Allows https for ie6 on win2k

MikeMcQ · September 14, 2025, 3:16pm

I don't think you quite understand the difference between nginx http context and server blocks.

Please upload the config.txt from this. An UPPER case T is essential

sudo nginx -T >~/config.txt

The config.txt will be in your home directory and be fairly large. You should see just two lines displayed to the console but the entire active nginx config in that .txt file

9peppe · September 14, 2025, 3:59pm

Wait, if it's just your windows xp/2000 machines instead of all windows xp/2000 machines... why not use your private certificate authority with whatever config you want?

(It will reintroduce several vulnerabilities, but you can probably adopt reasonable countermeasures)

Patryk · September 15, 2025, 1:57pm

Correct. By default, all domains on Cloudflare require SNI. If needed, non-SNI support can be enabled by contacting Enterprise Sales.

RSA certificate will be issued automatically with any paid plan, then the edge will respond with ECDSA or RSA depending on capabilities of the client.

Still, created certificate will be SHA-2. If SHA-1 is needed, you can upload a custom certificate with Business plan. Since you can't get a publicly-trusted SHA-1 certificate any more, this becomes a private CA.

crt · September 15, 2025, 2:40pm

contacting enterprise sales sounds expensive, something i cant afford
i think im just gonna stick with http then.

Patryk · September 15, 2025, 3:00pm

Hehe, yeah. You have a very niche problem.

Your options are:

some commercial CAs might still be able to issue "legacy certificates" from their old roots that have been pulled from trust stores (but still present in old operating systems; they don't need to follow rules any more), this is going to cost you $$ though, and unsure whether this practice has stopped already
create a private CA, and ask users to import it into their systems
use modern computers sitting on a side to discuss vintage computers
~~just use HTTP~~

griffin · September 15, 2025, 3:09pm

Try to avoid that if at all possible!

Patryk · September 15, 2025, 3:10pm

indeed!

MikeMcQ · September 15, 2025, 3:12pm

Did you ever sort out why your nginx didn't connect using TLS 1.0 or 1.1

I am pretty sure it is because your HTTP context or default server block did not allow it as I noted earlier. A single server block cannot override those except in very unusual situations which yours is not.

crt · September 15, 2025, 3:26pm

Please upload the config.txt from this. An UPPER case T is essential
sudo nginx -T >~/config.txt

do i paste it here or is there some sort of dm function? i dont think its smart putting every endpoint and all the settings here out in the open maybe

9peppe · September 15, 2025, 3:31pm

Can a proxy on a modern machine strip TLS and offer http websites to the old machine?

crt · September 15, 2025, 3:31pm

mr griffin im afraid thats the only alternative, as i suppose leaking the backend ip is gonna cause a lot more issues, like direct access to the vps ip and allowing ddos. contabo's protection is just some guy in the server room unplugging the ethernet as far as im aware ;w;'

system · October 15, 2025, 3:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Enable TLS1.0 in Nginx, getting SNI errors, additional cert Help	20	2661	March 8, 2020
Requesting specific old ciphers for TLS certificates Help	15	1470	November 29, 2023
Clients on windows 7 not able to connect after certbot upgrade Issuance Tech	38	1227	November 2, 2023
My certificat is working in Safari and IE, but not in Firefox Help	14	5512	November 27, 2015
The certificate generated with certbot does not work on Windows XP Help	54	3405	August 28, 2018

Allows https for ie6 on win2k

Related topics