mirror of
https://github.com/haproxy/haproxy.git
synced 2026-07-11 10:07:10 -04:00
AWS-LC does not expose TLS 1.3 ciphersuites set via SSL_CTX_set_ciphersuites() through SSL_CTX_get_ciphers(), so the existing NID-based cipher check in ssl_fips_check_ciphers() cannot catch non-FIPS TLS 1.3 suites. This is further compounded by a defect in the AWS-LC-FIPS 3.x branch where TLS 1.3 ciphers are missing from SSL_get_ciphers() entirely (fixed in https://github.com/aws/aws-lc/pull/2092), making any SSL_CTX-based inspection unreliable across versions. Add ssl_fips_check_ciphersuites() which validates the ciphersuite string directly against a FIPS-approved allowlist (TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384). A NULL string is silently accepted since the global defaults were already overwritten with FIPS values at init time. The new check is called right after SSL_CTX_set_ciphersuites() in both the bind (ssl_sock_prepare_ctx) and server (ssl_sock_prepare_srv_ssl_ctx) configuration paths. |
||
|---|---|---|
| .. | ||
| haproxy | ||
| import | ||
| make | ||