Bug 707384 - only allow FIPS approved cipher suites in FIPS mode
https://bugzilla.redhat.com/show_bug.cgi?id=707384
Resolves: bug 707384
Bug Description: only allow FIPS approved cipher suites in FIPS mode
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: These changes only affect the server if FIPS mode has been
set in the internal security module, that is, if
modutil -dbdir /etc/dirsrv/slapd-myhost -chkfips true
returns
FIPS mode enabled.
1) If cn=encryption,cn=config nsSSL3Ciphers is missing or set to "+all",
the server will silently use only FIPS approved cipher suites.
2) If cn=encryption,cn=config nsSSL3Ciphers has a list of ciphers, and at
least one non-FIPS approved cipher suite is enabled, the server will log
to the errors log the list of unapproved cipher suites specified, and will
restrict the server to only the FIPS approved ciphers specified in the list.
3) The attribute nsSSLSupportedCiphers in cn=encryption,cn=config will list
only FIPS approved ciphers.
4) If the CONFIG log level (64) is set, more detailed information will be
logged to the errors log about cipher config processing
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit f290f80e90c116ab5c04171f6a833aa4fdee98e6)
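The following is an added illustration of the three cipher-handling rules described in the fix description (missing or "+all" preference, explicit list with unapproved entries, and the supported-cipher listing). It is not code from 389-ds-base or from this commit: the suite names, the set treated as FIPS approved, and the simplified nsSSL3Ciphers token syntax (comma-separated names with a "+" or "-" prefix, plus the keyword "all") are constructed for the example and do not reproduce the server's real tables or parser.

```python
"""Illustrative model of the FIPS cipher-filtering rules in the commit message.

Added example, not 389-ds-base code. KNOWN_SUITES, FIPS_APPROVED and the
token syntax below are constructed assumptions for illustration only.
"""
from typing import Dict, List, Optional

# Constructed sample: the suites the "server" knows, and the subset the
# (hypothetical) FIPS policy approves. Order matters for output stability.
KNOWN_SUITES = [
    "rsa_aes_128_sha", "rsa_aes_256_sha", "rsa_3des_sha",
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_des_sha",
]
FIPS_APPROVED = {"rsa_aes_128_sha", "rsa_aes_256_sha", "rsa_3des_sha"}


def parse_cipher_pref(value: Optional[str], log: List[str]) -> List[str]:
    """Turn an nsSSL3Ciphers-style string into the list of enabled suites.

    A missing or empty attribute behaves like "+all". Tokens are processed
    left to right, so "-all,+rsa_aes_128_sha" enables exactly one suite.
    Unknown names are dropped and noted in the (CONFIG-level) log.
    """
    enabled: Dict[str, bool] = {}
    for tok in (value or "+all").split(","):
        tok = tok.strip()
        if not tok:
            continue
        sign, name = tok[0], tok[1:].strip().lower()
        if sign not in "+-":
            raise ValueError(f"cipher token must start with + or -: {tok!r}")
        on = sign == "+"
        if name == "all":
            for suite in KNOWN_SUITES:
                enabled[suite] = on
        elif name in KNOWN_SUITES:
            enabled[name] = on
        else:
            log.append(f"CONFIG: unknown cipher {name!r} ignored")
    return [s for s in KNOWN_SUITES if enabled.get(s)]


def apply_fips_policy(value: Optional[str], fips_mode: bool,
                      log: List[str]) -> List[str]:
    """Return the suites the server would actually enable.

    Rule 1: missing/"+all" in FIPS mode -> approved suites only, no log line.
    Rule 2: explicit list with unapproved entries -> log them, keep only the
            approved ones from the list.
    Outside FIPS mode the requested list is used unchanged.
    """
    requested = parse_cipher_pref(value, log)
    if not fips_mode:
        return requested
    explicit = (value or "+all").strip() != "+all"
    unapproved = [s for s in requested if s not in FIPS_APPROVED]
    if explicit and unapproved:
        log.append("FIPS mode is enabled - ignoring non-FIPS approved "
                   "ciphers: " + ", ".join(unapproved))
    return [s for s in requested if s in FIPS_APPROVED]


def supported_ciphers(fips_mode: bool) -> List[str]:
    """Rule 3: what nsSSLSupportedCiphers would list."""
    if fips_mode:
        return [s for s in KNOWN_SUITES if s in FIPS_APPROVED]
    return list(KNOWN_SUITES)


if __name__ == "__main__":
    events: List[str] = []
    pref = "-all,+rsa_rc4_128_md5,+rsa_aes_128_sha"
    print("enabled:", apply_fips_policy(pref, fips_mode=True, log=events))
    for line in events:
        print("errors log:", line)
```

Running the block with the constructed preference string enables only rsa_aes_128_sha and emits one errors-log line naming rsa_rc4_128_md5; the same preference outside FIPS mode enables both suites, and an absent attribute in FIPS mode yields the approved set with no log line at all.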