[XrdHttp] Enable elliptic-curve support for OpenSSL 1.0.2+

[jthiltges]

ECC support is automatically enabled in OpenSSL 1.1+, but must be initialized in 1.0.

From quick testing on CentOS 7, this seems to resolve #1149 for me. Results from HTTPS connections to various versions:

• 4.11.2:
  • Protocol : TLSv1.2
  • Cipher : AES256-GCM-SHA384
• 4.11.3rc1:
  • Client: SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
  • Server: SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435
• 4.11.3rc1 with this PR:
  • Protocol : TLSv1.2
  • Cipher : ECDHE-RSA-AES256-GCM-SHA384

[abh3]

OK, is this completely sufficient? I noticed that the suggested patch for Android does a lot more than this for openssl versions < 1.0.2. Take a look at:
https://dovecot.org/pipermail/dovecot/2017-February/107070.html
does it have any relevance for us (it seems to based on the new cipher list).

[jthiltges]

That's a good point on the curve configuration for older OpenSSL. I think backwards compatibility is a good question both here, and for the list of default SSL ciphers.

With the RHEL6 end-of-life approaching, is it reasonable to leave SSL settings unchanged for EL6 and before, and use the more secure SSL defaults for EL7 and beyond? That'll be a trivial change to the code.