git.kaiwu.me - haproxy.git/commit
MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds
author    William Lallemand <wlallemand@haproxy.com>
          Tue, 30 Jun 2026 13:26:19 +0000 (13:26 +0000)
committer William Lallemand <wlallemand@haproxy.com>
          Tue, 30 Jun 2026 13:57:11 +0000 (13:57 +0000)
commit    b5f23c7f3fd32f8112aad831aed591789982faa1
tree      bc2426fe095a5ca027fc2d9179439f2c51545c9d
parent    8bed24905fb44bcb77d568a16102af8cfe172901

When AWS-LC is built in FIPS mode, unconditionally override the
compile-time curve defaults with the FIPS-approved NIST P-curves
before config parsing. Explicit ssl-default-{bind,server}-curves
keywords in the global section still take precedence over these
defaults.

The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
  CONNECT/LISTEN_DEFAULT_FIPS_CURVES - P-256, P-384, P-521

This ensures that internal servers (httpclient, Lua SSL sockets) that
inherit global defaults also operate with FIPS-compliant curve lists
without requiring explicit configuration.
include/haproxy/defaults.h
src/ssl_sock.c