[CSHARP-3729] Connection fails when using authentication while FIPS enabled Created: 08/Jul/21  Updated: 01/Feb/22  Resolved: 09/Jul/21

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Barak Spojnikov Assignee: James Kovacs
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates CSHARP-1703 SCRAM-SHA-1 fails on FIPS machines Closed
is duplicated by CSHARP-4032 MD5.Create Method Use of Broken Crypt... Closed

Description

When setting up authentication while FIPS is enabled on the Windows machine the driver will fail to connect due to a usage of MD5 hashing mechanism.

Exact stack trace:

Exception Message [A timeout occured after 30000ms selecting a server using CompositeServerSelector{ Selectors = ReadPreferenceServerSelector{ ReadPreference = { Mode = Primary, TagSets = [] } }, LatencyLimitingServerSelector{ AllowedLatencyRange = 00:00:00.0150000 } }. Client view of cluster state is { ClusterId : "1", ConnectionMode : "Automatic", Type : "Unknown", State : "Disconnected", Servers : [{ ServerId: "{ ClusterId : 1, EndPoint : "127.0.0.1:27018" }", EndPoint: "127.0.0.1:27018", State: "Disconnected", Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.MD5.Create()
   at MongoDB.Driver.Core.Authentication.AuthenticationHelper.MongoPasswordDigest(String username, SecureString password)
   at MongoDB.Driver.Core.Authentication.ScramSha1Authenticator.ClientFirst.Transition(SaslConversation conversation, Byte[] bytesReceivedFromServer)
   at MongoDB.Driver.Core.Authentication.SaslAuthenticator.Transition(SaslConversation conversation, ISaslStep currentStep, BsonDocument result)
   at MongoDB.Driver.Core.Authentication.SaslAuthenticator.<AuthenticateAsync>d__7.MoveNext()

Comments
Comment by Barak Spojnikov [ 09/Jul/21 ]

@James Kovacs Thanks for the detailed reply

Comment by James Kovacs [ 08/Jul/21 ]

Hi, barak.spoj@sisense.com,

Thank you for reaching out to MongoDB about authentication failing when FIPS mode is enabled.

Reviewing the provided stack trace, ScramSha1Authenticator is present, which means that you're using SCRAM-SHA-1 authentication. The SCRAM-SHA-1 authentication protocol uses the MD5 hash in a non-cryptographic manner, but even so it is not compatible with FIPS mode. See CSHARP-1703 for more information.

We recommend switching to a FIPS-compatible authentication protocol such as SCRAM-SHA-256 (available in MongoDB 4.0+), LDAP, Kerberos, or x.509. Note that LDAP and Kerberos support requires MongoDB Enterprise. SCRAM-SHA-256 and x.509 are available in both MongoDB Community and Enterprise.

Please let us know if you have any additional questions.

Sincerely,
James
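The mitigation described in the comment above, as an added example that is not code from this issue or from the C# driver project: a small helper that first probes whether the host's FIPS policy blocks MD5 (the same `MD5.Create()` call that fails in the stack trace on .NET Framework) and then builds a `MongoClient` whose credential is pinned to SCRAM-SHA-256 instead of relying on mechanism negotiation. The host, port, database, user name and password are constructed placeholders; the example assumes the `MongoDB.Driver` NuGet package, a MongoDB 4.0+ server that is reachable over TLS, and a user that has SCRAM-SHA-256 credentials.

```csharp
using System;
using System.Security.Cryptography;
using MongoDB.Driver;

// Added example (not part of the Jira issue or of the driver code base).
public static class FipsAwareMongoClientFactory
{
    // SCRAM-SHA-1 in this driver builds its password digest with MD5
    // (AuthenticationHelper.MongoPasswordDigest in the trace above). On a
    // Windows host with the FIPS policy enforced, .NET Framework throws
    // InvalidOperationException from the MD5 provider constructor. Probing
    // it up front turns a 30 s server-selection timeout into an immediate,
    // descriptive failure.
    public static bool Md5IsBlockedByFipsPolicy()
    {
        try
        {
            using (MD5.Create())
            {
                return false;
            }
        }
        catch (InvalidOperationException)
        {
            return true;
        }
    }

    // Builds a client that authenticates with SCRAM-SHA-256 only. Pinning the
    // mechanism means a user that happens to hold only SCRAM-SHA-1 credentials
    // fails authentication explicitly instead of being negotiated onto the
    // MD5-based mechanism, which is the failure mode this issue reports.
    public static MongoClient Create(string host, int port, string authDatabase,
                                     string username, string password)
    {
        var credential = MongoCredential
            .CreateCredential(authDatabase, username, password)
            .WithMechanism("SCRAM-SHA-256");

        var settings = new MongoClientSettings
        {
            Server = new MongoServerAddress(host, port),
            UseTls = true,            // assumption: the server is configured for TLS
            Credential = credential,
        };

        return new MongoClient(settings);
    }

    public static void Main()
    {
        if (Md5IsBlockedByFipsPolicy())
        {
            Console.WriteLine("FIPS policy blocks MD5: SCRAM-SHA-1 cannot be used on this host; " +
                              "the client below is pinned to SCRAM-SHA-256.");
        }

        // Constructed placeholder values; replace with real connection details.
        var client = Create("127.0.0.1", 27018, "admin", "appUser", "REPLACE_WITH_PASSWORD");

        // A trivial command forces the connection and therefore the SASL handshake,
        // so an authentication problem surfaces here rather than on first real query.
        var db = client.GetDatabase("admin");
        db.RunCommand<MongoDB.Bson.BsonDocument>(new MongoDB.Bson.BsonDocument("ping", 1));
        Console.WriteLine("Authenticated with SCRAM-SHA-256.");
    }
}
```

The same pinning can be expressed in a connection string with `authMechanism=SCRAM-SHA-256` (for example `mongodb://appUser:PASSWORD@127.0.0.1:27018/?authSource=admin&authMechanism=SCRAM-SHA-256&tls=true`, again with placeholder values) and passed to `MongoClientSettings.FromConnectionString`. For an x.509 deployment the credential is created with `MongoCredential.CreateMongoX509Credential` and a client certificate in `settings.SslSettings.ClientCertificates` instead, which avoids password digests entirely.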

Generated at Wed Feb 07 21:46:08 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.