On Thu, 2 May 2024 at 17:14, Froehlich, Dominik <dominik.froehl...@sap.com> wrote:
> The closest I’ve gotten is the “curves” property:
> https://docs.haproxy.org/2.8/configuration.html#5.1-curves
>
> However, I think it only restricts the available elliptic curves in an ECDHE
> handshake, but it does not prevent a TLS 1.3 client from selecting a
> non-ECDHE prime group, for example “ffdhe8192”.

If I understand the code correctly, both nginx and haproxy call SSL_CTX_set1_curves_list(). What exactly makes you think that haproxy does something different?

Lukas