Machine ID FIPS support

[strideynet]

Closes #22448

Goals:

• Refuse to run if not compiled with boringcrypto
• Use FIPS relevant endpoints for cloud providers (e.g AWS)
• Restrict TLS / SSH cipher suites and TLS version to the good-listed sets
• RSA2048 should be used for private key generation

[strideynet]

Investigation into our existing FIPS releases reveals that tbot is already being built with boringcrypto, this means the build elements of this task are not necessary.

[strideynet]

TODO:

• Double check private key generation for certificates is correct
• Stand up a FIPS enterprise cluster w/ machine ID using AWS IAM joining to completely test this story.

[strideynet]

Can confirm RSA 2048 is used for all private key generation in tbot for impersonated and bot identity.

[strideynet]

Set up FIPS teleport enterprise cluster on AWS and tested:

• Machine ID joining with IAM joining
• Machine ID identity file used by tsh to list hosts
• Machine ID identity file used by tsh to ssh to host
• Machine ID ssd_config used with openssh to ssh to host

Enterprise auth server was running build from same version as tbot. Default Teleport config with only change being fips enabled and ACME enabled.

[GavinFrazar]

Use FIPS relevant endpoints for cloud providers (e.g AWS)

Is that supposed to be included in this PR? I don't see that

[strideynet]

Use FIPS relevant endpoints for cloud providers (e.g AWS)

Is that supposed to be included in this PR? I don't see that

It's easy to miss - it literally just required passing the boolean into the registration parameters https://github.com/gravitational/teleport/pull/23563/files#diff-ada93b8988e691f20b53943cf8d5cb35f29c1502d7639766f6f4b43dcd3eb6c8R476

[public-teleport-github-review-bot]

@strideynet See the table below for backport results.

Branch	Result
branch/v12	Failed