MSMQ and Federal Information Processing Standard (FIPS)

The United States Government has a couple of standards that provide a benchmark for implementing cryptographic software.

These are:

To enable FIPS compliant algorithms in Windows 2003:

  1. In Control Panel, double-click Administrative Tools.
  2. In Administrative Tools, double-click Local Security Policy.
  3. In Local Security Policy, expand Local Policies, expand Security Options, and then double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing".
  4. In the "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" Properties dialog box, click the Local Security Setting tab.
  5. On the Local Security Setting tab, click Enabled, and then click OK.
  6. Close Local Security Policy.

If you enable these algorithms, however, you cannot send messages by using MSMQ over HTTPS. This is because, by default, a Secure Sockets Layer (SSL) 3.0 connection is established, but SSL 3.0 is not FIPS compliant.

Back in April, a hotfix was produced to get round this, as discussed in:

FIX: You cannot use Microsoft Message Queuing 3.0 to send messages over HTTPS if Federal Information Processing Standard (FIPS) is enabled in Windows Server 2003
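
To confirm on a given server whether the policy set in the steps above is in effect, and so whether MSMQ over HTTPS is affected, the following PowerShell function reads the registry values behind that setting. It is an added example, not part of the original post; the function name Get-FipsPolicyState is made up here, and it assumes PowerShell 2.0 or later is installed, which on Windows Server 2003 is a separate download.

```powershell
# Added example: report whether the "Use FIPS compliant algorithms" policy is enabled.
# Get-FipsPolicyState is a hypothetical helper name, not a built-in cmdlet.
function Get-FipsPolicyState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Windows XP / Server 2003 layout: DWORD value "FIPSAlgorithmPolicy" directly under Lsa.
    $legacy = $null
    $p = Get-ItemProperty -Path $lsa -Name 'FIPSAlgorithmPolicy' -ErrorAction SilentlyContinue
    if ($p) { $legacy = [int]$p.FIPSAlgorithmPolicy }

    # Windows Vista / Server 2008 and later layout: DWORD value "Enabled" under a subkey.
    $modern = $null
    $p = Get-ItemProperty -Path "$lsa\FIPSAlgorithmPolicy" -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($p) { $modern = [int]$p.Enabled }

    # A missing value is reported as $null so "not configured" is distinguishable from 0.
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        LegacyValue  = $legacy
        ModernValue  = $modern
        FipsEnforced = (($legacy -eq 1) -or ($modern -eq 1))
    }
}

$state = Get-FipsPolicyState
$state | Format-List Computer, LegacyValue, ModernValue, FipsEnforced

if ($state.FipsEnforced) {
    Write-Warning ('FIPS policy is enabled. On Windows Server 2003, MSMQ 3.0 cannot send ' +
                   'over HTTPS unless the hotfix discussed in this post is installed.')
}
```

The function only reads the local registry; a value pushed by Group Policy shows up in the same location as one set through Local Security Policy.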