I'm trying to set up a web application to work in an environment where the FIPSAlgorithmPolicy is set to 1 in the Windows registry (specifically, HKLM/SYSTEM/CurrentControlSet/Control/Lsa). When this flag is enabled, any call to the class MD5CryptoServiceProvider will cause an Invalid Operation Exception to be thrown with the following stack trace:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.RijndaelManaged..ctor() +10480142
System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +439
System.Web.Configuration.MachineKeySection.EnsureConfig() +152
System.Web.Configuration.MachineKeySection.GetEncodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32& length) +48
System.Web.UI.ObjectStateFormatter.Serialize(Object stateGraph) +381
System.Web.UI.Util.SerializeWithAssert(IStateFormatter formatter, Object stateGraph) +59
System.Web.UI.HiddenFieldPageStatePersister.Save() +89
System.Web.UI.Page.SaveAllState() +1117
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3864
Based on what I read in this article, you're supposed to be able to add the following to your config file to disable the algorithm check:
<configuration>
<runtime>
<enforceFIPSPolicy enabled="false"/>
</runtime>
</configuration>
This works for me in a test Console application by modifying its app.config. However, it doesn't seem to work when a modify a .NET 2.0 web application's web.config.
What's interesting to me is that even though I'm catching all exceptions when I go instantiate an MD5CryptoServiceProvider in code, it doesn't seem to even make it to that portion of my code. This is the code that's called in my test app:
protected string printSomething()
{
string toPrint = String.Empty;
try
{
MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
toPrint = "Created algorithm.";
}
catch (Exception e)
{
toPrint = e.ToString();
}
return toPrint;
}
And this is what I see when I visit the page:
So this brings up a couple of questions:
- Why is IIS throwing a YSOD instead of allowing my app to catch the exception?
- What do I need to do so that my web app is able to use
<enforceFIPSPolicy enabled="false"/>?
1). Your code isn't throwing the exception. ASP.NET is doing something else. ASP.NET is trying to serialize the ViewState; which can be encrypted by the machine key. When ASP.NET does this internally; it uses the RijndaelManaged class (which is not FIPS 140 compliant; and blows up. Likewise; when ASP.NET tries to encrypt / decrypt a forms authentication ticket; it will use the machine key as well.
You have a few options for the Machine Key issue. You can use 3DES (which will always use a FIPS compliant implementation by setting the MachineKey in your web.config to look like this:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES" />
2). I'm not sure why your flag is being ignored. It shouldn't be. I'll edit if I figure anything out.
Note that the MD5CryptoServiceProvider might still bomb. MD5 is not a FIPS compliant hash. As far as I know; only the SHA-1 and SHA-2 hash algorithms are in .NET. The crypto functions that end in CryptoServiceProvider rely on the Windows CSP; which also acknowledges that flag. An alternative would be to use BouncyCastle instead of .NET's implementation since it doesn't care about that flag.
I think you need to update a few more files. From here
- Go to C:\Program Files\Common Files\Microsoft Shared\DevServer\9.0 or whatever folder contains WebDev.WebServer.Exe
- Create a text file named “WebDev.WebServer.Exe.config.” Be sure the extension is “config” and not “txt.”
Add the following text to the file.
<configuration> <runtime> <enforceFIPSPolicy enabled="0" /> </runtime> </configuration>If the ASP.NET Development Server is running, stop it. You can do this by right-clicking its icon in the system tray and selecting Stop.
- Go to
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\or whatever folder contains devenv.exe.config. Add the following line to the runtime section of devenv.exe.config.
<enforceFIPSPolicy enabled=”0” />If Visual Studio is open then close it and open it again.
Double check that you don't have in your Web.config. When debug compilation is set, .NET uses an MD5 hash for some internal bookkeeping. MD5 is not FIPS compliant so you get this error.
ASP.NET 2.0 uses the RijndaelManaged implementation of the AES algorithm when it processes view state data. The RijndaelManaged implementation has not been certified by the National Institute of Standards and Technology (NIST) as compliant with the Federal Information Processing Standard (FIPS). Therefore, the AES algorithm is not part of the Windows Platform FIPS validated cryptographic algorithms. To solve this, you can specify a different algorithm in your web.config using this line:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
Its also confirms here by MSFT that you get the same error. To fix it:
In a text editor such as Notepad, open the application-level Web.config file. In the Web.config file, locate the section. Add the following section to in the section:
`<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>`
Save the Web.config file. Restart the Microsoft Internet Information Services (IIS) service. To do this, run the following command at a command prompt: iisreset
As you've found, the web.config entry doesn't work, at least in iis 7.5 forward. Instead, you need to use an application pool configuration file, as described here
So, even though this is old, it's still a bit relevant. The setting
<configuration>
<runtime>
<enforceFIPSPolicy enabled="false" />
</runtime>
</configuration>
goes in aspnet.config in the Framework and/or Framework64 .net folders. This bypass setting works on an application config file. Web.config is not an application configuration file.
来源:https://stackoverflow.com/questions/6652850/enforcefipspolicy-flag-in-web-config-doesnt-seem-to-working-for-web-application