Use FIPS compliant algorithms if FIPS policy enforcement is enabled on the server. Department of Defense Security Technical Implementation Guides require that FIPS policy is enforced: http://www.stigviewer.com/stig/microsoft_dot_net_framework_4.0/2014-01-08/finding/V-30926
This applies to all of the US Department of Defense. It is understood that MD5 is much faster and might not even be used for security reasons (i.e. using MD5 to generate a hash to determine file differences on version control check-in). However, if FIPS is enabled, why not use a FIPS compliant algorithm?
It is much better to experience some degradation in performance when FIPS policy is enabled than to occasionally swallow exceptions and exhibit strange behavior (i.e. mark changes as merged from one branch to another, but not actually take the merge).
FIPS support is mandatory for us to continue using VS and TFS. If other Microsoft products are used in DoD without issue, then MS needs to make it clear to DoD purchasers and users that this product has limitations. It seems like a clear violation of trust when an MS product is purchased by DoD without proper consideration for that product's limitations on DoD and other government networks.
Mike Lombardi commented
This is currently preventing us from being able to deploy TFS with a risk acceptance which makes choosing TFS as a solution much less attractive.
Wiliam F. Cook commented
IT mandated FIPS compliance yesterday, and all **** has broken loose trying to get anything done with TFS and Visual Studio. This is killing us right now.
Michael Dongtham commented
Visual Studio 2015 uses HMACSHA256, which is FIPS 140 compliant, or should be, since anything SHA1 and above is supposed to be FIPS 140 compliant. The Microsoft Windows 7 (and Windows 8, Windows 8.1, and Windows 10) operating systems are incorrectly flagging the more-secure-than-SHA1 algorithm as a weak algorithm and thus non FIPS 140 compliant.
Is Microsoft planning on releasing an update which correctly identifies its own HMACSHA256 algorithm as FIPS 140 compliant?
Maybe when they do the check they should do something like if (Int32.Parse(GetType().Name.Substring(GetType().Name.IndexOf("SHA") + 3)) >= 1), or how about simply if (GetType().Name.IndexOf("SHA") > 0)
Duh. Microsoft cannot even correctly identify its own algorithms...
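Editor's note, not part of the thread above: the original suggestion asks that a FIPS compliant algorithm be chosen whenever the Windows FIPS policy is enforced, and the comment above reports that a SHA-2 based algorithm is still rejected under that policy. The following C# example (added here; it is not Visual Studio or TFS code and is not Microsoft's check) shows what a .NET Framework application on Windows can do about this: read the policy through CryptoConfig.AllowOnlyFipsAlgorithms, probe which HashAlgorithm implementations the framework refuses to construct under that policy, and compute a file digest with SHA256Cng, which wraps the FIPS-validated CNG provider and does not throw. Whether HMACSHA256 is accepted depends on the framework version, so the probe simply reports what the installed framework does. The class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: FIPS-aware hash selection for a .NET Framework app on Windows.
// Requires references to System.dll and System.Core.dll (SHA256Cng lives in System.Core).
static class FipsAwareHashing
{
    // True when the Windows "Use FIPS compliant algorithms" policy is enforced
    // (registry HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled = 1).
    public static bool FipsEnforced
    {
        get { return CryptoConfig.AllowOnlyFipsAlgorithms; }
    }

    // SHA256Cng is backed by the FIPS-validated CNG module, so it constructs
    // whether or not the policy is enforced. SHA256Managed, by contrast, is a
    // pure managed implementation and throws InvalidOperationException under FIPS.
    public static HashAlgorithm CreateHash()
    {
        return new SHA256Cng();
    }

    // Hex digest of arbitrary content; suitable for the "did this file change"
    // use the original suggestion describes, without depending on MD5.
    public static string HexDigest(byte[] content)
    {
        using (HashAlgorithm h = CreateHash())
        {
            byte[] digest = h.ComputeHash(content);
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Try to construct each implementation and report the framework's verdict.
    // A thrown InvalidOperationException is exactly the failure the thread describes.
    public static void ProbeImplementations()
    {
        var factories = new Func<HashAlgorithm>[]
        {
            () => new MD5CryptoServiceProvider(),   // MD5 is never FIPS approved
            () => new SHA256Managed(),              // managed code, not validated
            () => new SHA256CryptoServiceProvider(),// CAPI, validated
            () => new SHA256Cng(),                  // CNG, validated
            () => new HMACSHA256()                  // verdict depends on framework version
        };

        foreach (Func<HashAlgorithm> factory in factories)
        {
            try
            {
                using (HashAlgorithm h = factory())
                    Console.WriteLine("{0}: constructed OK", h.GetType().Name);
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine("rejected under FIPS policy: {0}", ex.Message);
            }
        }
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy enforced: {0}", FipsEnforced);
        ProbeImplementations();

        // Constructed sample input, standing in for a file being checked in.
        byte[] sample = Encoding.UTF8.GetBytes("example file contents");
        Console.WriteLine("SHA-256 digest: {0}", HexDigest(sample));
    }
}
```

Run it once with the policy off and once with it on (the registry value above, set by Group Policy on STIG-compliant hosts) to see which constructors start throwing; the point of the example is that code which selects its implementation the way CreateHash does keeps working in both configurations, instead of swallowing the exception and continuing with an undefined result.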
Ben Sykes commented
This is preventing us from using the Build/Release Agent altogether without FIPS disabled. The Agent errors out. We will likely be prevented from adopting TFS altogether if this is not implemented.