Bug 1638369 - enable some TLS ciphersuites with SHA-2-based MACs for compatibility r=jcj,kjacobs

We have evidence that some sites have disabled ciphersuites with SHA-1-based
MACs due to attacks against SHA-1 (disregarding the fact that these attacks
don't necessarily apply to HMAC-SHA-1) while still relying on RSA key exchange.
Before this patch, PSM did not enable any ciphersuites with RSA key exchange
and non-SHA-1-based MACs. Consequently, Firefox would be unable to connect to
these sites while other browsers would.
This patch enables TLS_RSA_WITH_AES_128_GCM_SHA256 and
TLS_RSA_WITH_AES_256_GCM_SHA384, which are the only two ciphersuites (other
than grease) that Chrome enables that Firefox did not (before this patch).

Differential Revision: https://phabricator.services.mozilla.com/D76543
Dana Keeler 2020-05-22 21:20:43 +00:00
Parent 622cf2a71a
Commit 895abc2d2e
2 changed files: 10 additions and 0 deletions


@ -1010,6 +1010,12 @@ static void AccumulateCipherSuite(Telemetry::HistogramID probe,
case TLS_RSA_WITH_SEED_CBC_SHA:
value = 67;
break;
case TLS_RSA_WITH_AES_128_GCM_SHA256:
value = 68;
break;
case TLS_RSA_WITH_AES_256_GCM_SHA384:
value = 69;
break;
// TLS 1.3 PSK resumption
case TLS_AES_128_GCM_SHA256:
value = 70;
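Review bot: the new cases assign histogram values 68 and 69, which sit between the existing `value = 67` for `TLS_RSA_WITH_SEED_CBC_SHA` and `value = 70` for `TLS_AES_128_GCM_SHA256`, so the probe's bucket range does not need to grow; please confirm in the review that 68 and 69 were not previously assigned to another suite, since reusing a bucket would silently merge historical telemetry with the new RSA-GCM data. Placing the two cases ahead of the `// TLS 1.3 PSK resumption` comment keeps them grouped with the other RSA key-exchange suites, which matches the intent stated in the commit message.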


@ -1060,6 +1060,10 @@ static const CipherPref sCipherPrefs[] = {
true},
{"security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true},
{"security.ssl3.rsa_aes_128_gcm_sha256", TLS_RSA_WITH_AES_128_GCM_SHA256,
true}, // deprecated (RSA key exchange)
{"security.ssl3.rsa_aes_256_gcm_sha384", TLS_RSA_WITH_AES_256_GCM_SHA384,
true}, // deprecated (RSA key exchange)
{"security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA,
true}, // deprecated (RSA key exchange)
{"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA,
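Review bot: both new `sCipherPrefs` entries are enabled by default (`true`) and carry the same `// deprecated (RSA key exchange)` comment as the existing `rsa_aes_128_sha` and `rsa_aes_256_sha` rows, which is consistent; since they are inserted ahead of the SHA-1 CBC variants, the GCM/SHA-2 suites are listed before the SHA-1 ones, so if this table's order is significant for suite preference, that ordering should be stated in the commit message or a comment. The hunk introduces two new pref names (`security.ssl3.rsa_aes_128_gcm_sha256` and `security.ssl3.rsa_aes_256_gcm_sha384`); the reviewer should check that their default values are registered wherever the sibling `security.ssl3.rsa_aes_*_sha` prefs are declared, as that file is not part of this diff.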