]> git.kaiwu.me - haproxy.git/commit
MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 30 Jun 2026 13:26:19 +0000 (13:26 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Thu, 2 Jul 2026 15:51:59 +0000 (15:51 +0000)
commit8f7351fb02ccc1fd6b0d027897663fb24a67a834
treeaaf5fb8910cff0978626b913cacd2dc3c81c64fd
parent0ce28bf35e902e40f9e462da8431980dac1ae7a8
MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds

When AWS-LC is built in FIPS mode, unconditionally override the
compile-time curve defaults with the FIPS-approved NIST P-curves
before config parsing. Explicit ssl-default-{bind,server}-curves
keywords in the global section still take precedence over these
defaults.

The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
  CONNECT/LISTEN_DEFAULT_FIPS_CURVES - P-256, P-384, P-521

This ensures that internal servers (httpclient, Lua SSL sockets) that
inherit global defaults also operate with FIPS-compliant curve lists
without requiring explicit configuration.
include/haproxy/defaults.h
src/ssl_sock.c