Original summary: 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17" , "Cannot communicate securely with peer: no common encryption algorithm(s)."
Fails to enable SSL with this user specified cipher list.
nsSSL3Ciphers: -rsa_null_md5,+rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5,+fortezza
git patch file (master) 0001-Ticket-47908-389-ds-1.3.3.0-does-not-adjust-cipher-s.patch
Note: the test cipher list is all weak (except fortezza, which is not available).
If "allowWeakCipher: on" (default; unless allowWeakCipher is set, it is "on" for the user specified ciphers), the server starts with the warnings (for each cipher name):
{{{
[..] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
}}}
and one for "fortezza":
{{{
[..] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza
}}}
But if "allowWeakCipher: off", SSL is disabled and the server starts without listening on the secure port.
{{{
[..] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
[..] - ERROR: SSL Initialization Failed. Disabling SSL.
}}}
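The behaviour the report describes, modelled as an added Python example (not 389-ds code): a checker that parses an nsSSL3Ciphers value with the same +/- prefixes and applies the allowWeakCipher rule, so an administrator can see before a restart whether switching allowWeakCipher to "off" would leave no active cipher and disable SSL. The cipher table is constructed for illustration, the rsa_aes_256_sha entry is a hypothetical strong cipher, and the treatment of tokens without a +/- prefix is an assumption; none of it is taken from the server's own cipher tables.

```python
"""Model of the nsSSL3Ciphers / allowWeakCipher behaviour reported in the ticket.

Added example, not 389-ds code.  CIPHER_TABLE is constructed for the demo:
which names count as weak or unavailable is an assumption chosen to mirror
the report (every cipher in the test list is weak; fortezza is absent from
NSS 3.17).  rsa_aes_256_sha is a hypothetical strong cipher added so the
demo can show a configuration that survives allowWeakCipher: off.
"""
from dataclasses import dataclass, field

# name -> (available in NSS, weak)   [constructed table, see module docstring]
CIPHER_TABLE = {
    "rsa_null_md5":      (True,  True),
    "rsa_fips_3des_sha": (True,  True),
    "rsa_fips_des_sha":  (True,  True),
    "rsa_3des_sha":      (True,  True),
    "rsa_rc4_128_md5":   (True,  True),
    "rsa_des_sha":       (True,  True),
    "rsa_rc2_40_md5":    (True,  True),
    "rsa_rc4_40_md5":    (True,  True),
    "fortezza":          (False, True),   # not available in NSS 3.17 per the report
    "rsa_aes_256_sha":   (True,  False),  # hypothetical strong cipher
}

# The exact list from the ticket, for the usage example at the bottom.
TICKET_CIPHER_LIST = (
    "-rsa_null_md5,+rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sha,"
    "+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5,+fortezza"
)


@dataclass
class CipherResolution:
    enabled: list = field(default_factory=list)  # ciphers that would be active
    alerts: list = field(default_factory=list)   # messages mirroring the SSL alerts

    @property
    def ssl_usable(self) -> bool:
        """The server can only listen on the secure port if something is enabled."""
        return bool(self.enabled)


def resolve_ciphers(nsssl3ciphers: str, allow_weak: bool) -> CipherResolution:
    """Walk the +/- cipher list and apply the allowWeakCipher rule.

    '-name' disables a cipher, '+name' requests it.  Requested ciphers that
    NSS does not provide are ignored; weak ciphers are kept only while
    allow_weak is True.  An empty result is the 'No active cipher suite is
    available' failure from the ticket.
    """
    res = CipherResolution()
    for token in nsssl3ciphers.split(","):
        token = token.strip()
        if not token:
            continue
        sign, name = token[0], token[1:]
        if sign not in "+-":
            # Assumption: a token without a prefix is a configuration error.
            raise ValueError(f"cipher token {token!r} lacks a +/- prefix")
        if sign == "-":
            continue  # explicitly disabled by the administrator
        available, weak = CIPHER_TABLE.get(name, (False, True))
        if not available:
            res.alerts.append(f"Cipher suite {name} is not available. Ignoring {name}")
            continue
        if weak and not allow_weak:
            res.alerts.append(f"Cipher {name} is weak; dropped because allowWeakCipher is off")
            continue
        if weak:
            res.alerts.append(f"Cipher {name} is weak. Enabled because allowWeakCipher is on")
        res.enabled.append(name)
    if not res.enabled:
        res.alerts.append("No active cipher suite is available. SSL would be disabled.")
    return res


def preview_allow_weak_off(nsssl3ciphers: str) -> bool:
    """True if the list still yields an active cipher once allowWeakCipher is off."""
    return resolve_ciphers(nsssl3ciphers, allow_weak=False).ssl_usable


if __name__ == "__main__":
    for allow in (True, False):
        result = resolve_ciphers(TICKET_CIPHER_LIST, allow_weak=allow)
        print(f"allowWeakCipher={'on' if allow else 'off'}: enabled={result.enabled}")
        for alert in result.alerts:
            print("  SSL alert:", alert)
    print("safe to turn allowWeakCipher off:", preview_allow_weak_off(TICKET_CIPHER_LIST))
```

Run the script as-is to reproduce the two outcomes from the report: with allowWeakCipher on, seven weak ciphers stay enabled (each with a warning) and fortezza is ignored; with it off, the enabled list is empty and the checker reports that SSL would be disabled. `preview_allow_weak_off` is the check worth running on a real cipher list before changing the encryption entry.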
Reviewed by Rich (Thank you!!)
Pushed to master: 685607f..83a6ceb master -> master commit 83a6ceb
Pushed to 389-ds-base-1.3.3: 906106b..4e34740 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 4e34740
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3 - 9/14 (September)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: https://github.com/389ds/389-ds-base/issues/1239
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)