Hi Damien,

Thanks, that's a good point! However, checking only OPENSSL_IS_AWSLC won't be
enough: FIPS versions are LTS and are supported by HAProxy (especially
AWS-LC-3.0.0). You could either check AWSLC_API_VERSION > 34 or the
TLSEXT_nid_unknown constant which was added by the awslc patch.

Also note that we haven't supported BoringSSL for several years; I don't
know if you've tried compiling with it, but the build will likely fail.

On Thu, Nov 13, 2025 at 02:24:10PM +0000, Damien Claisse wrote:
> Subject: [PATCH] MINOR: ssl-sample: expose ssl_*c_curve for AWS-LC and 
> BoringSSL
> The underlying SSL_get_negotiated_group function has been backported
> into AWS-LC [1] and BoringSSL [2], so expose the feature for users of
> these TLS stacks as well.
> 
> [1] 
> https://github.com/aws/aws-lc/commit/d6a37244ad8922f41f70195104b9da9f64c96202
> [2] 
> https://boringssl.googlesource.com/boringssl/+/6cf98208371e5c2c8b9d34ce3b8c452ea90e2963
> ---
>  src/ssl_sample.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/src/ssl_sample.c b/src/ssl_sample.c
> index 230deafc3..ed5b72693 100644
> --- a/src/ssl_sample.c
> +++ b/src/ssl_sample.c
> @@ -1501,9 +1501,10 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, 
> struct sample *smp, const ch
>   * front and backend connection.
>   *
>   * The function to get the curve name (SSL_get_negotiated_group) is only 
> available
> - * in OpenSSLv3 onwards and not for previous versions.
> + * in OpenSSLv3 onwards and not for previous versions. It is also available 
> in
> + * AWS-LC and BoringSSL.
>   */
> -#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
> +#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || defined(OPENSSL_IS_AWSLC) 
> || defined(OPENSSL_IS_BORINGSSL)
>  static int
>  smp_fetch_ssl_fc_ec(const struct arg *args, struct sample *smp, const char 
> *kw, void *private)
>  {
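Review bot: the new `defined(OPENSSL_IS_AWSLC)` term in the `#if` guarding `smp_fetch_ssl_fc_ec` is too coarse, because that macro is set by every AWS-LC release, including the FIPS/LTS lines HAProxy still builds against, which may predate the backport in [1]; on those the build would fail on an undefined `SSL_get_negotiated_group`. Gate on something tied to the backport instead, for example `defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION > 34)` or the `TLSEXT_nid_unknown` constant introduced by the same AWS-LC change, as the reply suggests. The `defined(OPENSSL_IS_BORINGSSL)` term also enables a configuration that is not exercised, since HAProxy has not supported building with BoringSSL for several years.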
> @@ -2549,7 +2550,7 @@ static struct sample_fetch_kw_list 
> sample_fetch_keywords = {ILH, {
>       { "ssl_bc_alpn",            smp_fetch_ssl_fc_alpn,        0,            
>        NULL,    SMP_T_STR,  SMP_USE_L5SRV },
>  #endif
>       { "ssl_bc_cipher",          smp_fetch_ssl_fc_cipher,      0,            
>        NULL,    SMP_T_STR,  SMP_USE_L5SRV },
> -#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
> +#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || defined(OPENSSL_IS_AWSLC) 
> || defined(OPENSSL_IS_BORINGSSL)
>          { "ssl_bc_curve",           smp_fetch_ssl_fc_ec,          0,         
>           NULL,    SMP_T_STR,  SMP_USE_L5SRV },
>  #endif
>  #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
> @@ -2612,7 +2613,7 @@ static struct sample_fetch_kw_list 
> sample_fetch_keywords = {ILH, {
>       { "ssl_fc",                 smp_fetch_ssl_fc,             0,            
>        NULL,    SMP_T_BOOL, SMP_USE_L5CLI },
>       { "ssl_fc_alg_keysize",     smp_fetch_ssl_fc_alg_keysize, 0,            
>        NULL,    SMP_T_SINT, SMP_USE_L5CLI },
>       { "ssl_fc_cipher",          smp_fetch_ssl_fc_cipher,      0,            
>        NULL,    SMP_T_STR,  SMP_USE_L5CLI },
> -#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
> +#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || defined(OPENSSL_IS_AWSLC) 
> || defined(OPENSSL_IS_BORINGSSL)
>          { "ssl_fc_curve",           smp_fetch_ssl_fc_ec,          0,         
>           NULL,    SMP_T_STR,  SMP_USE_L5CLI },
>  #endif
>       { "ssl_fc_early_rcvd",      smp_fetch_ssl_fc_early_rcvd,  0,            
>        NULL,    SMP_T_BOOL, SMP_USE_L5CLI },
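Review bot: the same three-term `#if` condition is now copied verbatim at the function definition and at both keyword entries (`ssl_bc_curve` in the previous hunk and `ssl_fc_curve` here); if one copy is later tightened (e.g. to an `AWSLC_API_VERSION` check) and the others are not, the keyword table would reference a function that is not compiled in. Define the condition once next to `smp_fetch_ssl_fc_ec`, e.g. `#define HAVE_SSL_GET_NEGOTIATED_GROUP` (name is only a suggestion), and test that single macro at all three sites.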
> -- 
> 2.43.0
> 
> 

-- 
William Lallemand