Harden default TLS configuration (RIPD-1332, RIPD-1333, RIPD-1334):

The existing configuration includes 512- and 1024-bit DH
parameters and supports ciphers such as RC4 and 3DES and
hash algorithms like SHA-1, which are no longer considered
secure.

Going forward, use only 2048-bit DH parameters and define
a new default set of modern ciphers to use:

    HIGH:!aNULL:!MD5:!DSS:!SHA1:!3DES:!RC4:!EXPORT:!DSS

Additionally, allow administrators who wish to have different
settings to configure custom global and per-port cipher suites
in the configuration file using the `ssl_ciphers` directive.
Nik Bougalis
2016-11-21 17:22:32 -08:00
parent b00b81a861
commit 2c87739d6c
8 changed files with 119 additions and 196 deletions
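Added illustration, not part of this commit or of rippled's code base: the Python below uses the standard library's ssl module, whose set_ciphers() is a thin wrapper over the same OpenSSL SSL_CTX_set_cipher_list() call that a boost::asio::ssl::context ends up making, to show which suites the proposed default string actually selects on the local OpenSSL build and to surface the failure mode an unvalidated `ssl_ciphers` value invites: OpenSSL skips a rule whose alias it does not recognise instead of rejecting it, so a misspelt exclusion quietly leaves those suites enabled. The LEGACY_MARKERS tuple and the helper names are this example's own.

```python
"""Inspect what an OpenSSL cipher-list string really selects."""
import ssl

# Default cipher list proposed in the commit message above.
RIPPLED_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5:!DSS:!SHA1:!3DES:!RC4:!EXPORT:!DSS"

# Substrings of OpenSSL suite names that mark primitives the policy is meant
# to remove (constructed for this example; SHA-1 is detected by suffix below).
LEGACY_MARKERS = ("RC4", "MD5", "DES-CBC3", "ADH-", "AECDH-", "DSS")


def select_ciphers(policy):
    """Return the TLS <= 1.2 suite names OpenSSL selects for `policy`.

    set_ciphers() calls SSL_CTX_set_cipher_list(), so this is exactly the
    list a server built on this OpenSSL would offer. Raises ssl.SSLError
    when the policy selects nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(policy)
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3")


def violations(policy, markers=LEGACY_MARKERS):
    """Suites selected by `policy` that still use a legacy primitive.

    Suite names ending in "-SHA" use an HMAC-SHA1 MAC; SHA-256/384 suites
    end in "-SHA256"/"-SHA384" and are not flagged.
    """
    return [name for name in select_ciphers(policy)
            if any(m in name for m in markers) or name.endswith("-SHA")]


def dead_rules(policy):
    """Exclusion rules in `policy` that match no suite on this OpenSSL build.

    OpenSSL silently ignores an alias it does not know, so "!aNUL" (typo)
    is accepted and anonymous suites stay enabled. Each "!X" is tested on
    its own: if X alone selects nothing, the rule removes nothing here,
    either because it is misspelt or because the build has nothing left to
    remove (e.g. EXPORT on builds without export suites).
    """
    dead = []
    for token in policy.split(":"):
        if not token.startswith("!"):
            continue
        alias = token[1:]
        try:
            select_ciphers(alias)
        except ssl.SSLError:
            dead.append(alias)
    return dead


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("selected by default policy:", select_ciphers(RIPPLED_DEFAULT_CIPHERS))
    print("legacy suites remaining   :", violations(RIPPLED_DEFAULT_CIPHERS))
    print("rules matching nothing    :", dead_rules(RIPPLED_DEFAULT_CIPHERS))
    # A single dropped letter in an exclusion is accepted without complaint.
    typo = "HIGH:!aNUL:!MD5"
    print("typo policy, dead rules   :", dead_rules(typo))
```

Running this against the operator's configured string at startup, and logging both lists, is the check the parser in this commit does not perform; a value that selects nothing raises immediately, but a value that merely selects too much has to be inspected.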


@@ -49,6 +49,7 @@ struct Port
std::string ssl_key;
std::string ssl_cert;
std::string ssl_chain;
std::string ssl_ciphers;
std::shared_ptr<boost::asio::ssl::context> context;
// How many incoming connections are allowed on this
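Review bot: the new `std::string ssl_ciphers;` in `Port` says nothing about what it holds (an OpenSSL cipher-list string to be applied to `context`) or what an empty value means (fall back to the default named in the commit message). The neighbouring `ssl_key`/`ssl_cert`/`ssl_chain` are self-explanatory file paths; a cipher-list string is not, so a one-line comment here, e.g. `// OpenSSL cipher list; empty selects the built-in default`, would help. The application of this string to `context` is not in the visible hunks, so please confirm it happens wherever the context is built.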
@@ -81,6 +82,7 @@ struct ParsedPort
std::string ssl_key;
std::string ssl_cert;
std::string ssl_chain;
std::string ssl_ciphers;
int limit = 0;
boost::optional<boost::asio::ip::address> ip;
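Review bot: `ParsedPort::ssl_ciphers` mirrors the field added to `Port`, so the code that turns a `ParsedPort` into a `Port` (not in these hunks) has one more member to copy. A missed copy would silently leave every port on the default cipher list even when the operator configured one, which is exactly the kind of regression nobody notices; a test that sets `ssl_ciphers` in a port section and checks the value reaches the `Port` would pin this down.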


@@ -216,6 +216,7 @@ parse_Port (ParsedPort& port, Section const& section, std::ostream& log)
set(port.ssl_key, "ssl_key", section);
set(port.ssl_cert, "ssl_cert", section);
set(port.ssl_chain, "ssl_chain", section);
set(port.ssl_ciphers, "ssl_ciphers", section);
}
} // ripple
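Review bot: `set(port.ssl_ciphers, "ssl_ciphers", section);` stores whatever the operator typed with no validation, although a `std::ostream& log` is right there. OpenSSL's cipher-list parser skips tokens it does not recognise rather than rejecting them, so a misspelt exclusion such as `!aNUL` is accepted and the suites it was meant to remove stay enabled; only a list that ends up empty fails, and then at context setup rather than at config time. Consider checking the value when it is parsed (apply it to a scratch SSL_CTX and log the resulting list, or at least log that a custom list is in effect) so a misconfiguration is reported on startup instead of showing up as a weaker handshake. Separately, the default list in the commit message repeats `!DSS`; harmless, but worth trimming before it becomes the documented default.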