]> git.kaiwu.me - haproxy.git/commit
MEDIUM: ssl: set FIPS-approved sigalgs defaults for AWS-LC FIPS builds
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 30 Jun 2026 13:37:27 +0000 (13:37 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Fri, 10 Jul 2026 17:42:03 +0000 (19:42 +0200)
commit46c3edcb16be36bbd14c309d65f3a5a5e3fb28db
treedc5a46864f77971899b4299259b31da94f4ee99c
parent96c7759f3b8b37612d3395ca1a0a47a3f92c516f
MEDIUM: ssl: set FIPS-approved sigalgs defaults for AWS-LC FIPS builds

When AWS-LC is built in FIPS mode, unconditionally override the
compile-time signature algorithm defaults with the FIPS-approved set
before config parsing. Explicit ssl-default-{bind,server}-sigalgs
keywords in the global section still take precedence over these
defaults.

The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
  CONNECT/LISTEN_DEFAULT_FIPS_SIGALGS        - ECDSA (P-256/384/521),
                                               RSA-PSS and RSA-PKCS1
                                               with SHA-256/384/512
  CONNECT/LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS - same set for client
                                               certificate sigalgs

SHA-1 based algorithms and non-FIPS primitives (ed25519, ed448) are
excluded from the defaults.
include/haproxy/defaults.h
src/ssl_sock.c