When AWS-LC is built in FIPS mode, unconditionally override the
compile-time curve defaults with the FIPS-approved NIST P-curves
before config parsing. Explicit ssl-default-{bind,server}-curves
keywords in the global section still take precedence over these
defaults.
The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
CONNECT/LISTEN_DEFAULT_FIPS_CURVES - P-256, P-384, P-521
This ensures that internal servers (httpclient, Lua SSL sockets) that
inherit global defaults also operate with FIPS-compliant curve lists
without requiring explicit configuration.
#define LISTEN_DEFAULT_FIPS_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
#endif
+/* FIPS-approved elliptic curves for AWS-LC FIPS builds (NIST P-curves only) */
+#ifndef CONNECT_DEFAULT_FIPS_CURVES
+#define CONNECT_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
+#endif
+
+#ifndef LISTEN_DEFAULT_FIPS_CURVES
+#define LISTEN_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
+#endif
+
/* named curve used as defaults for ECDHE ciphers */
#ifndef ECDHE_DEFAULT_CURVE
#define ECDHE_DEFAULT_CURVE "prime256v1"
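Review bot: The new `#ifndef` guards on CONNECT_DEFAULT_FIPS_CURVES and LISTEN_DEFAULT_FIPS_CURVES let a build define the "approved" list to anything at all, which the comment on the first added line does not say; since the whole point of the FIPS path is to pin the group list, that should be stated next to the macros. A sentence such as `/* Build-time override is possible via -D; any value other than the NIST P-curves defeats the FIPS restriction applied at init. */` would make the contract explicit, matching how the surrounding FIPS_CIPHERS/CIPHERSUITES macros are presented. It may also be worth noting in the same comment that these strings are consumed by the curves-list setter, so the "P-256" alias form rather than the "prime256v1" form used by ECDHE_DEFAULT_CURVE just below is intentional.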
global_ssl.listen_default_ciphersuites = strdup(LISTEN_DEFAULT_FIPS_CIPHERSUITES);
free(global_ssl.connect_default_ciphersuites);
global_ssl.connect_default_ciphersuites = strdup(CONNECT_DEFAULT_FIPS_CIPHERSUITES);
+ free(global_ssl.listen_default_curves);
+ global_ssl.listen_default_curves = strdup(LISTEN_DEFAULT_FIPS_CURVES);
+ free(global_ssl.connect_default_curves);
+ global_ssl.connect_default_curves = strdup(CONNECT_DEFAULT_FIPS_CURVES);
}
#endif /* OPENSSL_IS_AWSLC */
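Review bot: The two added `strdup()` results are stored without a NULL check, so on allocation failure `listen_default_curves`/`connect_default_curves` end up NULL and the FIPS curve restriction the commit exists to enforce is presumably skipped downstream, leaving the library's own default group list in effect rather than failing closed. The pre-existing cipher/ciphersuite lines in the same block have the same gap, but the new lines are a good place to start: test each result and abort initialisation with a clear message, e.g. `if (!global_ssl.listen_default_curves) { /* FIPS curve defaults could not be set — fail closed */ ... }`, using whatever error path the enclosing init function already has. The enclosing function starts outside the hunk, so the FIPS-mode condition that guards this block and its error convention cannot be confirmed from here; a short comment above the new lines, `/* FIPS: pin group list before config parsing; explicit ssl-default-*-curves still override */`, would also help the next reader.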