Remove weak TLS cipher suites

[smerkviladze]

- What I did

• Added a new strongTLSCiphers list defining a secure, modern set of TLS cipher suites.
• Removed weak and deprecated algorithms (CBC-mode ciphers) by only allowing AES-GCM and ChaCha20-Poly1305.
• Updated both server and client TLS configurations to use strongTLSCiphers.

- How I did it

• Created the strongTLSCiphers variable containing only secure ciphers.
• Configured NewServerTLSConfig and NewClientTLSConfig to use a clone of strongTLSCiphers via CipherSuites.

- How to test it

• Before enforcing strong TLS ciphers, weak CBC-mode ciphers were allowed, for example:
  • https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/
  • https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/

➜  swarmkit git:(master) ✗ nmap --script ssl-enum-ciphers -p 4242 127.0.0.1          
Starting Nmap 7.98 ( https://nmap.org/ ) at 2025-10-03 15:54 +0400
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT     STATE SERVICE
4242/tcp open  vrml-multi-use
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

• Verify that, after applying strongTLSCiphers, only secure ciphers are enabled and all weak CBC-mode ciphers are removed:

➜  swarmkit git:(master) ✗ nmap --script ssl-enum-ciphers -p 4242 127.0.0.1  
Starting Nmap 7.98 ( https://nmap.org/ ) at 2025-10-03 19:24 +0400
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT     STATE SERVICE
4242/tcp open  vrml-multi-use
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

- Description for the changelog

Removed weak TLS cipher suites and allowed only modern, secure ciphers.

[crazy-max]

Why this got merged with broken CI?

3.641 level=error msg="Running error: 1 error occurred:\n\t* can't run linter goanalysis_metalinter: inspect: failed to load package : could not load export data: no export data for \"slices\"\n\n"

slices package was introduced in Go 1.21 and swarmkit currently builds with Go 1.18