Add MD5 and SHA-1 server signatures

[davidben]

These correspond to the configurations deprecated by RFC 9155. I've marked MD5 as "bad" because it really should have been out of clients by now. I've marked SHA-1 as "dubious" for now because it's analogous to TLS 1.0/1.1, and clients still support it for now (but hopefully not for much longer).

(I just copied the existing configuration for the cipher suite pages. Not positive if I've done it right.)

[davidben]

@christhompson

[christhompson]

The good news this should work (with two small syntax fixes), and it's an easy thing to maintain (since it doesn't require new certs). The bad news is the ssl_conf_command was added in Nginx 1.19.4 and the current server... is Nginx 1.10.3. So landing this will be blocked on me completing the server upgrade after all.

[davidben]

So landing this will be blocked on me completing the server upgrade after all.

Oof. In the likely event the upgrade makes it impossible to sign MD5, that's no big deal. I don't think any browser supports that anyway. I just added it for completeness.

Clearly we should fork the Go TLS stack and write a custom TLS terminator to sit in front of NGINX... :-)