#define LISTEN_DEFAULT_CIPHERSUITES NULL
#endif
+/* FIPS-approved TLS 1.2 ciphers for AWS-LC FIPS builds (AES-GCM only) */
+#ifndef CONNECT_DEFAULT_FIPS_CIPHERS
+#define CONNECT_DEFAULT_FIPS_CIPHERS \
+ "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
+#endif
+
+#ifndef LISTEN_DEFAULT_FIPS_CIPHERS
+#define LISTEN_DEFAULT_FIPS_CIPHERS \
+ "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
+#endif
+
+/* FIPS-approved TLS 1.3 cipher suites for AWS-LC FIPS builds */
+#ifndef CONNECT_DEFAULT_FIPS_CIPHERSUITES
+#define CONNECT_DEFAULT_FIPS_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
+#endif
+
+#ifndef LISTEN_DEFAULT_FIPS_CIPHERSUITES
+#define LISTEN_DEFAULT_FIPS_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
+#endif
+
/* named curve used as defaults for ECDHE ciphers */
#ifndef ECDHE_DEFAULT_CURVE
#define ECDHE_DEFAULT_CURVE "prime256v1"
global_ssl.connect_default_ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
#endif
+#if defined(OPENSSL_IS_AWSLC)
+ /* When AWS-LC is built in FIPS mode, override any compile-time cipher
+ * defaults with the FIPS-approved sets. This runs before the config
+ * parser so that explicit ssl-default-{bind,server}-ciphers{suites}
+ * keywords in the global section still take precedence. */
+ if (FIPS_mode()) {
+ free(global_ssl.listen_default_ciphers);
+ global_ssl.listen_default_ciphers = strdup(LISTEN_DEFAULT_FIPS_CIPHERS);
+ free(global_ssl.connect_default_ciphers);
+ global_ssl.connect_default_ciphers = strdup(CONNECT_DEFAULT_FIPS_CIPHERS);
+ free(global_ssl.listen_default_ciphersuites);
+ global_ssl.listen_default_ciphersuites = strdup(LISTEN_DEFAULT_FIPS_CIPHERSUITES);
+ free(global_ssl.connect_default_ciphersuites);
+ global_ssl.connect_default_ciphersuites = strdup(CONNECT_DEFAULT_FIPS_CIPHERSUITES);
+ }
+#endif /* OPENSSL_IS_AWSLC */
+
xprt_register(XPRT_SSL, &ssl_sock);
#if HA_OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_library_init();
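Review bot: The four `strdup()` calls inside the `if (FIPS_mode())` block are unchecked, and here a NULL result is a policy failure rather than a cosmetic one: the field has already been `free()`d on the line above each assignment, so after a failed copy it stays NULL and the SSL contexts built later would fall back to the library's built-in cipher list, silently dropping the FIPS restriction the comment says is being enforced. The pre-existing `strdup(global_ssl.connect_default_ciphersuites)` in the context line above the hunk has the same gap, but losing a compile-time default is less serious than losing the override. Since this runs at init time, the simplest fix is a check after each assignment that reports the affected keyword and aborts startup, e.g. `if (!global_ssl.listen_default_ciphers) { /* report OOM for ssl-default-bind-ciphers and fail init */ }`, repeated for the other three, or a small `static` helper that does free + strdup + check in one place. As a side note, the compile-time default is strdup'd and then immediately freed on the FIPS path; selecting the source string before the single strdup would avoid that churn. The enclosing init function starts outside the hunk, so I cannot see what error-reporting path it already uses.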