]> git.kaiwu.me - haproxy.git/commit
MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 30 Jun 2026 13:26:19 +0000 (13:26 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Fri, 10 Jul 2026 17:42:03 +0000 (19:42 +0200)
commit3b2cd5f9fb621150ecd611a01403fbe3d6a5a470
treee708fee7575f836dd006252f010c2c7a947dcfbf
parent29f5126317ebc3f48575f98b69143060baa2cf05
MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds

When AWS-LC is built in FIPS mode, unconditionally override the
compile-time curve defaults with the FIPS-approved NIST P-curves
before config parsing. Explicit ssl-default-{bind,server}-curves
keywords in the global section still take precedence over these
defaults.

The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
  CONNECT/LISTEN_DEFAULT_FIPS_CURVES - P-256, P-384, P-521

This ensures that internal servers (httpclient, Lua SSL sockets) that
inherit global defaults also operate with FIPS-compliant curve lists
without requiring explicit configuration.
include/haproxy/defaults.h
src/ssl_sock.c