mirror of
https://github.com/haproxy/haproxy.git
synced 2026-07-11 18:15:49 -04:00
|
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Add ssl_fips_check_sigalgs() which validates the configured signature algorithm list against the FIPS-approved set: ECDSA on NIST P-curves with SHA-256/384/512, RSA-PSS (rsae and pss variants) with SHA-256/ 384/512, and RSA-PKCS1 with SHA-256/384/512. SHA-1 based algorithms and non-FIPS primitives (ed25519, ed448) are rejected. The check uses the same strchr-based string parsing as ssl_fips_check_ciphersuites(). A NULL list is silently accepted since the global defaults were already overwritten with FIPS values at init time. The check is called right after SSL_CTX_set1_sigalgs_list() and SSL_CTX_set1_client_sigalgs_list() in both the bind (ssl_sock_prepare_ctx) and server (ssl_sock_prepare_srv_ssl_ctx) configuration paths. |
||
|---|---|---|
| .. | ||
| haproxy | ||
| import | ||
| make | ||