From: William Lallemand
Date: Tue, 30 Jun 2026 13:26:19 +0000 (+0000)
Subject: MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/NGINX-js-1660x332.png%20%22NGINX%20JavaScript%20Banner%22?a=commitdiff_plain;h=b5f23c7f3fd32f8112aad831aed591789982faa1;p=haproxy.git
MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds
When AWS-LC is built in FIPS mode, unconditionally override the compile-time curve defaults with the FIPS-approved NIST P-curves before config parsing. Explicit ssl-default-{bind,server}-curves keywords in the global section still take precedence over these defaults. The approved set is defined as macros in include/haproxy/defaults.h alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family: CONNECT/LISTEN_DEFAULT_FIPS_CURVES - P-256, P-384, P-521 This ensures that internal servers (httpclient, Lua SSL sockets) that inherit global defaults also operate with FIPS-compliant curve lists without requiring explicit configuration.
---
diff --git a/include/haproxy/defaults.h b/include/haproxy/defaults.h
index 87ebe88f0..95262c79f 100644
--- a/include/haproxy/defaults.h
+++ b/include/haproxy/defaults.h
@@ -460,6 +460,15 @@
 #define LISTEN_DEFAULT_FIPS_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
 #endif
 
+/* FIPS-approved elliptic curves for AWS-LC FIPS builds (NIST P-curves only) */
+#ifndef CONNECT_DEFAULT_FIPS_CURVES
+#define CONNECT_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
+#endif
+
+#ifndef LISTEN_DEFAULT_FIPS_CURVES
+#define LISTEN_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
+#endif
+
 /* named curve used as defaults for ECDHE ciphers */
 #ifndef ECDHE_DEFAULT_CURVE
 #define ECDHE_DEFAULT_CURVE "prime256v1"
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f77eb0162..8b58f8662 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
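Review bot: In include/haproxy/defaults.h the new comment does not mention that the `#ifndef` guards let a build replace either curve list with `-D`, and nothing visible in this hunk checks such an override against the approved set. I would extend it to `/* FIPS-approved elliptic curves for AWS-LC FIPS builds (NIST P-curves only). Overridable at build time; an override is not validated and must stay within the approved set. */`. The new lists also spell curves with NIST names (`P-256`) while `ECDHE_DEFAULT_CURVE` just below uses `prime256v1`, so a short remark that the spelling is the one the TLS library's curve-list parser is expected to accept would help the next reader.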
@@ -8533,6 +8533,10 @@ static void __ssl_sock_init(void)
 global_ssl.listen_default_ciphersuites = strdup(LISTEN_DEFAULT_FIPS_CIPHERSUITES);
 free(global_ssl.connect_default_ciphersuites);
 global_ssl.connect_default_ciphersuites = strdup(CONNECT_DEFAULT_FIPS_CIPHERSUITES);
+ free(global_ssl.listen_default_curves);
+ global_ssl.listen_default_curves = strdup(LISTEN_DEFAULT_FIPS_CURVES);
+ free(global_ssl.connect_default_curves);
+ global_ssl.connect_default_curves = strdup(CONNECT_DEFAULT_FIPS_CURVES);
 }
 #endif /* OPENSSL_IS_AWSLC */
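Review bot: The two added `strdup()` results are stored unchecked, so an allocation failure leaves `global_ssl.listen_default_curves` or `global_ssl.connect_default_curves` NULL after the previous value has already been freed. If a NULL default is treated as "no curve list configured" (not visible here), a FIPS build would then start with the library's default groups instead of the approved set, without any diagnostic. I would fail startup instead, with a check such as `if (!global_ssl.listen_default_curves || !global_ssl.connect_default_curves)` followed by an alert and exit; the ciphersuite context lines just above follow the same unchecked pattern. The enclosing `if` block and `__ssl_sock_init()` both start outside the hunk, so the condition that selects FIPS mode could not be reviewed.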