Support the new TLS 1.2 HMAC-SHA256 cipher suites specified in
RFC 5246 and RFC 5289.
To avoid making ClientHello too big, the new DH_DSS, DH_RSA,
DHE_DSS, DH_anon, ECDH_ECDSA, and ECDH_RSA are not added.
Do not generate client_write_IV and server_write_IV in TLS 1.1+
for CBC block ciphers because 1) they aren't used, and 2) a
buffer in the NSS softoken is not big enough if the HMAC key
is 32 bytes (for HMAC-SHA256) and client_write_IV and
server_write_IV are still generated.
Do not downgrade to TLS 1.1 silently when SSL_BYPASS_PKCS11
mode is requested because we won't be able to test the new
TLS 1.2 only cipher suites in PKCS #11 bypass mode. Instead,
silently turn off PKCS #11 bypass if TLS 1.2 is enabled.
TEST=none (done in NSS upstream)