3.2.x: unknown keyword 'ssl-default-bind-client-sigalgs' in 'global' section #769

@nilsthieme

Hi, after upgrading haproxy ingress from 3.1.14 to 3.2.1 / 3.2.3 / 3.2.4 (tried all and all show the same behavior) we're getting the following errors that prevent HAProxy Ingress Controller pods from starting up:

2026-01-12 09:07:26.962 msg="config Fatal errors found in configuration."
2026-01-12 09:07:26.962 msg="config Error(s) found in configuration file /etc/haproxy/haproxy.cfg.3664682e-f244-4138-aa46-099bb293fd47"
2026-01-12 09:07:26.962 msg="config parsing [/etc/haproxy/haproxy.cfg.3664682e-f244-4138-aa46-099bb293fd47:30] unknown keyword 'ssl-dh-param-file' in 'global' section; did you mean 'tune.ssl.default-dh-param' maybe ?"
2026-01-12 09:07:26.962 msg="config parsing [/etc/haproxy/haproxy.cfg.3664682e-f244-4138-aa46-099bb293fd47:26] unknown keyword 'ssl-default-bind-client-sigalgs' in 'global' section; did you mean 'ssl-default-bind-sigalgs' maybe ?"
2026-01-12 09:07:26.961 2026/01/12 08:07:26 ERROR   controller/controller.go:183 [transactionID=3664682e-f244-4138-aa46-099bb293fd47] validation error: exit status 1: err transactionId=3664682e-f244-4138-aa46-099bb293fd47 
2026-01-12 09:07:26.961 2026/01/12 08:07:26 ERROR   controller/controller.go:182 [transactionID=3664682e-f244-4138-aa46-099bb293fd47] unable to Sync HAProxy configuration !!

We do have configured those keywords in the global section, as can be seen in this haproxy.cfg on a pod running 3.1.14:

global
  [...]
  ###_config-snippet_### BEGIN
  [...]
  ssl-default-bind-client-sigalgs ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512
  ssl-dh-param-file /opt/dhparam.d/dhparam.pem
  [...]
  ###_config-snippet_### END

But as per the docs for ssl-default-bind-client-sigalgs and ssl-dh-param-file, they are still valid config options in HAProxy 3.2. We also could not find any related changes mentioned in the release notes of either HAProxy Ingress Controller or HAProxy itself.
Is this an intended change missing from the documentation and likely the release notes, or a bug?

On another note, releases 3.2.x seem to be missing at both https://www.haproxy.com/documentation/kubernetes-ingress/community/changelog/ and https://www.haproxy.com/documentation/kubernetes-ingress/community/release-notes/.
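
A triage helper for the failure reported above, as an added example (not part of the original issue and not HAProxy Ingress Controller code): it parses the controller's "unknown keyword" validation errors and checks whether each rejected directive sits between the `###_config-snippet_###` markers, that is, comes from the user-supplied snippet. The function names and the `outside-snippet` label are hypothetical; the sample log lines and config excerpt are copied from the report.

```python
import re

# HAProxy "unknown keyword" parse error, in the form shown in the controller log above.
UNKNOWN_KW = re.compile(
    r"parsing \[(?P<file>[^\]:]+):(?P<line>\d+)\] unknown keyword '(?P<kw>[^']+)' "
    r"in '(?P<section>[^']+)' section(?:; did you mean '(?P<hint>[^']+)')?"
)
MARKER = "###_config-snippet_###"

def rejected_keywords(log_text):
    """Return one dict (file, line, kw, section, hint) per rejected keyword."""
    return [m.groupdict() | {"line": int(m["line"])} for m in UNKNOWN_KW.finditer(log_text)]

def snippet_keywords(cfg_text, section):
    """Directive names found between the snippet markers of the given section."""
    found, in_section, in_snippet = set(), False, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line == "[...]":          # blank, or elided in the excerpt
            continue
        if line.startswith(MARKER):
            in_snippet = in_section and line.endswith("BEGIN")
        elif not raw[0].isspace() and not line.startswith("#"):
            # Unindented non-comment line: a new top-level section starts here.
            in_section, in_snippet = line.split()[0] == section, False
        elif in_snippet and not line.startswith("#"):
            found.add(line.split()[0])
    return found

def triage(log_text, cfg_text):
    """Tag each rejected keyword with where it sits in the rendered config."""
    return [
        {**e, "origin": "config-snippet"
              if e["kw"] in snippet_keywords(cfg_text, e["section"]) else "outside-snippet"}
        for e in rejected_keywords(log_text)
    ]

# Sample input: two log lines and the config excerpt copied from the report above.
SAMPLE_LOG = """
2026-01-12 09:07:26.962 msg="config parsing [/etc/haproxy/haproxy.cfg.3664682e-f244-4138-aa46-099bb293fd47:30] unknown keyword 'ssl-dh-param-file' in 'global' section; did you mean 'tune.ssl.default-dh-param' maybe ?"
2026-01-12 09:07:26.962 msg="config parsing [/etc/haproxy/haproxy.cfg.3664682e-f244-4138-aa46-099bb293fd47:26] unknown keyword 'ssl-default-bind-client-sigalgs' in 'global' section; did you mean 'ssl-default-bind-sigalgs' maybe ?"
"""
SAMPLE_CFG = """global
  [...]
  ###_config-snippet_### BEGIN
  [...]
  ssl-default-bind-client-sigalgs ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512
  ssl-dh-param-file /opt/dhparam.d/dhparam.pem
  [...]
  ###_config-snippet_### END
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, SAMPLE_CFG):
        print(f'{e["kw"]} (cfg line {e["line"]}, {e["origin"]}) hint: {e["hint"]}')
```
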
