haproxy/include
William Lallemand 8bed24905f MEDIUM: ssl: add FIPS TLS 1.3 ciphersuite check for AWS-LC
AWS-LC does not expose TLS 1.3 ciphersuites set via SSL_CTX_set_ciphersuites()
through SSL_CTX_get_ciphers(), so the existing NID-based cipher check in
ssl_fips_check_ciphers() cannot catch non-FIPS TLS 1.3 suites.  This is
further compounded by a defect in the AWS-LC-FIPS 3.x branch where TLS 1.3
ciphers are missing from SSL_get_ciphers() entirely (fixed in
https://github.com/aws/aws-lc/pull/2092), making any SSL_CTX-based
inspection unreliable across versions.

Add ssl_fips_check_ciphersuites() which validates the ciphersuite string
directly against a FIPS-approved allowlist (TLS_AES_128_GCM_SHA256 and
TLS_AES_256_GCM_SHA384).  A NULL string is silently accepted since the
global defaults were already overwritten with FIPS values at init time.

The new check is called right after SSL_CTX_set_ciphersuites() in both
the bind (ssl_sock_prepare_ctx) and server (ssl_sock_prepare_srv_ssl_ctx)
configuration paths.
2026-06-30 13:57:11 +00:00
..
haproxy MEDIUM: ssl: add FIPS TLS 1.3 ciphersuite check for AWS-LC 2026-06-30 13:57:11 +00:00
import MINOR: mjson: reintroduce mjson_next() 2026-04-14 10:57:21 +02:00
make BUILD: makefile: add a qinfo macro to pass info in quiet mode 2025-01-08 11:26:05 +01:00