OpenSSL: deprecate Mozilla TLS Server recommendation

We shouldn't hardcode a list of ciphers. It should always be a
configurable list of ciphers. Furthermore, restricting the ciphers is
only part of the security recommendations: TLS methods, curves and so on
must also be considered.

This patch deprecates the constants, and makes the related methods as
NOOP since they didn't work as expected on OpenSSL 1.1 and later, as
they only changes the cipher suites for TLS v1.3 (identical to default)
and didn't change the ciphers list for TLS v1.2 and below (oops).

scripts/generate_ssl_server_defaults.cr

@@ -56,6 +56,7 @@ File.open(DEFAULTS_FILE, "w") do |file|
       # available at #{guidelines.href}.
       #
       # See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
+      @[Deprecated("Deprecated with no replacement. Prefer setting a security level, global system configuration, or build your own from #{url}")]
       CIPHERS_#{level.upcase} = "#{all_ciphers.join(":")}"
 
       # The list of secure ciphersuites on **#{level}** compatibility level as per Mozilla
@@ -68,6 +69,7 @@ File.open(DEFAULTS_FILE, "w") do |file|
       # available at #{guidelines.href}.
       #
       # See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
+      @[Deprecated("Deprecated with no replacement. Prefer setting a security level, global system configuration, or build your own from #{url}")]
       CIPHER_SUITES_#{level.upcase} = "#{ciphersuites.join(":")}"
     CRYSTAL
   end

src/openssl/ssl/context.cr

@@ -320,36 +320,27 @@ abstract class OpenSSL::SSL::Context
   end
 
   # Sets the current ciphers and ciphers suites to **modern** compatibility level as per Mozilla
-  # recommendations. See `CIPHERS_MODERN` and `CIPHER_SUITES_MODERN`. See `#security_level=` for some
-  # sensible system configuration.
+  # recommendations. See `#security_level=` for some sensible system configuration.
+  #
+  # Does nothing as per Crystal 1.13.
+  @[Deprecated("Deprecated with no replacement. Prefer #security_level, global system configuration or build your own from https://wiki.mozilla.org/Security/Server_Side_TLS")]
   def set_modern_ciphers
-    {% if LibSSL.has_method?(:ssl_ctx_set_ciphersuites) %}
-      self.cipher_suites = CIPHER_SUITES_MODERN
-    {% else %}
-      self.ciphers = CIPHERS_MODERN
-    {% end %}
   end
 
   # Sets the current ciphers and ciphers suites to **intermediate** compatibility level as per Mozilla
-  # recommendations. See `CIPHERS_INTERMEDIATE` and `CIPHER_SUITES_INTERMEDIATE`. See `#security_level=` for some
-  # sensible system configuration.
+  # recommendations. See `#security_level=` for some sensible system configuration.
+  #
+  # Does nothing as per Crystal 1.13.
+  @[Deprecated("Deprecated with no replacement. Prefer #security_level, global system configuration or build your own from https://wiki.mozilla.org/Security/Server_Side_TLS")]
   def set_intermediate_ciphers
-    {% if LibSSL.has_method?(:ssl_ctx_set_ciphersuites) %}
-      self.cipher_suites = CIPHER_SUITES_INTERMEDIATE
-    {% else %}
-      self.ciphers = CIPHERS_INTERMEDIATE
-    {% end %}
   end
 
   # Sets the current ciphers and ciphers suites to **old** compatibility level as per Mozilla
-  # recommendations. See `CIPHERS_OLD` and `CIPHER_SUITES_OLD`. See `#security_level=` for some
-  # sensible system configuration.
+  # recommendations. See `#security_level=` for some sensible system configuration.
+  #
+  # Does nothing as per Crystal 1.13.
+  @[Deprecated("Deprecated with no replacement. Prefer #security_level, global system configuration or build your own from https://wiki.mozilla.org/Security/Server_Side_TLS")]
   def set_old_ciphers
-    {% if LibSSL.has_method?(:ssl_ctx_set_ciphersuites) %}
-      self.cipher_suites = CIPHER_SUITES_OLD
-    {% else %}
-      self.ciphers = CIPHERS_OLD
-    {% end %}
   end
 
   # Returns the security level used by this TLS context.