Allow TLS ciphers/protocols to be configurable for console proxies

The console proxies (VNC, SPICE, etc) currently don't allow the
allowed TLS ciphers and protocol versions to be configurable.  This
results in the defaults being used from the underlying system,
which may not be secure enough for many deployments.  This patch
allows for the ciphers and minimum SSL/TLS protocol version for
each console proxy to be configured in nova's config.

We utilize websockify underneath our console proxies, which added
support for allowed ciphers and the SSL/TLS version to be
configurable as of version 0.9.0.  This change updates the lower
constraint for this dependency.

Closes-Bug: #1842149
Related-Bug: #1771773
Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5

doc/source/admin/remote-console-access.rst

@@ -105,6 +105,8 @@ The :program:`nova-novncproxy` service accepts the following options:
 - :oslo.config:option:`cert`
 - :oslo.config:option:`key`
 - :oslo.config:option:`web`
+- :oslo.config:option:`console.ssl_ciphers`
+- :oslo.config:option:`console.ssl_minimum_version`
 - :oslo.config:option:`vnc.novncproxy_host`
 - :oslo.config:option:`vnc.novncproxy_port`
 
@@ -326,6 +328,8 @@ The :program:`nova-spicehtml5proxy` service accepts the following options.
 - :oslo.config:option:`cert`
 - :oslo.config:option:`key`
 - :oslo.config:option:`web`
+- :oslo.config:option:`console.ssl_ciphers`
+- :oslo.config:option:`console.ssl_minimum_version`
 - :oslo.config:option:`spice.html5proxy_host`
 - :oslo.config:option:`spice.html5proxy_port`
 
@@ -407,6 +411,8 @@ The :program:`nova-serialproxy` service accepts the following options.
 - :oslo.config:option:`cert`
 - :oslo.config:option:`key`
 - :oslo.config:option:`web`
+- :oslo.config:option:`console.ssl_ciphers`
+- :oslo.config:option:`console.ssl_minimum_version`
 - :oslo.config:option:`serial_console.serialproxy_host`
 - :oslo.config:option:`serial_console.serialproxy_port`