Issue starting the service

Hi,

We have FIPS encryption enabled on our server, in order to be PCI DSS compliant. Having disabled this temporarily to install Octopus, it was then re-enabled and the service ran all day. Overnight, following a server-reboot (some Microsoft patches got applied automatically too), the service no longer wants to start. Do we need to disable FIPS encryption (not possible) in order to run Octopus, or do you know if a recent patch has caused an issue?

Thanks for any assistance, here is a snippet from the OctopusServer.txt log file:

2015-03-12 10:24:59.7252 11 ERROR Unhandled exception from web server: An exception was thrown while executing a resolve operation. See the InnerException for details. —> Exception has been thrown by the target of an invocation. (See inner exception for details.)
Autofac.Core.DependencyResolutionException: An exception was thrown while executing a resolve operation. See the InnerException for details. —> Exception has been thrown by the target of an invocation. (See inner exception for details.) —> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider…ctor()

Thanks - Michael.

In the Application Logs, I can see the following error:

Faulting application name: Octopus.Server.exe, version: 2.6.3.886, time stamp: 0x54ea8e18
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a
Exception code: 0xe0434352
Fault offset: 0x000000000000940d
Faulting process id: 0x17d8
Faulting application start time: 0x01d05cae9ecf4c69
Faulting application path: C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 08f06a47-c8a2-11e4-a95d-3c4a92eeefda

Not sure if they are related to the following microsoft updates:

https://technet.microsoft.com/library/security/MS15-025
https://technet.microsoft.com/library/security/MS15-023

Furthermore, it appears that by disabling FIPS encryption, the service will start. when FIPS encryption is then re-enabled, and the service is restarted, it will not start successfully.

Hi Michael,

Thanks for getting in touch! I am sorry to say that you cannot run Octopus Server with FIPS. The reason being that both Lucene and Raven are embedded and they use algorithms that are not FIPS compliant. You can run it on the Tentacle server however.
In 3.0 we are removing Raven, embedded databases and Lucene, so it is possible that this will be able to run with FIPS enabled.

Sorry if that is bad news.
Vanessa

Hi Vanessa,

Thanks for that – do you have a timeframe for when 3.0 is due to be released?

Many thanks,

Michael

Hi Michael,

We are aiming for a June* stable release. Pre-release by April.
*All dates are subject to change being out of control of support folks :wink:

Vanessa

Hi Vanessa,

Thanks for that. And can you confirm whether version 3.0 will function with FIPS encryption disabled?

Michael

Hi Michael,

Sorry for the delay, Paul has confirmed that 3.0 should be compliant with FIPS and if you find it isn’t, we will make it so.
Now that majority of our architecture is in house, there should be nothing stopping this from being the case.

Vanessa

Hi Vanessa,
I can confirm that with the following policy set via Group Policy Mangement:

Console Root\local computer policy\computer configuration\windows settings\security settings\local policies\security options:

“System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing” set to enabled.

When enabled on Windows Server 2012r2 x64 it will fail to allow logins. I attempted to log in using AD credentials from the same domain that the server is in.

From the login page:
“This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”

From the octopus log:

2016-02-16 13:39:47.6980 16 ERROR Unhandled error on request: https://octopus-xxxx.prod.local/api/users/login by : Exception has been thrown by the target of an invocation.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider…ctor()

I am using Octopus Deploy 3.2.23 x64.

Hi,

Thanks for the extra feedback and details. I’ve added a task to both fix this and make our testing around FIPS more robust.
You can track it here: https://github.com/OctopusDeploy/Issues/issues/2376
It is in our current sprint which gives it a very good chance of being started soon.

Vanessa

Hi Vanessa,

I can say that the 3.3.1 build of Octopus Deploy addressing the FIPS compliance during login no longer shows an issue.

Thanks for the follow up.

Please read the following article we produced around FIPS and Octopus: http://docs.octopus.com/display/OD/FIPS+and+Octopus+Deploy

We will attempt to keep this updated and if and when you encounter any new areas of Octopus that cause errors please let us know.

Vanessa