i know these old ciphers are insecure, but id rather have https using tls 1.0 on my site than http only for these old browsers
i host a forum and chatroom for old browsers, and want https to work, but the browsers i allow [ie6 and above mainly] only support tls 1.0
i tried cloudflare and setting minimum tls version to 1.0, but that didnt work, so i tried a seperate domain to bypass cloudflare and directly access the site, but even when enabling tls 1.0 and 1.1 in nginx ssl config it still doesnt work, i read something about windows 2000 allowing just 1 cert per ip, and only being able to handle sha1, and not sha2 which letsencrypt uses
how can i get a sha1 cert so these browsers can still benefit from a little security when visiting my site, even if its not much?
My domain is: redtro.net
I ran this command: the setup and stuff to get the needed certs
It produced this output: worked for moden browsers
My web server is (include version): debian 12, hosted at contabo
I can login to a root shell on my machine (yes or no, or I don't know): yes, always worked, why wouldnt it now
I'm using a control panel to manage my site: no, just plain ftp and a nginx config
The version of my certbot is 2.1.0
The issue with 1 cert per IP etc is just on the server side, client side doesn't care about your IP. [Good point about SNI @MikeMcQ!]
Client side, you will have a a set of TLS protocol levels that a client can speak, and within those a set of TLS cipher suites that they are prepared to negotiate with the service.
So your server needs to support both the TLS protocol level that a client will use, and at least one common cipher suite (dictated in part by your certificate key type, RSA being the only real choice for older browsers).
Your domain proxied at Cloudflare requires SNI. If the browser client does not support it that won't work.
If the client does not support SNI, it can connect directly to your nginx server. But, be sure the default server block has your website configuration. Without SNI the default server block is the only one that client can talk to using HTTPS.
I only see ECDSA certs and ciphers for your main domain. Try using RSA cert and setting up matching ciphers. In Certbot I think you just use --key-type rsa and optionally keysize. Note that the EFF has dropped support for Windows more than 1.5 years ago but you should still be able to get a rsa cert with those options.
You might consider a unique domain name just for HTTP for these older clients. You can then monitor access log for that domain name to know when it is no longer needed.
my idea was using secure.forum.redtro.net unproxied to bypass cloudflare
what do you mean by the second part, eff dropped support for windows and stuff, and a rsa cert with a keysize. i did read that win2k supports only a limited keysize or something
im really new to this
thanks for the help regardless tho!
Various alternatives are described there. The most popular are:
Certify the Web (gui)
Posh-ACME (powershell)
simple-acme (cli) (as replacement for win-acme)
Yeah, pretty sure you need to be using an RSA cert. I think that version of Certbot defaults to ECDSA. So, you need to specify --key-type rsa. I am not sure what key-size is appropriate for those older systems. See the Certbot docs for defaults.
oh nonono, i gotta learn to give more info when i make a new post lol. my vps is running on debian 12
i just want to use https on ie6. i heard of self signed certs but those need to be added everytime on every device. makes me confused why they do allow http [no encryption] but dont allow sha1 signing [weakish encryption]. even the microsoft update catalog uses sha1 in their popup window
ill look up what rsa certs are. but can the system even read them if theyre sha2? i honestly have no idea. i diagnose myself with stupid ;w;
sorry, my fault. You did say that. So, nevermind about the EFF and Windows then
@webprofusion is the author of Certify the Web and knows way more about Windows than I do. He said RSA cert was required for those older browsers.
I looked at your cert history and only see ECDSA certs. You should get an RSA cert on your nginx. And setup suitable ciphers there too. The SSL Labs report showed only ECDSA compatible ciphers which is why I mention that.
Don't overthink the SHA thing since you can't do anything about it anyway. Sort out the RSA stuff which is a known issue. I just checked Certbot docs and rsa key size default is 2048 so that's probably fine.
