Reputation: 56849
Ok, this has been an ongoing issue for some time. I have been experimenting for a couple of months now and so far the only way I can get my applications to communicate with Windows Server 2008 R2 is to enable the "Use FIPS Compliant algorithms for encrypting, hashing, and signing" setting in the Group Policy of both the client and server machines. Once that is turned on (TLS 1.2 enabled and TLS 1.0 disabled in the registry of both client and server) it works.
But, my dilemma is that I don't need FIPS compliance, and based on Microsoft's recommendation and the fact that I have to upgrade and change a lot of code in order to make all of my apps FIPS compliant (not to mention the uncertainty of whether all 3rd party apps in use will comply on the clients), I am hoping for a better solution.
For the record, the applications I am trying to get to communicate are MS Web Deploy 3.6, .NET Remoting over HTTPS/IIS, and ClickOnce deployment.
It dawned on me that when I enable TLS 1.2 on the server without enabling FIPS mode that the browsers can communicate with it. So, obviously there is some way to get the job done without this setting, I just haven't found it.
I looked at this answer and this answer, but this seems like a low-level setting that can't be set in the configuration file, so it won't work in at least 2 of my 3 cases (it might work with .NET remoting, I haven't tried yet). But the lack of examples is appalling - maybe this is the answer, but I can't figure out how to use it.
An acceptable solution would be to enable FIPS compliance only for certain users, so I can configure each app separately, but since all I can find are machine-wide settings I am at a loss.
One other potential solution I came up with is to use a VPN to connect to the server so my apps don't need an encrypted protocol to communicate. However, since I am using Windows Server 2008 R2 Web Edition (which doesn't support VPN) I am stuck with using a 3rd party solution (which hopefully would support TLS 1.2) or rebuilding my server on a new OS.
My question is specifically: How can I make compiled .NET applications such as MS Web Deploy 3.6 communicate over TLS 1.2 without enabling FIPS compliance, just like the browsers do?
Upvotes: 1
Views: 4554
Reputation: 2844
My answer is based on information from the article: Transport Layer Security (TLS) best practices with the .NET Framework and appears to rely on having .NET 4.7 or greater installed, which didn't exist when this question was originally asked.
My testing was done on a 2016 server with .NET 4.7 acting as both the client and the server, communicating with itself. The client EXE was targeting a pre-4.7 version of .NET. In this case it seems like the following values default to 0 if they're not present in the registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
After adding these values I no longer needed to have FIPS enabled for TLS 1.2 to work.
Upvotes: 1
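An added audit script (not code from the answer above) that checks the four .NET Framework registry locations the answer lists and reports whether each one opts in to the OS-default TLS versions and strong crypto; the `-Apply` switch, the treatment of a missing value as 0, and the need to run elevated are assumptions of this example.

```powershell
# Added example: audit (and optionally set) the SystemDefaultTlsVersions and
# SchUseStrongCrypto values from the answer. Run in an elevated PowerShell.
# Without -Apply nothing is changed; with -Apply missing or zero values are set to 1.
param([switch]$Apply)

$keys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
$names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        # On a 32-bit OS the WOW6432Node paths do not exist; skipping them is expected.
        Write-Output "$key : key not present (skipped)"
        continue
    }
    foreach ($name in $names) {
        # Assumption (from the answer): an absent value behaves as 0 for apps
        # targeting a pre-4.7 framework, so report it as 0.
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) { $value = 0 }

        if ($value -eq 1) {
            Write-Output "$key\$name = 1 (OK)"
        }
        elseif ($Apply) {
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
            Write-Output "$key\$name set to 1"
        }
        else {
            Write-Output "$key\$name = $value (framework-default TLS list in use; rerun with -Apply to set)"
        }
    }
}
```

SystemDefaultTlsVersions only defers the choice to Schannel, so TLS 1.2 must still be enabled at the Schannel level (as the question already describes); already-running .NET processes read these values at startup and need a restart to pick up the change.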