls::dh_params::level::MEDIUM);
+                    cred->set_priority_string(db::config::default_tls_priority);
 
                     if (ceo.count("priority_string")) {
                         cred->set_priority_string(ceo.at("priority_string"));