Using FIPS Mode with the .NET SDK
As of v.5.8.3, the .NET SDK provides the OpenSSL v.1.1.1j libraries, which do not support FIPS mode. If you must use FIPS mode, you need to obtain an older version of OpenSSL that supports FIPS mode (NOT recommended).
As long as you have an OpenSSL version that supports FIPS mode, your application can use FIPS mode. Version 5.8.0 of the .NET SDK was the last release of the SDK to support FIPS mode.
Not all hardware platforms on which .NET SDK applications can run support FIPS-140-2-validated cryptography. For example, on platforms based on IA32 architecture, the processor must support the SSE2 instruction set. This set is available in Intel x86 CPUs, starting with Pentium 4. When it is enabled, the application log contains a message that FIPS-140-2-validated cryptography is enabled. If you enable it, be sure that your certificates include only FIPS-approved encryption algorithms. The FIPS-approved algorithms are AES, 3DES, RSA, DSA, DH, SHA1, and SHA2.
If you are using the FIPS version of the .NET SDK and the application directly communicates with a Java-based SSL/TLS server (such as the ThingWorx Platform), the cipher suite list should include !kEDH (as shown below). Otherwise, ephemeral Diffie-Hellman (EDH) key exchange may fail:
<CipherSuites>DEFAULT:!kEDH</CipherSuites>
In addition, depending on the Java version, the Apache Tomcat server used by your ThingWorx Foundation instance may or may not be FIPS compliant:
Java 7 — By default, the strong encryption ciphers necessary for the FIPS mode edge client to connect are NOT enabled. To enable them, you must add the following line to the Apache Tomcat server.xml configuration file’s <Connector> tag:
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
Java 8 — By default, the strong encryption ciphers necessary for the FIPS mode edge client to connect ARE enabled. You do not need to modify the Apache Tomcat file.
By default in both Java 7 and 8, weak encryption ciphers are enabled. To disable weak encryption ciphers for running in FIPS mode, update the following two lines in the Java configuration file, java.security:
jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
With weak encryption ciphers disabled, the FIPS mode edge client will connect to the server, but the non-FIPS mode edge client will NOT connect to the server.
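The following Python sketch is an added example, not part of the SDK or the original documentation: it reads the ciphers attribute from a Tomcat <Connector> element and reports any suite that uses an algorithm outside the FIPS-approved list given above. The mapping from JSSE suite-name tokens to that list, the function names, and the sample server.xml fragment are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# FIPS-approved algorithms exactly as listed on this page.
APPROVED = {"AES", "3DES", "RSA", "DSA", "DH", "SHA1", "SHA2"}

# Assumed mapping from JSSE suite-name tokens to the page's algorithm names.
# Any token missing from this map is reported as outside the page's list.
TOKEN_MAP = {
    "RSA": "RSA", "DSS": "DSA", "DH": "DH", "DHE": "DH",
    "AES": "AES", "3DES": "3DES",
    "SHA": "SHA1", "SHA256": "SHA2", "SHA384": "SHA2",
}
# Key sizes and block-cipher modes are not algorithms, so they are skipped.
IGNORED = re.compile(r"^(\d+|CBC|GCM|EDE)$")


def suite_algorithms(suite):
    """Split a JSSE suite name into its key-exchange, cipher and MAC tokens."""
    body = re.sub(r"^(TLS|SSL)_", "", suite.strip())
    return [t for t in re.split(r"_WITH_|_", body) if t and not IGNORED.match(t)]


def audit_connector(server_xml):
    """Return {suite: [tokens outside the approved list]} for all Connectors."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        suites = (s.strip() for s in conn.get("ciphers", "").split(","))
        for suite in filter(None, suites):
            bad = [t for t in suite_algorithms(suite)
                   if TOKEN_MAP.get(t) not in APPROVED]
            if bad:
                findings[suite] = bad
    return findings


# Constructed sample: a Connector carrying the cipher list shown on this page.
# The port and surrounding elements are made up for the example.
SAMPLE = """<Server><Service><Connector port="8443" SSLEnabled="true"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/></Service></Server>"""

if __name__ == "__main__":
    for suite, bad in audit_connector(SAMPLE).items():
        print(f"{suite}: not in approved list: {', '.join(bad)}")
```

Run against the sample, the check reports SSL_RSA_WITH_RC4_128_SHA, because RC4 is not among the approved algorithms listed above.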