Diffstat (limited to 'src/crypto/tls/common.go')
-rw-r--r--src/crypto/tls/common.go16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 646b107958..74e75321ac 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -133,11 +133,11 @@ const (
signatureECDSA uint8 = 3
)
-// supportedSignatureAlgorithms contains the signature and hash algorithms that
+// defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that
// the code advertises as supported in a TLS 1.2 ClientHello and in a TLS 1.2
// CertificateRequest. The two fields are merged to match with TLS 1.3.
// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
-var supportedSignatureAlgorithms = []SignatureScheme{
+var defaultSupportedSignatureAlgorithms = []SignatureScheme{
PKCS1WithSHA256,
ECDSAWithP256AndSHA256,
PKCS1WithSHA384,
@@ -659,6 +659,9 @@ func (c *Config) time() time.Time {
}
func (c *Config) cipherSuites() []uint16 {
+ if needFIPS() {
+ return fipsCipherSuites(c)
+ }
s := c.CipherSuites
if s == nil {
s = defaultCipherSuites()
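Review bot: cipherSuites has no comment saying that it now has two sources for its result, and the same applies to minVersion, maxVersion and curvePreferences in the later hunks. When needFIPS() is true the value returned is whatever fipsCipherSuites(c) yields, not c.CipherSuites or the defaults, so someone auditing what a Config can negotiate could miss that the configured setting is bypassed on this path. I would add a doc comment above the function, for example `// cipherSuites returns the suites to offer; when needFIPS() reports true the list comes from fipsCipherSuites(c) rather than c.CipherSuites or defaultCipherSuites().` The function body continues past the end of this hunk.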
@@ -667,6 +670,9 @@ func (c *Config) cipherSuites() []uint16 {
}
func (c *Config) minVersion() uint16 {
+ if needFIPS() {
+ return fipsMinVersion(c)
+ }
if c == nil || c.MinVersion == 0 {
return minVersion
}
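Review bot: The added FIPS branch in minVersion runs before the existing `c == nil` guard, so a nil *Config is now passed straight to fipsMinVersion(c); maxVersion and curvePreferences in the next two hunks have the same ordering. The fips helpers are defined outside this diff, so it cannot be confirmed here that they tolerate nil, and if any of them reads a field of c this becomes a nil-pointer panic that only shows up in FIPS mode. Moving the guard first would return the non-FIPS default, so the contract belongs on the helpers, stated at the call site with something like `// fipsMinVersion must accept a nil c: this branch precedes the nil check below.` A test that calls each accessor on a nil Config with FIPS mode required would pin it down. minVersion's body continues outside this hunk.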
@@ -674,6 +680,9 @@ func (c *Config) minVersion() uint16 {
}
func (c *Config) maxVersion() uint16 {
+ if needFIPS() {
+ return fipsMaxVersion(c)
+ }
if c == nil || c.MaxVersion == 0 {
return maxVersion
}
@@ -683,6 +692,9 @@ func (c *Config) maxVersion() uint16 {
var defaultCurvePreferences = []CurveID{X25519, CurveP256, CurveP384, CurveP521}
func (c *Config) curvePreferences() []CurveID {
+ if needFIPS() {
+ return fipsCurvePreferences(c)
+ }
if c == nil || len(c.CurvePreferences) == 0 {
return defaultCurvePreferences
}