mirror of
https://github.com/haproxy/haproxy.git
synced 2026-07-14 19:43:29 -04:00
MEDIUM: ssl: set FIPS-approved cipher defaults for AWS-LC FIPS builds
When AWS-LC is built in FIPS mode, unconditionally override the
compile-time cipher defaults with FIPS-approved sets before config
parsing. Explicit ssl-default-{bind,server}-ciphers{suites} keywords
in the global section still take precedence over these defaults.
The approved sets are defined as macros in include/haproxy/defaults.h
alongside the existing CONNECT/LISTEN_DEFAULT_CIPHERS family:
CONNECT/LISTEN_DEFAULT_FIPS_CIPHERS - AES-128-GCM-SHA256 and
AES-256-GCM-SHA384 (TLS 1.2)
CONNECT/LISTEN_DEFAULT_FIPS_CIPHERSUITES - TLS_AES_128_GCM_SHA256 and
TLS_AES_256_GCM_SHA384 (TLS 1.3)
This ensures internal servers (httpclient, Lua SSL sockets) that
inherit global defaults also operate with FIPS-compliant cipher lists
without requiring explicit configuration.
This commit is contained in:
parent
4c420b5734
commit
1739b648cf
2 changed files with 39 additions and 0 deletions
|
|
@ -438,6 +438,28 @@
|
|||
#define LISTEN_DEFAULT_CIPHERSUITES NULL
|
||||
#endif
|
||||
|
||||
/* FIPS-approved TLS 1.2 ciphers for AWS-LC FIPS builds (AES-GCM only) */
|
||||
#ifndef CONNECT_DEFAULT_FIPS_CIPHERS
|
||||
#define CONNECT_DEFAULT_FIPS_CIPHERS \
|
||||
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
|
||||
#endif
|
||||
|
||||
#ifndef LISTEN_DEFAULT_FIPS_CIPHERS
|
||||
#define LISTEN_DEFAULT_FIPS_CIPHERS \
|
||||
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
|
||||
#endif
|
||||
|
||||
/* FIPS-approved TLS 1.3 cipher suites for AWS-LC FIPS builds */
|
||||
#ifndef CONNECT_DEFAULT_FIPS_CIPHERSUITES
|
||||
#define CONNECT_DEFAULT_FIPS_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
|
||||
#endif
|
||||
|
||||
#ifndef LISTEN_DEFAULT_FIPS_CIPHERSUITES
|
||||
#define LISTEN_DEFAULT_FIPS_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
|
||||
#endif
|
||||
|
||||
/* named curve used as defaults for ECDHE ciphers */
|
||||
#ifndef ECDHE_DEFAULT_CURVE
|
||||
#define ECDHE_DEFAULT_CURVE "prime256v1"
|
||||
|
|
|
|||
|
|
@ -8512,6 +8512,23 @@ static void __ssl_sock_init(void)
|
|||
global_ssl.connect_default_ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_IS_AWSLC)
|
||||
/* When AWS-LC is built in FIPS mode, override any compile-time cipher
|
||||
* defaults with the FIPS-approved sets. This runs before the config
|
||||
* parser so that explicit ssl-default-{bind,server}-ciphers{suites}
|
||||
* keywords in the global section still take precedence. */
|
||||
if (FIPS_mode()) {
|
||||
free(global_ssl.listen_default_ciphers);
|
||||
global_ssl.listen_default_ciphers = strdup(LISTEN_DEFAULT_FIPS_CIPHERS);
|
||||
free(global_ssl.connect_default_ciphers);
|
||||
global_ssl.connect_default_ciphers = strdup(CONNECT_DEFAULT_FIPS_CIPHERS);
|
||||
free(global_ssl.listen_default_ciphersuites);
|
||||
global_ssl.listen_default_ciphersuites = strdup(LISTEN_DEFAULT_FIPS_CIPHERSUITES);
|
||||
free(global_ssl.connect_default_ciphersuites);
|
||||
global_ssl.connect_default_ciphersuites = strdup(CONNECT_DEFAULT_FIPS_CIPHERSUITES);
|
||||
}
|
||||
#endif /* OPENSSL_IS_AWSLC */
|
||||
|
||||
xprt_register(XPRT_SSL, &ssl_sock);
|
||||
#if HA_OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
SSL_library_init();
|
||||
|
|
|
|||
Loading…
Reference in a new issue