Certificate not working on a certain Windows XP machine


#1

So today my dad noticed that my freshly let’s-encrypted domains aren’t working on his Windows XP machine. I took a look on it but I can’t really figure out the problem.

Some facts I have gathered:

About the server:

  • Domain: www.loilo.de
  • I tested the domain on ssllabs.com and the only potential problem I could find was the required SNI support
  • My page seems to work on other XP systems (according to browserstack.com)

About the client:

  • This is the first case I know of where the domain did not work correctly.
  • His Windows says: “The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.” (Pretty hard to actually find anything about this statement on Google…)
  • SNI test pages are working fine on his PC. (for example sni.velox.ch)
  • System clock is set correctly
  • No proxy
  • Microsoft Security Essentials as antivirus

I don’t know what else to look for. Anyone got an idea?


#2

Okay, I guess this answers my question. So no way to get it to work on XP SP3, what a pity. :worried:


#3

Honestly, take the opportunity and get your dad off of Windows XP. Install him a XFCE or LXDE based distro dual boot and sell it with “I’m going to make your computer go faster”. Worked perfectly here.


#4

Believe me, I tried. He can do that himself, he’s not that incapable of working with computers at all. But he’s mostly like “never change a running system”. But the growing number of things like that are currently kind of pushing him towards using a newer OS.

But still this means that all let’s-encrypted pages won’t work in XP and I can’t convince random visitors to upgrade their system. :wink:

I 301 redirected all HTTP requests to my site to HTTPS but I think with XP users in mind that might not be a good idea.

Do you know if there’s a possibility to check the according SSL support in nginx conf files and only redirect to HTTPS if it’s properly supported?


#5

I don’t know if nginx has those kind of features, but with the aid of, for example, this list, you could make some kind of “finger print” for browsers according to the ClientHello the client sends. For example, supported ciphers or something. I have no clue if that’s discriminating enough, but perhaps the XP clients have something “unique” you can identify them by.

Hmmm, wait a minute… You want to check in the HTTP phase. So you can check by User Agent header, although those can be faked ofcourse… :unamused:


#6

Nothing off the shelf, no. Give https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/ a read.

But I wouldn’t care that much about WinXP really, anybody still under that deserves to get a broken web and yes, I do even include less developed countries here, only Android 2 is a different story but even less easily a target audience for your website.


#7

Yeah, I just had that idea as well. So simple it actually didn’t come to my mind instantly. :no_mouth:


#8

No offense, but that’s a horrible view on accessibility - in my eyes, of course. Anyway, I’m probably just going to limit the redirect to no-XP users.


#9

Here’s a mod_rewrite piece of code someone has posted in the github issue on this :neutral_face:


#10

Thanks, I already saw that. I’m going to try to convert this to nginx config and then tell if it was a success.


#11

tried it with nginx at https://community.centminmod.com/threads/letsencrypt-ssl-certificates-and-windows-xp-workarounds.5272/ for testing works as long as the winxp visitor never visited https version of your site (with HSTS enabled)


#12

Hi, I tried a lite version of firefox and found out it works with LE certification on Windows XP sp3.
Hope that it might help solving this problem:

lightfirefox.sourceforge.net