I digress from my original posting and move in a different direction. I believe the current Nginx SSL settings ARE FIPSv2 compliant. Not sure for v3, but it's not public yet. I'm not sure why it wasn't compliant at first when I did my testing at Qualys on the SSL.
I went back, added your protocols, and the results were FIPS ready. My certification might not have been right initially when I first did the test.
For Qualys requirements to pass their test.
With that being said, the current settings do not have elliptical curve enabled. To make that happen you have to generate a 2048 bit key, and on most computers that doesn't take too long. On a 1 GB Digital Ocean droplet a 4096 bit key takes a long time. So I can't see that being done at install, at least not by default.
I wrote a tool script for mail-in-a-box to just install DHEC.
But there's an additional option for a more conservative cipher suite, but be advised you're limiting your coverage to the newest technology. It limits the cipher suites to 256 and EC. It also limits to TLS1.2. I think Qualys shows only the newest browsers and phones are able to support the protocols.
I can think of many good reasons why a user would want these settings. But at the same time I can count the number of users on my system, so I know coverage and efficiency isn't an issue for me. I used this to get a complete 100 across the board at Qualys for all four categories for my website.
Use as a reference to achieve a 100:
For an explanation for anyone who doesn't know what FIPS is, like me, here are some resources.
Finally, my code.
https://raw.githubusercontent.com/jko11222/mailinabox/ssl_branch/tools/ssl_dhec.sh
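As an added illustration of the two profiles the post describes (a broader one, and a conservative one limited to TLS 1.2, 256-bit ciphers and EC key exchange), here is a small POSIX shell helper that emits the corresponding nginx `ssl_*` directives and checks the cipher list. This is example code written for this page, not the linked `ssl_dhec.sh` script or Mail-in-a-Box's own configuration; the cipher strings, the `/etc/nginx/dhparam.pem` path, the `secp384r1` curve choice and the protocol list for the broader profile are all assumptions. The `generate_dhparam` function wraps the `openssl dhparam` command for the parameter file the post describes generating; it is slow at 4096 bits, which is why it is kept separate from the config-emitting functions.

```sh
#!/bin/sh
# Added example (not from the original post): build nginx TLS settings for a
# "default" or "conservative" profile. Paths and cipher lists are assumptions.

# Assumed location of the Diffie-Hellman parameters file used by ssl_dhparam.
DHPARAM_PATH="${DHPARAM_PATH:-/etc/nginx/dhparam.pem}"

# Generate DH parameters of the requested size (2048 is quick, 4096 is slow on
# a small VPS). Not run by the tests; requires the openssl CLI.
generate_dhparam() {
    bits="$1"
    openssl dhparam -out "$DHPARAM_PATH" "$bits"
}

# Conservative profile from the post: ECDHE key exchange only, AES-256 only.
# Narrows browser/phone coverage to the newest clients.
conservative_ciphers() {
    printf '%s' 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384'
}

# Broader profile (assumed): still forward-secret, but also allows AES-128 and
# DHE suites, which is what makes the ssl_dhparam file matter.
default_ciphers() {
    printf '%s' 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
}

# Print an nginx ssl_* snippet for the chosen profile; returns 1 on a bad name.
nginx_tls_snippet() {
    profile="$1"
    case "$profile" in
        conservative) protocols='TLSv1.2';         ciphers=$(conservative_ciphers) ;;
        default)      protocols='TLSv1.1 TLSv1.2'; ciphers=$(default_ciphers) ;;
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    printf 'ssl_protocols %s;\n' "$protocols"
    printf 'ssl_ciphers %s;\n' "$ciphers"
    printf 'ssl_prefer_server_ciphers on;\n'
    printf 'ssl_ecdh_curve secp384r1;\n'   # assumed curve choice
    printf 'ssl_dhparam %s;\n' "$DHPARAM_PATH"
}

# Return 0 only if every suite in the colon-separated list is ECDHE with
# AES-256, i.e. it really matches the "256 and EC" restriction described.
ciphers_are_256_ecdhe() {
    if echo "$1" | tr ':' '\n' | grep -v -E '^ECDHE-(ECDSA|RSA)-AES256-' | grep -q .; then
        return 1
    fi
    return 0
}
```

Running `nginx_tls_snippet conservative` prints the five directives for the restricted profile, and `ciphers_are_256_ecdhe "$(default_ciphers)"` fails, which is the quick way to tell the two profiles apart before reloading nginx. Qualys SSL Labs is still the check that matters for the grade; this helper only guarantees the cipher list has the shape the post describes.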