]> git.kaiwu.me - haproxy.git/commit
MEDIUM: ssl: set FIPS-approved cipher defaults for AWS-LC FIPS builds
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 30 Jun 2026 12:44:45 +0000 (12:44 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Thu, 2 Jul 2026 15:51:59 +0000 (15:51 +0000)
commite1d78ce5c366e648c7ba427cf23913c6e871f458
treef0be35291a3f54b477c99cec39821f698fe57a27
parent4be36758f611487592eade6e6b124477f3bb3e30
MEDIUM: ssl: set FIPS-approved cipher defaults for AWS-LC FIPS builds

When AWS-LC is built in FIPS mode, unconditionally override the
compile-time cipher defaults with FIPS-approved sets before config
parsing. Explicit ssl-default-{bind,server}-ciphers{suites} keywords
in the global section still take precedence over these defaults.

The approved sets are defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_CIPHERS family:
  CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS     - AES-128-GCM-SHA256 and
                                            AES-256-GCM-SHA384 (TLS 1.2)
  CONNECT/LISTEN_DEFAULT_FIPS_CIPHERSUITES - TLS_AES_128_GCM_SHA256 and
                                             TLS_AES_256_GCM_SHA384 (TLS 1.3)

This ensures internal servers (httpclient, Lua SSL sockets) that
inherit global defaults also operate with FIPS-compliant cipher lists
without requiring explicit configuration.
include/haproxy/defaults.h
src/ssl_sock.c