tls: revert disable RC4 and cipher lists changes

This reverts commit 67d9a56251c4491beacb666ba5833574d0cf0d12.

This commit actually reverts both
67d9a56251c4491beacb666ba5833574d0cf0d12 and
02a549ed2b2afe85d8ff0335b6684ad54023afb7 (both related to ciphers list
changes). It does it in one commit because reverting
02a549ed2b2afe85d8ff0335b6684ad54023afb7 results in an empty commit.

These changes are not yet ready to be released, and before they are we
want to be able to publish new releases. We're reverting them so that we
can submit a new PR that will contain all these changes plus what's
necessary to be able to land them properly.

Conflicts:
	src/node.cc

PR: #25511
PR-URL: https://github.com/joyent/node/pull/25511
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

1 files changed, 6 insertions, 60 deletions

diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index 49b37106e..fbd97e88a 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -109,60 +109,6 @@ handshake extensions allowing you:
   * SNI - to use one TLS server for multiple hostnames with different SSL
     certificates.
 
-## Modifying the Default Cipher Suite
-
-Node.js is built with a default suite of enabled and disabled ciphers.
-Currently, the default cipher suite is:
-
-    ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH
-
-This default can be overridden entirely using the `--cipher-list` command line
-switch or `NODE_CIPHER_LIST` environment variable. For instance:
-
-    node --cipher-list=ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384
-
-Setting the environment variable would have the same effect:
-
-    NODE_CIPHER_LIST=ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384
-
-CAUTION: The default cipher suite has been carefully selected to reflect current
-security best practices and risk mitigation. Changing the default cipher suite
-can have a significant impact on the security of an application. The
-`--cipher-list` and `NODE_CIPHER_LIST` options should only be used if
-absolutely necessary.
-
-### Using Legacy Default Cipher Suite ###
-
-It is possible for the built-in default cipher suite to change from one release
-of Node.js to another. For instance, v0.10.39 uses a different default than
-v0.10.38. Such changes can cause issues with applications written to assume
-certain specific defaults. To help buffer applications against such changes,
-the `--enable-legacy-cipher-list` command line switch or `NODE_LEGACY_CIPHER_LIST`
-environment variable can be set to specify a specific preset default:
-
-    # Use the v0.10.38 defaults
-    node --enable-legacy-cipher-list=v0.10.38
-    // or
-    NODE_LEGACY_CIPHER_LIST=v0.10.38
-
-Currently, the values supported for the `enable-legacy-cipher-list` switch and
-`NODE_LEGACY_CIPHER_LIST` environment variable include:
-
-    v0.10.38 - To enable the default cipher suite used in v0.10.38
-
-      ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
-
-These legacy cipher suites are also made available for use via the
-`getLegacyCiphers()` method:
-
-    var tls = require('tls');
-    console.log(tls.getLegacyCiphers('v0.10.38'));
-
-CAUTION: Changes to the default cipher suite are typically made in order to
-strengthen the default security for applications running within Node.js.
-Reverting back to the defaults used by older releases can weaken the security
-of your applications. The legacy cipher suites should only be used if absolutely
-necessary.
 
 ## tls.getCiphers()
 
@@ -205,13 +151,13 @@ automatically set as a listener for the [secureConnection][] event.  The
     conjunction with the `honorCipherOrder` option described below to
     prioritize the non-CBC cipher.
 
-    Defaults to `ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH`.
+    Defaults to `AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH`.
     Consult the [OpenSSL cipher list format documentation] for details on the
     format. ECDH (Elliptic Curve Diffie-Hellman) ciphers are not yet supported.
 
 
     `AES128-GCM-SHA256` is used when node.js is linked against OpenSSL 1.0.1
-    or newer and the client speaks TLS 1.2.
+    or newer and the client speaks TLS 1.2, RC4 is used as a secure fallback.
 
     **NOTE**: Previous revisions of this section suggested `AES256-SHA` as an
     acceptable cipher. Unfortunately, `AES256-SHA` is a CBC cipher and therefore
@@ -387,7 +333,7 @@ Here is an example of a client of echo server as described previously:
       // These are necessary only if using the client certificate authentication
       key: fs.readFileSync('client-key.pem'),
       cert: fs.readFileSync('client-cert.pem'),
-
+    
       // This is necessary only if the server uses the self-signed certificate
       ca: [ fs.readFileSync('server-cert.pem') ]
     };
@@ -579,7 +525,7 @@ A ClearTextStream is the `clear` member of a SecurePair object.
 
 ### Event: 'secureConnect'
 
-This event is emitted after a new connection has been successfully handshaked.
+This event is emitted after a new connection has been successfully handshaked. 
 The listener will be called no matter if the server's certificate was
 authorized or not. It is up to the user to test `cleartextStream.authorized`
 to see if the server certificate was signed by one of the specified CAs.
@@ -604,14 +550,14 @@ some properties corresponding to the field of the certificate.
 
 Example:
 
-    { subject:
+    { subject: 
        { C: 'UK',
          ST: 'Acknack Ltd',
          L: 'Rhys Jones',
          O: 'node.js',
          OU: 'Test TLS Certificate',
          CN: 'localhost' },
-      issuer:
+      issuer: 
        { C: 'UK',
          ST: 'Acknack Ltd',
          L: 'Rhys Jones',