Why can't Windows XP handle newer SSL certificate versions?


Solution 1

OK, so looking at the example of mpql.net, we start with the SSL Labs analysis.

The problem appears to be that the server only supports elliptic curve cryptography (the various TLS_ECDHE_xxx suites) and, according to the MSDN articles Secure Sockets Layer Protocol and TLS Cipher Suites, Windows XP doesn't include any of the elliptic curve protocols. This is not related to the certificates per se, but to the way the web server is configured.

Firefox still works because it uses its own cryptographic library rather than using the SSL support built into Windows. Of course, if you were using a version of Firefox as old as Windows XP is, it probably wouldn't work either. :-)
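To make the cipher-suite mismatch concrete, here is an added example (not part of the answer above or of any Microsoft or Chrome code) that builds two TLS ClientHello records, parses the cipher suites and the SNI extension out of them, and simulates the server's choice against an ECDHE-only suite list like the one the SSL Labs report describes. The XP-like suite list is a constructed approximation of an RSA-key-exchange-only Schannel client (no ECDHE suites, no SNI, TLS 1.0); the server list is constructed to match an ECC-only configuration. `negotiate()` returning `None` models the handshake_failure alert that Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

```python
"""Parse a TLS ClientHello and check it against a server's cipher-suite policy."""
import struct

# IANA cipher-suite code points (standard values).
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

# Constructed approximations, not captured traffic: an RSA-only XP-era client
# list, a modern client list, and an ECDHE-only server preference list.
XP_SCHANNEL_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
MODERN_SUITES = [0xC02C, 0xC02B, 0xC030, 0xC02F, 0xC014, 0xC013, 0x0035, 0x002F]
ECDHE_ONLY_SERVER = [0xC030, 0xC02F, 0xC02C, 0xC02B, 0xC014, 0xC013]


def build_client_hello(version, suites, sni=None):
    """Construct a TLS record carrying a ClientHello (constructed test input)."""
    body = struct.pack(">H", version) + b"\x00" * 32  # client_version + fixed 'random'
    body += b"\x00"  # empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if sni is not None:
        name = sni.encode("ascii")
        sni_list = b"\x00" + struct.pack(">H", len(name)) + name  # name_type 0 = host_name
        ext_data = struct.pack(">H", len(sni_list)) + sni_list
        ext = struct.pack(">HH", 0x0000, len(ext_data)) + ext_data  # extension type 0 = server_name
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the client version, offered cipher suites and SNI host name (or None)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 32  # skip client_version and the 32-byte random
    pos += 1 + body[pos]  # skip session id
    suites_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]  # skip compression methods
    sni = None
    if pos + 2 <= len(body):  # extensions block is optional
        ext_len = struct.unpack_from(">H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            if etype == 0x0000 and elen >= 5:
                # server_name_list: list length (2), name_type (1), name length (2), name
                name_len = struct.unpack_from(">H", body, pos + 3)[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": version, "suites": suites, "sni": sni}


def is_ecdhe(suite):
    return CIPHER_NAMES.get(suite, "").startswith("TLS_ECDHE_")


def negotiate(client_suites, server_suites):
    """Pick the first suite in server preference order that the client also offers.

    None means no common suite: the server sends a handshake_failure alert.
    """
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


def check_against_server(record, server_suites):
    """Summarise why a given ClientHello does or does not get past this server."""
    hello = parse_client_hello(record)
    chosen = negotiate(hello["suites"], server_suites)
    return {
        "client_offers_ecdhe": any(is_ecdhe(s) for s in hello["suites"]),
        "sni": hello["sni"],
        "negotiated": CIPHER_NAMES.get(chosen) if chosen is not None else None,
    }


XP_LIKE_HELLO = build_client_hello(0x0301, XP_SCHANNEL_SUITES)            # TLS 1.0, no SNI
MODERN_HELLO = build_client_hello(0x0303, MODERN_SUITES, sni="mpql.net")  # TLS 1.2 with SNI

if __name__ == "__main__":
    for label, rec in (("XP-like client", XP_LIKE_HELLO), ("modern client", MODERN_HELLO)):
        print(label, check_against_server(rec, ECDHE_ONLY_SERVER))
```

The XP-like hello offers no ECDHE suite and carries no SNI, so `negotiated` comes back `None` against the ECDHE-only server, while the modern hello negotiates the server's top preference. Run against a real capture, the same parser shows whether a failing client is missing the suites, the SNI extension, or both, which is the distinction the comments below turn on.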

Solution 2

The solution for this problem on XP is installing KB3055973-v3, which adds support for TLS 128-bit & 256-bit Advanced Encryption Standard (AES) cipher suites. Google for this solution, and beware that it is natively for the English OS version; otherwise you need to modify the installation files.

Solution 3

Certain websites cannot be accessed by Chrome and IE on WinXP due to incompatibility. However, Firefox apparently still does support Windows XP and can access those websites freely.

Chrome and IE use the CA store of Windows, while Firefox uses its own independent store.

Why can't a simple community developer just create a "patch" for Chrome and IE if Firefox can support them?

It might be that some developer can do it, but why should somebody invest their time to support an OS which is dead and insecure just to support browsers which are no longer supported (Chrome will drop support end of 2015)? If you feel this needs to be done anyway, just do it. Otherwise, drop XP or at least use Firefox with it.


Updated on January 18, 2020

Comments

  • Banderi
    Banderi over 4 years

    As I understand, as Windows XP support was officially dropped, the newest versions of SSL certificates used in certain websites cannot be accessed by Chrome and IE on WinXP due to incompatibility. However, Firefox apparently still does support Windows XP and can access those websites freely.

    I don't quite understand how the SSL certificates compatibility works, how is it possible that on Chrome and IE it requires you to switch to a new OS altogether but that's not needed when just using a different browser? Why can't a simple community developer just create a "patch" for Chrome and IE if Firefox can support them? What's the connection between the browser and the OS? Where do I draw the line?

  • Banderi
    Banderi over 8 years
    What's a "CA store"? What does it have to do with Windows XP incompatibility?
  • Banderi
    Banderi over 8 years
    Hmm, it makes sense... But what exactly is that makes Windows XP itself incompatible? Aren't SSL certificates handled by the browsers? What do they have to do with the OS?
  • Dallas
    Dallas over 8 years
    Because of the way it stores certificates. The computer stores certs so it knows whether the site "person" it's talking to is trusted or not trusted, and whether that site is who it says it is. Make sense? Can I ask why you are asking this question?
  • Steffen Ullrich
    Steffen Ullrich over 8 years
    @Banderi: That's the place where the root certificates are stored, which are needed for the validation of the certificates. Which certificates are stored there depends on the OS. Also important is the ability to deal with the new certificates signed with SHA-256. Support for these was added with XP SP3.
  • Banderi
    Banderi over 8 years
    But if certificates are tied to the way the OS stores them, why do Chrome and IE not work while Firefox does? I'm asking this just out of personal curiosity. I have an old XP laptop that suddenly stopped working with some sites and was wondering where on the line between opening regedit and being a Microsoft developer one would need to stand to solve it.
  • Banderi
    Banderi over 8 years
    Hmm... so, the fact that I'm running WinXP changes the certificates the website uses to secure the connection I'm requesting? This would mean that Chrome and IE simply stopped supporting the certificates specifically requested by XP while Firefox still supports them, and to theoretically patch this it would require heavily changing the way XP handles/requests certificates, correct?
  • Harry Johnston
    Harry Johnston over 8 years
    I suspect it's that XP can't understand the certificate the site is providing. Chrome and IE delegate the task of validating the certificate to Windows. Firefox does it itself. But without an example of a site that is failing, it's hard to be sure. (It might also not be the certificate at all, but the cipher suite.)
  • Banderi
    Banderi over 8 years
    This website, for example, doesn't work on XP but works on Seven: mpql.net/tools/dark-souls The error, at least on Chrome, is always the same for these websites, ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • Banderi
    Banderi over 8 years
    So.... Basically, the reason Firefox works is because it's handling cryptography on its own rather than letting XP do it like Chrome and IE? That makes sense. So to "solve" it you would need to either make the browsers use their own implementation or patch Windows XP, neither of which is doable... that explains why nobody ever bothered trying. This clears up pretty much everything, thanks!
  • Harry Johnston
    Harry Johnston over 8 years
    Theoretically you could write a shim - a library that you inject into the program and which intercepts and replaces the API calls. But it would be challenging, and probably not very reliable.
  • Banderi
    Banderi over 8 years
    Hmm, sounds cool. But yeah, probably more convenient to upgrade the OS at this point.
  • Steffen Ullrich
    Steffen Ullrich over 8 years
    @Banderi: This site is using an EC key in the certificate, which is only supported since Windows Vista. Apart from that, it uses SNI, which is not supported by IE on XP either. To support this you would need to replace an important part of the crypto stack of the OS or use your own like Firefox does. See also support.globalsign.com/customer/portal/articles/….
  • Solomon Rutzky
    Solomon Rutzky about 3 years
    Hi there. The link for that download is: microsoft.com/en-us/download/details.aspx?id=48214 . While the description is "Adds support for TLS 128-bit & 256-bit Advanced Encryption Standard (AES) cipher suites", it should also be noted that the patch is for "Windows Embedded POSReady 2009". I can't get it to work on regular XP. It gives an error message: "The version of Windows you have installed does not match the update you are trying to install".
  • user688056
    user688056 almost 3 years
    A +1 from me; the search hint was very useful as of 2021; someone actually had the same problem on GitHub and did a full mod: github.com/FaultlineHC/TLSonXP