So today my dad noticed that my freshly Let's-Encrypted domains aren't working on his Windows XP machine. I took a look at it but I can't really figure out the problem.
I tested the domain on ssllabs.com and the only potential problem I could find was the required SNI support.
My page seems to work on other XP systems (according to browserstack.com).
About the client:
This is the first case I know of where the domain did not work correctly.
His Windows says: "The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded." (Pretty hard to actually find anything about this statement on Google…)
SNI test pages are working fine on his PC (for example sni.velox.ch).
System clock is set correctly
No proxy
Microsoft Security Essentials as antivirus
I don't know what else to look for. Anyone got an idea?
Honestly, take the opportunity and get your dad off of Windows XP. Install an XFCE- or LXDE-based distro as a dual boot for him and sell it with "I'm going to make your computer faster". Worked perfectly here.
Believe me, I tried. He could do that himself; he's not that incapable of working with computers at all. But he's mostly of the "never change a running system" mindset. The growing number of things like this, though, is currently kind of pushing him towards using a newer OS.
But still, this means that all Let's-Encrypted pages won't work on XP, and I can't convince random visitors to upgrade their system.
I 301-redirected all HTTP requests to my site to HTTPS, but with XP users in mind I think that might not be a good idea.
Do you know if there's a possibility to check the corresponding SSL support in the nginx conf files and only redirect to HTTPS if it's properly supported?
I don't know if nginx has those kinds of features, but with the aid of, for example, this list, you could make some kind of "fingerprint" for browsers according to the ClientHello the client sends, for example the supported ciphers or something. I have no clue if that's discriminating enough, but perhaps the XP clients have something "unique" you can identify them by.
Hmmm, wait a minute… You want to check in the HTTP phase. So you can check by User-Agent header, although those can be faked of course…
But I wouldn't care that much about WinXP really; anybody still on that deserves to get a broken web, and yes, I do even include less developed countries here. Only Android 2 is a different story, but even that is less likely a target audience for your website.
No offense, but that's a horrible view on accessibility, in my eyes of course. Anyway, I'm probably just going to limit the redirect to non-XP users.
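The User-Agent-based conditional redirect discussed above, written out as an nginx configuration. This is an added example and not config posted by anyone in the thread; the hostnames, document root and certificate paths are assumptions. Windows XP (32-bit) identifies itself as "Windows NT 5.1" and XP x64 / Server 2003 as "Windows NT 5.2" in the User-Agent header, which is what the `map` keys on:

```nginx
# Added example (not from the thread). The map block belongs in the http{}
# context, e.g. in a file under /etc/nginx/conf.d/.
#
# $redirect_to_https is 1 for everyone except clients whose User-Agent
# announces Windows XP (NT 5.1) or XP x64 / Server 2003 (NT 5.2).
# The header is client-controlled, so this is a usability heuristic,
# not a security control: a spoofed User-Agent simply gets HTTP.
map $http_user_agent $redirect_to_https {
    default                 1;
    "~Windows NT 5\.[12]"   0;
}

server {
    listen 80;
    server_name example.com www.example.com;   # assumed hostnames

    location / {
        # "if" + "return" inside a location is one of the safe uses of "if".
        if ($redirect_to_https) {
            return 301 https://$host$request_uri;
        }
        # XP clients fall through and are served over plain HTTP.
        root /var/www/example;   # assumed document root
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # assumed certbot-style paths
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/example;
}
```

Two things to keep in mind with this setup. First, do not send a `Strict-Transport-Security` header from the HTTPS server if XP visitors are meant to keep using HTTP: any browser on XP that honours HSTS (Firefox and Chrome do; IE8 does not) would be forced to HTTPS on later visits regardless of the redirect logic. Second, the `~` prefix in `map` makes the regex case-sensitive; use `~*` if you want a case-insensitive match, and run `nginx -t` after editing to catch quoting mistakes in the pattern.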