Certificate not working on a certain Windows XP machine

So today my dad noticed that my freshly let's-encrypted domains aren't working on his Windows XP machine. I took a look on it but I can't really figure out the problem.

Some facts I have gathered:

About the server:

  • Domain: www.loilo.de
  • I tested the domain on ssllabs.com and the only potential problem I could find was the required SNI support
  • My page seems to work on other XP systems (according to browserstack.com)

About the client:

  • This is the first case I know of where the domain did not work correctly.
  • His Windows says: "The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded." (Pretty hard to actually find anything about this statement on Google…)
  • SNI test pages are working fine on his PC. (for example sni.velox.ch)
  • System clock is set correctly
  • No proxy
  • Microsoft Security Essentials as antivirus

I don't know what else to look for. Anyone got an idea?

Okay, I guess this answers my question. So no way to get it to work on XP SP3, what a pity. :worried:

Honestly, take the opportunity and get your dad off of Windows XP. Install him an XFCE or LXDE based distro dual boot and sell it with "I'm going to make your computer go faster". Worked perfectly here.

Believe me, I tried. He can do that himself, he's not that incapable of working with computers at all. But he's mostly like "never change a running system". But the growing number of things like that are currently kind of pushing him towards using a newer OS.

But still this means that all let's-encrypted pages won't work in XP and I can't convince random visitors to upgrade their system. :wink:

I 301 redirected all HTTP requests to my site to HTTPS but I think with XP users in mind that might not be a good idea.

Do you know if there's a possibility to check the according SSL support in nginx conf files and only redirect to HTTPS if it's properly supported?

I don't know if nginx has those kind of features, but with the aid of, for example, this list, you could make some kind of "fingerprint" for browsers according to the ClientHello the client sends. For example, supported ciphers or something. I have no clue if that's discriminating enough, but perhaps the XP clients have something "unique" you can identify them by.

Hmmm, wait a minute… You want to check in the HTTP phase. So you can check by User-Agent header, although those can be faked of course… :unamused:

Nothing off the shelf, no. Give https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/ a read.

But I wouldn't care that much about WinXP really, anybody still under that deserves to get a broken web and yes, I do even include less developed countries here, only Android 2 is a different story but even less easily a target audience for your website.

Yeah, I just had that idea as well. So simple it actually didn't come to my mind instantly. :no_mouth:

No offense, but that's a horrible view on accessibility - in my eyes, of course. Anyway, I'm probably just going to limit the redirect to non-XP users.

Here's a mod_rewrite piece of code someone has posted in the GitHub issue on this :neutral_face:

Thanks, I already saw that. I'm going to try to convert this to nginx config and then tell if it was a success.

Tried it with nginx at https://community.centminmod.com/threads/letsencrypt-ssl-certificates-and-windows-xp-workarounds.5272/ for testing. Works as long as the WinXP visitor never visited the HTTPS version of your site (with HSTS enabled).
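For readers who want to see what the User-Agent based redirect discussed above looks like in nginx, here is an added example (not the mod_rewrite snippet from the GitHub issue, the centminmod config, or anything posted in this thread). It assumes the thread's domain www.loilo.de, placeholder certificate and document-root paths, and the fact that Windows XP browsers identify themselves with "Windows NT 5.1" (32-bit) or "Windows NT 5.2" (XP x64 / Server 2003) in the User-Agent header:

```nginx
# Added example, not from the thread: send every visitor to HTTPS except
# browsers whose User-Agent says they run on Windows XP, which cannot
# validate the Let's Encrypt certificate as described in this thread.
# www.loilo.de is the thread's domain; file paths below are placeholders.

server {
    listen 80;
    server_name loilo.de www.loilo.de;

    # "Windows NT 5.1" = XP 32-bit, "Windows NT 5.2" = XP x64 / Server 2003.
    # Everyone else gets the permanent redirect; XP keeps being served over
    # plain HTTP from this server block.
    if ($http_user_agent !~ "Windows NT 5\.[12]") {
        return 301 https://$host$request_uri;
    }

    root  /var/www/loilo;   # placeholder document root
    index index.html;
}

server {
    listen 443 ssl;
    server_name loilo.de www.loilo.de;

    ssl_certificate     /etc/letsencrypt/live/www.loilo.de/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/www.loilo.de/privkey.pem;    # placeholder path

    # Deliberately NOT sending Strict-Transport-Security here: as noted in
    # the thread, an XP browser that ever received HSTS from the HTTPS site
    # would be pinned to HTTPS afterwards and hit the certificate error,
    # so the User-Agent exception in the port-80 block could no longer help.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/loilo;   # placeholder document root
    index index.html;
}
```

Two caveats a practitioner should keep in mind: the User-Agent header is client-controlled (as the thread already points out), so this is a convenience for legacy visitors and not a security boundary, and every non-XP visitor is still redirected regardless of what they claim; and leaving HSTS out of the HTTPS block is the price of keeping the HTTP fallback usable, so the header should go back in once XP visitors are no longer a concern.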

Hi, I tried a lite version of Firefox and found out it works with LE certification on Windows XP SP3.
Hope that it might help solve this problem:

lightfirefox.sourceforge.net