SP800-131a in Strict Mode
SP800-131a strict mode enforces the following restrictions. If any
parameter falls outside them, the SSL/TLS handshake fails:
- FIPS mode must be enabled
- DES, RC2 and two-key Triple DES cipher algorithms are disabled
- MD5 and SHA1 signature algorithms are disabled
- RSA and DSA certificates with a key length of less than 2048 bits are disabled
- EC certificates with a key length of less than 224 bits are disabled
- Protocol must be TLSV1.2
- TLSV1.3 is disabled. SSL, TLSV1.0 and TLSV1.1 are disabled and will be removed in a future release
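
Because a single non-compliant parameter makes the handshake fail, it helps to audit endpoints and certificate chains before switching strict mode on. The following is an added example, not code from the product: the record layout, field names, cipher labels and sample data are assumptions constructed for illustration, and flagging unrecognised algorithms for review is a choice of this example rather than a documented rule.

```python
import re

# Restrictions taken from the list above; the cipher labels are assumed names.
BANNED_CIPHERS = {"DES", "RC2", "3DES-2KEY"}
BANNED_HASHES = {"MD5", "SHA1"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}


def sig_hash(sig_alg):
    """Extract the hash from names such as 'sha1WithRSAEncryption'."""
    m = re.search(r"(md5|sha-?\d+)", sig_alg, re.IGNORECASE)
    return m.group(1).upper().replace("-", "") if m else "UNKNOWN"


def strict_mode_violations(endpoint):
    """Return every reason this endpoint would fail a strict-mode handshake."""
    problems = []
    if not endpoint["fips_mode"]:
        problems.append("FIPS mode is not enabled")
    if endpoint["protocol"].upper() != "TLSV1.2":
        problems.append(f"protocol {endpoint['protocol']} is not TLSV1.2")
    if endpoint["cipher"].upper() in BANNED_CIPHERS:
        problems.append(f"cipher {endpoint['cipher']} is disabled")
    for cert in endpoint["chain"]:  # check the whole chain, not only the leaf
        who = cert["subject"]
        digest = sig_hash(cert["sig_alg"])
        if digest in BANNED_HASHES:
            problems.append(f"{who}: {digest} signature is disabled")
        elif digest == "UNKNOWN":
            problems.append(f"{who}: review signature {cert['sig_alg']}")
        floor = MIN_KEY_BITS.get(cert["key_type"])
        if floor is None:
            problems.append(f"{who}: review key type {cert['key_type']}")
        elif cert["key_bits"] < floor:
            problems.append(f"{who}: {cert['key_type']} key below {floor} bits")
    return problems


# Constructed sample inventory (not real endpoints or certificates).
CA = {"subject": "CN=constructed-ca", "key_type": "EC", "key_bits": 256,
      "sig_alg": "ecdsa-with-SHA256"}
LEGACY = {"fips_mode": True, "protocol": "TLSV1.1", "cipher": "AES-128",
          "chain": [{"subject": "CN=legacy-leaf", "key_type": "RSA",
                     "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption"}, CA]}
COMPLIANT = {"fips_mode": True, "protocol": "TLSV1.2", "cipher": "AES-256",
             "chain": [{"subject": "CN=new-leaf", "key_type": "RSA",
                        "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"}, CA]}

if __name__ == "__main__":
    for name, ep in (("legacy", LEGACY), ("compliant", COMPLIANT)):
        print(name, strict_mode_violations(ep) or "OK")
```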