]> git.kaiwu.me - haproxy.git/commit
MEDIUM: ssl: set FIPS-approved sigalgs defaults for AWS-LC FIPS builds
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 30 Jun 2026 13:37:27 +0000 (13:37 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Thu, 2 Jul 2026 15:51:59 +0000 (15:51 +0000)
commitccf69bd011e8a1d9c903cfbec11f350d8a1aa1d2
tree0afbbb1fccf48f51cac094c82084a6debb773328
parent035e4000c82fc17de39fda01075e73b27ea3e858
MEDIUM: ssl: set FIPS-approved sigalgs defaults for AWS-LC FIPS builds

When AWS-LC is built in FIPS mode, unconditionally override the
compile-time signature algorithm defaults with the FIPS-approved set
before config parsing. Explicit ssl-default-{bind,server}-sigalgs
keywords in the global section still take precedence over these
defaults.

The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
  CONNECT/LISTEN_DEFAULT_FIPS_SIGALGS        - ECDSA (P-256/384/521),
                                               RSA-PSS and RSA-PKCS1
                                               with SHA-256/384/512
  CONNECT/LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS - same set for client
                                               certificate sigalgs

SHA-1 based algorithms and non-FIPS primitives (ed25519, ed448) are
excluded from the defaults.
include/haproxy/defaults.h
src/ssl_sock.c