Disable SSLv3 by default in SOAP client

Description

We need to turn off SSL3 in the default curl config.

Environment

None

Activity

Scott Cantor January 20, 2015 at 2:46 PM

Scott Cantor January 20, 2015 at 2:44 PM

Thanks for the review. I'll revert the cipher change but leave SSL3 completely off in the handshake.

Ian Young January 20, 2015 at 12:25 PM

> Ian, is it unacceptable to disable SSL3 entirely, or does this need to be an option?

I think it's acceptable to disable the SSLv3 protocol entirely. The only circumstances in which that would cause an issue would be an IdP which supported back-channel queries but did not support TLSv1.0, which seems like an implausible combination even for quite old IdPs.

> I also added !SSLv3 to the cipher list, but that is controllable (and I'll expose an explicit option for that in a future minor rev).

It's my recollection that SSLv3 and TLSv1.0 share a list of cipher suites, so saying !SSLv3 in the cipher suite list also disables TLSv1.0 unintentionally. So, that would be bad as it would require IdPs to support TLSv1.1 or TLSv1.2 which isn't broadly the case yet.

I did a quick search and found this:

http://security.stackexchange.com/questions/70832/why-doesnt-the-tls-protocol-work-without-the-sslv3-ciphersuites
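
The cipher-string pitfall Ian describes, checked against OpenSSL's own parser. This is an added example, not code from the Shibboleth SP or libcurl: it uses Python's ssl module, which hands the string to the same OpenSSL cipher-list routine, so the protocol label on each surviving suite is OpenSSL's. OpenSSL 1.0.x (current when this ticket was filed) tagged every pre-TLS 1.2 suite as SSLv3, so `!SSLv3` left a TLS 1.0 peer nothing to choose; OpenSSL 1.1.0 and later tag the ECDHE SHA-1 suites TLSv1.0 instead, which is why the block also shows `!TLSv1.0`.

```python
import ssl

# Added example (not Shibboleth SP or libcurl code). Python's ssl module passes
# the cipher string to OpenSSL's SSL_CTX_set_cipher_list, so what survives is
# exactly what libcurl's CURLOPT_SSL_CIPHER_LIST would leave a connection.

def suites_by_protocol(cipher_string):
    """Map each protocol label OpenSSL attaches to a suite ('SSLv3', 'TLSv1.0',
    'TLSv1.2', 'TLSv1.3') to the names of the suites that survive cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises SSLError if nothing survives
    out = {}
    for suite in ctx.get_ciphers():
        out.setdefault(suite["protocol"], []).append(suite["name"])
    return out

def pre_tls12_peer_can_negotiate(cipher_string):
    """A TLS 1.0 or 1.1 peer can only use suites tagged SSLv3 or TLSv1.0 (the
    label is the version that first defined the suite; TLS 1.1 added none).
    With none left, the handshake fails with 'no shared cipher' even though
    the protocol version itself is still enabled."""
    tags = set(suites_by_protocol(cipher_string))
    return bool(tags & {"SSLv3", "TLSv1.0"})

def client_context_no_sslv3():
    """What the ticket settles on: switch off the SSLv3 *protocol* at the
    OpenSSL layer and leave the cipher list alone, so TLS 1.0 peers still work."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # SSLv3 (and SSLv2) off
    ctx.set_ciphers("DEFAULT")                   # no "!SSLv3" entry here
    return ctx

if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT:!SSLv3", "DEFAULT:!SSLv3:!TLSv1.0"):
        counts = {tag: len(names) for tag, names in suites_by_protocol(spec).items()}
        print(f"{spec:28} {counts}  pre-TLS1.2 peer OK: "
              f"{pre_tls12_peer_can_negotiate(spec)}")
    print("minimum version:", client_context_no_sslv3().minimum_version.name)
```

Run it against the OpenSSL your libcurl links to see how many suites the `!SSLv3` entry would strip there.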

Scott Cantor January 19, 2015 at 11:55 PM

Ian, is it unacceptable to disable SSL3 entirely, or does this need to be an option?

The way I've been doing this for SSL2 is at the OpenSSL layer, so that it applies regardless of libcurl settings or ambiguity over what various options mean (like we see with Tomcat and all the accumulated options with different meanings). But it's not exposed as an option to override.

I also added !SSLv3 to the cipher list, but that is controllable (and I'll expose an explicit option for that in a future minor rev).

If I have to disable SSL3 conditionally, I'll need to add an option now just to make it safe to disable.

Fixed
Details

Created January 19, 2015 at 8:55 PM
Updated March 20, 2015 at 12:33 AM
Resolved January 20, 2015 at 2:46 PM