
Is the enforceFIPSPolicy config key, as described here, meant for Windows applications only?

On my development machine (Windows 7) I enabled FIPS and then created a simple console app, as follows:

static void Main(string[] args)
{
    var algorithm = new RijndaelManaged();
    Console.WriteLine("Algorithm created!");
}

When I run it I get a FIPS error:

System.InvalidOperationException: This implementation is not part of the Windows 
Platform FIPS validated cryptographic algorithms.

Then, if I add the following under the configuration element in the app.config file:

<runtime>
  <enforceFIPSPolicy enabled="false"/>
</runtime>

The application executes successfully.

Now, if I do the same thing in a web application (ASP.NET MVC 4):

public ActionResult Index()
{
    var alg = new RijndaelManaged();
    return View();
}

The code will fail, even if I add the same config section to the application's web.config file.

I was also able to observe the same behavior in WCF web service.

I would assume that this has to do with the fact that web applications and web services are hosted in IIS (although I reproduced the same behavior with Cassini as well).

Is there any way to have a web app "opt out" of FIPS checks the same way we can do it for Windows applications? Has anybody been successful in doing that?

Sebastian K
  • Hi Sebastian, did you find a solution to this? – JD. Mar 02 '15 at 22:41
  • Unfortunately not, we ended up rewriting FIPS-incompatible pieces – Sebastian K Mar 03 '15 at 14:52
  • Thanks, was this a lot of work? We are using MD5 and what scares me is if hashes are saved and with the changes it will not be able to read them. – JD. Mar 03 '15 at 15:35
  • We were lucky and were able to tune parameters between the FIPS-approved and non-approved versions of AES so that no data was lost. I do not believe there is a FIPS-compliant implementation of MD5, see here [link](http://stackoverflow.com/questions/4893088/is-there-an-alternate-hashing-algorithm-to-md5-for-fips-enabled-systems) – Sebastian K Mar 03 '15 at 21:54
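
The rewrite mentioned in the comments, as an added example that is not code from this thread: data written with `RijndaelManaged` stays readable through the CAPI-backed `AesCryptoServiceProvider` when both use a 128-bit block. The class name, the CBC/PKCS7 settings and the key, IV and plaintext are assumptions constructed for illustration, and the legacy half only runs where `RijndaelManaged` can still be constructed (FIPS not enforced, or a console app with `enforceFIPSPolicy` disabled as in the question).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class FipsAesMigrationDemo   // hypothetical name, not from the thread
{
    // Runs one direction of a symmetric transform over a whole buffer.
    static byte[] Transform(ICryptoTransform t, byte[] input)
    {
        using (t) return t.TransformFinalBlock(input, 0, input.Length);
    }

    // Settings both classes must agree on. AES fixes the block size at 128 bits;
    // data written by RijndaelManaged with a 192/256-bit block is not AES.
    static void Configure(SymmetricAlgorithm alg, byte[] key, byte[] iv)
    {
        alg.BlockSize = 128;             // set before IV: changing it resets the IV
        alg.Mode = CipherMode.CBC;       // assumed mode of the legacy data
        alg.Padding = PaddingMode.PKCS7; // assumed padding of the legacy data
        alg.Key = key;
        alg.IV = iv;
    }

    static void Main()
    {
        // Constructed sample key, IV and plaintext for the demonstration only.
        byte[] key = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();
        byte[] iv = Enumerable.Range(100, 16).Select(i => (byte)i).ToArray();
        byte[] plain = Encoding.UTF8.GetBytes("record written before the FIPS migration");
        byte[] legacyCipher;

        // Legacy path: throws InvalidOperationException when FIPS is enforced.
        using (var legacy = new RijndaelManaged())
        {
            Configure(legacy, key, iv);
            legacyCipher = Transform(legacy.CreateEncryptor(), plain);
        }

        // Replacement path: wrapper over the Windows CAPI AES implementation.
        using (var aes = new AesCryptoServiceProvider())
        {
            Configure(aes, key, iv);
            byte[] roundTrip = Transform(aes.CreateDecryptor(), legacyCipher);
            byte[] newCipher = Transform(aes.CreateEncryptor(), plain);
            Console.WriteLine("Old data readable: " + roundTrip.SequenceEqual(plain));
            Console.WriteLine("Ciphertexts match: " + newCipher.SequenceEqual(legacyCipher));
        }
    }
}
```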

0 Answers