West Wind Internet and Client Tools
Does wwSFTP support FIPS
  VFPJCOOK
  All
  Sep 15, 2020 @ 12:14pm

Rick,

My code that uses the wwSFTP class to access and get and put files via SFTP began having an issue when my cloud service provider changed a policy whereby the cert provider now uses FIPS. He is saying that could affect SSH.

He is telling me "If your internal SFTP client can’t support FIPS or is having an error using SFTP via SSH due to FIPS, that would probably be the culprit."

So I guess my question for you is, does wwSFTP support FIPS?

Thanks, John

re: Does wwSFTP support FIPS
  Rick Strahl
  VFPJCOOK
  Sep 15, 2020 @ 02:07pm

I have no idea what FIPS is so I'm going to go with the answer is no...

+++ Rick ---

re: Does wwSFTP support FIPS
  VFPJCOOK
  Rick Strahl
  Sep 15, 2020 @ 02:40pm

Well, if you are interested: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/why-we-8217-re-not-recommending-8220-fips-mode-8221-anymore/ba-p/701037

The article states "If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes."

I am worried it may affect more than just wwSFTP. I have asked my CSP for clarification as to why they enabled FIPS mode. It could possibly have to do with government workstations (my customers are government entities) being required to have FIPS enabled so our cloud servers had to do the same. We were having disconnects and enabling FIPS mode fixed that issue.

When I hear from my CSP I will post more, John

re: Does wwSFTP support FIPS
  Rick Strahl
  VFPJCOOK
  Sep 15, 2020 @ 03:00pm

I'm not really sure what you're saying here. If the cloud provider is changing policy it would seem that they would no longer use FIPS since Microsoft recommends not using it.

wwSFTP uses an open source library for the SFTP connection. It's not based on the Microsoft network stack (other than sockets) so it's not using the standard infrastructure, but given active development I suspect it wouldn't be using a legacy protocol in the first place.

There's a discussion on the topic here:

https://github.com/sshnet/SSH.NET/issues/190

Towards the bottom of that post is also a message that seems to suggest that you can turn off the .NET encryption check support that effectively might make FIPS work.

https://github.com/sshnet/SSH.NET/issues/190#issuecomment-443278230

The gist of that comment is to add the following to your app.exe.config (or vfp9.exe.config):

<configuration>
     <runtime>
         <enforceFIPSPolicy enabled="false" />
     </runtime>
</configuration>

+++ Rick ---
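
For anyone diagnosing the situation discussed in this thread, the following is an added example (not part of the original posts and not West Wind or SSH.NET code) that reports whether the Windows FIPS policy is switched on and whether a given application config carries the `enforceFIPSPolicy` element shown above. It assumes Windows PowerShell on the affected machine; the `$ConfigPath` default is a placeholder and the function names are hypothetical.

```powershell
# Added example: report machine FIPS policy and any per-application opt-out.
# $ConfigPath is a placeholder; point it at the .exe.config of the process hosting wwSFTP.
param(
    [string]$ConfigPath = 'C:\path\to\vfp9.exe.config'
)

function Get-FipsPolicyState {
    # Registry value behind the "System cryptography: Use FIPS compliant algorithms" policy.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return [bool]($value -and $value.Enabled -eq 1)
}

function Get-EnforceFipsOverride {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'no config file found' }
    [xml]$config = Get-Content -LiteralPath $Path -Raw
    $node = $config.SelectSingleNode('/configuration/runtime/enforceFIPSPolicy')
    if ($null -eq $node) { return 'not set (machine policy is enforced)' }
    return "enabled=$($node.GetAttribute('enabled'))"
}

[pscustomobject]@{
    MachineFipsPolicyEnabled = Get-FipsPolicyState
    # Value seen by .NET inside this PowerShell process only;
    # the application reads its own .exe.config, reported separately below.
    DotNetAllowOnlyFips      = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    ConfigPath               = $ConfigPath
    EnforceFipsPolicySetting = Get-EnforceFipsOverride -Path $ConfigPath
}
```

A result of `enabled=false` means that application has opted out of the machine's FIPS enforcement, which is worth recording if the servers are subject to a FIPS requirement.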
