nss: do not enable AES cipher-suites by default

  {"rsa_des_56_sha",             TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},

  {"rsa_rc4_56_sha",             TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},

  /* AES ciphers. */

  {"dhe_dss_aes_128_cbc_sha",    TLS_DHE_DSS_WITH_AES_128_CBC_SHA},

  {"dhe_dss_aes_256_cbc_sha",    TLS_DHE_DSS_WITH_AES_256_CBC_SHA},

  {"dhe_rsa_aes_128_cbc_sha",    TLS_DHE_RSA_WITH_AES_128_CBC_SHA},

  {"dhe_rsa_aes_256_cbc_sha",    TLS_DHE_RSA_WITH_AES_256_CBC_SHA},

  {"rsa_aes_128_sha",            TLS_RSA_WITH_AES_128_CBC_SHA},

  {"rsa_aes_256_sha",            TLS_RSA_WITH_AES_256_CBC_SHA},

  /* ECC ciphers. */

  {"ecdh_anon_aes_256_sha",      TLS_ECDH_anon_WITH_AES_256_CBC_SHA},

};

/* following ciphers are new in NSS 3.4 and not enabled by default, therefore

   they are enabled explicitly */

static const int enable_ciphers_by_default[] = {

  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,

  TLS_DHE_DSS_WITH_AES_256_CBC_SHA,

  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,

  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,

  TLS_RSA_WITH_AES_128_CBC_SHA,

  TLS_RSA_WITH_AES_256_CBC_SHA,

  SSL_NULL_WITH_NULL_NULL

};

static const char* pem_library = "libnsspem.so";

SECMODModule* mod = NULL;

  curl_socket_t sockfd = conn->sock[sockindex];

  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  CURLcode curlerr;

  const int *cipher_to_enable;

  PRSocketOptionData sock_opt;

  long time_left;

  PRUint32 timeout;

  /* reset the flag to avoid an infinite loop */

  data->state.ssl_connect_retry = FALSE;

  /* enable all ciphers from enable_ciphers_by_default */

  cipher_to_enable = enable_ciphers_by_default;

  while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {

    if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {

      curlerr = CURLE_SSL_CIPHER;

      goto error;

    }

    cipher_to_enable++;

  }

  if(data->set.ssl.cipher_list) {

    if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {

      curlerr = CURLE_SSL_CIPHER;