web.config 中的 enforceFIPSPolicy 标志似乎不适用于 Web 应用程序
我正在尝试设置一个 Web 应用程序,使其在 Windows 注册表中的 FIPSAlgorithmPolicy 设置为 1 的环境中工作(具体来说,HKLM/SYSTEM/CurrentControlSet/Control /LSA)。启用此标志后,对类 MD5CryptoServiceProvider 的任何调用都将导致抛出 无效操作异常,并显示以下堆栈跟踪:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.RijndaelManaged..ctor() +10480142
System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +439
System.Web.Configuration.MachineKeySection.EnsureConfig() +152
System.Web.Configuration.MachineKeySection.GetEncodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32& length) +48
System.Web.UI.ObjectStateFormatter.Serialize(Object stateGraph) +381
System.Web.UI.Util.SerializeWithAssert(IStateFormatter formatter, Object stateGraph) +59
System.Web.UI.HiddenFieldPageStatePersister.Save() +89
System.Web.UI.Page.SaveAllState() +1117
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3864
基于我在 这个文章,您应该能够将以下内容添加到您的配置文件中以禁用算法检查:
<configuration>
<runtime>
<enforceFIPSPolicy enabled="false"/>
</runtime>
</configuration>
这对我来说通过修改其 app.config 在测试控制台应用程序中有效。但是,当修改 .NET 2.0 Web 应用程序的 web.config 时,它似乎不起作用。
对我来说有趣的是,尽管当我在代码中实例化 MD5CryptoServiceProvider 时捕获了所有异常,但它似乎甚至没有到达我的代码的该部分。这是我的测试应用程序中调用的代码:
protected string printSomething()
{
string toPrint = String.Empty;
try
{
MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
toPrint = "Created algorithm.";
}
catch (Exception e)
{
toPrint = e.ToString();
}
return toPrint;
}
这是我访问页面时看到的内容:
因此,这带来了几个问题:
- 为什么 IIS 抛出 YSOD 而不是让我的应用程序捕获异常?
- 我需要做什么才能让我的网络应用程序能够使用
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
1).您的代码没有抛出异常。 ASP.NET 正在做其他事情。 ASP.NET 正在尝试序列化 ViewState;可以通过机器密钥加密。当 ASP.NET 在内部执行此操作时;它使用
RijndaelManaged类(不符合 FIPS 140;并且会崩溃。同样;当 ASP.NET 尝试加密/解密表单身份验证票证时;它也会使用计算机密钥。您对于机器密钥问题,您可以使用 3DES(通过将 web.config 中的 MachineKey 设置为如下所示,它将始终使用符合 FIPS 的实现:
2)。不应该被忽略。如果我发现什么,
MD5CryptoServiceProvider 可能仍然不符合 FIPS。 .NET 中的 SHA-1 和 SHA-2 哈希算法以BouncyCastle 而不是 .NET 的实现,因为它不关心该标志。
CryptoServiceProvider结尾的加密函数依赖于 Windows CSP;另一种方法是使用1). Your code isn't throwing the exception. ASP.NET is doing something else. ASP.NET is trying to serialize the ViewState; which can be encrypted by the machine key. When ASP.NET does this internally; it uses the
RijndaelManagedclass (which is not FIPS 140 compliant; and blows up. Likewise; when ASP.NET tries to encrypt / decrypt a forms authentication ticket; it will use the machine key as well.You have a few options for the Machine Key issue. You can use 3DES (which will always use a FIPS compliant implementation by setting the MachineKey in your web.config to look like this:
2). I'm not sure why your flag is being ignored. It shouldn't be. I'll edit if I figure anything out.
Note that the
MD5CryptoServiceProvidermight still bomb. MD5 is not a FIPS compliant hash. As far as I know; only the SHA-1 and SHA-2 hash algorithms are in .NET. The crypto functions that end inCryptoServiceProviderrely on the Windows CSP; which also acknowledges that flag. An alternative would be to use BouncyCastle instead of .NET's implementation since it doesn't care about that flag.我认为您需要更新更多文件。从此处
将以下文本添加到文件中。
<代码><配置>;
<运行时>
如果 ASP.NET 开发服务器正在运行,请将其停止。您可以通过右键单击系统托盘中的图标并选择“停止”来执行此操作。
将以下行添加到 devenv.exe.config 的运行时部分。
如果 Visual Studio 已打开,则将其关闭,然后再次打开。
一些可以尝试的附加操作
仔细检查您是否没有您的 Web.config。当设置调试编译时,.NET 使用 MD5 哈希进行某些内部簿记。 MD5 不符合 FIPS,因此您会收到此错误。
ASP.NET 2.0 在处理视图状态数据时使用 AES 算法的 RijndaelManaged 实现。 RijndaelManaged 实施尚未经过美国国家标准与技术研究所 (NIST) 的认证,符合联邦信息处理标准 (FIPS)。因此,AES 算法不是 Windows 平台 FIPS 验证的加密算法的一部分。要解决此问题,您可以使用以下行在 web.config 中指定不同的算法:
它也确认了此处(来自 MSFT),您遇到了相同的错误。要修复它:
I think you need to update a few more files. From here
Add the following text to the file.
<configuration><runtime>
<enforceFIPSPolicy enabled="0" />
</runtime>
</configuration>
If the ASP.NET Development Server is running, stop it. You can do this by right-clicking its icon in the system tray and selecting Stop.
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\or whatever folder contains devenv.exe.config.Add the following line to the runtime section of devenv.exe.config.
<enforceFIPSPolicy enabled=”0” />If Visual Studio is open then close it and open it again.
Some addition things to try
Double check that you don't have in your Web.config. When debug compilation is set, .NET uses an MD5 hash for some internal bookkeeping. MD5 is not FIPS compliant so you get this error.
ASP.NET 2.0 uses the RijndaelManaged implementation of the AES algorithm when it processes view state data. The RijndaelManaged implementation has not been certified by the National Institute of Standards and Technology (NIST) as compliant with the Federal Information Processing Standard (FIPS). Therefore, the AES algorithm is not part of the Windows Platform FIPS validated cryptographic algorithms. To solve this, you can specify a different algorithm in your web.config using this line:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>Its also confirms here by MSFT that you get the same error. To fix it:
正如您所发现的,web.config 条目不起作用,至少在 iis 7.5 及更高版本中是这样。相反,您需要使用应用程序池配置文件,如这里
As you've found, the web.config entry doesn't work, at least in iis 7.5 forward. Instead, you need to use an application pool configuration file, as described here
所以,尽管这是旧的,但它仍然有点相关。该设置
位于 Framework 和/或 Framework64 .net 文件夹中的 aspnet.config 中。此绕过设置适用于应用程序配置文件。 Web.config 不是应用程序配置文件。
So, even though this is old, it's still a bit relevant. The setting
goes in aspnet.config in the Framework and/or Framework64 .net folders. This bypass setting works on an application config file. Web.config is not an application configuration file.