[Help needed] Windows XP support

As I said, maybe when you declare what's not permitted, you have to declare what's permitted, so try to declare "allow all" and "forbid that TLD that for no reason I can imagine has been blocked from LE".

As far as I have been able to discover, there isn’t an “allow all” that XP understands.

The problem seems to be that if you use NameConstraints at all, XP requires you to restrict the dirName.

Why does the letsencrypt intermediate cert need to use NameConstraints at all? To block certificates issued to .mil domains? How about just not issuing such certificates in the first place?

Why are mil domains blocked in the first place? Is that some bad country or what? North Korean domains aren't blocked either…

The intermediate (Let's Encrypt's) certificate is issued by DST Root CA X3, so I'm guessing they did not want to allow Let's Encrypt to issue to .mil domains (.mil is US military) - probably because they or some other CA they certify is doing that for a lot of money already and they did not want to lose that business. Internet freedom abruptly ends when there is enough money on the line.


As @naox said, this is a requirement from IdenTrust, who cross-signed our intermediate so we could be immediately trusted in most browsers.

Why does the US military need its own TLD?
It's just a military, if anything.

Same stupid junk that .edu is just for US universities…

Historical stuff from the early days. Obviously we should just drop all TLDs except the country-coded ones and each country can set the policy for how names under their ccTLD work.

Note that discussion about why TLDs are the way they are is probably off-topic here. Feel free to start a new topic about it if you will.

It is important to have .gov, .mil, .edu, etc. domains so that users know they are reaching a confirmed organization that is part of that grouping. It raises trust and blocks possible phishing sites in that TLD.

Well, then they can do something like gov.us or whatever. (Public pseudo-subdomains like co.uk have been there for half an eternity.)

The point I have is that at least mil and edu are only for US stuff. If they were international it would be better, especially since an .edu email address is often used to verify university students, which is impossible outside the US.

@motoko’s right: discussion of alternate TLD schemes is off-topic in this thread.

I've tried to access https://helloworld.letsencryp.com using Chrome on a WinXP non-SP3… I use that as a test.

Why don't you try to create an https://winxp.letsencryp.org cert with the best settings so we can try to minimize XP effects?

I have to roll back an https site due to that 0.1% of users not being allowed to purchase… I know it sounds weird… But my client wants it back like it was before…

Well, the problem is that, the way the LE certs are, you cannot make an LE-based HTTPS site for XP because XP's cert verification is f'ed up.

It should be fixed for making "SSL Everywhere".
From my global sites… 70% is Windows, and of this 8% is Windows XP :confused:

Are there any hotfixes for my Win XP users?

Well, a registry change can solve it, but that's bad for security. Or just use Firefox; it ships its own security.

The intermediate certificates signed by "ISRG Root X1" don't have the Name Constraints extension like the IdenTrust cross-signed certs do, so if LE itself gets accepted by all major parties, the problem would go away.
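
A quick way to see for yourself which intermediate you are serving, as an added example that is not part of the thread above and not Let's Encrypt's own tooling: the script below builds two constructed test certificates with openssl, one carrying a NameConstraints extension that excludes .mil (the shape the posts above attribute to the IdenTrust cross-signed intermediate) and one with no NameConstraints at all (the shape attributed to the ISRG Root X1-signed intermediates), and then reports what each one constrains. The file names, subject names and the exact constraint value are assumptions made for the example; it needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Let's Encrypt.
# Two constructed self-signed test certs: "constrained" carries a
# NameConstraints extension excluding .mil, "unconstrained" carries none.
# Subject names, file names and the constraint value are made up.
# Requires OpenSSL 1.1.1+ for -addext.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [EXT]: self-signed test cert; EXT is an optional -addext value.
make_cert() {
    name=$1
    ext=$2
    if [ -n "$ext" ]; then
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -days 1 -subj "/CN=$name" -keyout "$WORK/$name.key" \
            -out "$WORK/$name.pem" -addext "$ext" 2>/dev/null
    else
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -days 1 -subj "/CN=$name" -keyout "$WORK/$name.key" \
            -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# has_name_constraints FILE: prints "yes" if the cert carries the
# X509v3 Name Constraints extension, "no" otherwise.
has_name_constraints() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'X509v3 Name Constraints'; then
        echo yes
    else
        echo no
    fi
}

# name_constraints FILE: prints one "permitted NAME" / "excluded NAME" line per
# entry in the Name Constraints block, nothing if the extension is absent.
# Walks the -text output and stops when indentation returns to the header level.
name_constraints() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /X509v3 Name Constraints/ { inblock = 1; match($0, /^ */); hdr = RLENGTH; next }
        inblock {
            match($0, /^ */)
            if (RLENGTH <= hdr) exit
            if ($1 == "Permitted:") { mode = "permitted"; next }
            if ($1 == "Excluded:")  { mode = "excluded";  next }
            if (mode != "") print mode, $1
        }'
}

make_cert constrained "nameConstraints=excluded;DNS:.mil"
make_cert unconstrained

for c in constrained unconstrained; do
    echo "$c: NameConstraints present = $(has_name_constraints "$WORK/$c.pem")"
    name_constraints "$WORK/$c.pem" | sed 's/^/    /'
done
```

To run the same check against a live site, save the intermediate(s) printed by `openssl s_client -connect host:443 -showcerts` to a file and pass that file to `has_name_constraints` and `name_constraints`. A cross-signed intermediate will show an `excluded DNS:.mil` line; an ISRG-signed one shows nothing. If the post above about XP is right, the line to look for on an XP-friendly chain would be a `permitted DirName:...` entry alongside the exclusion.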

Sure, but that would require Microsoft to release a new Windows XP service pack with this CA ("ISRG Root X1") in the trust store and then wait 4 years for everyone to install it on top of their Windows XP :slight_smile:
If the letsencrypt intermediate is not trusted by a CA that is preinstalled in the Windows XP SP3 trust store, then it does not work on Windows XP in any browser that uses it (all except Firefox).

Ah yes, very good point :stuck_out_tongue_closed_eyes: :blush:

It’s time to let it die IMHO.

Given that XP doesn't support newer crypto options or SNI, the fact is its days are limited anyway…

Should start putting notices for XP on non-HTTPS sites, and not redirect them to HTTPS. Same for stagnant Android <4 … Vary by user-agent for proxies…
