]> git.kaiwu.me - haproxy.git/commitdiff
MEDIUM: ssl: set FIPS-approved curve defaults for AWS-LC FIPS builds
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 30 Jun 2026 13:26:19 +0000 (13:26 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Tue, 30 Jun 2026 13:57:11 +0000 (13:57 +0000)
When AWS-LC is built in FIPS mode, unconditionally override the
compile-time curve defaults with the FIPS-approved NIST P-curves
before config parsing. Explicit ssl-default-{bind,server}-curves
keywords in the global section still take precedence over these
defaults.

The approved set is defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS family:
  CONNECT/LISTEN_DEFAULT_FIPS_CURVES - P-256, P-384, P-521

This ensures that internal servers (httpclient, Lua SSL sockets) that
inherit global defaults also operate with FIPS-compliant curve lists
without requiring explicit configuration.

include/haproxy/defaults.h
src/ssl_sock.c

index 87ebe88f0be016dc7d68cde0f9622ec97a157534..95262c79f4d219e8466dd663f13761ecc95caafe 100644 (file)
 #define LISTEN_DEFAULT_FIPS_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
 #endif
 
+/* FIPS-approved elliptic curves for AWS-LC FIPS builds (NIST P-curves only) */
+#ifndef CONNECT_DEFAULT_FIPS_CURVES
+#define CONNECT_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
+#endif
+
+#ifndef LISTEN_DEFAULT_FIPS_CURVES
+#define LISTEN_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
+#endif
+
 /* named curve used as defaults for ECDHE ciphers */
 #ifndef ECDHE_DEFAULT_CURVE
 #define ECDHE_DEFAULT_CURVE "prime256v1"
index f77eb01628165b97613f525fa13ff463c36837bc..8b58f8662af82dff49e3e1c722ed59c34e4bab75 100644 (file)
@@ -8533,6 +8533,10 @@ static void __ssl_sock_init(void)
                global_ssl.listen_default_ciphersuites = strdup(LISTEN_DEFAULT_FIPS_CIPHERSUITES);
                free(global_ssl.connect_default_ciphersuites);
                global_ssl.connect_default_ciphersuites = strdup(CONNECT_DEFAULT_FIPS_CIPHERSUITES);
+               free(global_ssl.listen_default_curves);
+               global_ssl.listen_default_curves = strdup(LISTEN_DEFAULT_FIPS_CURVES);
+               free(global_ssl.connect_default_curves);
+               global_ssl.connect_default_curves = strdup(CONNECT_DEFAULT_FIPS_CURVES);
        }
 #endif /* OPENSSL_IS_AWSLC */