Welcome to the VanDyke Software Forums

11-02-2020, 10:28 AM
bgagnon
VanDyke Technical Support

Why does VShell log “Not accepting FTPS connections because VShell FIPS mode is on”

On the Windows platform, VShell’s FTPS/HTTPS implementation utilizes the SChannel crypto library native to the Windows operating system.

Although FIPS mode may be enabled in VShell (and active for SSH/SFTP connections)…

… FTPS/HTTPS functionality will not be allowed unless FIPS mode is also enabled in Windows.

If FIPS mode is enabled in VShell but not enabled at the operating system level within Windows, VShell’s FTPS/HTTPS logs will display a warning: Not accepting FTPS (HTTPS) connections because VShell FIPS mode is on. For example:


An inspection of your Windows system’s local security policy will likely reveal that in the Security Options section of your Windows machine’s Local Policies, the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing option is currently Disabled.



To enable FIPS mode for Windows/SChannel, a Windows system admin must edit the Local Security Policy on the Windows machine where VShell is installed and enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security option.

To summarize, if FIPS mode has been enabled in VShell via an ADM template…

…and the system level configuration has been made:
Then the warn category message in VShell’s FTPS/HTTPS log file becomes an info category message that reads: VShell FIPS mode is enabled and the Microsoft SChannel setting for FIPS is on.
Attached Images
File Type: jpg 01_vshellCP_w_FIPS_on.jpg (111.4 KB, 5397 views)
File Type: jpg 02_vshell_log_before.jpg (123.0 KB, 5381 views)
File Type: jpg 03_sys_SChannel_disabled.jpg (99.3 KB, 5409 views)
File Type: jpg 04_vshell_FIPS_on_ADM_torn.jpg (103.2 KB, 5565 views)
File Type: jpg 05_vshell_log_after_sys_FIPS_enabled_torn.jpg (295.6 KB, 5467 views)
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
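
The check described in the post above, as an added PowerShell example that is not VanDyke's code: it reads the registry value behind the Windows FIPS security option and, if given a log file, reports which of the two FIPS messages quoted in the post appears last. The `-LogPath` parameter and the function names are assumptions; the page does not state where VShell writes its FTPS/HTTPS log or how a log line is laid out.

```powershell
# Added example, not VanDyke code. -LogPath is supplied by the caller because
# the location of VShell's FTPS/HTTPS log is not given on this page.
param(
    [string]$LogPath   # optional: path to a VShell FTPS or HTTPS log file
)

# Registry value behind "System cryptography: Use FIPS compliant algorithms
# for encryption, hashing, and signing" (1 = Enabled, 0 or absent = Disabled).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-WindowsFipsState {
    $prop = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Enabled -eq 1)
}

function Get-VShellFipsLogState {
    param([string]$Path)
    # Message texts as quoted in the post; nothing else about the line format is assumed.
    $warn = 'Not accepting (FTPS|HTTPS) connections because VShell FIPS mode is on'
    $info = 'VShell FIPS mode is enabled and the Microsoft SChannel setting for FIPS is on'
    $hits = Select-String -Path $Path -Pattern $warn, $info
    if (-not $hits) { return 'no FIPS message found' }
    # Judge by the most recent matching line, since older lines may predate a policy change.
    $last = $hits | Select-Object -Last 1
    if ($last.Line -match $warn) { return 'warn: connections refused' }
    return 'info: VShell and SChannel FIPS both on'
}

$windowsFips = Get-WindowsFipsState
$logState = if ($LogPath) { Get-VShellFipsLogState -Path $LogPath } else { 'not checked' }

[pscustomobject]@{
    WindowsFipsPolicyEnabled = $windowsFips
    VShellLogState           = $logState
}

if (-not $windowsFips) {
    Write-Warning 'Windows FIPS policy is Disabled; with VShell FIPS mode on, FTPS/HTTPS connections are not accepted.'
}
```

A mismatch between the two columns (policy enabled but the log still ending on the warn message) suggests the log lines predate the policy change.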
All times are GMT -6.