FIPS mode compatibility

I’ve set up Octopus 3.2.1 but in order to log in I had to disable FIPS mode (https://support.microsoft.com/en-us/kb/811833) because otherwise login to server would fail with “This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”

Per this thread http://help.octopusdeploy.com/discussions/problems/31392-issue-starting-the-service, Octopus 3.0 was supposed to be compatible with FIPS. Can you confirm whether this is actually the case, and if not, do you have plans to support FIPS mode in the future?

The U.S. government enables FIPS mode by default on its servers.

Hi Dmitriy,

Thanks for getting in touch! Octopus 3 should be FIPS compliant. We have been able to confirm this.
So we need to figure out what might be the cause of your instance not allowing FIPS to be enabled.

What we will need to diagnose and replicate are very specific details. If you could answer the following with as much detail as possible:

  1. What OS version are you using
    1a. What bit version of OS and also Octopus Server
  2. What SQL server version are you using
    2a. Is SQL server local or external
  3. Are you using AD or user/pass
    3a. if AD did you have to define the container
  4. are you using the Octopus default paths
    4a. If not, what did you redefine

Hopefully this will help us figure out which part FIPS is complaining about.
Vanessa

Hi,

I have a similar problem, but for a C# script step: when I simply use a .NET method like Console.WriteLine, I get an error about non-compliance with FIPS.

I use:
Tentacle version 3.2.5
Calamari: 3.1.16

Additionally, when I run scriptcs.exe on the target machine and execute simple C# code, the result is the same.

Hi Sebastian,

Could you also answer the questions that I asked the OP about environment details, as this will better help us replicate the issue?

Thanks!
Vanessa

Hi,

ad1: I use:
Windows Server 2012 R2 6.3.9600
Octopus Server 3.2.5
Tentacle version 3.2.5
Calamari: 3.1.16
.Net 4.5

ad2: I don’t use SQL Server in this context
ad3: I don’t use AD
ad4: Yes, I use Octopus default paths

Vanessa,

Sure. See below.

  1. What OS version are you using
    1a. What bit version of OS and also Octopus Server

Windows Server 2012 R2 Standard

Octopus Server 3.2.1

  2. What SQL server version are you using
    2a. Is SQL server local or external

SQL Server 2014 Express with Advanced Services

Local

  3. Are you using AD or user/pass
    3a. if AD did you have to define the container

No AD

  4. are you using the Octopus default paths
    4a. If not, what did you redefine

Yes

Hi Dmitriy and Sebastian,

Thanks for the info. I’ve added an issue to investigate what is causing it. I will let you know if we require any further information.
Here is the issue if you want to track it: https://github.com/OctopusDeploy/Issues/issues/2196

Thanks for the report!
Vanessa

The issue (https://github.com/OctopusDeploy/Issues/issues/2196) is now marked as closed, but I tried to re-enable FIPS mode and am getting the same error in the latest Server 3.2.22 when logging in.

Hi Dmitriy,

Can you send the server logs from when the error is still happening? We were able to very easily reproduce the same error when you reported it, but cannot now with that version.
So we need to know what it is about your environment that’s different from the ones we are using to test, as we used exactly the details you gave us.
We are hoping the stack trace in the logs from seeing this error will help.

Vanessa

Sure, see attached. I can always reproduce it on the Octopus Server machine after I switch FIPS mode back on.


Dmitriy Korobskiy

Octopus_FIPS_Issue.zip (84 KB)

Hi Dmitriy,

We found this was due to our Gravatar usage - it only accepts email addresses in MD5 - so we have disabled it when FIPS is in use.
We made this and other changes, which will be part of our 3.3.1 release.
Please track the issue here: https://github.com/OctopusDeploy/Issues/issues/2376

Vanessa
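
Added example, not part of the thread and not Octopus Deploy source: one way to guard a Gravatar lookup on .NET Framework so that MD5 is never instantiated while the FIPS policy is enforced. The `GravatarLink` class and `TryBuild` method are hypothetical names, and the sample address is constructed.

```csharp
using System;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;

// Added illustration only. GravatarLink and TryBuild are hypothetical names.
public static class GravatarLink
{
    // Returns the avatar URL, or null when the caller should fall back to a
    // local placeholder image (no email, or MD5 blocked by the FIPS policy).
    public static string TryBuild(string email)
    {
        if (string.IsNullOrWhiteSpace(email))
            return null;

        // True when the runtime is enforcing the FIPS-only algorithm policy.
        if (CryptoConfig.AllowOnlyFipsAlgorithms)
            return null;

        try
        {
            using (var md5 = MD5.Create())
            {
                // Gravatar hashes the trimmed, lower-cased address with MD5.
                var input = Encoding.UTF8.GetBytes(email.Trim().ToLowerInvariant());
                var hex = new StringBuilder();
                foreach (var b in md5.ComputeHash(input))
                    hex.Append(b.ToString("x2"));
                return "https://www.gravatar.com/avatar/" + hex;
            }
        }
        // Defensive fallback: the "not part of the Windows Platform FIPS validated
        // cryptographic algorithms" error is an InvalidOperationException, which
        // can arrive wrapped when the algorithm is created through reflection.
        catch (InvalidOperationException) { return null; }
        catch (TargetInvocationException ex) when (ex.InnerException is InvalidOperationException) { return null; }
    }

    public static void Main()
    {
        // Constructed sample address.
        var url = TryBuild("  Someone@Example.com ");
        Console.WriteLine(url ?? "FIPS policy active or no email: use a placeholder avatar");
    }
}
```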