Does it support Windows XP users?


#1

Hello,

I am interested in installing Let’s Encrypt on my website, which is on a DigitalOcean server. So I am reading this tutorial: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

and https://www.youtube.com/watch?v=m9aa7xqX67c

But before I do that…

Please tell me, does a Let’s Encrypt certificate support Windows XP users?

Specifically, will they be able to access my site from Google Chrome on Windows XP?

Thank you


#2

Hi @bundyboy

There are a lot of modern Secure Ciphers which Windows XP doesn’t know about.

Mozilla publishes a list of ciphers to support various browsers and versions and you can review them here: https://wiki.mozilla.org/Security/Server_Side_TLS

Things to note: SSL v3 is generally not recommended due to the Heartbleed vulnerability.

The second challenge you will face is that Windows XP SP3+ is required to work with SHA256 certificates. The current default for all certification authorities is SHA256 certificates.

Andrei


#3

Hi Andrei 🙂

Thank you for the help.

So what should I do?

From this tutorial: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

After I am done with this tutorial, what certificate will be installed? The latest, or?

Or do I have a choice?

Because it would be great if it can work for Win XP SP3 users.

Thank you


#4

The certificates are compatible with XP >= SP3.

There’s a second aspect to XP compatibility, and that’s the protocol and cipher suites your web server supports. That’s independent of the certificate (and Let’s Encrypt). If you want to remain compatible with XP, you’ll need to enable some outdated protocols and cipher suites like SSLv3 and DES-CBC.

Enabling these protocols and ciphers is definitely a security trade-off, but it’s still significantly better than no HTTPS at all, so if you absolutely need XP compatibility, it might be acceptable. The Mozilla Wiki link posted by @ahaw021 has some more details on this topic.

The guide you referenced uses cipher suites (in section “Nginx configuration additions — 2 of 3”) that would not be compatible with Windows XP. You can use the suggested settings from Mozilla’s SSL Configuration Generator if you want to change that. (Select “Nginx” and “Old” first - “Old” being the cipher suite selection that supports XP.) The relevant settings you need to change are ssl_protocols and ssl_ciphers.
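Added example, not part of any post in this thread: a small Python check of the two nginx directives named above, reporting whether a legacy client could still connect and whether SSLv3 (the POODLE exposure raised later in the thread) is switched on. The sample configs are constructed, the function names are hypothetical, and the legacy-client profile (TLSv1 at most, a 3DES suite required) is an assumption.

```python
import re

# Assumption (not stated in the thread): a legacy XP client that relies on the
# operating system's TLS stack speaks at most TLSv1 and needs a 3DES suite.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}

# Constructed sample configs, not taken from the tutorial or the generator.
MODERN = """
server {
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
}
"""
LEGACY = """
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSLv3: POODLE exposure
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DES:!RC4';
}
"""
NO_SSLV3 = LEGACY.replace("SSLv3 TLSv1 ", "TLSv1 ")


def directive_args(conf, name):
    """Arguments of the last `name ...;` directive, comments and quotes stripped."""
    text = re.sub(r"#[^\n]*", "", conf)
    found = re.findall(rf"^\s*{re.escape(name)}\s+([^;]+);", text, re.M)
    return found[-1].replace("'", " ").replace('"', " ").split() if found else []


def audit(conf):
    """Report legacy-client reachability and whether SSLv3 is enabled."""
    protocols = set(directive_args(conf, "ssl_protocols"))
    tokens = ":".join(directive_args(conf, "ssl_ciphers")).split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    enabled = [t for t in tokens if t and t[0] not in "!-"]
    # Literal-token heuristic: OpenSSL aliases such as HIGH are not expanded.
    has_3des = "3DES" not in excluded and any(
        t == "3DES" or "DES-CBC3" in t for t in enabled)
    legacy_protocol = bool(protocols & LEGACY_PROTOCOLS)
    return {
        "sslv3_enabled": "SSLv3" in protocols,
        "legacy_protocol": legacy_protocol,
        "legacy_cipher": has_3des,
        "legacy_client_ok": legacy_protocol and has_3des,
    }


if __name__ == "__main__":
    for label, conf in (("modern", MODERN), ("legacy", LEGACY), ("no-sslv3", NO_SSLV3)):
        print(label, audit(conf))
```

The third sample shows the middle ground: TLSv1 plus a 3DES suite keeps the assumed legacy client working while SSLv3 stays off.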


#5

SSLv3’s problems have nothing to do with Heartbleed.

You may find older posts stating LE certificates are incompatible with Windows XP. This used to be true, but was resolved when the default intermediate certificate was changed from Let’s Encrypt Authority X1 to Let’s Encrypt Authority X3. The reason for that was incompatible extensions that restricted LE from issuing certificates for the .mil TLD.


#6

Wut…?   


#7

Apologies, POODLE was the word I was looking for.

The message I was trying to get across is that in general SSL v3 is not a good thing to enable on your servers.

https://disablessl3.com/

Sorry for misleading.


#8

Certainly, disabling SSLv3 is a very good step towards secure HTTPS. And almost not even useful any longer. If one would check their site at https://www.ssllabs.com/ssltest/ one would see it almost always uses TLSv1.0 or higher.

