Be stricter with TLS configuration for ntpd constraints.

We already require TLSv1.2 so it does not make sense to be liberal with the
cipher suites that we allow. Additionally, it is potentially dangerous to
disable certificate verification when no CA data is available (which is
currently an impossible case to reach).
Also ensure we check the return value from tls_config_set_ca_mem() (as
spotted by tb@).
ok kn@ tb@

src/usr.sbin/ntpd/constraint.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: constraint.c,v 1.35 2016/12/05 10:41:33 rzalamena Exp $	*/
+/*	$OpenBSD: constraint.c,v 1.36 2018/11/05 00:13:36 jsing Exp $	*/
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -869,15 +869,9 @@ httpsdate_init(const char *addr, const char *port, const char *hostname,
 
 	if ((httpsdate->tls_config = tls_config_new()) == NULL)
 		goto fail;
-
-	if (tls_config_set_ciphers(httpsdate->tls_config, "all") != 0)
+	if (tls_config_set_ca_mem(httpsdate->tls_config, ca, ca_len) == -1)
 		goto fail;
 
-	if (ca == NULL || ca_len == 0)
-		tls_config_insecure_noverifycert(httpsdate->tls_config);
-	else
-		tls_config_set_ca_mem(httpsdate->tls_config, ca, ca_len);
-
 	return (httpsdate);
 
  fail: