[CSHARP-1937] C# Driver 2.X does not allow upload to GridFS when FIPS is enabled
Created: 10/Mar/17 | Updated: 05/Feb/18 | Resolved: 05/Feb/18 |
|
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | GridFS |
| Affects Version/s: | 2.2.3, 2.4.2 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Steve Hall | Assignee: | Unassigned |
| Resolution: | Duplicate | Votes: | 3 |
| Labels: | FIPS, c#, gridfs |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Windows 10 x64 |
| Case: | (copied to CRM) | ||||||||||||||||||||
| Description |
|
Hi
This yields the following error: {{This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.}}
I expect this is due to GridFSForwardOnlyUploadStream.cs using IncrementalMD5. We used to be able to upload with the old driver as we could specify disabling the MD5 check when connecting to GridFS:
Thanks, |
| Comments |
| Comment by Robert Stam [ 05/Feb/18 ] |
|
We no longer plan to write our own implementation of MD5 to bypass FIPS mode enforcement in the OS. Instead, we are making a small change to the GridFS API which will allow the application to disable computation of the MD5 checksum. An application will be able to use GridFS on a FIPS mode machine by using the new option to disable the MD5 checksum. See: |
| Comment by Steve Hall [ 10/Mar/17 ] |
|
Thanks Robert - I know, FIPS is very annoying but we have customers who insist on it being enabled and this means we're dead in the water with them with respect to upgrading our code to the new driver. Thanks for the update |
| Comment by Robert Stam [ 10/Mar/17 ] |
|
The 2.x GridFS implementation follows the new GridFS spec that all drivers follow. In this new spec (and therefore in the 2.x C# driver) calculating the MD5 hash is mandatory, and therefore can no longer be turned off. FIPS unfortunately doesn't distinguish between cryptographic uses of MD5 (where security is important) and benign uses of MD5 such as used by GridFS. We have a related ticket to write our own implementation of MD5 to use where security is not important. FIPS wouldn't see that and therefore GridFS could be used even when FIPS is enabled. |
| Comment by Steve Hall [ 10/Mar/17 ] |
|
I expect this issue occurs on all versions of the 2.x driver but I have only tested it on the ones listed. |