问题
I am attempting to enable TLS 1.2 on our Windows 2008 R2 server for PCI compliance, and have managed to get it working by following this obscure blog post which requires turning on FIPS validation. Finally, after weeks of looking for a solution, click-once, .NET remoting, and MS Web Deploy are communicating over TLS 1.2.
However, I also have web applications on the machine that quit functioning when I enabled FIPS validation with the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.] System.Security.Cryptography.RijndaelManaged..ctor() +10489630 System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +439 System.Web.Configuration.MachineKeySection.EnsureConfig() +152 System.Web.Configuration.MachineKeySection.HashData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length) +48 System.Web.Configuration.MachineKeySection.HashAndBase64EncodeString(String s) +136 System.Web.SessionState.OutOfProcSessionStateStore.OneTimeInit() +763 System.Web.SessionState.OutOfProcSessionStateStore.Initialize(String name, NameValueCollection config) +223 System.Web.SessionState.OutOfProcSessionStateStore.Initialize(String name, NameValueCollection config, IPartitionResolver partitionResolver) +43 System.Web.SessionState.SessionStateModule.InitModuleFromConfig(HttpApplication app, SessionStateSection config) +11279756 System.Web.SessionState.SessionStateModule.Init(HttpApplication app) +155 System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +480 System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +336 System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +350 System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +382
[HttpException (0x80004005): This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.] System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +11421094 System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +88 System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +4405316
Version Information: Microsoft .NET Framework Version:2.0.50727.5485; ASP.NET Version:2.0.50727.5491
I am using the ASP.NET state service with all 3 of the applications and they are getting this stack trace.
I have searched around for solutions and they all basically say to switch the algorithm to one that is FIPS compliant.
- Problem with FIPS Validated Cryptographic Algorithms
- ASPX pages fail due to FIPS 140 security policy
But since this is being thrown by ASP.NET itself what is the solution? I am using .NET 3.5, would upgrading to a newer framework solve the issue? Or is there a simpler fix, such as a configuration setting?
NOTE: I also attempted to use in-process session state which bypasses this error and then I am getting the same error with cookie encryption (which is apparently also using
System.Security.Cryptography.RijndaelManaged). I tried setting the machine key to the one in the example here (for a test), and also combined it with AES as the decryption and validation settings, but it didn't have any effect on the error message.
回答1:
The following changes worked in my situation...
- Enable TLS protocols in Windows registry. See IIS 7.5: How to enable TLS 1.1 and TLS 1.2
In the application code, add the following line of code when the application starts (e.g.,
Application_Startfor aSystem.Web.Http.Application)System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12;
来源:https://stackoverflow.com/questions/33691866/session-state-fips-validation-error-in-asp-net