Prefer GODEBUG=fips140 over GOFIPS

[qmuntal]

This PR makes our backends to fail if GODEBUG=fips140=1 is set but FIPS mode is not enabled, as agreed in https://github.com/microsoft/go-lab/blob/main/docs/adr/0012-remove-gofips.md.

⚠️ This partially reverts #1496: it reintroduces openssl.SetFIPS(true) 😢 . Removing it will make life more difficult for applications running on non-FIPS distros (like Mariner 2 when not running on FIPS mode) which have properly configured OpenSSL to be FIPS-compliant, as most times one still need to call FIPS_mode_set(true). On the upside, since #1496 we use openssl.FIPSCapable instead of openssl.FIPS, which makes it less likely to end up calling openssl.SetFIPS. Most importantly, we no longer call that function when running on Azure Linux 3, which was my main goal with #1496.

For #1445.

[dagood]

This partially reverts #1496: it reintroduces openssl.SetFIPS(true) 😢 . Removing it will make life more difficult for applications running on non-FIPS distros (like Mariner 2 when not running on FIPS mode) which have properly configured OpenSSL to be FIPS-compliant, as most times one still need to call FIPS_mode_set(true).

(I assume "Removing it will make life more difficult" should be "Removing it would have made life more difficult" or similar, because this PR adds it back in?)

Why are we supporting this situation? My reading of the ADR is that we will intentionally make this situation harder--there is no provision for this halfway point. In the PR thread, my sense was that it only makes sense in a testing scenario, and we should instead document how the user can properly enable OpenSSL FIPS "locally-ish" on the test machine.