We have FIPS encryption enabled on our server, in order to be PCI DSS compliant. Having disabled this temporarily to install Octopus, it was then re-enabled and the service ran all day. Overnight, following a server reboot (some Microsoft patches got applied automatically too), the service no longer wants to start. Do we need to disable FIPS encryption (not possible) in order to run Octopus, or do you know if a recent patch has caused an issue?
Thanks for any assistance, here is a snippet from the OctopusServer.txt log file:
2015-03-12 10:24:59.7252 11 ERROR Unhandled exception from web server: An exception was thrown while executing a resolve operation. See the InnerException for details. ---> Exception has been thrown by the target of an invocation. (See inner exception for details.)
Autofac.Core.DependencyResolutionException: An exception was thrown while executing a resolve operation. See the InnerException for details. ---> Exception has been thrown by the target of an invocation. (See inner exception for details.) ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
Furthermore, it appears that by disabling FIPS encryption, the service will start. When FIPS encryption is then re-enabled, and the service is restarted, it will not start successfully.
Thanks for getting in touch! I am sorry to say that you cannot run Octopus Server with FIPS. The reason being that both Lucene and Raven are embedded and they use algorithms that are not FIPS compliant. You can run it on the Tentacle server however.
In 3.0 we are removing Raven, embedded databases and Lucene, so it is possible that this will be able to run with FIPS enabled.
Sorry for the delay, Paul has confirmed that 3.0 should be compliant with FIPS and if you find it isn’t, we will make it so.
Now that the majority of our architecture is in-house, there should be nothing stopping this from being the case.
“System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing” set to enabled.
When enabled on Windows Server 2012r2 x64 it will fail to allow logins. I attempted to log in using AD credentials from the same domain that the server is in.
From the login page:
“This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”
From the octopus log:
2016-02-16 13:39:47.6980 16 ERROR Unhandled error on request: https://octopus-xxxx.prod.local/api/users/login by : Exception has been thrown by the target of an invocation.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
Thanks for the extra feedback and details. I’ve added a task to both fix this and make our testing around FIPS more robust.
You can track it here: https://github.com/OctopusDeploy/Issues/issues/2376
It is in our current sprint which gives it a very good chance of being started soon.
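A log triage sketch for the errors quoted in this thread, added here as an example and not Octopus Deploy's own code: it groups OctopusServer.txt lines into entries and reports which System.Security.Cryptography type was rejected by the FIPS policy and, where logged, on which request. The entry layout is assumed from the two excerpts above, and the INFO line in the sample is constructed.

```python
import re
from collections import Counter

# Message text taken from the log excerpts in this thread.
FIPS_MSG = "not part of the Windows Platform FIPS validated cryptographic algorithms"
# Assumed entry header layout: "<date> <time> <thread> <LEVEL> <message>".
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(\w+)\s+(.*)$")
# The first stack frame inside the .NET crypto namespace names the rejected algorithm.
FRAME = re.compile(r"^\s*at\s+(System\.Security\.Cryptography\.\w+)", re.MULTILINE)
URL = re.compile(r"https?://\S+")

def split_entries(lines):
    """Attach continuation lines (exception text, stack frames) to their header line."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            entries.append({"timestamp": m[1], "level": m[3], "text": [m[4]]})
        elif entries:
            entries[-1]["text"].append(line)
    return entries

def find_fips_violations(lines):
    """Return one finding per log entry that failed because of the FIPS policy."""
    findings = []
    for entry in split_entries(lines):
        body = "\n".join(entry["text"])
        if FIPS_MSG not in body:
            continue
        frame = FRAME.search(body)
        url = URL.search(entry["text"][0])
        findings.append({
            "timestamp": entry["timestamp"],
            "algorithm": frame.group(1) if frame else "unknown",
            "request": url.group(0) if url else None,
        })
    return findings

# Sample input: the two excerpts from this thread (abridged) plus one constructed INFO line.
SAMPLE_LOG = """\
2015-03-12 10:24:59.7252 11 ERROR Unhandled exception from web server: An exception was thrown while executing a resolve operation.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
2016-02-16 13:39:40.1000 9 INFO Listening for HTTP requests
2016-02-16 13:39:47.6980 16 ERROR Unhandled error on request: https://octopus-xxxx.prod.local/api/users/login by : Exception has been thrown by the target of an invocation.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
""".splitlines()

if __name__ == "__main__":
    hits = find_fips_violations(SAMPLE_LOG)
    for h in hits:
        print(h["timestamp"], h["algorithm"], h["request"] or "-")
    print(Counter(h["algorithm"] for h in hits).most_common())
```

Run against a real log, the per-algorithm count shows whether MD5 is the only non-validated algorithm being requested or whether other types also need replacing before the server can run with the policy enabled.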